The San Francisco Chronicle has a story about SB1096, which would allow pharmacies to sell customers’ prescription data for marketing purposes. Currently, the California Confidentiality of Medical Information Act prohibits such sales. The California Medical Association opposes the bill, saying this would affect doctor-patient relationships. The bill was previously defeated in the Senate, but is up for another vote today after it was amended to say, “that the patient shall receive an opportunity to opt out of the written communication.”
Opt-out clauses are not protective enough. Would the opt-out clause be posted in a prominent area? Would the language be clear? Would the patients understand what they were opting out of? The pharmacies would have financial incentives to have as few customers opt-out as possible. It is irresponsible for the pharmacies to place the burden on customers to keep their private medical data from becoming public.
Last year, I was co-counsel on an amicus curiae brief (pdf) in IMS Health v. Ayotte, a case about a New Hampshire state law that banned the sale of prescriber-identifiable prescription drug data for marketing purposes. The marketing companies in the New Hampshire case weren’t asking for data that would outright link individuals to their prescriptions, yet we detailed the problems that could come from “de-identified data.” We argued:
Although de-identification measures are increasingly innovative and computationally complex, patient data is still vulnerable to attacks because sophisticated re-identification programs are also being developed. Individuals can be re-identified using information such as zip code, date of birth, and gender and then comparing that data to publicly available information. Such information is easily accessible via birth and death records, incarceration reports, voter registration files, and driver’s licensing information.
Passage of the California bill would cause a much worse scenario. The Chronicle notes, “People receiving medication for a litany of illnesses, including cancer, diabetes, asthma, osteoporosis, depression, hypertension and heart disease, could receive the [marketing] letters” once their private medical data is sold by the pharmacies. The intensely personal data would be viewable by the company employees who sent out the mailings, the Post Office employees who sorted and delivered the marketing documents, anyone who saw the materials on an individual’s kitchen table. Those who want to learn more about protecting your medical data should visit Patient Privacy Rights.