More MS news articles for February 2000

Report Recommends Safeguards for Prescription Privacy

February 9, 2000
Paul Candon
© 2000 Medical PressCorps News Service

What happens to your prescription information once it's entered into the pharmacy's computer?

Although in a recent survey 40 percent of respondents said they believed federal law protected the confidentiality of their medical records, no such comprehensive law exists.

In fact, pharmacy benefit management companies, or PBMs, some owned by pharmaceutical companies, regularly monitor physician-prescribing practices and collect data that are used to implement cost controls. PBMs act as intermediaries between pharmacies and third-party payers, including insurance companies and employers.

A new report, appearing in the February 9 issue of the Journal of the American Medical Association (, discusses the ethics of such programs and sets out recommendations for the use of health information by PBMs.

A public discussion of such recommendations is important now because on February 17, the U.S. Department of Health and Human Services will begin to modify its proposed regulations guiding medical privacy. Some have suggested that less privacy protection rather than more could be the outcome.

The workings of PBMs initially came to widespread public attention in 1998. In Washington, D.C., pharmacies owned by Giant Foods and CVS provided patient prescription information to a firm called Elensys, a direct marketing company. With this identifiable patient data, Elensys mailed information about new drugs to people who had filled prescriptions for similar medications. They also sent out prescription refill reminders.

Included among the letters Elensys mailed was information about the nicotine replacement drug bupropion (Zyban, Glaxo Wellcome), sent to patients who had previously received other smoking-cessation prescriptions. None of the recipients had initially been asked for permission to have their prescription information shared.

The public response was "extremely negative," according to Giant Foods, and the two companies dropped the campaign.

"The Elensys case dramatizes that patients may not realize how health care organizations may use prescription information, either internally or through contracts with external service organizations," wrote the report's authors, led by Dr. Bernard Lo of the program in medical ethics in the division of general internal medicine at the University of California, San Francisco.

In the report, the authors outlined seven main points to which, they believe, PBMs should adhere. First, actions taken by these companies should be of direct benefit to patients. Second, an oversight committee that does not have a financial stake in the decisions made should monitor PBMs.

Third, patients should actively authorize outside use of their medical information and be able to easily withdraw that authorization. However, the study authors also noted that health care organizations should be allowed to use patient information in evaluations of the cost-effectiveness of prescribing practices. This benefits the patient, they said, by keeping prescription prices lower.

Fourth, the authors wrote that PBMs should disclose financial interests that may pose ethical conflicts of interest with patients' concerns. "Some conflicts of interest are so severe that they should be prohibited rather than merely disclosed," the authors explained. "For example, pharmacy benefits management programs should not pay pharmacists for switching patients to specific drugs."

Fifth, for sensitive medical conditions like HIV infection or a diagnosis of mental illness, they argued that PBMs should be allowed access to information, but within certain constraints. Access to this information should be very limited, they said, and physicians and patient-advocacy groups should be closely involved in its use.

Sixth, they proposed that all PBMs should have policies that protect patient confidentiality through "administrative, technical and physical safeguards," and that all data be used only for their intended purposes.

Finally, the authors wrote that "patient authorization to use personal health information for advertising should be separate from authorization for pharmacy benefits management."

According to Dr. Peter Glaeser, a pediatrician at the University of Alabama at Birmingham, "the proposed regulations [from the Department of Health and Human Services] would abolish the traditional principle that patients' consent is generally required before their medical information can be released to third parties."

Glaeser authored an editorial that accompanied Lo's report in JAMA.

He said that the report "exemplifies the concerns evoked by the new ways in which identifiable medical information, in this case prescription drug data, is being used."

Continued Glaeser: "In the absence of hard evidence demonstrating that aggressive management of prescription practices either saves money or improves care, millions of patients' records each year are scrutinized by PBM companies."

Glaeser noted that almost anyone involved in health care operations can have access to medical information under the proposed government regulations, possibly including lawyers and employers.

"Each time the privacy of medical records is traded for some other purported good, there is a real risk of dissuading people from coming for treatment or from revealing the information that physicians need to provide adequate care," Glaeser concluded.

Journal of the American Medical Association (2000;283:795-797,801-806)