Ad Age Deputy Editor Judann Pollack answered her home phone one evening in February. It was a robocall with a recorded message: "Hello! Do you or does anyone in your family have…" The name of a disease followed. "It was really freaky," said Ms. Pollack, "to hear this recorded voice asking about such a personal matter that, as far as I knew, was known only to our family doctor, pharmacy and insurance company."
The call was from a clinical research recruitment company called Acurian, which did not respond to requests for comment about how it gained access to what is clearly sensitive health data. But was it personalized, which crosses legally boundaries? Technically not, because the robocaller did not target by name but by household, in this case limiting the pool of candidates to three.
To the average consumer, this feels like a personal violation. But to the $291 billion prescription drug industry, it's simply efficient targeting via legitimate data collection. And there lies the crux of the problem: to many in the health-care industry, the rules regulating their marketing practices are like a virtual straightjacket; to privacy advocates and some consumers, they are far too loose.
Industry execs suggest there are several ways that phone call to Ms. Pollack might have come about. There are health-information sites such as QualityHealth and WebMD's MedicineNet.com; on the surface they are simply health and medical content publishers, but their true business models revolve around data collection through site registrations, surveys and email newsletter signups. Magazine publishers have similar roles as health data providers.
Ms. Pollack says no one in her family used any of those sites.
But there's much more out there. Health data powerhouse IMS Health offers marketers prescription data from physicians, hospital treatment and discharge records and prescription data from "tens of thousands" of pharmacies. All of that information, IMS assures on its website, is de-identified, according to HIPAA rules.
The 1996 federal law limits use of data gathered by hospitals and other entities such as insurers and pharmacies, but it doesn't apply to all health data.
HIPAA rules prevent marketers from targeting individuals directly based on prescription-drug-transaction data. HIPAA requires data be de-identified before it's shared with partners, and once it's stripped of names and other identifiable data, companies could have free rein to share and sell it the way they would other purchase data or online behavioral information, depending on what uses the consumer OK'd when it was collected.
"It's in the wild. That data is no longer covered by HIPAA if it's been de-identified," said Pam Dixon, executive director of World Privacy Forum.
Just how "de-identified" all of this data is remains up for debate. Data analysis and additional data sets can help circumvent the lack of identifiable information by isolating narrow niches of patients.
"The question of how and if information can be de-identified in a digital landscape given how discrete data elements can be recombined over time -- the so-called mosaic effect -- is tricky," said Julia Jacobson, a privacy and marketing law partner at McDermott Will and Emery.
Does it even matter if the data is anonymized if the consumer feels shocked or violated by targeted marketing?
While no one expects drug makers to go back to the dark ages of non-targeted marketing, health care and other industries dealing with sensitive data need to stop speaking legalese and start learning the language of the people they say they're trying to help. And they should think twice about using certain types of information altogether.
But the overwhelming response from industry is a defensive one. "We don't use personally identifiable information," "the data is completely anonymized" and "everything is opt-in" are the go-to phrases. This defensive stance completely misses the mark.
"I think that a lot of the people who are kind of on a witch hunt for some dirt on this really don't understand it," said Bill Drummy, CEO and founder of Heartbeat Ideas. He stressed that some of his clients require consumers to opt-in multiple times to allowing health data to be used for marketing purposes because "they are so concerned about getting bad PR or doing something that would be a violation of patient trust."
Asaf Evenhaim is adamant about his firm's dedication to privacy. As CEO of health-care data analytics firm Crossix, which has a relationship with Nielsen Catalina Solutions, he stressed that the company only uses non-HIPAA covered data and avoids using behavioral data when it creates consumer segments for pharma client campaigns.
And maybe the focus on marketing is a bit of a red herring anyway. Some say regulators should focus on preventing uses of data for purposes that could have far more detrimental effects than simply creeping out consumers.
"The real problem is when insurance companies or employers are purchasing this kind of data and making decisions about you based on the data," said Ms. Dixon. She noted that sophisticated analytics allow insurance firms and other companies to combine public records, demographic and geographic data with purchase data to attribute scores to individuals that gauge things such as likelihood to take prescription medications as instructed. Those scores can trigger automated reminders to take medications, or inform insurance rates, for example.
Concluded Ms. Dixon, "So much data is flowing that it has absolutely overrun the protections that exist."