Luis Salazar, CIPP

New Hampshire has become the unlikely front in the latest battle between the pharmaceutical industry and privacy advocates. In June 2006, New Hampshire passed its "Prescription Confidentiality Act," which bars the license, transfer, use or sale for any commercial purpose of patient-identifiable or prescriber-identifiable information. Supporters of the law argue that it protects the privacy of doctors and patients who use prescriptions, while at the same time helping control the rising healthcare costs. But the pharmaceutical industry - which has dubbed it the "Prescription Restraint Law" - argue that the measure is as unconstitutional as it is wrong-headed. They assert that the law will limit valuable information provided to prescribing doctors and researchers, all to the ultimate detriment of patients.

More than just a philosophical battle, privacy supporters - represented by the state of New Hampshire - and the pharmaceutical industry - led by IMS Health Incorporated and Verispan, LLC - recently concluded a five-day trial precipitated by the pharmaceutical industry's challenge to the law. The trial's outcome will likely have nationwide impact, as at least six other states have similar pending legislation. At the federal level, several congressmen have introduced The Prescription Privacy Protection Act, which would enact a similar law.

"Honey, Are You Sitting Down?"
Rep. Cindy Rosenwald sponsored the Prescription Confidentiality Act, New Hampshire House Bill 1346, in early 2006. Her husband - a cardiologist - had alerted her to a pharmaceutical sales representative's intimate knowledge of his prescription histories. In fact, although most consumers are completely unaware of it, there is a long-established and widespread practice of collecting specific information from pharmacies about every prescription they fill and selling it to pharmaceutical manufacturers.

In Rosenwald's view, as expressed in the bill's introduction, "Not only is patient identity inappropriately used for pharmaceutical marketing, but the identity of the prescribers - doctors, nurse practitioners, optometrists and assistants - is routinely bought and sold for marketing. … The use of personal identities prove an unwarranted intrusion into professional privacy and, more to the point, it adds to the financial burden of New Hampshire's health care system by increased pharmaceutical costs for the state, our consumers, and our businesses."

The law bars any pharmacy, pharmacy benefits manager, insurance company or other similar entity from licensing, transferring, using or selling prescription information containing patient-identifiable and prescriber-identifiable data for commercial purposes, other than the limited purposes of pharmacy reimbursement, care management and the like. It also specifically defines "commercial purpose" as including advertising, marketing, promotion or any activity that could be used to influence sales or market share of a pharmaceutical product, influence or evaluate the prescribing behavior of an individual healthcare professional, or evaluate the effectiveness of a professional pharmaceutical sales force. It does not bar, however, the collection and use of patient and prescriber "de-identified" data by zip code, geographic region, or medical specialty for commercial purposes. It specifies that a violation of these terms is considered an unfair or deceptive act or practice, subjecting violators to civil and potentially criminal penalties.

It is interesting to note that the law passed quickly and almost unanimously, and, according to the Nashua Telegraph, prompted Rosenwald's cell phone call and excited exclamation to her husband, "Honey, are you sitting down? Guess what just happened?!" Rosenwald attributed the swift passage to the
simple fact that "New Hampshire folks don't like people invading their privacy." But at the same time, there were supposed economic concerns underlying its adoption, since legislators were of the opinion that pharmaceutical sales representatives used the information to drive the prescription of higher-priced medicine. New Hampshire's Medicaid costs for prescription drugs have risen 84 percent in the last five years.

The Industry's Challenge
A variety of pharmaceutical and medical players, including the New Hampshire Association of Chain Drug Stores, scientists from the Mayo Clinic and at least two health information companies, IMS Health and Verispan, LLC, opposed the measure. With $1.7 billion in annual sales, IMS Health is the world's leading provider of market intelligence to the pharmaceutical and healthcare industries. Similarly, Verispan provides a broad array of information, products and services to the healthcare industry, including market research audits, healthcare profiles and pharmaceutical data analysis and consulting. To these companies and others, the law is a step in the wrong direction.

"By effectively denying access to prescriber-identified data, the new law will have significant unintended consequences and go against the national movement towards making healthcare information more accessible and transparent," stated Robert H. Steinfeld, IMS Senior Vice President and General Counsel, in an IMS news release: "The success of initiatives to improve health care quality, and ensure patient safety and manage costs depends on access to more information, not less."

The opposition further points out that the database it creates with this pharmaceutical information is used for research that benefits all patients. As one New Hampshire think tank commentator told Medical Marketing & Media: "What the people voting for this didn't think about is that the database created by the tracking of prescriptions is not just extraordinarily valuable, it's also very expensive to create, and its creation is only possible because of its commercial use."

These arguments gained little traction, and, as noted, the law passed and became effective on June 30, 2006.

Within days, IMS Health and Verispan sued in U.S. District Court to have all, or part of the law, declared unconstitutional on the grounds that it constitutes a violation of the First Amendment and the Commerce Clause of the U.S. Constitution. Because the First Amendment is implicated, the state must show that the law passes the "Strict Scrutiny Test" - that is, it must be narrowly tailored to promote a compelling government interest, and if a less restrictive alternative would serve the government's purpose, the legislature must use that alternative. With respect to the Commerce Clause argument, the challengers must prove the law has a practical effect of controlling commerce that takes place wholly outside of New Hampshire's borders, constituting a per se violation of the Commerce Clause.

Although the Federal District Court in New Hampshire declined to enter an immediate injunction of the law, it "fast-tracked" the proceedings.

A number of states have considered similar "prescription confidentiality" legislation, including New York, Massachusetts, Pennsylvania, Illinois and California, which together represent roughly half of a national prescribing volume. The outcome could be a case of whither goes New Hampshire, so goes the nation. This is especially true in the privacy area, where states appear to take a "me too" approach to privacy legislation, as witnessed in the passage of data breach and security freeze laws throughout the country. The court's decision is expected in the next 30 days.

Luis Salazar is a shareholder with Greenberg Traurig and a founding member of the firm's Data Privacy and Security Law Taskforce. Salazar is also the drafter of the Privacy Policy Enforcement in Bankruptcy Act, an amendment to the Bankruptcy Code that prohibits bankrupt companies from misusing consumers' personally identifying information and provides for the appointment of a Consumer Privacy Ombudsman to advise Bankruptcy Courts on privacy issues. Salazar is based in the firm's Miami office and can be reached at


This e-mail address is being protected from spam bots, you need JavaScript enabled to view it

Editor's Note:
At press time, The Privacy Advisor learned that U.S. District Court Judge Paul Barbadoro ruled in favor of Verispan LLC and IMS Health Inc. In his 54-page ruling, Barbadoro stated that ordinarily "states should be given wide latitude to choose among rational alternatives when they act to benefit the public interest." But he added, "However, when states adopt speech restrictions as their method, courts must subject their efforts to closer scrutiny." Watch for more coverage of this decision in upcoming issues of the Advisor.


If you want to comment on this post, you need to login.


Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Get more News »

Find a KnowledgeNet Chapter Near You

Network and talk privacy at IAPP KnowledgeNet meetings, taking place worldwide.

Women Leading Privacy

Events, volunteer opportunities and more designed to help you give and get career support and expand your network.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

The Training Post—Can’t-Miss Training Updates

Subscribe now to get the latest alerts on training opportunities around the world.

New Web Conferences Added!

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Staff

Get your team up to speed on privacy by bringing IAPP training to your organization.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.

Learn more about IAPP certification »

Get Close-up

Looking for tools and info on a hot topic? Our close-up pages organize it for you in one easy-to-find place.

Where's Your DPA?

Our interactive DPA locator helps you find data protection authorities and summary of law by country.

IAPP Westin Research Center

See the latest original research from the IAPP Westin fellows.

Looking for Certification Study Resources?

Find out what you need to prepare for your exams

More Resources »

GDPR Comprehensive: Spots Going Fast

With the top minds in the field leading this exceptional program, it's no wonder it's filling quickly. Register now to secure your spot.

Be Part of Something Big: Join the Summit

Registration is open for the Global Privacy Summit 2016. Discounted early bird rates available for a short time, register today!

Data Protection Intensive Returns to London

Registration is now open for the IAPP Europe Data Protection Intensive in London. Check out the program!

P.S.R. Call for Speakers Open!

P.S.R. is THE privacy + cloud security event of the year, and you can take a leading role. Propose a session for this year's program.

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

Exhibit at an Event

Put your brand in front of the largest gatherings of privacy pros in the world. Learn more.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»