• Data Mining the Constitution*

    * Disclaimer:  I served as counsel of record to amici The New England Journal of Medicine, the Massachusetts Medical Society, the National Physicians Alliance, and the American Medical Students Association, all in support of Vermont.  Read our brief here.

    The Vermont data mining case (Sorrell v. IMS Health) is being briefed before the Supreme Court this month, in preparation for oral arguments on April 26, 2011.  (SCOTUS blog here; Nature.com blog here)

    Pharmacies sell your prescription records to data mining companies, who aggregate the information and sell it to drug companies for billions of dollars per year.  Drug companies use it to sell drugs.  Lots of drugs.

    Vermont physicians were appalled, and the state passed a law in 2007 extending privacy protections to prescription records that identified the physician.  Maine and New Hampshire passed similar laws, ultimately resulting in a decision by the First Circuit Court of Appeals in Boston that these laws were constitutional.

    Vermont won at the Federal District Court, but the appeal went to the Second Circuit Court of Appeals in New York City.  A divided panel voted 2-1 to reverse, saying that Vermont’s law violated the First Amendment rights of data miners and drug companies.  The Supreme Court accepted the appeal on January 7, 2011.

    To the drug companies & data miners, this could be the most important commercial speech case in a decade; a counterpart to Citizens United.  The states and physicians opposed to data mining insist this case is really about medical privacy, and will be the most important Supreme Court decision on medical privacy in a generation.

    Who owns this “prescriber-identifiable” information?  If it’s private and confidential – like HIPAA protected medical records – then taking it without the consent of the patients and doctors violates the law and the First Amendment doesn’t apply.  The First Amendment isn’t a defense to data theft.  I can’t steal trade secrets from a company or medical records from a hospital and expect to get off just because I publish or sell the information.  This is the core argument by Vermont and its amici.

    But if this information is already public, the data miners can collect and sell it to whomever they please.  Including drug companies.

    Stay tuned.


    36 states and the District of Columbia filed an amicus brief yesterday supporting Vermont.

    The federal government also filed a good brief supporting Vermont.  Nice to have support from the DoJ (and, indirectly, the FDA).  The one problem with the US brief was the final section, that unnecessarily tried to distinguish HIPAA.

    Public Citizen and AARP each filed briefs supporting Vermont, as did the Yale Rudd Center and EPIC.

    One of my favorite briefs supporting Vermont is from the Electronic Frontier Foundation.  The opening paragraph:

    “This case presents no novel First Amendment issues.  Instead, the Court of Appeals misunderstood the legal background of this case in a critical aspect: it wrongly asserted that the medical records at issue here are public. This error led the Court of Appeals to ignore the privacy interests at stake. Amicus therefore focuses on how the Vermont law at issue here protects patient privacy and how upholding the decision below could jeopardize much federal privacy law.”

    Briefs from the data miners, drug companies and their amici will be filed in the coming weeks.


    • Thanks for this Kevin. I am sure that you realize Ilya Shapiro, he of the libertarian CATO Institute is defending this. I find it kind of perverse that info which should be confined to patient, physician ad pharmacist is being shared as though it is information from a phone book. It also appears to add billions to the health care budget. For those who do not know what detailing is, drug companies send salespeople out to do one-to-one sales with docs. These reps make, including benefits, about $160,000 per year. There are over 60,000 of them. Brief description at link of numbers and costs.



    • is this still going on and “legal” in every other state?

    • “In the course of filling prescriptions, pharmacies acquire prescription information. Certain information, including the prescriber’s name and address, the name, dosage and quantity of the drug, the date and place the prescription is filled and the patient’s age and gender, is purchased by third parties…”

      Date (does that imply time too?), place, age, and gender is sufficient to identify individuals to someone sufficiently motivated. Set up a video camera and record people going into Walgreens and which car they get into (license plate). Bam, now you know who they are and what medications they bought by guessing age & gender. Not as direct as having a patient name & address.

      Or the flip is targeting a known individual (and knowing their age and gender) and knowing when they fill their prescriptions then cross-checking to see what medications they purchased.

      Honestly, I don’t know what the “identifiable” test is.

      If all patient information is redacted then I don’t see how this information falls under HIPAA.

      If it’s just physicians not wanting to be annoyed/pestered/targeted then this sounds almost identical to the intent of the do not call registry.

    • I wonder if the drug companies take the aggregate prescription by doc info and then use their sales reps to strong arm or reward doctors who are selling the most pills for them? Kinda like a frequent prescriber program that screws the patient.