Virtual Mentor. May 2002, Volume 4, Number 5.
Cases in Law and Ethics
Drug Marketing and Patient Consent
An ethical case describes the use of a pharmacy's database to market directly to their patients without either patient consent or disclosure of the marketing intent of the materials they received.
Erica Ozanne Linden, JD, MPH
Margaret Jacobs has diabetes. She takes medication to control the disease and for the past 5 years has had her prescriptions filled at ABC pharmacy. Last year, ABC implemented a new program to provide health care information to its pharmacy customers. As part of this program, ABC created a customer database that collected information on its customers, including names, addresses, social security numbers, birth dates, and medical and prescription information. In the course of filling her prescriptions, Margaret herself provided ABC with her home address, her social security number, her age, and disclosed that she was diabetic as well as other pertinent medical information. Margaret assumed this information would be kept confidential and at no time was she told why this information was collected.
A few months after the implementation of ABC's new program, Margaret received a letter from ABC discussing the dangers of high cholesterol. The letter informed Margaret that elevated cholesterol is a risk for those people with diabetes and recommended that she take Zilax, a drug used to control high cholesterol. No drugs other than Zilax were recommended for control of cholesterol.
Since the letter was written on the ABC Pharmacy letterhead, Margaret assumed that the letter was in fact from her pharmacy and took it to her primary care physician, Dr. Freeman, to discuss whether she should take Zilax. Dr. Freeman read the letter Margaret brought to him and recognized it as similar to numerous other letters patients had shown him recently. Over the past 2 months, Dr. Freeman had seen at least 15 letters sent to his patients by ABC either warning them of the dangers of certain diseases or urging them to take a specific drug made by a specific pharmaceutical manufacturer.
Dr. Freeman was concerned that the letters sent to his patients encouraged them to take medications that may not be appropriate for their particular circumstances and also wondered why the letters always recommended one brand name drug instead of several drugs that would be equally effective.
Upon further investigation, Dr. Freeman discovered that ABC had been in the news recently for allegedly giving patient prescription records to pharmaceutical companies who then used the information to market their products. Concerned that his patients' confidential medical information may have been given to drug companies without their knowledge or consent, Dr. Freeman investigated. He discovered that ABC sent out a variety of letters to its customers. The letters took different forms; some gave information about the risks of certain health conditions, some encouraged customers to switch to other prescription medication, and others reminded users of a specific drug to refill their prescriptions.
The mailings were not paid for by ABC but were instead financed by drug manufacturers and a marketing firm was used to carry out the actual mailings. Each manufacturer gave ABC specific selection criteria for each mailing. The criteria were used to identify customers with certain medical conditions, and ABC used its databases to select customers according to the manufacturer's criteria. ABC provided the manufactures and marketing firms with patients' names, addresses, social security numbers, and medical conditions. The information was then used to create the letters that promoted use of drugs manufactured by the sponsoring manufacturer. At no time were ABC customers told of this practice or asked for their consent.
Questions for Discussion
The law that most directly governs confidentiality of medical records is the Health Insurance Portability and Accountability Act (HIPAA) passed by Congress in 1996. As part of the law, the Department of Health and Human Services (HHS) promulgated standards to protect the security and confidentiality of such information. These were entitled Standards for Privacy of Individually Identifiable Health Information (the Privacy Rule), and came into effect on April 14, 2001. The compliance date is April 14, 2003. (See 45 C.F.R. §160 and § 164 (2001)).
Information that is protected under the rule includes health information that can be identified with an individual and is used or disclosed by an entity covered under the regulations. Entities covered by the rule ("covered entities") are health plans, health care providers, and health care clearinghouses. Included in the regulations are standards relevant to the use of protected health information (PHI) by third parties. These standards restrict the information that covered entities can give or sell to third parties such as pharmaceutical manufacturers.
The Privacy Rule places stringent requirements on the use of PHI for marketing purposes. In general, a covered entity must obtain specific authorization to use or disclose PHI in a marketing communication. The key point in this case is whether ABC qualifies as a covered entity under the standards. Typically, a pharmacy is not a health plan, health care provider, or a health care clearinghouse and would therefore not be a covered entity.
The Privacy Rule defines a health care clearinghouse as an entity that either "processes or facilitates the processing of health information received from another entity…into standard data elements or a standard transaction" or "receives a standard transaction from another entity and processes or facilitates the processing of health information into nonstandard format or nonstandard data content for the receiving entity."
If ABC collected some of its patient information from an "entity" such as a health care provider, then it would qualify as a health care clearinghouse (a "covered entity") and would fall under the Privacy Rule. Covered entities cannot give or sell any form of PHI to third parties, such as drug manufacturers, without obtaining consent from the individual. Since ABC did not obtain consent from its customers and its activities were not geared toward marketing ABC's pharmacy service but were instead designed to promote the marketing of pharmaceutical companies' products, its activities would not be permitted under the Privacy Rule.
However the customer information that ABC collected, organized by certain health-related criteria, and passed along to third parties came from individual customers, not another "entity." Therefore, ABC most likely does not qualify as a covered entity and is not subject to the Privacy Rule.
The viewpoints expressed on this site are those of the authors and do not necessarily reflect the views and policies of the AMA.
© 2002 American Medical Association. All Rights Reserved.