Fact sheet on LD 838 - An Act Protecting the Confidentiality of Prescription Information

By Rep. Sharon Treat, Sponsor

March 27, 2007

Why is this bill necessary? This bill is a matter of protecting privacy; safeguarding public health; and reducing unnecessary prescription drug costs so that more people in Maine can have access to needed medications. On the privacy front, currently patient data is inadequately protected and prescriber data isn’t protected at all. On the cost end, the use of this information for marketing purposes is a key factor in the skyrocketing costs of prescription drugs and the increased usage of expensive brand-name medicines. And from a public health perspective, use of prescriber data for marketing facilitates the provision of biased and inaccurate information about health risks, and encourages the prescription of new products that might be riskier to patients than known agents on the market.

What LD 838 will do:

Require all entities that handle prescription information to keep both the patient-identifiable and prescriber-identifiable data confidential.

Protect privacy rights of the patient (Federal law requires patient confidentiality but there are marketing loopholes in the HIPAA law that would be closed).

Protect privacy rights of the prescriber.

Prohibit the use of patient-identifiable and prescriber-identifiable data for the purpose of pharmaceutical company sales or marketing or for analysis of prescriber-specific effectiveness of their sales force.

Improve health care outcomes and limit prescription drug costs for patients, employers & the state Medicaid (MaineCare) program. According to the data mining industry itself, “Research has shown that winning just one more prescription per week from each prescriber yields an annual gain of $52 million in sales.”

What LD 838 will NOT do:

Because the bill has specific exemptions to preserve core public health, law enforcement, billing and other uses of prescriber-identifiable data, it will:

NOT interfere with the use of patient or prescriber-identifiable data for the purpose of insurance reimbursement, dispensing prescriptions, utilization review, public health research or for law enforcement purposes.

NOT prohibit the use of prescriber-identifiable data for the current drug utilization review under State Medicaid laws.

NOT prohibit the use of prescriber-identifiable data for analysis of drug formulary compliance under Medicaid or private insurance.

NOT prohibit pharmaceutical manufacturers from using prescriber de-identified data for sales and marketing analysis. There is NO prohibition from using aggregated prescriber data so long as the information cannot be used to directly or indirectly identify the individual or the prescriber.

Why doesn’t the AMA “opt out” program adequately protect prescribers?

The American Medical Association (AMA) sells data it collects annually on physicians to health care information (data mining) organizations, which combine this database with prescription information from pharmacies and then package the information for sale to others, including pharmaceutical companies. The AMA received $44.5 million in 2005 for its physician database. Although the AMA initiated an option in July 2006 to allow physicians to “opt out” of this program, the “opt out” option is inadequate for many reasons:

Many physicians do not know about the AMA opt out option; two thirds of the physicians in the U.S. are not AMA members, even though their data is also included to the AMA database.

Even if a doctor opts out, the personally identifiable prescribing information on that doctor is still sold to datamining companies and drug manufacturers, who may still use it to target their marketing efforts. The only limitation is that a drug detailer may not have direct access to the doctor’s specific information; however, the detailer may be told which doctors to target and how to spin their message based on that information.

The AMA “opt out” only affects data collected by the AMA; other data is collected through pharmacies and other sources and is not affected by the AMA policies.

Doesn’t Federal law already protect privacy?

This is a smokescreen. The federal Health Insurance Portability and Accountability Act, or HIPPA, is only intended to protect patient identifiable data. LD 828 primarily focuses on the physician and other prescribers’ privacy and the importance of not inappropriately influencing their prescribing patterns through to marketing strategies based on data mining. Prescriber privacy is NOT protected in HIPPA.

HIPPA isn’t even effective in protecting patient information, its stated goal. Private information is still available for marketing purposes, and there is a complete lack of enforcement of this law. LD 828 thus addresses both patient and prescriber privacy, since state law may be stricter HIPPA. Some physicians have raised concerns about patients still being able to be identified, especially in rural areas. In addition, HIPPA allows health care providers to share patient medical records not only for treatment purposes, but also, according to the Wall St. Journal, for “myriad uses” including marketing. As the Journal stated: “Over the past three years, millions of Americans visiting doctors' offices, pharmacies and hospitals have been handed forms and brochures discussing privacy rules under… HIPAA. Many assume signing somehow protects their privacy. It doesn't. In fact, the disclosure notice essentially details the many ways a doctor can use and disclose medical information -- often without a patient's consent or knowledge.” As Karen Hinton, a spokesperson for Patient Privacy Rights, told the Journal: "It's impossible to violate HIPAA because there's such a big, huge loophole" allowing a variety of disclosures without consent. In any event, the law isn’t being enforced. Although violations can result in fines, the Office for Civil Rights, which received more than 22,600 complaints between mid-April 2003 and Sept. 30, 2006, to date has not issued any fines. LD 838 includes an enforcement mechanism through the Unfair Trade Practices Act.