Is Your Prescription Private?

First, the bad news. The answer to the question I posed in the title is largely "no" (as in no, your prescription drug records are not private). For Californians, the good news is the answer to that same question is largely "yes" (a privacy protection that the Consumer Federation of California fought hard to preserve last year). I suppose also falling into the "good" category is the fact that there is a provision in President Obama's stimulus plan that may significantly increase privacy protections related to prescription drug records.

As the New York Times notes, "The federal stimulus law enacted in February prohibits in most cases the sale of personal health information, with a few exceptions for research and public health measures like tracking flu epidemics. It also tightens rules for telling patients when hackers or health care workers have stolen their Social Security numbers or medical information, as happened to Britney Spears, Maria Shriver and Farrah Fawcett before she died in June.

Before I get to more of the Times article on this issue I want to first discuss a bit more about what was at stake just recently here in California, and how it relates to the larger issue of prescription record privacy. The general rule of thumb in our country when it comes to prescriptions is that "all the information on them — including not only the name and dosage of the drug and the name and address of the doctor, but also the patient’s address and Social Security number — are a commodity bought and sold in a murky marketplace, often without the patients’ knowledge or permission."

Here in California, the state with some of the strictest ( New Hampshire, Maine and Vermont too) protections of prescription record privacy in the nation, a bill nearly passed the legislature in 2007 (that CFC vigorously opposed) that would have permitted drug stores to share confidential patient prescription information with third parties.

The bill raised significant privacy and health care concerns for patients - concerns that Americans should have in states across the country. The bill would have created an exception to California's Medical Information Act, and allowed the sharing of confidential patient drug prescription information among pharmacies, third party corporations and pharmaceutical companies without a patent's consent.

Californians expect that their private medical records will be held in confidence by their doctors and pharmacists. SB 1096 would have allowed pharmacies to share prescription information with businesses that provide mailings to the patient – ostensibly reminders that patients should continue to take their medications. The reminder would appear to come from the pharmacy, but in fact it would be paid for by the drug manufacturer.

The bill's main backer, Adheris Inc., is a subsidiary of inVentiv Health Inc., a drug marketing company currently being sued for privacy breaches related to patient prescription records.

A patient’s doctor - not a third party marketing company - is the best source for informing a patient about how to manage his or her health condition. By intruding upon and confusing this relationship, this bill could have put patients’ health, as well as privacy, at risk.

For example, a physician might discontinue a prescription if a patient complained of an adverse reaction. Unaware of the changed course of treatment, the drug marketing company would continue sending reminders that appear to come from the drug store, urging the patient to keep taking the old prescription. The bill placed no liability on drug markets that provide bad information to patients.

The legislative battle was a fierce and contentious one, pitting privacy and consumer groups and physicians against drug store chains and drug marketers. Thanks to a significant public outcry against the legislation - helped by some good reporting on the issue, the bill was defeated (representing an important victory for California’s landmark medical records privacy law).

I think this California case study I have sourced serves as a useful tool in understanding what remains at stake for patients privacy around the country, how close California came to losing the protections we enjoy, and, why it could be a very important and positive development if the Obama Administration can strengthen our rather lax privacy protections when it comes to prescription records.

The New York Times reports:

MORE than 10 years after she tried without success to have a baby, Marcy Campbell Krinsk is still receiving painful reminders in her mail. The ads and promotions started after she bought fertility drugs at a pharmacy in San Diego. Marketers got hold of her name, and she found coupons and samples in her mail that shadowed the growth of an imaginary child — at first, for Pampers and baby formula, then for discounts on family photos, and all the way through the years to gifts suitable for an elementary school graduate.

...

“The new rules will plug some gaping holes in our federal health privacy laws,” said Deven McGraw, a health privacy expert at the nonprofit Center for Democracy and Technology in Washington. “For the first time, pharmacy benefit managers that handle most prescriptions and banks and contractors that process millions of medical claims will be held accountable for complying with federal privacy and security rules.”

The law won’t shut down the medical data mining industry, but there will be more restrictions on using private information without patients’ consent and penalties for civil violations will be increased. Government agencies are still writing new regulations called for in the law.

Ms. Krinsk was never able to find out who sold her information, but companies that have been accused in lawsuits of buying and selling personal medical data include drugstore chains like Walgreens and data-mining companies like IMS Health and Verispan. CVS Caremark, which handles prescriptions for corporate clients, has also been accused of violating patients’ privacy. These companies all say that names of patients are removed or encrypted before data is sold, typically to drug manufacturers. But as Ms. Krinsk’s case shows, there are leaks in the system.

...

Selling data to drug manufacturers is still allowed, if patients’ names are removed. But the stimulus law tightens one of the biggest loopholes in the old privacy rules. Pharmacy companies like Walgreens have been able to accept payments from drug makers to mail advice and reminders to customers to take their medications, without obtaining permission. Under the new law, the subsidized marketing is still permitted but it can no longer promote drugs other than those the customer already buys.

The ban on marketing is even more strict in California, where Walgreens is fighting off a class-action lawsuit filed on behalf of customers who received the subsidized mailings before the state outlawed them in 2004. Michael Polzin, a Walgreens spokesman, defended the mailings as a cost-cutting measure. “Patients who fail to properly take their medication cost the U.S. health care system $177 billion a year,” when they fall sick and need treatment, he said.

...

IN another big change, the stimulus law provides $19 billion to push doctors toward installing electronic records systems. It is a milestone on the road toward President Obama’s goal of digitizing all medical records within five years. But digitization creates the potential for more abuses by hackers, as well as blackmail and insurance fraud.

“Privacy is under greater duress than ever before as medical records are switched from paper to electronic,” said Pam Dixon, a consumer advocate and executive director of the World Privacy Forum near San Diego.

...

Google, Microsoft and WebMD all say they will not show advertising alongside a person’s health records. But visitors to WebMD, Google Health and Microsoft’s site, HealthVault, see ads for drugs for diseases like osteoporosis or acid reflux as they seek information on an array of ailments.

Technology experts say identities of viewers and their health interests are often captured at the moment they click on online ads for a drug. That provides the advertiser with a prospective customer to pursue online or by mail.

...

Since 2003, more than 45,000 complaints have been filed at the civil rights office in the Department of Health and Human Services by people who said their medical privacy was violated. The office says it has taken enforcement actions on more than 8,900 cases in that period, covering millions of people.

A single case can involve thousands of patients. For example, CVS paid a $2.25 million settlement early this year after an Indianapolis television station found paper records with CVS customers’ personal drug information had been tossed into Dumpsters. In the settlement agreement, CVS promised to protect patient information at all 6,300 CVS stores.

A survey sponsored by the Federal Trade Commission suggested that tens of thousands of patients each year had their records broken into by hackers and unauthorized employees of hospitals and other health industry companies. Keith B. Anderson, an economist at the F.T.C., estimated that the personal information of about 890,000 adults was misused between 2001 and 2006. Stolen identities and data were used to trick Medicare, Medicaid and other insurers into paying for bogus medical treatment and supplies, he said.

Click here to read the rest of the article.

Its not hard to predict that these kinds of technological advancements will also lead to an increasingly contentious and important battle between identity thieves and data miners on one side, versus those of us that believe in ironclad privacy protections simply being a non-negotiable component of any system that stores medical or prescription drug records.

As the Times points out, not all people think that the stimulus law goes far enough to protect patients’ privacy (I would be one). While it bans paying a pharmacist for marketing to patients, it does not bar the sale of personal drug information by one pharmacy to another. Baby steps I suppose...