(Bloomberg) — Ever since the days of castor oil laxatives and mercury syphilis tablets, pharmacists and patients have had a tacit understanding: whatever you buy, the information is confidential.
No longer. Drugmakers and Internet companies are quietly joining forces to link U.S. pharmacy records with online accounts to target ads to people based on their health conditions and the prescription drugs they buy.
In a little-known process, third-party companies assign patients unique numerical codes based on their prescription-drug records, a practice websites also rely on to track their registered users. The two sets of data can be linked without names ever changing hands, allowing pharmaceutical companies to identify groups that use a specific medicine and send them tailored Web ads.
The practice has become an essential part of the $1 trillion pharmaceutical industry’s digital marketing efforts. The industry says the technique complies with federal medical privacy laws because patients’ names are concealed. Still, critics see it as a breach of confidentiality.
“Marketers are treating our health data as if we were buying a pair of pants or a book,” said Jeff Chester, executive director of the Center for Digital Democracy, a privacy group in Washington. “That’s unconscionable. These are highly personal, sensitive decisions that people make.”
Blind spot
The technique’s growing use is raising alarms that technological advances are undoing protections provided by the Health Insurance Portability and Accountability Act (HIPAA), the federal medical privacy law, according to Bloomberg interviews with more than 60 industry executives, regulators and privacy advocates. Websites and data firms exist in a legal blind spot because HIPAA applies to doctors, hospitals, pharmacies, insurance companies and their contractors.
The notion of privacy is so fundamental to the medical profession that it is enshrined in the Hippocratic Oath from ancient Greece, which required doctors to swear that they would keep secret all patient information. The modern-day pharmaceutical profession adheres to that message. The International Pharmaceutical Federation’s code of ethics requires that members “respect and protect the confidentiality of patient information.”
Your code
The process that worries Chester and others is known as a matchback and represents the cutting edge of medical data analytics, an industry that McKinsey and Co. projects will surpass $10 billion in revenues by 2020.
Here’s how matchbacks work: Companies known as data brokers — IMS Health Holdings Inc. is one of the biggest — have amassed hundreds of millions of prescription records, buying them from drug benefit managers such as Express Scripts Holding Co. and CVS Health Corp. The brokers use algorithms to substitute patients’ names with numerical codes. They then partner with websites that rely on the same software to transform their users’ data. Drugmakers pay the websites to match the two sides. Most consumers who have filled a prescription at a drugstore in recent years have been assigned a permanent code, which can be used to send them customized ads.
The industry views matchbacks as an aid to people looking for medical information online and as a way to give drugmakers more clarity. Only aggregate information is shared with pharmaceutical companies, and people are targeted in groups, executives said.
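A minimal sketch of the matching and aggregate reporting described above, added here as an illustration and not code from any company named in the article. It assumes the shared software is a keyed hash (HMAC-SHA256) over normalized name, birth date and ZIP code; the key, field choice, function names and all records are constructed.

```python
import hashlib
import hmac
from collections import Counter

SHARED_KEY = b"constructed-demo-key"  # assumption: both parties hold the same secret

# Constructed sample data: (name, birth date, ZIP, drug) and (account, name, birth date, ZIP).
RX = [
    ("Ann Example", "1980-01-02", "63101", "drug-A"),
    ("ann  example ", "1980-01-02", "63101-1234", "drug-B"),
    ("Bob Sample", "1975-05-06", "10001", "drug-A"),
    ("Cy Nomatch", "1990-09-09", "94301", "drug-A"),
]
USERS = [
    ("acct-1", "Ann Example", "1980-01-02", "63101"),
    ("acct-2", "Bob Sample", "1975-05-06", "10001"),
    ("acct-3", "Dee Other", "1988-03-03", "20001"),
]

def normalize(name, dob, zip_code):
    """Canonicalize identity fields so both sides hash identical bytes."""
    return "|".join([" ".join(name.lower().split()), dob.strip(), zip_code.strip()[:5]])

def token(name, dob, zip_code, key=SHARED_KEY):
    """Deterministic code: the same person yields the same value at every party."""
    msg = normalize(name, dob, zip_code).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]

def tokenize_rx(records):
    """Broker side: identity fields are dropped, leaving code -> set of drugs."""
    out = {}
    for name, dob, zip_code, drug in records:
        out.setdefault(token(name, dob, zip_code), set()).add(drug)
    return out

def tokenize_users(users):
    """Website side: code -> site account."""
    return {token(n, d, z): account for account, n, d, z in users}

def matchback(rx_tokens, user_tokens, drug):
    """Join on the code alone; returns the site accounts in the segment for `drug`."""
    return sorted(a for t, a in user_tokens.items() if drug in rx_tokens.get(t, ()))

def aggregate_report(rx_tokens, user_tokens):
    """What the drugmaker receives in this sketch: matched-user counts per drug only."""
    counts = Counter()
    for t in user_tokens:
        counts.update(rx_tokens.get(t, ()))
    return dict(counts)
```

The join succeeds although neither side sends a name, so the permanent code itself behaves as an identifier for the account it matches. Deriving the codes under different keys at each party makes the two sets unjoinable.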
Modern coupon
“It involves tracking patients over time anonymously,” said Jody Fisher, director of U.S. product management for Danbury, Connecticut-based IMS, which has dossiers on more than 500 million patients worldwide. “It helps all stakeholders identify patterns of behavior that make delivery of health care more efficient.”
Matchbacks are part of a broader trend of pharmacies, hospitals and others riffling through Americans’ medicine cabinets. Hospitals are scouring credit-card records to learn about patients’ vices such as smoking and unhealthy eating, hedge funds are listening on health forums to glean pharmaceutical investment tips, and marketing companies are aggregating bits and pieces of information to assemble lists of people suffering from certain conditions.
The concept behind matchbacks isn’t new. For decades, retailers have hired marketing firms to link the names on their sales receipts back to lists of people who were sent promotional coupons, with a view to boosting sales of everything from soap to oatmeal by targeting ads to their shoppers. Now, the growth of the Web combined with the advent of powerful data mining has enabled pharmacy companies to adopt the practice.
New world
Data firms that perform matchbacks other than IMS include Symphony Health Solutions, which is part of private-equity firm Symphony Technology Group in Palo Alto, California, and Crossix Solutions Inc., a startup in New York.
Haren Ghosh, former chief research and analytics officer for Symphony Health Solutions, said the technique is misunderstood and privacy concerns are slowing companies’ ability to deliver more value to drugmakers and patients.
The goal is more personalization of ads without knowing the patients’ names.
“That is the world we are going to,” said Ghosh, who left Symphony in March to start Analytic Mix Inc., a marketing and data-analytics firm. A spokeswoman for Symphony did not return e-mails and telephone messages.
Crossix only performs matchbacks for websites whose users opt in, often by registering, said co-founder Asaf Evenhaim. The company uses multiple layers of anonymization to ensure that patient identities can’t be learned, he said.
“There’s a difference between making a link and knowing who a person is,” he said. “I’m very proud of what we do and how we do it.”
Reading your mind
Still, a prescription for, say, Viagra or Prozac isn’t the same as a grocery receipt, and as drug matchbacks become better understood, they’re raising concerns among patients about medical information available on the Web.
“Just because something’s legal doesn’t mean morally that it’s right,” said Aaron Laxton, a 35-year-old social worker from St. Louis, Mo., who was diagnosed with HIV three years ago.
Laxton, who has chronicled his post-diagnosis journey in a series of YouTube videos, said he is not surprised to see ads for new HIV medications as he travels the Web, but worries that he may be the target of a more subtle form of profiling, based on knowledge of his medical records. He said he is routinely shown banner ads for sleeping pills — a type of drug he has long taken yet rarely discusses or researches on the Internet.
“It’s this uncanny sense of, is this computer reading my mind?” he said. “It’s almost as if the computer pops up the ad even before the thought pops in your head.”
Headache gone