Pharmacies sue CVS Caremark over privacy issues
Patient and physician privacy apparently are being compromised in all kinds of ways in Texas. In just the past few days, we've learned that:
* The Texas Department of State Health Services (DSHS) has sold or given away hospital patient data on more than 27 million hospital stays since 1999, according to a report by the Austin Bulldog, an investigative journalism nonprofit organization.
* The Texas Tribune reports that former state Rep. Bill Zedler (R-Arlington) "used his legislative authority to obtain a series of confidential records from the Texas Medical Board." Zedler reportedly reviewed files on five physicians, at least two of whom contributed to his campaign fund.
* A group of six independent pharmacies in the Lone Star State has sued CVS Caremark, charging that the company's Caremark pharmacy benefits management arm engaged in racketeering, violated HIPAA by gaining too much control over patient data, and squeezed competition out of the retail pharmacy market.
"The suit claims CVS Caremark violates the firewall between the retail pharmacy and the pharmacy benefit manager [PBM] entities as required when the Federal Trade Commission approved the CVS and Caremark 2007 merger. Instead, the combined company built an information technology platform that straddles all of CVS Caremark's business segments, capturing in-depth patient data for marketing and other purposes in violation of HIPAA patient privacy laws," reads a press release from American Pharmacies, a for-profit pharmacy buying group that claims to be financing the legal action.
In an email to reporters, Austin, Texas-based patient privacy advocate Dr. Deborah Peel expresses support for the suit and says pharmacy privacy violations are widespread. "It's important to understand that CVS Caremark is not alone in 'profiling' patients or selling the records of everyone who fills a prescription at a CVS store," Peel writes. "Daily data mining, theft and the sale of prescription records occurs in all 55,000 U.S. pharmacies. And every other corporation that collects, stores, transfers or handles prescription records electronically [pharmacy chains, pharmacy benefits managers, hospitals, switching companies, data management corporations, etc., etc.] also steals and sells the records. This massive under-the-radar industry generates hundreds of billions/year in revenue."
In the case of the DSHS disclosures, attorney Jim Harrington, director of the Texas Civil Rights Project, told the Bulldog that the data sales represent a "wholesale invasion of families' medical privacy" and a "shocking breach of people's constitutional rights."
DSHS makes public through its website files on more than 200 kinds of information, including individuals' insurance coverage, whether the stay involved placement of a heart stent, sterilization, abortion performed due to rape and any tests or medications delivered while in the hospital.
Buyers can obtain two versions of the hospital patient files: one containing complete personal information, including date of birth, dates of admission and discharge, and the patient's full address, and a second, "de-identified" version with some, but not all, personal information removed by DSHS. Data security experts claim that it's easy to re-identify people in de-identified data files by comparing them with other files, the Bulldog reports.
The data files DSHS distributes often go to non-physicians who use, sell, and re-sell hospital patient data, putting personal privacy at risk. In 2009, the insurance lobby group America's Health Insurance Plans was one of many entities approved to buy the unrestricted research version of the patient data files. Since Jan. 1, 2009, 98 customers bought patient data from Texas. Several are listed in the Bulldog article.
For more information:
- read the investigative report in the Austin Bulldog
- check out this Texas Tribune story
- have a look at this New York Times "Prescriptions" blog item
- see this press release from American Pharmacies
Sandra Yin contributed to this article.