Supreme Court Sides with Data Miners Over Prescription Privacy

Just when I think the Supreme Court can't top its disastrous recent record they out due themselves. Don't get me wrong, when it comes to the "privacy rights" of the government and big corporations, the Court's conservative majority come off as radically activist, pro-privacy extremists. But for some reason when it comes to the privacy rights of human beings, this same "pro-privacy" (for powerful interests) cabal resembles the gang who can't shoot straight (or that's read the Constitution).

So just when you thought this group couldn't come up with another twisted ruling designed to strip rights from the people and then "re-gift" them to corporate criminals and the government they (6-3) overrule Vermont's law (what about state's rights??) which prohibits pharmacies from selling information about prescriptions to data mining firms for marketing purposes.

That's right, in the warped, borderline fascist worldview now aggressively applied by the conservative majority on the Supreme Court (shockingly Justice Sotomayor ruled with them), the Vermont statute was ruled an unconstitutional limitation on the First Amendment rights of data mining companies. Got that? More important than YOUR privacy, and YOUR right to keep your most personal medical records private, is the right of corporations seeking to profit OFF your private information.

As EPIC points out, there was a strong dissenting argument written by Justice Stephen Breyer, and joined by Justices Ginsburg and Kagan, which stated that the Vermont statute was a reasonable regulation of commercial activity that did not significantly burden the free speech rights of data miners. Justice Breyer wrote, "[T]he prohibition is justified by the need to ensure unbiased sales presentations, prevent unnecessarily high drug costs, and protect the privacy of prescribing physicians."

EPIC also filed a "friend of the court" brief on behalf of 27 technical experts and legal scholars, as well as nine consumer and privacy groups, arguing that the privacy interest in safeguarding medical records is substantial and that the "de-identification" techniques adopted by data-mining firms do not protect patient privacy.

In fact, in January of this year, the LA Times editorialized, strongly, in favor of Vermont's law. A few key points in the piece are worth repeating now:

    IMS Health Inc. operates in the shadows of the healthcare industry, gathering data that drug makers can use to sell medications more effectively. The data, however, are taken from the prescriptions that doctors write for their patients. That information is at the heart of a dispute over how far states can go to protect privacy — a dispute that has reached the Supreme Court, and one that could broaden the reach of the 1st Amendment in troubling ways.

    IMS and a handful of market research competitors pay pharmacists for the details contained in prescriptions, including the name of the doctor and the patient, the drug prescribed and the dosage. They compile that information into databases that track individual doctors' prescribing habits, replacing patients' names with "de-identified" numbers. Such databases can be valuable to the public, potentially helping to enforce drug laws, find patterns in the spread of disease and spot variations in how medications are used. But the main use — and the one that pays for the databases — is to help pharmaceutical companies persuade physicians to prescribe more of their products.

    That's one of the reasons states across the country have proposed or enacted regulations governing prescription data mining. Drug makers hire legions of sales representatives to pitch physicians in person about new products and new applications for older medications. They pay market researchers millions of dollars for information on individual doctors' prescriptions because it helps them find sick people (chronically sick people in particular) who could be treated with their drugs or who are taking their competitors' medications.

     …

     This month the Supreme Court agreed to consider Vermont's appeal, and we hope the justices will be guided by the dissent written by 2nd Circuit Judge Debra Ann Livingston. As Livingston noted, pharmacies obtain sensitive information about doctors and prescriptions only because the state orders them to gather it for law enforcement reasons. Otherwise, doctors and patients might insist that the data be kept confidential. That information is every bit as sensitive as a hospital chart or a doctor's notes, and should be subject to equally effective protection.

     Just because IMS doesn't supply patients' names to drug companies, that doesn't mean they can't be tracked individually. According to Meredith Jacob of the American University Washington College of Law, the databases assign unique numbers to pharmacies' customers that can be used to follow their prescriptions over time, helping drug makers spot the patients most likely to be customers for their new drugs and market those medicines to their physicians.

    What's worse, the data about prescriptions could conceivably be combined with other records to reveal some patients' names. That's because "de-identified" data may provide clues that enable it to be matched against names in other databases. In one example of this technique cited in a brief by the Electronic Privacy Information Center, a researcher was able to use public records to name more than a third of the supposedly anonymized victims in Chicago's homicide database.

In fact, I've written pretty extensively on this issue myself, as we were part of a coalition that stopped legislation in California that sought to lift such privacy protections that we enjoy here.

As I recently wrote, "The reality that our most private prescription drug records are not in fact private should be of increasing concern to consumers, legislators, and the courts - where the issue is now playing out.


So when you’re talking about efforts to sell private prescription drug records to third parties, so drug manufacturers can better target their products to you (often times in an invasive and dangerous way), its more than just the violation of privacy – it’s the products themselves that should also be of concern.

Recent studies indicate that a whopping sixty-five percent of the country takes a prescription drug. In 2005 alone, we spent $250 billion on them. Another 100,000 Americans die each year from prescription drugs — that’s 270 per day - more than twice as many who are killed in car accidents each day.

Unfortunately, thousands of patients die from prescribed mistakes too, but this study looked only at deaths where our present medical system wouldn’t fault anyone. Tens of thousands of people are dying every year from drugs they took just as the doctor directed. This shows you how dangerous medications are – and why, as you’ll see, privacy is paramount.

For Californians, the good news is we have stricter protections against the selling and sharing of our prescription records than just about any other state (aside from New Hampshire, Maine and Vermont).

It was just a couple years ago that we (Consumer Federation of California) actively opposed (and successfully) legislation that would have allowed the sharing of confidential patient drug prescription information among pharmacies, third party corporations and pharmaceutical companies without a patient's consent.

Californians rightly expect that their private medical records will be held in confidence by their doctors and pharmacists. But, if we had lost this fight, pharmacies could share prescription information with businesses that provide mailings to the patient – ostensibly reminders that patients should continue to take their medications. The reminder would appear to come from the pharmacy, but in fact it would be paid for by the drug manufacturer.

The bill's main backer, Adheris Inc., is a subsidiary of inVentiv Health Inc., a drug marketing company that was being sued for privacy breaches related to patient prescription records.

A patient’s doctor - not a third party marketing company - is the best source for informing a patient about how to manage his or her health condition. By intruding upon and confusing this relationship, this bill could have put patients’ health, as well as privacy, at risk.

For example, a physician might discontinue a prescription if a patient complained of an adverse reaction. Unaware of the changed course of treatment, the drug marketing company would continue sending reminders that appear to come from the drug store, urging the patient to keep taking the old prescription. The bill placed no liability on drug markets that provide bad information to patients.

The victory was an important milestone for California’s landmark medical records privacy law – a fight that is now playing out nationwide and in the Supreme Court.

The issue is a stark one: failing to protect prescription records would be a windfall for corporations seeking to track, buy and sell a patient's private medical records. This would represent a significant intrusion by pharmaceutical companies into the privacy of patients. By opening this Pandora's Box, consumers could wind up receiving mailings designed to look as if they came from the pharmacy yet conflict with what their pharmacist or doctor has recommended."

To conclude, here was EPIC's summary argument presented to the Supreme Court:

The Vermont Confidentiality of Prescription Information Law seeks to safeguard the privacy of prescribing information. This is a substantial state interest that is of even greater concern than the record below reveals. The “deidentification” technique adopted by the Respondents in this matter does not adequately safeguard the medical privacy of Vermont residents or the residents of other states whose personal prescribing information could be obtained by data-mining firms and subsequently sold to pharmaceutical companies. These records include the prescriber’s name and address; the name, dosage, and quantity of the drug prescribed; the date and location at which the prescription was filled; and the patient’s age and gender. The only missing element – the patient’s actual name – is concealed by a weak cryptographic technique that does not actually prevent reidentification of the patient by Respondent.

In such circumstance, the Vermont law, and the many other similar state confidentiality laws, seek to safeguard personal information that is without question among the most sensitive and most deserving of protection. Considering also that the state compels the collection of this information for public safety and research purposes, the subsequent disclosure for other unrelated purposes implicates a Constitutional interest in informational privacy.

Unfortunately, the Supreme Court, once again, ruled in favor of the profit interests of the powerful, rather than the privacy rights of the individual.