If there is one thing physician executives agree on, it's that patient privacy must be protected. Only 1.4% of respondents to the technology survey approve of physicians selling medical data that identifies patients. Just 1.9% believes it's OK for others--hospitals, payers, pharmacy benefits managers, IT vendors and data processors--to peddle patient-specific information.
A larger segment of physician leaders is comfortable with the sale of aggregated data that has been de-identified. But the overwhelming majority is against the sale of information derived from medical claims or prescriptions under any circumstances.
"I don't like people getting my personal information. I don't think it should be sold," says Arnold Weil, M.D., principal of a small nonsurgical orthopedic practice in Marietta, Ga.
According to Keith McReynolds, M.D., a partner in a four-physician otolaryngology practice in Mesa, Ariz., "It just doesn't seem ethical on the face of it."
Ethical or not, AMA policy allows the marketing of de-identified patient data, as do the HIPAA privacy regulations that are set to take effect in 2003. How those regulations will be enforced is unknown, as HHS expects a flood of litigation before the effective date.
The first landmark court ruling in the area of patient privacy might have come out of a yearlong fight between online medical information service WebMD Corp. and data miner Quintiles Transnational Corp., but the two sides reached a settlement Oct. 12.
The battle flared last month when WebMD, citing privacy concerns, asked a federal court to overturn an injunction that had forced it to provide de-identified patient data to Quintiles since March. Quintiles responded by suing to recover damages from WebMD's decision to cut off the data flow early in the year. Its management argued that WebMD was concerned more with finding a merger partner than with safeguarding privacy.
The settlement requires WebMD to keep the data pipeline open through Feb. 28.
According to privacy expert Robert Gellman of Washington, the case really boiled down to whether individual states' privacy protection laws can supersede less stringent HIPAA regulations, as WebMD contended, or whether the U.S. Constitution's interstate commerce clause means that the federal HIPAA law always trumps states' rules. With the settlement, the question will remain unanswered until another case comes along.
"That whole issue is a mess right now," Gellman says. "What's interesting here is that we have two companies fighting each other over patient data. The one group that is not represented is the patients. From a patient perspective, patients have no idea that their personal information is being exploited, shared by these companies they've probably never heard of."
That is a sentiment apparently shared by quite a few physician executives.
"I think patients would be appalled if they knew how much their information is being sold," says survey respondent Philip Chase, M.D., of Pleasanton, Calif., chief information manager for the western region of Team Health, a hospital-based PPM based in Knoxville, Tenn.
Stuart Weisman, M.D., CEO of ePhysician, a vendor of handheld clinical software applications, says: "I'm a physician, and I took a Hippocratic oath, and I also run a data company. But I certainly believe in protecting patients from the release--intentionally or unintentionally--of private information."
Just how secure private information remains is the subject of much debate. In June, the Journal of the American Medical Association reported that a privacy guru at Carnegie Mellon University was able to identify former Massachusetts Gov. William Weld from a supposedly anonymous sample of health insurance claims because the de-identified data still included each patient's date of birth, gender and five-digit ZIP code.
"There's enough artificial intelligence out there in the computer world that de-identification is rather meaningless," says Chase.
John Easter, chief privacy officer of e-healthcare software vendor MDeverywhere, says, "De-indentified data, to me, can be cracked." What's important, he says, is to minimize the risk of protected health information falling into the wrong hands.
Cynthia Sherry, M.D., chair of the physician leadership council at Texas Health Services, a 13-hospital system in north Texas, says she understands there can be real clinical benefits from studying aggregated patient data.
But as a practitioner at 14-physician Dallas Radiologists, a THS affiliate, "I have mixed feelings about (selling de-identified data) because some savvy people can re-identify this information," she says. "Then I think it's reprehensible."