IMS Health Files for IPO – Is It Legal?

On January 2nd, IMS Health Holdings announced it will sell stock on the New York Stock Exchange. IMS joins other major NYSE-listed corporations that derive significant revenue from selling sensitive personal health data, including General Electric, IBM, United Health Group, CVS Caremark, Medco Health Solutions, Express Scripts, and Quest Diagnostics.

  • IMS buys and aggregates sensitive “prescription and promotional” records, “electronic medical records,” “claims data,” “social media” and more to create “comprehensive,” “longitudinal” health records on “400 million” patients.
  • All purchases and subsequent sales of personal health records are hidden from patients.  Patients are not asked for informed consent or given meaningful notice.
  • IMS Health Holdings sells health data to “5,000 clients,” including the US Government.
  • Despite claims that the data sold is “anonymous”, computer science has long established that re-identification is easy.
  • See brief 3-page paper by Narayanan and Shmatikov at: http://www.cs.utexas.edu/~shmat/shmat_cacm10.pdf)
  • See Prof. Sweeney’s paper on re-identifying patient data sold by states like WA at: http://thedatamap.org/risks.html
  • “Our solutions, which are designed to provide our clients access to our deep healthcare-specific subject matter expertise, take various forms, including information, tailored analytics, subscription software and expert services.” (from IMS Health Holding’s SEC filing)

 

Quotes from IMS Health Holding’s SEC filing:   “We have one of the largest and most comprehensive collections of healthcare information in the world, spanning sales, prescription and promotional data, medical claims, electronic medical records and social media. Our scaled and growing data set, containing over 10 petabytes of unique data, includes over 85% of the world’s prescriptions by sales revenue and approximately 400 million comprehensive, longitudinal, anonymous patient records.”   IMS buys “proprietary data sourced from over 100,000 data suppliers covering over 780,000 data feeds globally.”

How can this business model be legal?  How can companies decide that US citizens’ personal health data is “proprietary data,” a corporate asset, and sell it?  If personal health data ‘belongs’ to anyone, surely it belongs to the individual, not to any corporation that handles, stores, or transmits that information.

Americans’ strongest rights to control personal information are our rights to control personal health information. We have constitutional rights to health information privacy which are not trumped by the 2001 elimination of the right of consent from HIPAA (see: http://patientprivacyrights.org/truth-hipaa/ ). HIPAA is the “floor” for privacy rights, not the ceiling. Strong state and federal laws, and medical ethics require consent before patient data is used or disclosed. 10 state constitutions grant residents a right to privacy, and other states constitutions have been interpreted as giving residents a right to privacy (like TX).

Surely FTC would regard the statement filed with the SEC as evidence of unfair and deceptive trade practices. US patients’ health data is being unfairly and deceptively bought and sold.  Can the SEC deny IMS Health the opportunity to offer an IPO, since its business model is predicated on hidden purchase and sale of Americans’ personal health data?

If we can’t control the use and sale of our most sensitive personal information, data about our minds and bodies, isn’t our right to privacy worthless?

deb

To view the full article published in Modern Healthcare visit:  IMS Health Files for IPO