The Identity Theft Smoke Screen: Data Mining of Prescription Drug Records and Personal Data Privacy
Personal data privacy once again has taken front stage in Sorrel v. IMS Health, Inc. Vermont passed the Vermont Confidentiality of Prescription Information Law that allows doctors which prescribe drugs to patients, to decide whether pharmacies can sell their prescription drug prescription records. IMS Health as well as other health information companies contested the law, arguing that the law poses a restriction on commercial speech as access to such information helps pharmaceutical companies market their drugs effectively to doctors. The Supreme Court is now tasked with determining the constitutionality of the restriction on access to prescription information with regards to our First Amendment. 
However, this post is focused on the secondary effects asserted in amici curiae briefs supporting the petitioners of allowing companies to purchase such information, specifically the concern of data privacy and patient re-identification.  Under the Health Information Portability and Accountability Act (HIPAA), personal health information is de-identified by your local pharmacy prior to such information being shared with any third party. By de-identifying the data, your personal data cannot, it is believed, be linked or traced back to you. De-identifying your health information is a way for covered entities to share your information without your consent or authorization and in accordance with the law. The information once shared is completely anonymized. After the transfer to a third party, like IMS Health, your information is solely data of zeros and ones that translate to dates of dispensing and drug names. No longer does your prescription record list your name or month or day of birth. 
Briefs in the case assert that data mining firms could, hypothetically, create profiles based on these de-identified prescription records. Such prescription profiles would constitute certain patient’s prescription habits, including an individual’s medication types, pharmacies visited and dates dispensed. The briefs argue that linking and mining further public information to these drug profiles could result in patient re-identification.
IMS Health, Inc., of course, asserts that it has no knowledge of any patient re-identification and it protects such records with all the security privacy measures set forth under HIPAA and as strengthened by Health Information Technology for Economic and Clinical Health Act (HITECH). So what is the issue, I ask?
A pharmaceutical company does not need nor want to know who you are. Aggregate data is more beneficial to a marketing company, rather than just one record with your name on it. What benefit would a company get from a record that says, John Doe, DOB: 01-Jan-1984? The company could send you a mailer, but under the current regulations, you can opt out of the marketing material and it stops there. However, what helps a pharmaceutical company is aggregate datasets that say Dr. Jane Doe, MD writes 100 scripts for Lipitor ® a month. No one cares if the patients are unidentifiable, and most likely, the pharmaceutical company wants to keep it that way. Not only will the de-identified data be cheaper to buy, but it also assures the third party purchasing the data that it is not aiding a HIPAA violation.
Last, it is also asserted that there is no penalty for re-identification of personal health data, but there are stark penalties under HIPAA for “a person who knowingly … (1) uses or causes to be used a unique health identifier; (2) obtains individually identifiable health information relating to an individual; or (3) discloses individually identifiable health information to another person.”  If the offense is committed with the intent to sell, transfer or use the individually identifiable health information for commercial advantage, the penalty could be up to $250,000 and 10 years imprisonment.  If claims are brought against companies, like IMS Health, the companies will surely argue they are not covered entities subject to the penalties under HIPAA; however, this does not prevent civil lawsuits against them.
What will happen if a breach occurs due to patient re-identification? Most likely, the current healthcare environment where many companies are acting under corporate integrity agreements or deferred prosecution agreements, promotes reporting, if not out of altruistic purpose at least a compliance purpose. With this said, once reported to both the Department of Health and Human Services, Office of Civil Rights, as well as, in most states, the Secretary of state, privacy and confidentiality laws require notification to be provided to the patient that has been re-identified. This patient whose privacy rights have been infringed can then bring an individual civil claim against the organization responsible for the disclosure of their health information as well as the collateral damages caused by the unauthorized disclosure. Now, what company today wants to get involved with this type of bad publicity?
In conclusion, just because the possibility exists that a patient can be re-identified with data mining practices, does not mean that our current environment will foster such. The nine Justices of the Supreme Court need to be more concerned with the First Amendment and the commercial speech implications of their ruling, rather than amici curiae briefs supporting public policy positions based on unwarranted fears of patient information disclosure.
I therefore urge you to put yourself in the role of your favorite Justice and consider if you should be more concerned that a company is going to buy your prescription records and try to determine that you took amoxicillin for a sinus infection when you were five years old, or if that company would rather purchase all the information you posted on Facebook ® or other social networking sites, including all the locations you have checked in. Which do you think is more useful to market its products? It is with this mindset that you must consider if the regulation directly advances the governmental interest “in protecting the public health of Vermonters, … the privacy of prescribers and prescribing information” and is no more extensive than necessary to serve that interest. 
 Petition for Writ of Certiorari, Sorrel v. IMS Health, Inc., 131 S. Ct. 857, No. 10-779, Dec. 13, 2010.
 Vt. Stat. Ann. tit. 18, § 4631 (2010).
 See Central Hudson Gas & Elec. Corp. v. Pub. Serv. Comm’n of N.Y., 447 U.S. 557 (1980).
 Brief of Electronic Privacy Information Center (EPIC) et. al. as Amici curiae supporting Petitioners, Sorrel v. IMS Health, Inc., 131 S. Ct. 857, (2011) (No. 10-779), 24-9, available at, http://www.atg.state.vt.us/assets/files/10-779%20EPIC%20amicus%20Sorrell.pdf; Latanya Sweeney, Simple Demographics Often Identify People Uniquely (Carnegie Mellon University, Data Privacy Working Paper No. 3, 2000), available at, http://dataprivacylab.org/projects/identifiability/paper1.pdf.
 Privacy Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Pub. L. No. 104-191 (1996), 45 C.F.R. §§ 164.312(e)(2)(ii), 164.514(b)(2)(i) (2010).
 42 U.S.C. § 1320d-6(a)(1)-(3).
 Id. § 1320d-6(b).
 Brief of Electronic Privacy Information Center (EPIC) et. al. as Amici curiae supporting petitioners, Sorrel, 131 S. Ct. 857, (No. 10-779).
 See Vt. Acts & Resolves No. 80, § 17 (2007) (Confidentiality of Prescription Information); Vt. Acts & Resolves No. 89, § 3 (2008) (amending Act 80).