Is Your Medical Data for Sale?

About two weeks after undergoing surgery at a local hospital in the fall of 2001, medical claims specialist Mary Jane Stull of of Northbend, Indiana, received no fewer than four telemarketing calls from companies that provide home medical services trying to sell her one manner of home care or another. When she asked the callers how they got her name, they refused to say.

It was all the proof Stull needed to confirm her long-standing concerns that hospitals, doctors, pharmacies, or all the above, were peddling medical patient health information on the open market.

Robert Gillman, a medical privacy consultant in Washington, D.C., says that Stull’s suspicions are correct. “Medical records today are not private,” Gillman says. “And, what will happen now is that an electronic records system will just add to the sharing problem.”

Gillman believes that the ability to share private medical information electronically between interested parties, rather than cost savings, is what has really interested companies in electronic medical records. When Gillman refers to “interested parties,” he is referring to industries that feed off the U.S. health system.

And one of the biggest feeders is pharmaceutical and medical supply companies. Gillman says you can easily spot their handiwork right in the Health Insurance Portability and Accountability Act of 1996.

“The marketing provision in HIPAA is the worst I have ever seen in my 20 years in this business,” Gillman said. “Not only will your doctor have an incentive to sell this information to drug companies, but so can laboratories, your pharmacy and your health plan. And, if you find out and go to one of these entities and tell them to stop, that does not stop the others from continuing to sell your information. You have to track down every one of them individually.”

The salient wording in the HIPAA legislation: “[T]he covered entity can engage in health-related marketing on behalf of a third party, presumably for a fee. Moreover, the covered entity could retain another party, through a business associate relationship, to conduct the actual health-related marketing, such as mailings or telemarketing, under the covered entity’s name.”

According to Gillman, the laws that will govern the selling of confidential patient information once HIPAA goes into effect in 2003 “has holes in it big enough for drug companies to drive their whole marketing efforts right through it.”

Gillman’s concern about the marketing of electronic medical records is shared by Joseph Conn, editor of Modern Physician Magazine. Last summer, Conn published an article titled Code Red: Data Pipeline to Drug Marketers Raises Privacy Concerns.

“I was at the AMA convention this summer in Chicago,” Conn recalls, “And there were a lot of drug-industry folks there talking up everything from direct-to-consumer advertising to data mining and physician profiling.”

Conn says that the drug industry showed its interest in patient EMRs by investing in several companies producing software for the Palm handhelds doctors use to create electronic prescription orders. “What they were interested in,” Conn says, “was creating a way to hook into doctors’ workflow and get those details flowing down the pipeline to target their marketing efforts.”

Of most interest to pharmaceutical companies are the diagnosis and prescription codes, now standardized thanks to HIPAA. “Still, they have had trouble getting their hands on the diagnosis code because doctors usually refuse to fill that field in when they submit their prescriptions to the pharmacy,” Conn says. That could change, he says, if they are able to build hooks, called a charge capture, into these handheld devices. “The whole idea is to marry all the data that flows to insurance companies and pharmacy benefit-managers in real time.”

To that end, Conn says big money is pouring into creation of such a medical information system. Microsoft, IBM and Pfizer have created an company called PenChart that produces and sells a medical records system married to a prescription tool, so it’s coming on strong.

“By forming a relationship with The PenChart Corporation, we are working closely with one of the leading developers of ambulatory (electronic records) solutions,” said Stephen Pacicco, director of business development at Pfizer. “We at PHS are excited about offering our customers the PenChart Suite of products, which represents a significant opportunity for physicians to enhance the delivery of quality patient care.”

Pfizer touts PenChart for its ability ‘to break down the barriers currently believed to be blocking the successful wide-scale acceptance of an [electronic records] solution featuring direct interaction by providers.” (The PenChart Suite runs on the Windows NT platform with MS-SQL Server and was developed using Microsoft Visual Basic.)Last year Pfizer/PenChart announced the release of its 2 Click Prescription module for doctors who use handheld computers.

PenChart created an algorithm based on the historical prescribing trends for each provider, Pfizer said. The system then would fill out the quantity, refill, dosage, chronic/episodic tag and comment for each drug strength and form selected. That would make it possible to order a drug in three seconds, and doctors could even use a Compaq handheld computer to do it.

Further proof of the interest in electronic prescription data surfaced during the debate over HIPAA privacy rules. A consortium of private industry firms opposed the rules as they were written because they were too restrictive. One member of that group was the Food Marketing Institute (FMI), which represents more than 8,800 markets that operate in-store pharmacies.

What the FMI objected to were provisions that would have required patient consent before their medical information was shared with others. “The consent area was a concern to us,” says Ty Kelley, the Washington lobbyist for FMI. “Prior written consent before you can do anything with prescription information, like sending your aunt in to pick up your prescription. It would create burdens and problems for patients.”

Asked if the information could be used for direct marketing to patients, Kelley doesn’t dismiss the possibility. “Ads in the mail? I supposed that could happen,” Kelley says, “but I doubt it would. Maybe for chronic diseases like diabetes or hypertension, but not for something like Viagra.”

Ultimately, some experts say, the matter of patient prescription privacy will be settled not by laws, but by market forces. “Privacy will become more protected as it becomes more a market issue,” says Dennis Melamed, publisher of Health Information Privacy Alert, an industry newsletter.

“Once this rule (HIPAA) settles down and the insurers in the field sit down and figure out how they are going to underwrite these risks, you will see a lot better security than exists now.”

Also, the potential of a consumer backlash against companies that misuse their private medical information will also temper marketing enthusiasm. That’s precisely what happened in 1998 when east coast drug store chain CVS decided that it would be a good idea to market its line of diabetic products to its customers who also purchased injection kits and insulin there. They transmitted that list to a private marketing company, which then resold the list to other companies with related products. CVS’ diabetic customers were suddenly flooded with mailings and calls from marketing companies pushing diabetic products.

The result was a public relations disaster for CVS and the flap even forced the marketing company they hired to change its name, from Elensys to Adheris.

Still, the hunger for such highly targeted patient marketing data may be the lure that’s hard for some companies to resist. And, despite the CVS affair, the possibilities are clearly still being weighed.

“Everyone has a different definition of privacy,” says FMI lobbyist Kelley.