Last year, the Supreme Court limited the ability of states to regulate the sale of prescription data. In Sorrell v. IMS Health, the Supreme Court determined that a 2007 Vermont law that effectively banned the sale of prescription data for commercial marketing purposes unless the prescriber consented was an unconstitutional limitation on free speech. Now another attempt to curb the sale of prescription data for marketing purposes has failed.
On February 15th, U.S. District Judge Mary McLaughlin in Philadelphia ruled that a pharmacy chain could not be sued under Pennsylvania’s Unfair Trade Practices and Consumer Protection Law (UTPCPL) for selling prescription-related information about consumers to pharmaceutical manufacturers and data firms without the consumers’ knowledge or consent. Arthur Steinberg and Philadelphia Federation of Teachers Health and Welfare Fund v. CVS Caremark Corporation, E.D. Pa., No. 11-2428 (2011). The suit alleged that CVS Caremark Corporation and CVS Pharmacy, Inc., (collectively “CVS”) violated the UTPCPL and the common law prohibitions against unjust enrichment and invasion of privacy by failing to disclose to consumers that third parties could buy confidential information related to their prescriptions. The class action had originally been filed in state court, but was removed to federal court by CVS. The judge’s order dismissed this class action lawsuit with prejudice because the plaintiffs had failed to allege an actionable claim.
Allegedly, the prescription information was intended to help data firms and pharmaceutical manufacturers to target consumers and physicians for marketing and promotional purposes. The plaintiffs asserted, to no avail, that CVS’s failure to include information about the sale of the prescription information in its publicly-available Code of Conduct and Notice of Privacy Practices amounted to a deceptive practice under the UTPCPL. But CVS successfully countered that it lived up to the representations it made in those policies because the information it sold was de-identified in compliance with the Health Information Portability and Accountability Act (HIPAA) – patient names, birthdates, and Social Security numbers were removed from the data. Although the information did contain medical histories, drug lists, prescription fill dates, medical diagnoses, and prescribing physician information, the files included no information that could directly identify the patient; therefore, the data did not qualify as personally identifiable health information under HIPAA. Because CVS did not disclose legally-protected information of their consumers, the Judge found the lawsuit could not stand.
Had the data sold not been HIPAA-compliant, the outcome may have been different. But for now, another attack on the practice of selling prescription utilization data for pharmaceutical marketing purposes has effectively been thwarted.