This is page 2 of:
Supreme Court Casts Doubt On Whether Privacy Laws Control Retailers
In the pharmaceutical case, the court held that the Vermont legislature’s findings of fact—that such targeted marketing based upon physician prescribing practices would ultimately cause the cost of prescription medicines to rise as marketers pushed newer, more expensive and non-generic drugs on doctors—was insufficient to warrant such a “content-based” regulation. The pharmaceutical prescribing behavior could be used by the government for “evidence-based medicine,” to improve public health and delivery, or for education or medical research, but not for marketing.
As a result, the U.S. Supreme Court noted, “The statute thus disfavors marketing, that is, speech with a particular content. More than that, the statute disfavors specific speakers, namely pharmaceutical manufacturers.” Essentially, the Court found that the statute was a “ban” on a protected form of expression—marketing—aimed only at marketers. The Court likened this to other “bans” on protected expression, like censorship of books, which are prohibited by the Constitution.
The Court also found that the information provided by the doctors to the pharmacists (and then sold to the data brokers) in a sense “belonged” to the pharmacy, which could do whatever it wanted to with “information that the speaker already possesses.” The Court then went on to say “the creation and dissemination of information are speech within the meaning of the First Amendment,” so that the collection and use of the doctor’s information without the consent of either the doctor or the patient was a form of protected expression (as opposed to a commercial activity subject to reasonable regulation).
OK, so the physician information belongs to the pharmacies and they have a free speech right to use it, right? What about the doctor’s privacy rights? Nope, that’s not a legitimate interest here because, according to the Court, the statute was not really designed to protect doctor’s privacy. The Court noted that the law allowed pharmacies to sell the information for reasons other than marketing, such as healthcare research, and that it “permits insurers, researchers, journalists, the State itself and others to use the information.” Only marketers were left out.
Pointedly, the Court attempted to distinguish the approach taken by Vermont—no use of the information for marketing—from that taken for medical privacy under HIPAA. As the Court noted, “the State might have advanced its asserted privacy interest by allowing the information’s sale or disclosure in only a few narrow and well-justified circumstances,” as HIPAA does. “A statute of that type would present quite a different case than the one presented here.” The Court characterized HIPAA as a law that protects privacy and only allows the use of medical information in a few circumstances.
The problem with this analysis is that it is a complete mischaracterization of what HIPAA actually does. HIPAA allows the use of medical information for any purpose for which it is collected—medical diagnosis, treatment, payment, third-party payment and related purposes. It also allows the information to be collected and used (sometimes anonymously) for training, education, disease control, reporting, licensing, law enforcement and other regulatory purposes. In the end, HIPAA does almost the same thing that the Vermont law does—prohibits the use of medical information for non-medical purposes.
The “horror stories” that led to the passage of HIPAA—the sale of medical records to insurers, real-estate brokers, credit-card companies, financial institutions, etc.—are precisely the types of “misuse” for marketing purposes that the Vermont law tried to curtail.
So what the Court found was this:
Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code.
-Marc
