How good are those rules?
Some notes from Monday's Health Privacy Summit in Washington, where the pending U.S. Supreme Court case Sorrell vs. IMS Health loomed large:
Attorney Christian Hamann of German law firm Gleiss Lutz served on a panel discussing data mining and Sorrell. In April, the court heard oral arguments in a constitutional challenge to the Vermont law seeking to curb the use of physician-identified prescription-drug data in marketing. To hear Hamann tell it, it would be inconceivable for such a case to arise in Germany or elsewhere in Europe.
"All European laws are based on the principle that any use of personal information is prohibited unless there has been consent or there is a statutory exemption," Hamann said. In all cases, he said, it is prohibited to sell or exchange patient data outside the healthcare system. Pharmacies are never allowed to transfer information to private companies, even if they de-identify the data.
William Sage, vice provost for health affairs at the University of Texas School of Law and moderator of the panel, said he expects the high court to render a decision in two weeks.
Also on the panel was computer scientist and privacy guru Latanya Sweeney, who spoke via the Internet. Sweeney and other speakers questioned the efficacy of the Health Insurance Portability and Accountability Act of 1996's privacy provisions. Sweeney expressed her doubts about the regulations as they apply to prescription-drug data buyers and sellers such as the analytics company IMS Health.
According to Sweeney, HIPAA allows data sharing for uses other than the specifically exempted ones, such as treatment, payment or healthcare operations, under only two circumstances. One is when more than a dozen key identifiers are stripped away, creating a "safe harbor."
The other is the HIPAA "statistician provision"—a sketchy safeguard at best, as Sweeney noted.
"The HIPAA statistician provision is so broad that it simultaneously supports good and bad practices indistinguishably, allowing data that can be trivially re-identified to enjoy the same wide distribution, free of HIPAA privacy protection, as data that has provable guarantees on anonymity," Sweeney said. "IMS Health, like many other entities, receives patient data under the HIPAA statistician provision, and the question is, is the data they receive sufficiently de-identified? Can patients be re-identified?"
Sweeney, who directs the Data Privacy Lab at Carnegie Mellon University, didn't answer her own question but said she has two experiments planned and called on IMS Health to join a third to find an answer.
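The question Sweeney poses, whether data released under the statistician provision is "sufficiently de-identified," is one a data recipient can at least partly measure rather than take on faith. The script below is an added example, not code from the summit, from Sweeney's lab or from IMS Health: it applies a simplified stand-in for safe-harbor stripping (direct identifiers dropped, dates reduced to year, ZIP codes cut to three digits; this simplification is an assumption of the example, not a legal reading of the rule) to constructed sample records, then computes the table's k-anonymity over the remaining quasi-identifiers. A k of 1 means some record's combination of ZIP prefix, birth year and sex is unique in the release, which is exactly the "trivially re-identified" case; generalizing birth years into decades shows how a statistician-style assessment would push k up.

```python
"""Toy re-identification risk check for a de-identified prescription table.

Added example, not code from the page or from any organization named in it.
RAW_RECORDS is constructed sample data; safe_harbor() is a simplified
stand-in for HIPAA safe-harbor stripping and is an assumption of this
example, not a statement of the regulation's exact requirements.
"""
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample input: records as a pharmacy might hold them.
RAW_RECORDS: List[Dict[str, str]] = [
    {"name": "A. Patient", "ssn": "000-00-0001", "dob": "1961-03-14", "zip": "05401", "sex": "F", "drug": "drug-x"},
    {"name": "B. Patient", "ssn": "000-00-0002", "dob": "1961-07-02", "zip": "05402", "sex": "F", "drug": "drug-y"},
    {"name": "C. Patient", "ssn": "000-00-0003", "dob": "1985-11-30", "zip": "05401", "sex": "M", "drug": "drug-x"},
    {"name": "D. Patient", "ssn": "000-00-0004", "dob": "1985-01-09", "zip": "05403", "sex": "M", "drug": "drug-z"},
    {"name": "E. Patient", "ssn": "000-00-0005", "dob": "1940-05-21", "zip": "05401", "sex": "M", "drug": "drug-y"},
    {"name": "F. Patient", "ssn": "000-00-0006", "dob": "1947-09-17", "zip": "05402", "sex": "M", "drug": "drug-x"},
]

# Fields removed outright versus fields that remain and can be linked to
# outside data (voter rolls, public directories) to single out a person.
DIRECT_IDENTIFIERS = ("name", "ssn")
QUASI_IDENTIFIERS = ("zip", "dob", "sex")


def safe_harbor(record: Dict[str, str]) -> Dict[str, str]:
    """Drop direct identifiers and coarsen the fields the rule limits (simplified)."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["dob"] = record["dob"][:4]  # keep the year only
    out["zip"] = record["zip"][:3]  # keep the first three ZIP digits only
    return out


def k_anonymity(records: List[Dict[str, str]], quasi: Tuple[str, ...]) -> Tuple[int, Counter]:
    """Smallest equivalence-class size over the quasi-identifiers, plus the class counts."""
    counts = Counter(tuple(r[q] for q in quasi) for r in records)
    return min(counts.values()), counts


def unique_records(records: List[Dict[str, str]], quasi: Tuple[str, ...]) -> List[Dict[str, str]]:
    """Records whose quasi-identifier combination appears exactly once (k == 1)."""
    _, counts = k_anonymity(records, quasi)
    return [r for r in records if counts[tuple(r[q] for q in quasi)] == 1]


def generalize_years(records: List[Dict[str, str]], width: int = 10) -> List[Dict[str, str]]:
    """Replace each birth year with a year range of the given width (e.g. 1940-1949)."""
    out = []
    for r in records:
        year = int(r["dob"])
        lo = year - year % width
        g = dict(r)
        g["dob"] = f"{lo}-{lo + width - 1}"
        out.append(g)
    return out


def main() -> None:
    released = [safe_harbor(r) for r in RAW_RECORDS]
    k, _ = k_anonymity(released, QUASI_IDENTIFIERS)
    print("k-anonymity after safe-harbor stripping:", k)
    for r in unique_records(released, QUASI_IDENTIFIERS):
        print("  unique quasi-identifier combination:", r)
    k2, _ = k_anonymity(generalize_years(released), QUASI_IDENTIFIERS)
    print("k-anonymity after generalizing birth year to a decade:", k2)


if __name__ == "__main__":
    main()
```

On the constructed table the safe-harbor release has k = 1: two of the six records are the only ones with their ZIP prefix, birth year and sex, so they carry no crowd to hide in. Bucketing birth years into decades raises k to 2 for the same records, which is the kind of measurable guarantee a provision that relies on expert judgement could demand but, as Sweeney observes, does not.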
Kimberly Gray, IMS Health's chief privacy officer, served on the same panel. Gray said IMS uses an outside contractor to render anonymous the prescription records it receives.
"The data is de-identified before it hits our doors," Gray said. "We're trying to ensure that the data is not re-identified. Where we've fallen short, perhaps, is in being a little less transparent about our practices. Most corporations do not want to be on the wrong side of public opinion. Nobody wants to be a case study for re-identification. IMS Health is much more aligned with this group than many people may think."
Follow Joseph Conn on Twitter: @MHJConn.