Supreme Court Finds No Privacy in Vermont Drug Marketing Law
On June 23, the U.S. Supreme Court issued its decision in Sorrell v. IMS Health, Inc. et al., striking down as unconstitutional a Vermont statute that prohibited the use of drug prescribing information for marketing purposes.
The data targeted by the statute was de-identified with respect to patients per HIPAA standards. The data identified prescribers and their prescribing patterns and is commonly used for "detailing" or targeted prescriber marketing by drug company sales representatives. In enacting the statute, Vermont identified the need to curb costs associated with the prescribing of brand-name drugs (versus available generic alternatives). Vermont also argued that the statute was enacted to protect patient and prescriber privacy.
By a vote of 6-3 the Court found that the Vermont statute was not aimed at protecting privacy and violated the free speech rights of drug marketers.
CDT issued an initial memo on the case back in March. Today in iHealthBeat, CDT analyzes the opinion and discusses the potential implications of the decision. Below are some key points raised in the analysis:
• The Court’s seminal concern with the Vermont statute was that it targeted a particular type of commercial speech (marketing) by particular actors (pharmacies and drug manufacturers). Such “viewpoint discrimination,” where the government is targeting only one side of an issue, is the ultimate offense under the First Amendment.
• The Court acknowledged that Vermont’s desire to lower health care costs is a legitimate state policy goal, but declared that the state could not pursue this goal by curtailing speech.
• CDT does not believe the case deals a death blow to privacy regulation. On the contrary, the Court expressly acknowledged the threats to privacy posed by modern information technology and noted that the state could have advanced those privacy interests "by allowing the information’s sale or disclosure in only a few narrow and well justified circumstances."
A number of privacy advocates had urged the Court to find that the data at issue could identify patients, implicating the viability of the HIPAA de-identification standards. But the Court did not take the bait on this issue, never questioning the premise that the data at issue did not raise privacy concerns for patients. As a result, the issues that have been raised by CDT and others about HIPAA de-identification are left to be resolved by Congress and regulators, who are better suited to handle them.