VIEWPOINT: Healthcare Information Organizations vs. New Hampshire: Striking the Appropriate Balance Between Privacy and Free Speech

Lydia Payne-Johnson, CIPP, and Mike Hubbard

Protecting certain consumer information obviously is an important and legitimate function of government. But at the same time, our democratic society also requires that other types of information remain accessible to the public, and that people have the right to share ideas freely and openly.

Drawing that line between the legitimate need for privacy and protecting the public's right to communicate can be tricky. Sometimes, lawmakers misjudge that delicate balance and create laws that unfairly restrict free speech in the name of privacy.

Such was the case in New Hampshire, where state legislators passed the Prescription Restraint Law, a first-in-the-nation bill that made it illegal to sell or license prescription information that identified the prescribing physician for defined commercial purposes, even though the information did not identify any patient. The bill was passed after lobbying by the state's physicians, not because of a groundswell of public opposition to the practice of sharing this information. Nor was there any evidence that the practice adversely had affected patients or consumers, or that barring this information would lower drug prices.

On the other hand, healthcare information companies made a compelling case that protecting access to this information was in the best interests of the public. The aggregated data collected from pharmacies provides critical data on healthcare trends. The plaintiffs argued that improving the nation's healthcare system depends upon more information, not less. More importantly, they also asserted that access to such data was protected by the First Amendment.

While a small state like New Hampshire only accounts for a small number of prescriptions written in the United States, the Prescription Restraint Law carried chilling ramifications for free speech advocates. If the New Hampshire law had been allowed to stand, more states may have passed similar bills. The law also forced the health information companies to reconfigure their national data collection processes.

Two leading health information organizations, Verispan and IMS Health, challenged New Hampshire's Prescription Restraint Law on Constitutional and Dormant Commerce Clause grounds.

Attorneys for Verispan and IMS Health argued that the law unconstitutionally restricted their free speech by denying them the ability to disseminate truthful information that the healthcare information organizations lawfully possessed.

They noted that patient privacy already was protected during the data collection process, as the information collected does not identify any patient. The data collection companies also had agreed on voluntary restrictions allowing doctors to keep their prescription information from being provided to pharmaceutical sales representatives.

Verispan and IMS Health also explained that the data collection process protects patient safety. By knowing physician prescribing habits, drug companies are able to quickly disseminate relevant information about those medicines. Should a drug recall be required, the system allows drug companies to contact physicians in a direct and timely manner.

The information also is used to conduct long-term public health studies. For example, data collected in this manner has been used in studies on childhood asthma in low-income urban areas. The American Medical Association (AMA) is on record opposing the restrictions on the collecting and disclosing of this data, as are the Biotechnology Industry Organization and researchers from the Mayo Clinic, the University of Wisconsin and the Harvard-MIT Division of Health Sciences and Technology. Many in New Hampshire noted that the law, if allowed to stand, likely would curtail biotech research in the state. In fact, the U.S. Department of Health and Human Services strongly has encouraged the use of patient deidentified data where possible (See www.wcsr.com/resources/ pdfs/Handbook.pdf for more information).

But the key to the legal argument was the constitutionality of the restrictive new law. The plaintiffs argued that the New Hampshire law illegally curtailed their rights to disseminate commercial speech.

In April, 2007, a U.S. District Court judge in  New Hampshire agreed with Verispan and IMS Health and struck down the Prescription Restraint Law as unconstitutional. U.S. District Court Judge Paul Barbadoro wrote that the law "unconstitutionally restricted speech without directly serving the state's substantial interests…(and) alternatives exist that would achieve the state's interests as well as or better without restricting speech." (IMS Health Inc. vs. Ayotte, No. 06-cv-280-PB D.N.H. Apr. 30, 2007)

However, the fight isn't over. The New Hampshire case currently is on appeal and two neighboring states - Maine and Vermont - passed nearly identical laws as the New Hampshire dispute was in progress. Those laws are scheduled to take effect January 1, 2008. Healthcare information organizations expect to present federal challenges to these state laws and other similar laws that may be adopted in the future.

Lydia Payne-Johnson is an attorney and president of LPJohnson Consulting LLP in West Orange, N.J., specializing in privacy governance. She is the former Chief Privacy Officer with Morgan Stanley and most recently completed an engagement with Verispan, LLC.

Mike Hubbard is the leader of Womble Carlyle's Privacy and Data Protection Team and practices in the firm's Raleigh, N.C. office. Womble Carlyle has 530 attorneys in 11 offices from Baltimore to Atlanta.

Editor's Note: Lydia Payne-Johnson is a former consultant to Verispan. Mike Hubbard is Verispan's external Counsel on privacy.


If you want to comment on this post, you need to login.


Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Advertise in IAPP Publications

Find out how to get your message in front the people you want to reach. Download a media kit now.

Get more News »

Find a KnowledgeNet Chapter Near You

Network and talk privacy at IAPP KnowledgeNet meetings, taking place worldwide.

Women Leading Privacy

Events, volunteer opportunities and more designed to help you give and get career support and expand your network.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

The Training Post—Can’t-Miss Training Updates

Subscribe now to get the latest alerts on training opportunities around the world.

New Web Conferences Added!

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Staff

Get your team up to speed on privacy by bringing IAPP training to your organization.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.

Learn more about IAPP certification »

Get Close-up

Looking for tools and info on a hot topic? Our close-up pages organize it for you in one easy-to-find place.

Where's Your DPA?

Our interactive DPA locator helps you find data protection authorities and summary of law by country.

IAPP Westin Research Center

See the latest original research from the IAPP Westin fellows.

Looking for Certification Study Resources?

Find out what you need to prepare for your exams

More Resources »

GDPR Comprehensive: Registration Open

New! Intensive two-day GDPR training led by the sharpest minds in the field. It's a can't-miss event.

The Congress Is Cancelled

The IAPP Europe Data Protection Congress 2015 is cancelled. Click through to learn more.

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

Exhibit at an Event

Put your brand in front of the largest gatherings of privacy pros in the world. Learn more.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»