Posts Tagged ‘Healthcare’

Labor Day Ode: Should Consumer Privacy be part of Antitrust Analysis?

September 4, 2009

After our summer of discontent over healthcare reform, this Labor Day I thought it was particularly appropriate to write about the recent letter sent by Change to Win (a coalition of 6 labor unions representing over 6 million workers), urging the FTC to re-examine the 2007 merger of CVS and Caremark. This follows concerns expressed by the National Community Pharmacists Association, as well as several letters sent by Senators to FTC Chairman Jon Leibowitz, asking him to take a second look at the merged entity.

Why am I writing about a health-care merger in a blog that’s mainly focused on tech policy and regulation? Because a primary issue at the center of this growing controversy – CVS-Caremark’s handling of private patient data – raises an unresolved question for regulators: should consumer privacy be part of antitrust analysis when considering a merger or conduct involving companies that have access to sensitive user data? The answer to this question will ultimately have significant impact on all companies doing business on the Internet.

In their November 2008 report, Change to Win discusses how CVS-Caremark – the largest provider of prescriptions in the United States – has “unprecedented access” to private patient information (including pricing information).  This access allows CVS-Caremark to sell patient data to third parties (including insurance companies who then use the data to deny patient claims), and to promote drugs – both on behalf of pharmaceutical companies and to doctors.  In addition, the report suggests that Caremark (one of the country’s largest “pharmacy benefit managers”) routinely shares patient prescription data with its retail arm CVS to increase sales of both healthcare and non-healthcare related products.

Change to Win is not alone in their assessment of CVS-Caremark’s practices. In their letter to the FTC, Senators Byron Dorgan, Russ Feingold and Amy Klobuchar write that the merger has created a “heightened opportunity for anticompetitive conduct in the prescription drug market.”

The last time the FTC looked at consumer privacy within the context of a merger was also the first time the Commission had really been presented with the issue – the 2007 examination of Google’s acquisition of DoubleClick. After an 8-month investigation, the FTC approved the transaction. FTC Commissioner Pamela Jones-Harbour (the lone dissenter) expressed concern over a merger that would “combine not only the two firms’ products and services, but also their vast troves of data about consumer behavior on the Internet.” At least with regard to CVS-Caremark, her words may have been incredibly prescient. And, if the FTC does choose to re-examine the CVS-Caremark merger, the interplay between consumer privacy and merger efficiencies will be closely watched.


A 2-Track Society?

August 20, 2009

The recent flap over a White House email tip line ended this week when the feature was disabled. I won’t go into the details that drove the White House to this decision – they are captured quite well in this Washington Post article.  But the incident has led me to wonder: in the future, will the benefits you receive as a US citizen (or resident) increase depending on your willingness to surrender certain personal information about yourself to the government?

Perhaps the idea of a White House email tip line is a bit premature. Governments are just starting to connect with citizens using technology. Trust needs to be built. Trust in your government (that your personal information will not be used in a way that violates your privacy). Trust in technology (that it will be secure and robust enough to protect your personal information from misappropriation). Given the White House’s recent proposal to scale back the ban on tracking technologies on federal websites, I’m sure this question will be revisited again.

But let’s assume the White House is successful in scaling back the tracking ban.  This would mean that citizens who “opt-in” to being tracked by a federal agency website – such as – will be asked to set up a personal profile (similar to what already happens when you shop online or have a website remember your customized settings and preferences). According to White House CIO Vivek Kundra, the federal government will then use this information to provide better, more targeted customer service.

Arguably, by knowing more about you, the government could serve your needs better. Here are a couple of examples. As a business owner, you could receive real time updates – from a pertinent federal agency – about the laws and regulations that impact your business. Most businesses do not currently have access to this type of information (short of hiring a lawyer or other expert for advice). Another example: under a technology pilot being spearheaded by US CTO Aneesh Chopra, the process to gain US citizenship or residency is being overhauled. Now, after creating a profile, INS applicants will be able to get real time updates on the status of their US citizenship or residency application. For anyone who has been through this process or knows someone who has, this will be a tremendous improvement to the normally onerous INS process.

All of this also means that people who choose to “opt-out” of the government’s tracking system will miss out on certain benefits (the magnitude of that loss would depend on personal and work situations).   This isn’t just a lack of information, it’s also a lack of engagement.  And over time, we will have two types of citizenry in our country – those that remain engaged and connected to government, and those who don’t.  There will be a cost – even if you don’t interact with a federal agency on a regular basis, you will still be deprived of valuable information – that may impact life and work decisions – if you opt out of this system.

Let’s circle back to where we started – the White House’s email tip line.  In the end, the situation has been resolved to some extent.  People who are in search of a response to “disinformation” about President Obama’s health insurance reform plan are being directed to the White House’s Reality Check website with specific questions being answered through a web-based form.  But this is a country where many layers of bureaucracy and protocol stand between the average citizen and the President.   Did “fear-mongering” and “online rumors” lead us to miss an opportunity to engage more deeply with the White House and enrich the national debate on a deeply important subject?

We’ll never know.  For now, at least with regards to health insurance reform, the White House wants your query to be completely anonymous.

FTC issues Health Breach Rule (Regulation)

August 18, 2009

The 2009 Recovery Act identified a growing segment of the technology market – “web-based entities” that collect health information from consumers. These include companies that allow consumers to manage their personal health record or “PHR” online. Such entities are currently not required to comply with the privacy and confidentiality requirements of HIPAA.

Under the Act, HHS and the FTC must study “privacy, security and breach notification” requirements for covered entities, and then report back to Congress.  The hope is that Congress will eventually implement the report’s findings into future legislation.  But until that happens, the Act provides temporary requirements, and looks to the FTC to promulgate the implementing regulations.  After digesting over 130 comments, the FTC has now issued its final rule.

The FTC’s Health Breach Rule requires covered entities to notify US citizens and residents in instances where there is a “breach of security,” i.e. instances where there is an “unauthorized acquisition of unsecured PHR identifiable health information of an individual”…

Some additional highlights: Notification must be made without “unreasonable delay” – within 60 days.  The rule does not apply to HIPAA-covered entities (with many pages devoted to this analysis). Comments to the rule reveal considerable concern over the use of electronic health records, and potential consumer confusion over multiple breach notices (required under other federal or state laws).

The rule is clear on pre-emption: only state breach notification laws that are contrary to this rule are pre-empted.  In other words, the federal rule is merely a “floor” here; covered entities must also comply with any additional state law requirements.