Luis Salazar, CIPP

New Hampshire has become the unlikely front in the latest battle between the pharmaceutical industry and privacy advocates. In June 2006, New Hampshire passed its "Prescription Confidentiality Act," which bars the license, transfer, use or sale for any commercial purpose of patient-identifiable or prescriber-identifiable information. Supporters of the law argue that it protects the privacy of doctors and patients who use prescriptions, while at the same time helping control the rising healthcare costs. But the pharmaceutical industry - which has dubbed it the "Prescription Restraint Law" - argue that the measure is as unconstitutional as it is wrong-headed. They assert that the law will limit valuable information provided to prescribing doctors and researchers, all to the ultimate detriment of patients.

More than just a philosophical battle, privacy supporters - represented by the state of New Hampshire - and the pharmaceutical industry - led by IMS Health Incorporated and Verispan, LLC - recently concluded a five-day trial precipitated by the pharmaceutical industry's challenge to the law. The trial's outcome will likely have nationwide impact, as at least six other states have similar pending legislation. At the federal level, several congressmen have introduced The Prescription Privacy Protection Act, which would enact a similar law.

"Honey, Are You Sitting Down?"
Rep. Cindy Rosenwald sponsored the Prescription Confidentiality Act, New Hampshire House Bill 1346, in early 2006. Her husband - a cardiologist - had alerted her to a pharmaceutical sales representative's intimate knowledge of his prescription histories. In fact, although most consumers are completely unaware of it, there is a long-established and widespread practice of collecting specific information from pharmacies about every prescription they fill and selling it to pharmaceutical manufacturers.

In Rosenwald's view, as expressed in the bill's introduction, "Not only is patient identity inappropriately used for pharmaceutical marketing, but the identity of the prescribers - doctors, nurse practitioners, optometrists and assistants - is routinely bought and sold for marketing. … The use of personal identities prove an unwarranted intrusion into professional privacy and, more to the point, it adds to the financial burden of New Hampshire's health care system by increased pharmaceutical costs for the state, our consumers, and our businesses."

The law bars any pharmacy, pharmacy benefits manager, insurance company or other similar entity from licensing, transferring, using or selling prescription information containing patient-identifiable and prescriber-identifiable data for commercial purposes, other than the limited purposes of pharmacy reimbursement, care management and the like. It also specifically defines "commercial purpose" as including advertising, marketing, promotion or any activity that could be used to influence sales or market share of a pharmaceutical product, influence or evaluate the prescribing behavior of an individual healthcare professional, or evaluate the effectiveness of a professional pharmaceutical sales force. It does not bar, however, the collection and use of patient and prescriber "de-identified" data by zip code, geographic region, or medical specialty for commercial purposes. It specifies that a violation of these terms is considered an unfair or deceptive act or practice, subjecting violators to civil and potentially criminal penalties.

It is interesting to note that the law passed quickly and almost unanimously, and, according to the Nashua Telegraph, prompted Rosenwald's cell phone call and excited exclamation to her husband, "Honey, are you sitting down? Guess what just happened?!" Rosenwald attributed the swift passage to the
simple fact that "New Hampshire folks don't like people invading their privacy." But at the same time, there were supposed economic concerns underlying its adoption, since legislators were of the opinion that pharmaceutical sales representatives used the information to drive the prescription of higher-priced medicine. New Hampshire's Medicaid costs for prescription drugs have risen 84 percent in the last five years.

The Industry's Challenge
A variety of pharmaceutical and medical players, including the New Hampshire Association of Chain Drug Stores, scientists from the Mayo Clinic and at least two health information companies, IMS Health and Verispan, LLC, opposed the measure. With $1.7 billion in annual sales, IMS Health is the world's leading provider of market intelligence to the pharmaceutical and healthcare industries. Similarly, Verispan provides a broad array of information, products and services to the healthcare industry, including market research audits, healthcare profiles and pharmaceutical data analysis and consulting. To these companies and others, the law is a step in the wrong direction.

"By effectively denying access to prescriber-identified data, the new law will have significant unintended consequences and go against the national movement towards making healthcare information more accessible and transparent," stated Robert H. Steinfeld, IMS Senior Vice President and General Counsel, in an IMS news release: "The success of initiatives to improve health care quality, and ensure patient safety and manage costs depends on access to more information, not less."

The opposition further points out that the database it creates with this pharmaceutical information is used for research that benefits all patients. As one New Hampshire think tank commentator told Medical Marketing & Media: "What the people voting for this didn't think about is that the database created by the tracking of prescriptions is not just extraordinarily valuable, it's also very expensive to create, and its creation is only possible because of its commercial use."

These arguments gained little traction, and, as noted, the law passed and became effective on June 30, 2006.

Within days, IMS Health and Verispan sued in U.S. District Court to have all, or part of the law, declared unconstitutional on the grounds that it constitutes a violation of the First Amendment and the Commerce Clause of the U.S. Constitution. Because the First Amendment is implicated, the state must show that the law passes the "Strict Scrutiny Test" - that is, it must be narrowly tailored to promote a compelling government interest, and if a less restrictive alternative would serve the government's purpose, the legislature must use that alternative. With respect to the Commerce Clause argument, the challengers must prove the law has a practical effect of controlling commerce that takes place wholly outside of New Hampshire's borders, constituting a per se violation of the Commerce Clause.

Although the Federal District Court in New Hampshire declined to enter an immediate injunction of the law, it "fast-tracked" the proceedings.

A number of states have considered similar "prescription confidentiality" legislation, including New York, Massachusetts, Pennsylvania, Illinois and California, which together represent roughly half of a national prescribing volume. The outcome could be a case of whither goes New Hampshire, so goes the nation. This is especially true in the privacy area, where states appear to take a "me too" approach to privacy legislation, as witnessed in the passage of data breach and security freeze laws throughout the country. The court's decision is expected in the next 30 days.

Luis Salazar is a shareholder with Greenberg Traurig and a founding member of the firm's Data Privacy and Security Law Taskforce. Salazar is also the drafter of the Privacy Policy Enforcement in Bankruptcy Act, an amendment to the Bankruptcy Code that prohibits bankrupt companies from misusing consumers' personally identifying information and provides for the appointment of a Consumer Privacy Ombudsman to advise Bankruptcy Courts on privacy issues. Salazar is based in the firm's Miami office and can be reached at


This e-mail address is being protected from spam bots, you need JavaScript enabled to view it

Editor's Note:
At press time, The Privacy Advisor learned that U.S. District Court Judge Paul Barbadoro ruled in favor of Verispan LLC and IMS Health Inc. In his 54-page ruling, Barbadoro stated that ordinarily "states should be given wide latitude to choose among rational alternatives when they act to benefit the public interest." But he added, "However, when states adopt speech restrictions as their method, courts must subject their efforts to closer scrutiny." Watch for more coverage of this decision in upcoming issues of the Advisor.


If you want to comment on this post, you need to login.


Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Get more News »

IAPP Communities

Meet locally with privacy pros, dive deep into specialized topics or connect over common interests. Find your Community in KnowledgeNet Chapters, Sections and Affinity Groups.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

The Privacy Core™ Library Has Evolved

Privacy Core™ e-learning essentials just expanded to include seven new units for marketers. Keep your data safe and your staff in the know!

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

Upcoming Web Conferences

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Team

Get your team up to speed on privacy by bringing IAPP training to your organization.

Let’s Get You DPO Ready

There’s no better time to train than right now! We have all the resources you need to meet the challenges of the GDPR.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.


The IAPP’S CIPP/E and CIPM are the ANSI/ISO-accredited, industry-recognized combination for DPO readiness. Learn more today.

Learn more about IAPP certification »

Are You Ready for the GDPR?

Check out the IAPP's EU Data Protection Reform page for all the tools and resources you need.

IAPP-OneTrust PIA Platform

New U.S. Government Agency privacy impact assessments - free to IAPP members!

IAPP Communities

Meet locally with privacy pros, dive deep into specialized topics or connect over common interests. Find your Community in KnowledgeNet Chapters, Sections and Affinity Groups.

Privacy Vendor List

Find a privacy vendor to meet your needs with our filterable list of global service providers.

More Resources »

Europe Data Protection Intensive 2017

The Intensive is sold out! But cancellations do happen—so hurry and get on the wait list in case more seats become available.

Global Privacy Summit 2017

The world’s premier privacy conference returns with the sharpest minds, unparalleled programs and preeminent networking opportunities.

Canada Privacy Symposium 2017

The Symposium returns to Toronto this spring and registration has opened! Take advantage of Early Bird rates and join your fellow privacy pros for another stellar program.

The Privacy Bar Section Forum 2017

The Privacy Bar Section Forum returns to Washington, DC April 21, delivering renowned keynote speakers and a distinguished panel of legal and privacy experts.

Asia Privacy Forum 2017

The Forum returns to Singapore for exclusive networking and intensive education on data protection trends and challenges in the Asia Pacific region. Call for Speakers open!

Privacy. Security. Risk. 2017

This year, we're bringing P.S.R. to San Diego. The Call for Speakers is now open. Submit today and be a part of something big! Submission deadline: February 26.

Europe Data Protection Congress 2017

European policy debate, multi-level strategic thinking and thought-provoking discussion. The Call for Speakers is open until March 19.

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»