I spoke about privacy recently with Carol Rose, M.D., president of the Pennsylvania Medical Society. She told me that she had prescribed for herself a box of syringes. She and her husband have allergies severe enough to require treatment with injectable medications.
Rose has given me permission to reveal her prescription, but she didn't give permission to her pharmacist. Yet a couple of days after visiting the pharmacy to buy the needles, she was horrified to find her home mailbox stuffed with ads for various products--not for allergies, but for paraphernalia a diabetic patient would use.
Even though the marketers got her diagnosis wrong, Rose said she felt violated by the ads.
"I still continue to get them," she said last month, a year after writing her prescription. "Once you're on a mailing list, you stay on it."
Nearly all the physician leaders we surveyed this year said they do not want to see any data sold that could identify their patients. The majority of doctors said they want no patient data sold, "de-identified" or not.
Yet marketers who spent money on those misdirected advertisements to Rose and other patients will strive to improve their aim. They'll want to buy data on each patient's diagnosis as well as on their prescription. Today, a huge volume of prescription data is available instantly, but the data miners' Holy Grail is to link prescription and diagnosis at the time the prescription is written.
Database expert Latanya Sweeney testified in a recent privacy suit that de-identified patient data being sent by claims clearinghouse WebMD to data miner Quintiles Transnational is "readily re-identifiable using commonly available technology and available public data." She said she cracked the de-identified data using a personal computer, a Microsoft Access database program and a voter list bought for $175.
The potential to gather and deliver valuable raw data to drug marketers exists in the many electronic medical records systems and a few of the more advanced prescription writing/charge capture tools developed for handheld personal digital assistants. A doctor can press a button and send a prescription and, inadvertently, the matching diagnosis code whisking to the corner drugstore--and then to a PBM, a data miner and, eventually, a drug marketer.
Is this being done right now? Frankly, I don't know. Selling out patients is not something I've heard anyone bragging about. But can it be done now? According to industry experts I've spoken with, absolutely.
What can be done to prevent it? Healthcare lawyers tell me physician executives need to scrutinize the contracts they sign with every IT vendor. Get it in writing that the vendor won't sell patient data, not even de-identified data, without the patient's permission. Then, physician executives should work through medical societies to lean on claims processors, PBMs and insurance carriers to adopt similar no-sale policies.
What is at stake is the trust at the core of the physician-patient relationship. Physician executives have spoken loud and clear: Don't mess with that trust.