Walgreens is being sued by customers who are not happy that their prescription information – even though it has been de-identified – is being sold by Walgreens to data-mining companies.
The data privacy and security concerns surrounding the transfer of de-identified data are significant. To “de-identify” what is otherwise protected health information under HIPAA, some outfits will simply strip data of 18 types of identifiers listed in federal regulations. However, the relevant regulation (45 CFR 164.514(b)(2)(ii)) also provides that this only works if “the covered entity does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information.” Thus, the problem with this approach is that, these days, nobody can disclaim knowledge of the fact that information de-identified by removing this cookbook list of 18 identifiers may be re-identified by cross-matching data with other publicly-available data sources. There are a number of reported instances of this sort of thing happening. The bottom line is that our collective technical prowess has outstripped the regulatory safe harbor.
Is this the basis of the lawsuit brought against Walgreens? An objection to trafficking in health information that should remain private? No. The plaintiff group of customers is suing to share in the profits realized by Walgreens from trading in the de-identified data. Read more »
*This blog post was originally published at HealthBlawg :: David Harlow's Health Care Law Blog*