On April 26, the U.S. Supreme Court will hear arguments in a case that could have significant implications for patient privacy. Sorrell v. IMS Health, Inc., et al. challenges the constitutionality of a Vermont statute that prohibits the use of drug prescribing information for the purpose of marketing drugs to physicians and other prescribers, without the consent of the prescriber. The case has the potential to do real damage to privacy protections, but understanding the various risks posed by the case requires some careful unpacking of the ways in which "privacy" is -- and is not -- at issue.
Vermont legislators wanted to control the costs associated with increased prescribing of brand-name drugs and to address safety issues related to increasing off-label drug uses. So they adopted a law saying that drug companies cannot obtain data about doctors' prescribing habits and use the information to market drugs to prescribers unless the doctors have consented.
The data at issue contain doctors' names but do not include patient names. The data are "patient de-identified" pursuant to standards established under the HIPAA privacy rule. HIPAA already prohibits the sale of patient-identified data for marketing to patients or to doctors. Vermont relied on the HIPAA standards and instead targeted the use of prescriber-identifiable data for marketing purposes.
Companies that compile the data claim their use of this information for marketing purposes is protected by the First Amendment. Vermont (and the U.S. Solicitor General) argues that the statute is a reasonable exercise of the state's authority to regulate a commercial activity for the legitimate state goals of controlling drug costs paid by the state and preventing potentially dangerous off-label prescription drug uses. However, Vermont also argues that the statute was enacted to protect patient and prescriber privacy. Amicus briefs filed by the medical community and some privacy advocates also assert that patient and prescriber privacy interests are at stake.
The case sets up a potentially dangerous conflict between privacy and the First Amendment. As amici in the case argue, it would be a disaster if the Supreme Court were to hold that the First Amendment rights of corporations could trump the privacy interests of patients and others. We share these significant concerns.
But are the defenders of the law properly invoking privacy in the first place? Certainly, medical data are sensitive. However, some of the privacy claims in the case are, in our estimation, seriously overbroad.
If the Supreme Court were to accept some of the privacy claims, it actually could do damage to privacy by discouraging use of de-identified data. Further, claims that doctors have a privacy right in their prescribing practices could upset a host of policy goals associated with improving the efficiency and safety of the health care system.
Concerns About De-Identified Data
The Center for Democracy & Technology has a long history of promoting consumer privacy on the Internet, and our Health Privacy Project plays a leading role in promoting health privacy protections as the nation moves rapidly to adopt electronic health records. Our work in health privacy includes seeking to improve policies governing de-identified health data. The issues surrounding de-identified data are very important because there are many beneficial uses for health data that go beyond the direct treatment of patients. If these secondary purposes can be served with de-identified data, that is far better for privacy because it reduces the flow of identifiable data.
However, CDT does not believe that there are zero privacy interests in de-identified data. Among other things, there is a concern that insufficiently de-identified data could be re-identified. CDT believes that current HIPAA de-identification methods -- in particular, the safe harbor approach -- are not as robust as they need to be to justify a "hands-off" approach to regulation. Consequently, CDT has recommended re-evaluating and updating de-identification standards to accommodate a rapidly changing data environment that makes it easier to re-identify. We also have called on policymakers to enact strict prohibitions against inappropriate re-identification. Moreover, in some contexts, such as online behavioral advertising, even de-identified data pose major concerns.
However, it is important that HIPAA and other health privacy laws maintain a distinction between fully identifiable data and data that have been properly de-identified and protected against re-identification. If privacy laws do not recognize a distinction between de-identified and fully identified data, then there will be little or no incentive to de-identify data or to improve de-identification techniques. Instead, there will be a tendency to use fully identified data for secondary purposes -- such as public health and quality control -- which would raise far greater privacy risks for individuals.
Do Prescribers Have a Privacy Interest in Their Prescribing Behaviors?
Vermont and a number of amici have asserted that the state's interest in protecting prescriber privacy motivated enactment of the statute.
CDT has long recognized that the doctor-patient relationship is the foundation for building and maintaining public trust in the electronic collection and exchange of health information to improve individual and population health. However, we are concerned about claims of a privacy interest on the part of prescribers.
The behavior of physicians and other health care professionals is routinely scrutinized by regulators, accrediting organizations, licensing boards and health care plans, among others. A broadly recognized privacy interest in prescriber-identifiable data could have implications for multiple important issues -- including quality measurement, public health reporting and comparative effectiveness research -- that are critical to health reform.
If the Supreme Court were to agree that prescriber records need to be protected like corporate "trade secrets" or that there is no role for outside review of physician decision-making, important reform activities that depend on access to and use of prescriber-identified data could be impaired or prohibited.
Implications of Supreme Court Ruling
In many ways, Sorrell v. IMS Health is not about privacy as the defenders of the Vermont law claim.
A broad ruling by the Supreme Court on de-identified data could have a negative impact on patient privacy. Meanwhile, a broad statement by the court on doctor "privacy" could derail other very timely initiatives.
This is not the case, nor is the Supreme Court the institution, to make policy on either set of issues; the parties have offered other practical rationales for the court to use to decide this case.
There needs to be a policy conversation about the viability of the current de-identification standard, but this case must preserve the concept that there is a meaningful distinction between identified and de-identified data. It is up to other processes to ensure a continually robust de-identification standard and strict accountability for re-identification.