The Finch Formerly Known As Gold

24 June 2007

Oh, by the way, I take these drugs

I've previously mentioned the Albertson's selloff; I hadn't mentioned that I've had my prescriptions filled at their Sav-on Pharmacy for the past three or four years. Now comes this disturbing possibilty:

I remember when the Health Insurance Portability and Accountability Act (HIPAA) passed in 2003. My pharmacist gave me a written copy of the pharmacy's privacy policy, and the store put a tape line 10 feet back from the cash register so that those behind me in the queue couldn't listen in on my discussions while I picked up my meds. The changes lulled me into thinking my pharmacy records were private. I was wrong. A loophole in the federal law allows my pharmacy to treat my records as a business asset and sell them, including my drug history, insurance information, address, phone number, and social security number, without my knowledge or consent.

It's happened before:

Randee Lonergan filled prescriptions at the same pharmacy for years. But a month ago, she was shocked to find the pharmacy closed — and all her family's medical records sold to a nearby Target store in Levittown [New York].

Shockingly, her information was sold legally, due to a loophole in medical privacy law that allows pharmacies to "auction off" years of customer records — including prescriptions, information about medical conditions, social security numbers and insurance records — "to the highest bidder," Senator Charles Schumer said Monday.

"I'm outraged," said Lonergan, 34. "I felt that my right to privacy and my right to choose had been taken away from me." Not only were her records sold, so were her husband's and 8-year-old daughter's.

What's Senator Schumer doing about it?

The senator is calling on the federal Health and Human Services secretary, Michael Leavitt, to immediately change the law to require pharmacies to notify patients before selling or transferring their records and allowing patients to opt out.

This might carry some more weight if Schumer were to introduce a bill to modify HIPAA to require this change, but at least someone is aware of the situation.

Update, 27 June: Francis W. Porretto demurs:

Traditionally, the rule has been that, with certain exceptions made for "peeping Toms," what you learn is yours to do with as you please, provided you've violated no confidentiality agreement and no one's property rights in doing so. There's no question that this rule allows businesses to amass large databases of personal information about private citizens, simply by keeping records of their purchases. There's no question that this permits those businesses to trade and merge their databases to mutual commercial advantage, often to the discomfort of the persons whose data is in them. There's no question that, owing to the all-but-complete transition of our society to an information economy, in which money itself has become a stream of bits flowing across the ubiquitous wires, the hazards attending uncontrolled proliferation of personal data are greater than ever. But is the law, in any shape, the proper instrument with which to address these concerns?

There are those who say privacy no longer exists, and in some sense they are correct. Then again, presenting me with a fait accompli of this sort is no way to gain my support.

Posted at 10:12 AM to Dyssynergy

TrackBack: 7:02 AM, 25 June 2007
» Biz Ethics, Anyone? from BabyTrollBlog
IT OCCURS TO ME THAT the only real answer to travesties such as [described at] Dustbury is to enshrine in law and business ethics recognition of the truth that information about a person belongs to that person, not to anyone to whom he chooses to......[read more]

The HIPAA line is marked at Kroger pharmacies, but the waiting areas, with chairs, are between that line and the counter.

I think people tend to have the idea of privacy ass-backwards. I just can't think of any way my prescription history, or anything else I might talk about at the counter, is useful to anyone but me, my doctor and my pharmacist. If someone wants to do anything seriously criminal they need to hack computers and manipulate files -- and a tape line, while visible and therefore (falsely, more often than not) reassuring, doesn't ensure the security of the actual records.
For that matter, the only way I know of that I can be harmed by someone hacking the pharmacy's computers is that they get that next refill before I do, and manage to bill my insurance for it.

Posted by: McGehee at 3:08 PM on 24 June 2007

The velvet ropes and stuff are window-dressing. I'm more concerned with those records en masse falling into the hands of someone whose business it isn't. And given the Feds' obsession with drugs of late, even OTC drugs, I want as many loopholes closed as is humanly possible.

Posted by: CGHill at 3:18 PM on 24 June 2007

The feds can get those records anyway, if they can convince a judge to issue a subpoena.

Posted by: McGehee at 7:31 PM on 24 June 2007

Brian J. Noggle complained (figuratively) to Schumer:

No, senator, you as the legislator should change the law. As a member of the executive branch, Leavitt should implement it as written. That was the whole point. But if you cede responsibility, you can cede the blame.

Posted by: CGHill at 7:36 PM on 24 June 2007

Yeah, for Schumer to tell a bureaucrat to change a law is -- about par for him.

Posted by: McGehee at 8:58 AM on 25 June 2007