We’ve talked about this a bit before. I won’t give the whole history, but you can visit Green Mountain Daily’s Pharmacy Fishing Archive for all the stories about the Vermont State Police collecting patients’ prescription data from pharmacists throughout the state of Vermont.
Well, it’s just gotten a bit more interesting. Some of the earlier discussion (I don’t recall how much of it was private and how much was posted online) involved a database intended to get a handle on illegal prescription drug use. What I didn’t realize at the time was that the Department of Health had already begun developing that database and has, in fact, put out bids for the creation of it.
I’m a tech geek with extensive experience in databases and secure information management. After the fold, I’ll try to explain exactly what this database can do, doing my best to translate tech geek into standard human English.
For those of you who are tech geeks yourselves, this may sound like I’m talking down to you. I apologize, but I want this to be understood by the general public, and I want to be thorough.
I’m going to begin by quoting a few items from the requirements set forth by the state for the database:
The contractor will collect data on all Schedule II, III, and IV controlled substances dispensed by VT licensed pharmacies.
(You can see which drugs fall into the various schedules through the Department of Justice.)
A complete record for each prescription dispensed will be stored for six years, and shall be available for query during this period.
“Available for query” means that any authorized user can, at any time, look up any record going back as far as six years.
The following data elements will be collected by the application from dispensing pharmacies:
1. Patient full name
2. Patient date of birth
3. Patient’s complete address
4. Prescriber name
5. Prescriber DEA#
6. Pharmacy Identification
7. Pharmacist’s name or initials
8. Generic or brand name of drug dispensed
9. National Drug Code for the drug dispensed
10. Quantity of drug dispensed
11. Dosage
12. Number of days supply dispensed
13. Number of refills prescribed
14. Date drug dispensed
15. Source of payment
16. If the patient is an animal, the patient’s name and species, along with the owner’s full name, DOB, and address.
I think this is mostly self-explanatory; from what I understand, people who prescribe medications have Drug Enforcement Administration (DEA) registration numbers that identify them to federal officials. I’m assuming source of payment is relevant because cash payments are believed to be more likely in criminal transactions than credit card payments.
More from the requirements:
The contractor will be an Application Service Provider, hosting the Vermont Prescription Monitoring System (VPMS). The contractor shall utilize and maintain all hardware and software for the VPMS application, throughout the life of the resulting contract.
This may take some explanation. Here’s the deal: an “Application Service Provider” means that whoever wins this bid will, themselves, be hosting the system. In other words, instead of the state housing it on its own secure servers, a private company will be holding all of the data.
This means that although the company will be contractually required to meet strict security requirements, there is little the State of Vermont can do to verify that they are actually met. Unless the contract spells out breach notification and gives the state the right to audit, the company has no incentive to disclose a breach on its part, because doing so could place its corporate interests in jeopardy.
Really, for me, this is what it boils down to:
- If we’re going to collect this data (I’m not convinced we need to, but if we do it, we need to do it better than this), there has to be a firewall of some sort between the different kinds of data. Specifically:
- separate access to personal names (for routine data cleanup, elimination of duplicate records, etc.) that is not connected to medications or prescription history, combined with…
- a set of criteria for revealing the names. For example, if the same individual fills prescriptions at four different pharmacies in a six-month period, that can trigger a report which lets law enforcement determine whether an investigation is warranted; absent such a trigger, a warrant is required to obtain the information.
- If we’re going to collect this data, it needs to be housed somewhere we can keep an eye on it, not with some corporation somewhere that may or may not have any strong motivation to keep the information private.
- The proposal itself uses the terms “HIPAA compliant” and “fully HIPAA compliant” without ever defining what is meant by them. These terms sound precise but are relatively ambiguous, and open to enough interpretation that the Vermont Department of Health needs to state exactly what it takes HIPAA to require and how it expects the contractor to meet those requirements.
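A sketch of the two-table split and the trigger described in the list above, as an added example (mine, not code from the original post or from the State’s proposal). It uses Python’s standard sqlite3 module on an in-memory database; the table and column names, the reading of “six months” as 183 days, and the sample rows are all my assumptions, constructed for illustration.

```python
import sqlite3

# Assumptions (mine, not the RFP's): "six months" is 183 days and the trigger
# is four or more distinct pharmacies inside any such window.
WINDOW_DAYS = 183
PHARMACY_THRESHOLD = 4

# Two tables, not one: identity data lives apart from dispensing history, and
# the only link between them is an opaque patient_key. Names are hypothetical.
SCHEMA = """
CREATE TABLE patient_identity (
    patient_key TEXT PRIMARY KEY,
    full_name   TEXT NOT NULL,
    dob         TEXT NOT NULL,
    address     TEXT NOT NULL
);
CREATE TABLE dispensing (
    patient_key  TEXT NOT NULL,
    pharmacy_id  TEXT NOT NULL,
    dispensed_on TEXT NOT NULL,   -- ISO date, so string order is date order
    ndc          TEXT NOT NULL,
    quantity     INTEGER NOT NULL
);
"""

# Constructed sample rows, not real records. NDC values are placeholders.
SAMPLE_IDENTITIES = [
    ("P1", "Jane Doe", "1980-04-02", "1 Main St, Montpelier VT"),
    ("P2", "John Roe", "1975-11-30", "5 Elm St, Burlington VT"),
    ("P3", "Jane Doe", "1980-04-02", "1 Main Street, Montpelier VT"),  # likely duplicate of P1
]
SAMPLE_DISPENSINGS = [
    # P1: four pharmacies within six months (plus a refill) -> trigger fires
    ("P1", "PH-A", "2024-01-10", "NDC-X", 30),
    ("P1", "PH-B", "2024-02-15", "NDC-X", 30),
    ("P1", "PH-A", "2024-03-12", "NDC-X", 30),
    ("P1", "PH-C", "2024-04-01", "NDC-X", 30),
    ("P1", "PH-D", "2024-06-20", "NDC-X", 30),
    # P2: four pharmacies, but spread over two years -> no window reaches four
    ("P2", "PH-A", "2024-01-05", "NDC-Y", 60),
    ("P2", "PH-B", "2024-09-01", "NDC-Y", 60),
    ("P2", "PH-C", "2025-03-01", "NDC-Y", 60),
    ("P2", "PH-D", "2025-10-01", "NDC-Y", 60),
    # P3: two pharmacies only
    ("P3", "PH-A", "2024-05-01", "NDC-X", 30),
    ("P3", "PH-A", "2024-06-01", "NDC-X", 30),
    ("P3", "PH-B", "2024-07-01", "NDC-X", 30),
]


def build_db():
    """In-memory SQLite database loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO patient_identity VALUES (?, ?, ?, ?)", SAMPLE_IDENTITIES)
    conn.executemany("INSERT INTO dispensing VALUES (?, ?, ?, ?, ?)", SAMPLE_DISPENSINGS)
    return conn


def flag_pharmacy_shopping(conn, threshold=PHARMACY_THRESHOLD, window_days=WINDOW_DAYS):
    """Return {patient_key: most distinct pharmacies seen in any window} for the
    keys that meet the trigger. Reads the dispensing table only; no names."""
    rows = conn.execute(
        """
        SELECT a.patient_key, COUNT(DISTINCT b.pharmacy_id)
        FROM dispensing a
        JOIN dispensing b
          ON b.patient_key = a.patient_key
         AND b.dispensed_on >= a.dispensed_on
         AND b.dispensed_on <= date(a.dispensed_on, ?)
        GROUP BY a.patient_key, a.dispensed_on
        HAVING COUNT(DISTINCT b.pharmacy_id) >= ?
        """,
        (f"+{int(window_days)} days", threshold),
    ).fetchall()
    flagged = {}
    for key, pharmacies in rows:
        flagged[key] = max(flagged.get(key, 0), pharmacies)
    return flagged


def reveal_identities(conn, flagged):
    """The only path from a patient_key to a name: it accepts nothing but the
    keys the trigger produced, so an un-flagged person cannot be looked up here."""
    keys = sorted(flagged)
    if not keys:
        return []
    placeholders = ",".join("?" * len(keys))
    return conn.execute(
        f"SELECT patient_key, full_name FROM patient_identity "
        f"WHERE patient_key IN ({placeholders}) ORDER BY patient_key",
        keys,
    ).fetchall()


def duplicate_identity_candidates(conn):
    """Routine cleanup that touches the identity table alone: name+DOB pairs
    registered more than once. No drug data is read."""
    return conn.execute(
        "SELECT full_name, dob, COUNT(*) FROM patient_identity "
        "GROUP BY full_name, dob HAVING COUNT(*) > 1 ORDER BY full_name"
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    hits = flag_pharmacy_shopping(db)
    print("trigger fired for:", hits)
    print("names released for review:", reveal_identities(db, hits))
    print("possible duplicate identities:", duplicate_identity_candidates(db))
```

In a real deployment the two tables would sit behind separate database roles or separate databases, so that the account running the trigger query simply cannot read patient_identity and the account doing name cleanup cannot read dispensing; an in-process SQLite file cannot enforce that separation, which is exactly why it matters who hosts the system and who can audit it.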
One final thought: information stored like this has real potential for political misuse down the line. With the system as described in the proposal, anyone with access who opposes a sitting governor or legislator could quietly look up that person’s prescription history and leak it to the press. To me, this is a very big deal.