The Identity Theft Smoke Screen: Data Mining of Prescription Drug Records and Personal Data Privacy

Filed in Uncategorized by on May 2, 2011 4 Comments

[Ed Note: We are pleased to welcome a guest article from Christopher J. Asakiewicz, J.D. He graduated from Seton Hall Law in 2011 with a concentration in Health Law, recently passed the New York Bar Exam (congratulations!) and works for ImClone Systems Corporation, an affiliate of Eli Lilly and Company, drafting and negotiating various clinical documents and patient disclosures with both US and ex-US institutions as well as central and local investigational review boards (IRBs). During law school he worked  at Saint Vincents Catholic Medical Centers of New York (SVCMC) in the department of legal affairs, and prior to pursuing a legal education, managed phase IIIB/IV international clinical trials for Pfizer Inc. in the areas of neurology and neurodegenerative diseases.]

casakiewiczPersonal data privacy once again has taken front stage in Sorrel v. IMS Health, Inc.[1] Vermont passed the Vermont Confidentiality of Prescription Information Law that allows doctors which prescribe drugs to patients, to decide whether pharmacies can sell their prescription drug prescription records.[2] IMS Health as well as other health information companies contested the law, arguing that the law poses a restriction on commercial speech as access to such information helps pharmaceutical companies market their drugs effectively to doctors. The Supreme Court is now tasked with determining the constitutionality of the restriction on access to prescription information with regards to our First Amendment. [3]

However, this post is focused on the secondary effects asserted in amici curiae briefs supporting the petitioners of allowing companies to purchase such information, specifically the concern of data privacy and patient re-identification. [4] Under the Health Information Portability and Accountability Act (HIPAA), personal health information is de-identified by your local pharmacy prior to such information being shared with any third party. By de-identifying the data, your personal data cannot, it is believed, be linked or traced back to you. De-identifying your health information is a way for covered entities to share your information without your consent or authorization and in accordance with the law. The information once shared is completely anonymized. After the transfer to a third party, like IMS Health, your information is solely data of zeros and ones that translate to dates of dispensing and drug names. No longer does your prescription record list your name or month or day of birth. [5]

Briefs in the case assert that data mining firms could, hypothetically, create profiles based on these de-identified prescription records. Such prescription profiles would constitute certain patient’s prescription habits, including an individual’s medication types, pharmacies visited and dates dispensed. The briefs argue that linking and mining further public information to these drug profiles could result in patient re-identification.

IMS Health, Inc., of course, asserts that it has no knowledge of any patient re-identification and it protects such records with all the security privacy measures set forth under HIPAA and as strengthened by Health Information Technology for Economic and Clinical Health Act (HITECH). So what is the issue, I ask?

A pharmaceutical company does not need nor want to know who you are. Aggregate data is more beneficial to a marketing company, rather than just one record with your name on it. What benefit would a company get from a record that says, John Doe, DOB: 01-Jan-1984? The company could send you a mailer, but under the current regulations, you can opt out of the marketing material and it stops there. However, what helps a pharmaceutical company is aggregate datasets that say Dr. Jane Doe, MD writes 100 scripts for Lipitor ® a month. No one cares if the patients are unidentifiable, and most likely, the pharmaceutical company wants to keep it that way. Not only will the de-identified data be cheaper to buy, but it also assures the third party purchasing the data that it is not aiding a HIPAA violation.

Last, it is also asserted that there is no penalty for re-identification of personal health data, but there are stark penalties under HIPAA for “a person who knowingly … (1) uses or causes to be used a unique health identifier; (2) obtains individually identifiable health information relating to an individual; or (3) discloses individually identifiable health information to another person.” [6] If the offense is committed with the intent to sell, transfer or use the individually identifiable health information for commercial advantage, the penalty could be up to $250,000 and 10 years imprisonment. [7] If claims are brought against companies, like IMS Health, the companies will surely argue they are not covered entities subject to the penalties under HIPAA; however, this does not prevent civil lawsuits against them.

What will happen if a breach occurs due to patient re-identification? Most likely, the current healthcare environment where many companies are acting under corporate integrity agreements or deferred prosecution agreements, promotes reporting, if not out of altruistic purpose at least a compliance purpose. With this said, once reported to both the Department of Health and Human Services, Office of Civil Rights, as well as, in most states, the Secretary of state, privacy and confidentiality laws require notification to be provided to the patient that has been re-identified. This patient whose privacy rights have been infringed can then bring an individual civil claim against the organization responsible for the disclosure of their health information as well as the collateral damages caused by the unauthorized disclosure. Now, what company today wants to get involved with this type of bad publicity?

In conclusion, just because the possibility exists that a patient can be re-identified with data mining practices, does not mean that our current environment will foster such. The nine Justices of the Supreme Court need to be more concerned with the First Amendment and the commercial speech implications of their ruling, rather than amici curiae briefs supporting public policy positions based on unwarranted fears of patient information disclosure.[8]

I therefore urge you to put yourself in the role of your favorite Justice and consider if you should be more concerned that a company is going to buy your prescription records and try to determine that you took amoxicillin for a sinus infection when you were five years old, or if that company would rather purchase all the information you posted on Facebook ® or other social networking sites, including all the locations you have checked in. Which do you think is more useful to market its products? It is with this mindset that you must consider if the regulation directly advances the governmental interest “in protecting the public health of Vermonters, … the privacy of prescribers and prescribing information” and is no more extensive than necessary to serve that interest. [9]

[1] Petition for Writ of Certiorari, Sorrel v. IMS Health, Inc., 131 S. Ct. 857, No. 10-779, Dec. 13, 2010.

[2] Vt. Stat. Ann. tit. 18, § 4631 (2010).

[3] See Central Hudson Gas & Elec. Corp. v. Pub. Serv. Comm’n of N.Y., 447 U.S. 557 (1980).

[4] Brief of Electronic Privacy Information Center (EPIC) et. al. as Amici curiae supporting Petitioners, Sorrel v. IMS Health, Inc., 131 S. Ct. 857, (2011) (No. 10-779), 24-9, available at,; Latanya Sweeney, Simple Demographics Often Identify People Uniquely (Carnegie Mellon University, Data Privacy Working Paper No. 3, 2000), available at,

[5] Privacy Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Pub. L. No. 104-191 (1996), 45 C.F.R. §§ 164.312(e)(2)(ii), 164.514(b)(2)(i) (2010).

[6] 42 U.S.C. § 1320d-6(a)(1)-(3).

[7] Id. § 1320d-6(b).

[8] Brief of Electronic Privacy Information Center (EPIC) et. al. as Amici curiae supporting petitioners, Sorrel, 131 S. Ct. 857, (No. 10-779).

[9] See Vt. Acts & Resolves No. 80, § 17 (2007) (Confidentiality of Prescription Information); Vt. Acts & Resolves No. 89, § 3 (2008) (amending Act 80).

Tags: , , , , , , , ,

About the Author ()

Comments (4)

Trackback URL | Comments RSS Feed

  1. Christopher Asakiewicz says:

    Thank you for these insightful comments. I really appreciate your interest in my posting.

    1) As to the computer science of reidentification: Are you arguing that Paul Ohm’s article “Broken Promises of Anonymization” is wrong?

    With regards to the science of reidentification, my view is much in line with Professor Ohm’s views. In the above posting, I am not arguing that reidentification is not possible, nor a probable concern. Reidentification of personal information can be performed today by those using a simple excel spreadsheet with much precision, and the more datasets available to the user, the better probability the user has of reidentifying the individual who the data is associated. Furthermore, I agree that a regulator when legislating in the arena of data privacy must no longer consider all “adversaries” to be the same, but rather consider the motivations and human factors associated with reidentification. This is the area where although I agree with Professor Ohm’s views, my analysis most likely results in a different conclusion.

    It is my position that when one weighs the risks versus the benefits there is little concern of patient reidentification in the narrow situation of a pharmaceutical company purchasing data from pharmacy data aggregators. I do concede however that this assumption must consider that data may be more useful when reidentified and the third parties who obtain this information can reidentify in secret, the motivations of which would be a substantial edge, equating to increased profits for these marketing firms. But, the companies purchasing such information, already under heightened scrutiny, should help to keep this concern at a minimum. Nevertheless, this issue could be addressed with a penalties associated with sale or use of identifiable data, rather than a consent statute implicating First Amendment concerns.

    2) As to the deterrent impact of HIPAA or related fines: Wasn’t the first ever monetary fine in the near-15 year history of the law issued a few months ago? Before that, wasn’t the law consistently dismissed as a “toothless tiger”?

    While I agree that HIPAA is, even today, a toothless tiger in many respects, monetary civil or criminal penalties are not the only characteristics that may be used to analyze the effectiveness of a statute or it’s implementing regulations. Since HIPAA was instituted, many covered entities have established or stepped up pre-existing compliance efforts with the Privacy and Security Rules. Moreover, HITECH increases all participating entities, including business associates, obligations with respect to breach notification and accounting of disclosures. Thus, if the primary characteristic of an effective statute is behavior modification of society, I would say that HIPAA is succeeding in that respect and even without a track record of having any teeth to back it up.

    3) Even if we could assume that there is no patient privacy right at issue here, physicians have some interest, right? This is a data collection mandated by the state.

    As for the last question, my posting was only meant to focus on the secondary effect on patient privacy, a policy concern used to sway public opinion and bolster Attorney General Sorrell’s position. With respect to a physician’s interest, this is an issue that the Supreme Court is tasked to answer and I would rather not impose my views upon the reader. It is for the Court and the reader to decide, if once the issue of patient privacy is lifted from case, does the state still have a substantial interest in protecting a physician’s right to consent to this non-public prescription information.

  2. Frank Pasquale says:

    A very interesting perspective. A few questions:

    1) As to the computer science of reidentification: Are you arguing that Paul Ohm’s article “Broken Promises of Anonymization” is wrong?

    2) As to the deterrent impact of HIPAA or related fines: Wasn’t the first ever monetary fine in the near-15 year history of the law issued a few months ago? Before that, wasn’t the law consistently dismissed as a “toothless tiger”?

    3) Even if we could assume that there is no patient privacy right at issue here, physicians have some interest, right? This is a data collection mandated by the state.

Leave a Reply

Your email address will not be published. Required fields are marked *