Can Medical Medication Information be Re-Identified – Sure It Can Just Run the Queries and if Those Don’t Work, Write New Ones
Posted Aug 10 2009 10:33pm
What we are talking about here is the information that is generated with medication records from pharmacies and some pharmacy benefit managers. We have been for sale for quite a while now as these data bases existed long before electronic medical records came into existence and were used by the pharmaceutical companies to help them target and market physicians for their drugs, but as time evolved, the information the data bases offer are indeed becoming part of a medical record system, so there’s a bit of the old practice still hanging out there that sells our information and is not under the control of HHS.
Certainly information can be encrypted and encoded, but it also has to be decoded to use and if the one in possession has another data base of perhaps demographics for a simple example to compare, matches can be made from some common indexes, and items get matched, again this depends on the content of both data bases as to what and where matching occurs. Let’s face it, nobody is going to pay for a data base that can’t be read and decoded, all that guarantees is that it is sent in a method to prevent someone outside the process of getting a hold of the information like a hacker would do.
By using your medication trail algorithms can be run to determine your risk when a carrier is considering insuring you, and yes you are for sale.
Milliman's Intelliscript or Ingenix Medpoint are the 2 big data miners that find out when you apply for health insurance what your medication rap sheet has been for the last 5 years as an example of where some of this begins. By applying for insurance, you sign a release to allow the companies to mine the information, no signature and permission, then probably no insurance will be written for you; however, the release you sign is HIPAA compliant, whatever that constitutes at this point. What if you are taking a medication for an off label diagnosis and treatment plan, try and explain that one! It may be helping your condition, but by the standards set up, there’s no room for that in the analysis process, you are still grouped in the “labeled” section, which may be much worse than your condition really is.
As the example in this story though, there are leaks and this woman is still stuck somehow in the marketing ring and can’t get out and her information may have been sold to a number of marketing concerns from the original point of sale, so she keeps getting mail and advertisements for fertility drugs. Information can be sold to data-mining companies like IMS Health for marketing as an example and once you are re-matched with some additional data base it might be next to impossible to get out of it too so not only has her medication history been sold, it may have been matched with other data bases to further market in other areas. Data Base programmers get paid pretty good money for the most part to do this type of work as it creates both additional exposure and dollars. BD
MORE than 10 years after she tried without success to have a baby, Marcy Campbell Krinsk is still receiving painful reminders in her mail. The ads and promotions started after she bought fertility drugs at a pharmacy in San Diego.
Before the changes, privacy regulations mainly applied to hospitals and doctors. Enforcement was weak, and there were lots of loopholes.
Privacy experts cite research by Latanya Sweeney, director of theData Privacy LabatCarnegie Mellon Universityin Pittsburgh, which shows that a computer-savvy snooper can easily match names, addresses, Social Security numbers and so on to “re-identify” information that had supposedly been rendered anonymous.
“Our biggest concern is the complete lack of protection against re-identifying data that was supposed to be anonymous and secure,” Ms. McGraw said. Selling data to drug manufacturers is still allowed, if patients’ names are removed. But the stimulus law tightens one of the biggest loopholes in the old privacy rules. Pharmacy companies like Walgreens have been able to accept payments from drug makers to mail advice and reminders to customers to take their medications, without obtaining permission. Under the new law, the subsidized marketing is still permitted but it can no longer promote drugs other than those the customer already buys.
Privacy advocates and a judge in the case argued that de-identified information could easily spin out of control. “This information quickly finds its way into other databases, including those of insurance carriers and pharmacy benefits managers,” Judge Bruce M. Selya wrote in a federal appeals court decision upholding the New Hampshire law.