Sorrell Case
A secondary question in the case is how identifiable is the patient data received by the data mining vendor.
The Statistician Provision of the HIPAA Privacy Rule enables sharing patient data widely,
free of HIPAA penalties and oversight. Certifications can use scientifically strong guards
for patient privacy (e.g., the Privacert approach), but certifications can alternatively use
weak methods giving easy access to re-identifiable patient data.
The policy doesn't distinguish strong from weak methods
and many vendors receive patient data under the Statistician Provision.
This case provides a public example of data provided under the Statistician Provision.
How identifiable is the data? What methods were used to certify it?
Pharmacies forward a copy of prescription information to IMS, which in turn
provides a copy of the information to pharmaceutical companies for marketing
to prescribing doctors. Vermont passed a statute banning the sale of this information.
The U.S. Supreme Court agreed to hear the case in January 2011.
The question before the Court is
"Does a law restricting access to personal information in nonpublic prescription drug records violate the First Amendment?"
Data privacy issues: how identifiable is the patient data and what are the
privacy risks of de-identified patient data regulated by the Vermont statute?
The Court's decision focused on the commercial free speech issue
in the case and the decision followed the lines revealed at oral arguments.
The State cannot attempt to influence physicians to prescribe generic drugs
while simultaneously restricting the speech of commercial drug salespeople.
As predicted, the decision included no mention of the secondary
issue in the case, patient privacy. There are numerous references to the privacy
of the prescribing physician, but the only reference to patient privacy is
near the end:
"The capacity of technology to find and publish personal information, including records required
by the government, presents serious and unresolved issues with respect to personal privacy
and the dignity it seeks to secure."
In summary, patient privacy is "unresolved".
This means that, regardless of the decision, patient privacy issues
will not go away, because the case provides such a publicly visible example,
fueling the debate between Ohm and Yakowitz about re-identifications,
and occurring at a time when HHS is assessing the HIPAA Privacy Rule.
Data Privacy Documents (sequential)
Background
Decision
Background Documents
See SCOTUS
for a list of official documents filed before the Supreme Court in this case, some of which
are also archived above.