Prescription Data Used To Assess Consumers - Records Aid Insurers but Prompt Privacy Concerns

By Ellen Nakashima - Washington Post Staff Writer - Monday, August 4, 2008
Health and life insurance companies have access to a powerful new tool for evaluating whether to cover individual consumers: a health "credit report" drawn from databases containing prescription drug records on more than 200 million Americans.

Collecting and analyzing personal health information in commercial databases is a fledgling industry, but one poised to take off as the nation enters the age of electronic medical records. While lawmakers debate how best to oversee the shift to computerized records, some insurers have already begun testing systems that tap into not only prescription drug information, but also data about patients held by clinical and pathological laboratories.

Traditionally, insurance companies have judged an applicant's risk by gathering medical records from physicians' offices. But the new tools offer the advantage of being "electronic, fast and cheap," said Mark Franzen, managing director of Milliman IntelliScript, which provides consumers' personal drug profiles to insurers.

The trend holds promise for improved health care and cost savings, but privacy and consumer advocates fear it is taking place largely outside the scrutiny of federal health regulators and lawmakers.

Ingenix, a Minnesota-based health information services company that had $1.3 billion in sales last year -- and Wisconsin-based rival Milliman -- say the drug profiles are an accurate, less expensive alternative to seeking physician records, which can take months and hundreds of dollars to obtain. They note that consumers authorize the data release and that the services can save insurance companies millions of dollars and benefit consumers anxious for a decision.

"Some insurers can make a decision in the same day, or right on the spot," Franzen said. "That's the real 'value-add.' "

But the practice also illustrates how electronic data gathered for one purpose can be used and marketed for another -- often without consumers' knowledge, privacy advocates say. And they argue that although consumers sign consent forms, they effectively have to authorize the data release if they want insurance.

"As health care moves into the digital age, there are more and more companies holding vast amounts of patients' health information," said Joy Pritts, research professor at Georgetown University's Health Policy Institute. "Most people don't even know these organizations exist. Unfortunately the federal health privacy rule does not cover many of them. . . . The lack of transparency with how all of this works is disturbing."

Ingenix and Milliman create the profiles by plumbing rich databases of prescription drug histories kept by pharmacy benefit managers (PBMs), which help insurers process drug claims. Ingenix, for instance, has servers in the PBM data centers, updating the drug files as frequently as once a day, said John Stenson, senior vice president of consulting for Ingenix, which is a division of UnitedHealth Group. The corporation also owns UnitedHealthcare, the nation's second-largest insurer.

When an insurer makes an online query about an applicant, Ingenix or Milliman's servers scour the data and within minutes or less return reports to a central server at the company. The server aggregates the information going back as far as five years, including the drugs and dosages prescribed, dates filled and refilled, the therapeutic class and the name and address of the prescribing doctor.

Then comes the analysis.

Ingenix's MedPoint tool provides insurers a "pharmacy risk score," or a number that represents an "expected risk" for a group of people, such as 30- to 35-year-old women who have taken prescription drugs, Stenson said. Higher scores imply higher medical costs.

Milliman's IntelliScript codes drugs red, yellow or green, according to the insurer's instructions, with red signaling the greatest risk, Franzen said. Red codes could include the so-called AIDS cocktail drugs and cancer medications, he said.

The companies receive data only on individuals who are in clients in PBMs' databases, generally excluding, say, people who pay for drugs in cash. The profiles cost insurers about $15 a search. IntelliScript gets about 1 million queries from insurers a year, largely individual health insurers.

The system can save money for insurers, said Richard Dick, an entrepreneur who built the database system that Ingenix acquired in 2002.

For instance, if MedPoint produces a report that an individual has been on the highest dose of the cholesterol-reducing drug Zocor for 18 monts, the insurer "would be able to know that you have a very high, near-intractable cholesterol problem," Dick said, and could avoid a costly blood test.

From a business standpoint, it makes no sense for an insurer to sell a plan with a $200 monthly premium if the company knows that the consumer is taking medications that cost $400 every six months, industry experts said. That is why having access to an "objective" source of third-party information is valuable, said Tia Goss Sawhney, a Chicago area health insurance actuary who has used both companies' tools. "Though most people tell the truth most of the time, there are people out there who don't, who leave out something that's incredibly relevant, who may even be able to defraud a company," she said. "That's important because ultimately the people who tell the truth have to pay for those who don't."

Franzen, whose firm expects revenue of $575 million this year, said his clients tell him that about 10 percent of applicants do not disclose pertinent medical conditions in their applications that are later revealed by prescription drug history.

Some health experts worry that insurance companies can make faulty assumptions by looking at prescription drug records, because many drugs have multiple uses.

"I had a patient on Amitriptyline for migraines and they were denied life insurance because it's also an antidepressant," said physician Kate Atkinson of Amherst, Mass. "I had to explain it wasn't being used for depression." Another patient was on Prozac -- not for depression, but for menopausal hot flashes. "I wrote an appeal letter, and they still wouldn't give it to her," Atkinson said.

The field is growing rapidly. Realtime Solutions Group, a company in Woodridge, Ill., is testing whether lab data can be aggregated with prescription and other data for underwriting purposes. The firm is working with two major commercial labs and three large insurers, using thousands of real applicants. Initial results are promising enough that the company plans to proceed to the data-analysis stage, company co-founder Tedd Determan said.

Services such as MedPoint are just "one of many tools" underwriters use to make coverage decisions, said Tyler Mason, a spokesman for UnitedHealthcare, which uses MedPoint. A high-risk score on a profile will often lead to requests for more information from the applicant, he said.

Ingenix and Milliman officials stress that they provide data only with the patient's consent, as required by the Health Insurance Portability and Accountability Act (HIPAA), a 1996 law that governs personal health records information. But HIPAA does not give the Department of Health and Human Services the ability to directly investigate or hold accountable entities, such as pharmacy benefit managers or companies such as Ingenix and Milliman, who are not covered by HIPAA.

A health privacy proposal pending in Congress would expand federal officials' ability to regulate such "downstream" organizations, audit their activities and impose civil fines. The bill also includes a prohibition on the sale of electronic medical records.

Tim Sparapani, senior legislative counsel at the American Civil Liberties Union, said that the products that Ingenix and Milliman are marketing represent the "commodification" of electronic medical records by third parties. "We've got to stop these practices before the marketplace is fully developed and patients lose all control over their medical information," he said.

The field is growing rapidly. Realtime Solutions Group, a company in Woodridge, Ill., is testing whether lab data can be aggregated with prescription and other data for underwriting purposes. The firm is working with two major commercial labs and three large insurers, using thousands of real applicants. Initial results are promising enough that the company plans to proceed to the data-analysis stage, company co-founder Tedd Determan said.

"A lot of insurance companies are starting to use this type of data," said Determan, who co-founded IntelRx, a company that mined prescription databases and was sold to Milliman in 2005. "They said, 'All right. Prescription data is working, let's go and look at other types of data, too.' It's because of the success of one, that we're going after others."

In February, the Federal Trade Commission issued an order saying that MedPoint and IntelliScript are consumer reports under the Fair Credit Reporting Act, so the companies must notify insurers that consumers denied insurance on the basis of these reports have the right to request a copy of the report and that errors be corrected. The FTC's order followed a settlement of allegations that the companies violated the credit-reporting law by failing to provide such notice to insurers.
Bob Gellman, an independent privacy consultant in Washington, said the FTC's decision not to fine the companies sends "the message that it is okay to ignore the law." That, he said, "is absolutely outrageous."

As more health records become electronic, he said, more parties will compete to sell more comprehensive patient data to insurers, driving down data prices. "It will all likely be lawful," Gellman said, "but consumers will likely continue to have no real meaningful choices if they want insurance."

Dick, who conceived the idea of linking the pharmacy databases for underwriting purposes a decade ago, said the pharmacy benefit managers understood the system's privacy implications. He said their attitude seemed one of, " 'Ooh, this is a 60 Minutes' story in the making.' Generally, they wanted to make it a super-secret database, restricted to underwriting."

But now, he said, "there's a huge case for it being opened up for all legitimate access," whether for a patient in an emergency room or for federal government purposes. The key, he said, is full transparency.

He said he has created a privacy tool that requires users to consent before specific data, such as prescription histories, can be released. To work, he said, the tool must be independent of all who hold the data.

"Otherwise," he said, "you have the fox in charge of the henhouse."

Staff researcher Magda Jean-Louis
Read more in the Washington Post

Some Austin hospitals screening for superbug, isolating patients

Procedure brings controversy but could become more commonplace as MRSA spreads.
By Mary Ann Roser - AMERICAN-STATESMAN STAFF - Monday, July 30, 2007

Worried about the spread of a superbug that no longer responds to penicillin and some other common antibiotics, hospitals across the country — including some in Central Texas — are starting to test new patients for the bacteria and isolate those identified as carriers.

Some hospitals even isolate patients who are at risk of being carriers of MRSA, or methicillin-resistant Staphylococcus aureus, a bacterium that experts say has become drug-resistant largely because of overuse of antibiotics.

The Seton Family of Hospitals, the largest health system in Central Texas, says it isolates people at high risk of carrying MRSA but hasn't decided whether to do testing. St. David's HealthCare hospitals and Cornerstone Hospitals say they test high-risk patients and isolate those who test positive for the bacteria.

The bacterium, which in recent years has taken root in some football locker rooms and jails, causes infections that look like a pimple or spider bite. The wound usually clears up after treatment, often with vancomycin, one of the strongest antibiotics, or by draining the abscess.

But MRSA can invade the bones, joints, blood, heart valves and lungs, creating a potentially lethal infection for the elderly or people with weakened immune systems.

Hospitals, which are full of people who fit that description, have seen MRSA infections spiral. A broad survey of the nation's health care facilities found that 34 out of every 1,000 hospital patients had active MRSA infections, and an additional 12 were carriers, the Association for Professionals in Infection Control and Epidemiology reported last month.

The report's author, Dr. William Jarvis, and MRSA expert Dr. Lance Peterson, a physician and epidemiologist at Evanston Northwestern Healthcare in Evanston, Ill., said that although the report did not examine death rates from MRSA, a conservative estimate is that 10 percent of hospital patients with the infections die.

Jarvis is a consultant and former director of a program specializing in hospital infections at the U.S. Centers for Disease Control and Prevention.

Health care experts are divided over how far hospitals should go to detect and contain the bacteria. There are no national requirements, and the CDC offers basic guidelines but recommends that hospitals decide for themselves the best approach.

"Some places across the country screen everybody; some just look at their high-risk populations," said Joanne Dixon, director of infection control at Seton. "We need to make a sound decision here."

Evanston Northwestern's three hospitals, which admit 40,000 patients a year, became the first in North America to test all patients for MRSA two years ago, Peterson said.

At the end of the first year, in July 2006, it found 1,260 MRSA infections, 90 percent of which were picked up in the hospital, Peterson said. Once the hospital began testing all patients and isolating those who were infected or carrying MRSA, the number dropped to 80, Peterson said.

"You have to do a lot of surveillance," he said, adding that the testing program costs $600,000 a year.

The infection control association's report found that just 28 percent of the facilities it surveyed test patients for MRSA.

And Peterson said that up to 30 percent of people in some high-risk groups are MRSA carriers and may not know it. High-risk patients include anyone receiving invasive procedures — from dialysis to heart surgery — that could give the bacteria an opening and those transferred from places where MRSA can be easily spread, such as nursing homes, jails and other hospitals.

"If we had this level of avian influenza on Earth, we'd have everyone screaming," Jarvis said. "I'm hoping it is a wake-up call to . . . hospital administrators and CEOs of hospitals that it's a very significant problem that we now have evidence-based data on how we can reverse it."

The association has urged hospitals to be more aggressive about MRSA.

President Denise Murphy said facilities getting the best results in controlling the bacteria identify the hot spots in their facilities for spreading MRSA, test high-risk patients and take extra precautions with those who test positive, stress good handwashing procedures by staff members and disinfect patient rooms daily.

Seton, which operates seven acute-care hospitals in Central Texas, has been isolating patients at high risk for the bacteria since 1996, Dixon said. Seton said positive MRSA tests at its hospitals have increased 11 percent in the past three years.

St. David's HealthCare, which operates five acute-care hospitals in Central Texas, started testing patients at high risk for MRSA in May, following a policy its parent company, HCA, instituted nationwide.

The hospitals swab a patient's nose to test for the bacteria, said Karen Degtoff, infection control coordinator at St. David's.

If the test shows that the patient is an MRSA carrier, he or she is put in isolation, which means staff members take special precautions when treating the patient, such as wearing a gown and gloves. Visitors also are instructed to wear protective garb, Degtoff said.

The patients may be restricted to their rooms, depending on their condition and whether their recovery depends on walking. Those who leave their rooms are told to wear a gown and gloves, hospital officials said.

Dr. Steve Berkowitz, chief medical officer for St. David's HealthCare, said that since testing started, 11 percent of patients facing high-risk procedures, such as heart bypass or orthopedic surgery, have tested positive for MRSA.

But not all doctors agree with what local hospitals are doing, and some patients have been downright bewildered.

Norman Tolpo, 71, of Austin said he was put in isolation after testing positive as a carrier for MRSA while he was a patient at St. David's Medical Center in Austin in early June.

Tolpo said he found the restrictions baffling and inconsistent. He protested to the staff that he didn't have an active infection and asked why all incoming patients — and the staff — weren't tested.

Even without an active infection, a person who is a carrier can still spread MRSA, he was told.

"Let's say they get nasal secretions on their hands and they shook the hand of a nurse," Berkowitz said. "It could still be spread to another person."

Michael Killiam, Tolpo's family practice physician, said Tolpo has raised some valid points. "If you're going to be consistent, you've got to test everybody," Killiam said.

The CDC does not recommend testing hospital staff members, and hospital officials said they think proper handwashing and protective garb is enough.

And Murphy, the association president, doesn't endorse testing all patients.

"We believe you need to use finite resources wisely by doing a risk assessment," said Murphy, who said she lost her mother to a hospital infection. "If we had all the money in the world, it would be different."
Read more & listen to report