HealthBlawg

David Harlow's Health Care Law Blog


Who owns patient data? (The Walgreens edition)

March 22, 2011

Walgreens is being sued by customers who are not happy that their prescription information – even though it has been de-identified – is being sold by Walgreens to data-mining companies. 

The data privacy and security concerns surrounding the transfer of de-identified data are significant. To “de-identify” what is otherwise protected health information under HIPAA, some outfits simply strip out the 18 types of identifiers listed in the federal regulations (the “safe harbor” method). However, the relevant regulation (45 CFR 164.514(b)(2)(ii)) also provides that this only works if “the covered entity does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information.” The problem with this approach is that, these days, nobody can plausibly disclaim knowledge that information de-identified by removing this cookbook list of 18 identifiers may be re-identified by cross-matching it with other publicly available data sources. The fields that survive the stripping (age range, gender, state, drug or diagnosis) are quasi-identifiers: a combination of them that is rare in the population is enough to single a person out once a second data set carrying the same fields is at hand. There are a number of reported instances of this sort of thing happening. The bottom line is that our collective technical prowess has outstripped the regulatory safe harbor.

Is this the basis of the lawsuit brought against Walgreens?  An objection to trafficking in health information that should remain private?  No.  The plaintiff group of customers is suing to share in the profits realized by Walgreens from trading in the de-identified data.

While I haven’t pored over the papers filed in this case, my guess is that there’s enough legal boilerplate in the Walgreens HIPAA notice of privacy practices given out and signed for up front by patients who fill prescriptions so that they do not have a claim worth much more than nuisance value.

This case reminds me of the landmark case of Moore v. Regents of the University of California, decided about twenty years back, where a leukemia patient wanted to share in the profits from a line of cells grown from cells harvested from his body by researchers who told him that his return hospital visits were for checkups and monitoring only.  He lost.

The specific governing rules in play are different, but I don’t see how the ultimate result would be much different this time around, especially since the Walgreens plaintiffs were probably given more information about how their goods might be used (in the notice of privacy practices) than Moore ever was.

Nobody asked me, but I would think that a more productive line of inquiry would lie with figuring out whether the data that is being sold – patient gender, state and age group; name of drug prescribed; and ID number of prescribing physician – could be combined with other data available to the folks buying these data from Walgreens and used to re-identify patient records. Given the slightly differently de-identified insurance company records that are out there, and the profit motive of the data-mining companies, I would not be surprised if at least some of these de-identified records were easily re-identified, thus exposing Walgreens to liability for HIPAA violations. The data-mining companies are almost certainly re-identifying the physicians, since the prescriber ID identifies the physician directly and that is where the value in this whole exercise lies: targeted marketing to physicians based on their prescribing patterns. (Regarding re-identification of patient information, consider the case of the Netflix Prize, where de-identified video rental data could be re-identified by cross-matching with online consumer movie reviews – “Simply removing names does not ensure that data will remain anonymous. And the implications stretch far beyond the world of Netflix.”) Of course, HIPAA violations just yield a fine, payable to the government (and we know how useful HIPAA civil monetary penalties (CMPs) can be in ensuring compliance) – there is no private right of action under HIPAA – so it would be a stretch to translate them into a plaintiffs’ verdict involving cash.
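To make the cross-matching concrete, here is an added example, not code from the original post and not built on any real Walgreens, insurer or Netflix data. Both data sets are constructed inline. The “pharmacy” export keeps exactly the fields the post says are sold (gender, state, age group, drug, prescriber ID) and nothing else; the “claims” feed is assumed to carry the same fields plus a member ID, standing in for the differently de-identified insurance records. The code measures how many released records are alone in their quasi-identifier class (k-anonymity) and then performs the join a data buyer would perform:

```python
"""Linkage attack on safe-harbor de-identified pharmacy records.

Added example with constructed data. The point: stripping direct identifiers
does not stop re-identification when the retained fields (quasi-identifiers)
can be joined against another data set that carries the same fields.
"""
from collections import Counter, defaultdict

# Quasi-identifiers: the fields the post says survive de-identification.
QUASI_IDS = ("gender", "state", "age_group", "drug", "prescriber_id")

# Constructed "de-identified" pharmacy export: no names, dates or addresses.
PHARMACY_RECORDS = [
    {"gender": "F", "state": "MA", "age_group": "40-49", "drug": "atorvastatin", "prescriber_id": "P100"},
    {"gender": "F", "state": "MA", "age_group": "40-49", "drug": "atorvastatin", "prescriber_id": "P100"},
    {"gender": "M", "state": "MA", "age_group": "60-69", "drug": "metformin", "prescriber_id": "P100"},
    {"gender": "F", "state": "NH", "age_group": "30-39", "drug": "lithium", "prescriber_id": "P207"},
    {"gender": "M", "state": "MA", "age_group": "20-29", "drug": "lisinopril", "prescriber_id": "P100"},
]

# Constructed external source (assumed: a claims feed de-identified differently,
# so it still carries a member identifier alongside the same quasi-identifiers).
CLAIMS_RECORDS = [
    {"member_id": "M-0001", "gender": "F", "state": "MA", "age_group": "40-49", "drug": "atorvastatin", "prescriber_id": "P100"},
    {"member_id": "M-0002", "gender": "F", "state": "MA", "age_group": "40-49", "drug": "atorvastatin", "prescriber_id": "P100"},
    {"member_id": "M-0003", "gender": "M", "state": "MA", "age_group": "60-69", "drug": "metformin", "prescriber_id": "P100"},
    {"member_id": "M-0004", "gender": "F", "state": "NH", "age_group": "30-39", "drug": "lithium", "prescriber_id": "P207"},
    {"member_id": "M-0005", "gender": "M", "state": "MA", "age_group": "20-29", "drug": "lisinopril", "prescriber_id": "P100"},
]


def key(rec, fields=QUASI_IDS):
    """Quasi-identifier tuple used as the join key."""
    return tuple(rec[f] for f in fields)


def k_anonymity(records, fields=QUASI_IDS):
    """Return (k, unique_count).

    k is the size of the smallest equivalence class over the quasi-identifiers;
    unique_count is how many records sit alone in their class (k == 1 cells).
    """
    classes = Counter(key(r, fields) for r in records)
    return min(classes.values()), sum(1 for c in classes.values() if c == 1)


def link(released, external, fields=QUASI_IDS):
    """Join released records to the external set on the quasi-identifiers.

    Returns {released_index: member_id} for released records that match exactly
    one external identity, i.e. an unambiguous re-identification. Records whose
    class has several external candidates are left out (ambiguous match).
    """
    index = defaultdict(list)
    for ext in external:
        index[key(ext, fields)].append(ext["member_id"])
    hits = {}
    for i, rec in enumerate(released):
        candidates = index.get(key(rec, fields), [])
        if len(candidates) == 1:
            hits[i] = candidates[0]
    return hits


def safe_to_release(records, k_min, fields=QUASI_IDS):
    """Release gate a covered entity could apply before handing data over:
    refuse any export whose smallest quasi-identifier class is below k_min."""
    k, _ = k_anonymity(records, fields)
    return k >= k_min


if __name__ == "__main__":
    print("k, unique cells:", k_anonymity(PHARMACY_RECORDS))
    print("re-identified:", link(PHARMACY_RECORDS, CLAIMS_RECORDS))
    # Coarsening: drop drug, prescriber and age group, keep only gender + state.
    coarse = ("gender", "state")
    print("after coarsening:", k_anonymity(PHARMACY_RECORDS, coarse),
          link(PHARMACY_RECORDS, CLAIMS_RECORDS, coarse))
    print("releasable at k>=2:", safe_to_release(PHARMACY_RECORDS, 2))
```

On the constructed data three of the five “de-identified” records join to exactly one claims member; the two atorvastatin patients survive only because they share a cell. Coarsening down to gender and state still leaves the lone New Hampshire patient unique, which is the practical lesson: the safe-harbor list addresses direct identifiers, while the risk lives in small cells among the fields that remain, and a release gate has to measure those cells rather than trust the checklist.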

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

Filed Under: Health care policy, Health Law, HIPAA, Prescription Drugs, Privacy


Comments

  1. Glenn Laffel, MD, PhD says

    March 22, 2011 at 9:22 am

    David-
    Maybe in another post perhaps you can address the pending Supreme Court case against IMS (I believe scheduled to be heard this May)? Your readers might find it useful. And how that case ties in to this one.

  2. David McCallie Jr says

    March 22, 2011 at 4:19 pm

    In order to re-identify the patient, the Rx data would probably have to be “joined” against some other external data source (PBM, claims, labs, etc.) In which case, it would not likely be the pharmacy that was releasing PHI. Rather, it would be some downstream agent (the data miner) that was re-identifying already released (de-identified) data.

    In that case, would there be a violation of HIPAA? What if the data miner (the re-identifier) is not a Covered Entity? Is the releaser of de-identified data legally responsible (under HIPAA) for what happens after release?

    –david

  3. David Harlow says

    March 22, 2011 at 9:35 pm

    @David — We have been conditioned to think of records with the 18 enumerated identifiers stripped out as de-identified. However, that stripping just creates a rebuttable presumption of de-identification. As the reg goes on to say, this presumption is valid only if “the covered entity [in our case, the pharmacy co] does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information.” It matters not who actually does the re-identification. For a covered entity to claim it has no actual knowledge that at least some of the records could be re-identified would arguably be unreasonable ostrichlike behavior in this day and age. When the rule was written, the Netflix trick probably could not have been pulled off. Today, the “actual knowledge” exception may be close to obliterating the de-identification “safe harbor.” Thus, data with the 18 identifiers stripped out might no longer be called “de-identified.”

Copyright © 2006–2023
HealthBlawg is a publication of The Harlow Group LLC. See Copyright notice and disclaimer.