Data Mining Personal Medical Information to Sell Prescription Drugs

1
Data Mining Personal Medical Information to
Sell Prescription Drugs

• Prescription Project Conference
• December 9, 2008
• Washington D.C.

2
Using Individual Medication History for Marketing
Drugs Two Forms

• Uses individual patient medication history to
  promote specific drugs directly to patient
• Uses partially de-identified patient history to
  market drugs to doctors and indirectly influence
  patient care

3
Marketing to Individuals Using Identifiable
Patient Medication History

• Ads/letters sent to individuals by mail, using
  Protected Health Information to promote alternate
  drugs
• HIPAA allows communication without consent for
  alternative treatments, therapies, sites of
  care, or providers
• Not classified as marketing
• PBMs, mail order pharmacies, manufacturers may
  benefit
• Consumers hate this

4
Marketing to Individuals Using Identifiable
Patient Medication History

• Reminder to Fill Prescription letters
• Currently sent by business associate of covered
  entity pharmacy where Rx originally dispensed
• Letters give appearance of care coordination
• Patient may be better off NOT refilling at same
  pharmacy
• Calif. S. 1096 would have allowed drug companies
  access to patient pharmacy records to send
  directly to patients

5
Electronic Medical Records Easier Target for
Marketing Use

• Software vendors may have individual patient
  records on back-up servers
• More easily follow patients across sites of
  care
• Software vendors are business associates, not
  HIPAA covered entities
• Business Associate loopholes in HIPAA
• No federal enforcement
• Business Associate must promise privacy
  protections
• Covered entity only at risk if it knew or had
  reason to suspect violation
• No private right to sue in federal court, 4
  criminal cases

6
IT Expert Says Software Vendor Contracts Violate
HIPAA Privacy Rules

• There are vendors that are obligating covered
  entities to do things they are not allowed to
  do.Paul Tang, member of HHS IT and NCHVS
  privacy and confidentiality advisory groups
• Vendor contracts claim ownership of data, real
  time access and right to resell

7
Software Vendors Share Patient Data with
Manufacturers

• Tangs concern confirmed in New Hampshire
• Vendor admits they sometimes share data for
  research
• Permission granted by doctor--extent of PHI
  disclosure unclear but includes unique identifier

8
Public Not Confident About Privacy and Security
of Medical Information

• 80 Very worried (Markle Foundation)
• Lie to doctors, ask doctors to fudge records,
  skip tests
• Medical Identity Theft250M cases in 2005 (FTC)
• Expensive (50 vs. 1 for social security number
  theft) and dangerous

9
Who Supports Better Privacy Controls?

• National Committee for Health and Vital
  Statistics
• National Governors Association
• Government Accounting Office
• Secretary of Veterans Affairs
• The Presidents Council of Advisors on Science
  and Technology

10
Who Will Oppose Better Privacy Controls?

• PhRMA
• Hospitals, PBMs, Pharmacies, Health Care
  Communications Companies, Possibly Doctors and
  Other Providers

11
HIPAA Loopholes Must be Closed To Prevent Use of
Individual Medication History for Selling RX
Drugs

• No action seen at federal level
• HIPAA allows states to enact stricter laws
• Add privacy/security provisions on business
  associates with state enforcement and penalty
  (consumer protection act) to stop software
  vendors from selling data
• Redefine marketing more broadly than HIPAA to
  require consent for alternative treatment/
  therapies/sites of care/providers

12

• Cindy.Rosenwald_at_leg.state.nh.us
• 603.271.3589