Drug Company May be Circumventing HIPAA by Using Patient Data

Dec 18, 2014

As reported recently by Bloomberg News, pharmaceutical companies are using patient PHI to market their products, even though they are not allowed to have access to this information under HIPAA regulations.

HIPAA covered entities are not allowed to release patient information to third parties for the purposes of marketing, yet pharmaceutical companies are obtaining the data from a different source. Drug companies are now looking for assistance from online data agencies that can provide them with the data they need to directly market products to the persons most likely to use their drugs.

Marketing data is very useful for drug companies as it allows them to market their products more effectively. The market for a particular treatment may be very small in terms of penetration, so using traditional advertising methods is less likely to produce the required number of sales. However, if a drug company could get a list of patients who had been diagnosed with a condition that its drug treats, the success of its direct marketing efforts would increase substantially. Under HIPAA, however, pharmaceutical companies are not allowed access to this data.

Internet organizations track website visitors and assign them a unique identification number. This number can then be used to link the patient to their medical condition. The patient is identified, but since no name has been given there is no HIPAA breach. Pharmaceutical companies can obtain valuable data about patients' illnesses and medical treatments, and they can then use that information to provide those patients with targeted adverts.

Privacy groups are worried that PHI is being provided for marketing purposes, yet the practice falls outside of HIPAA regulations, which only cover healthcare organizations, pharmacies and their clients.

The data collection technique is known as matchback, and it is used extensively in online marketing. In the case of healthcare data, data collection companies buy records from pharmacy benefit managers and run complicated algorithms to match records with people. The transformed data is sold on to the drug companies with codes assigned, and this allows focused adverts to be displayed to those people. The vast majority of consumers who have visited a pharmacy are likely to have been given a code, and that code could be in use by pharmaceutical companies.

Consumers who are aware they are being presented with adverts specific to medical conditions they suffer from are likely to be viewing those adverts because of their medical information. However, search engines also track users and present adverts based on previous searches.

In the case of completed internet searches for products, tracking individuals is a perfectly reasonable marketing tactic. However, privacy groups are worried about the level of medical information that is for sale on the internet and that the practice is breaching a consumer's right to privacy.

Pharmaceutical companies claim that the technique is necessary in order to recover money for drug development, especially when faced with the expiration of a patent. They use a company that makes a link between two data sets, but the individuals remain totally anonymous. They know you have a condition and what drugs you use; they just do not know you specifically by name. Drug companies conducting marketing campaigns using this technique argue that the practice is perfectly legal.

Not all pharmaceutical companies are of this opinion, however. GlaxoSmithKline, for example, has halted all matchback activity due to concerns over patient privacy. On the other hand, AstraZeneca has no such problem with the technique and uses it for all of its digital marketing.

The Office for Civil Rights enforces HIPAA, but when contacted by Bloomberg, it did not comment as it was not familiar with the practice of matchback. Matchback may not breach HIPAA or disclose sensitive information; however, it is a marketing method that consumers should be made aware of, although currently patients are not given the chance to opt out.


Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelor's degree is from the University of Limerick and his master's degree in journalism is from Dublin City University.
