On June 23, 2011, the United States Supreme Court, in Sorrell v. IMS Health Inc., determined that Vermont’s law prohibiting pharmacies from selling prescription data to “data-mining companies” violated the Free Speech Clause of the First Amendment. Data miners purchased the prescription data to aggregate and resell it to pharmacy manufacturers for marketing purposes. Drug manufacturers used the information to target physicians for face-to-face visits (“detailing”) by salesmen to convince the physicians to prescribe more of the manufacturers’ costly brand-name drugs. The prescription information purchased from the data miners enabled the manufacturers to target particular physicians who were not prescribing their brand-name drugs or who were prescribing competing drugs.
Several states objected to drug manufacturers’ use of prescription information for detailing, contending that it increased sales of brand-name drugs and drove up healthcare costs. When these states passed laws preventing the pharmacies’ sale of the prescription information to data-mining companies and the use of this information by drug manufacturers, the data miners and drug manufacturers sued.
When the challenge to Vermont’s data-mining law reached the Supreme Court, the Court invalidated it on the grounds that it violated the Free Speech Clause. The Court held that the law did not survive strict scrutiny. It prohibited the use of prescription information with a particular content (prescriber histories) by particular speakers (data miners and detailers) and did not advance Vermont’s asserted goals of ensuring physician privacy, improving the public health, and containing healthcare costs in a permissible way.
The Federal Privacy Rule, implementing the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), is similar to the data-mining laws in its restrictions on the disclosure of private health information. This Article applies the HIPAA Privacy Rule to the practice of data mining and, surprisingly, finds that HIPAA restricts it. The Privacy Rule flatly prohibits any unauthorized use or disclosure of protected health information for marketing purposes. Nevertheless, the practice of data mining continues despite HIPAA. In fact, at least one court has recently declared that nothing in HIPAA restricts data mining.
The question post-Sorrell is whether the marketing provisions of the Privacy Rule, like Vermont’s data-mining law, also violate freedom of speech. Although there are obvious similarities between HIPAA’s marketing provisions and the marketing restrictions of Vermont’s data-mining law, there are also substantial differences. The structure of the Privacy Rule is quite unlike the data-mining law in that the discriminatory intent and impact that the Supreme Court found objectionable in Sorrell is largely absent in HIPAA. Unlike Vermont’s data-mining law, the Privacy Rule does not target disclosures with particular content or by particular speakers. Therefore, this Article concludes that it is likely that application of the Sorrell analysis to the Privacy Rule would yield a different answer.
