Sale of "De-Identified" Data Would Not Violate California Medical Information Privacy Law

This posting was written by Thomas Long, Editor of CCH Privacy Law in Marketing.

An individual could not pursue claims under the California Confidentiality of Medical Information Act (CMIA) against retail pharmacies that allegedly sold customer prescription information to data mining companies for marketing purposes because the individual failed to specify what individually identifiable information remained in the records after the pharmacies "de-identified" the information, the federal district court in San Diego has determined.

The CMIA prohibits health care providers, health care service plans, or contractors from disclosing medical information regarding patients without first obtaining authorization. It also prohibits health care providers from sharing or selling medical information for use in marketing.

The data mining companies (DMCs) installed software on the pharmacies' computer servers that captured and collated patient prescription information, which was then transferred to the DMCs' off-site servers and sold to pharmaceutical companies for use in structuring drug marketing programs directed at physicians.

The software installed on the pharmacies' computers de-identified the prescription information and assigned a number to each patient to allow correlation of that information without individually identifying patients.

"Medical Information"

"Medical information" is defined under the CMIA as "any individually identifiable information, in possession of or derived from a provider of health care ... regarding a patient's medical history, mental or physical condition, or treatment." Pharmacies were considered health care providers under the CMIA, the court noted.

"Individually identifiable information" is "medical information includ[ing] or contain[ing] any element of personal identifying information sufficient to allow identification of the individual, such as the patient's name, address, electronic mail address, telephone number, or social security number, or other information that, alone or in combination with other publicly available information, reveals the individual's identity."

De-identified information would not constitute "medical information" under the CMIA, according to the court. The individual's assertion that the DMCs' software inadequately anonymized the data was conclusory and did not rise above the level of speculation. He did not specify what information remained after the de-identification process.

The individual also failed to allege that any pharmacy or DMC reverse-engineered the de-identified information to create individually identifiable information.

Breach of Contract, Invasion of Privacy

Because the individual failed to allege a violation of state law, his claims that the pharmacies breached a contractual undertaking to comply with state privacy laws also failed.

In addition, the individual could not pursue claims for violation of privacy under the California Constitution because he failed to allege a legally protected privacy interest related to the transfer of de-identified medical information, the court ruled.

The decision is London v. New Albertson’s Inc., CCH Privacy Law in Marketing ¶60,255.