Federal Trade Commission
Public Workshop on Consumer Information Privacy
Consumer Privacy 1997 -- Comment, P954807
April 15, 1997
April 14, 1997
Mr. Donald C. Clark
RE: Consumer Privacy 1997 -- Request to Participate, P954807
Consumer Privacy 1997 -- Comment, P954807
Dear Mr. Clark:
We write in response to the Federal Trade Commission Notice regarding the Public Workshop to be held June 10-13, 1997. Please accept this letter as a written request for me to participate on behalf of IMS in Session Two, as referenced above. Our comments on two of the questions specific to this session are attached.
It is my understanding that the formal record will remain open through the conclusion of the workshop and for some period of time thereafter. In the event we have anything further to include or substitute, it will be submitted accordingly.
I thank you for your consideration of our request to participate in the workshop and for the handling and distribution of our comments. Please do not hesitate to contact me at the above number or our Washington contact, Gary Friend at 202-822-8882, in the event there are any questions.
Robert N. Merold
Enclosure: Letter (6)
I. Background of IMS America and Markets Served
"IMS America is a leader and an essential partner in the advancement of health, providing critical data, global intelligence, and knowledge-based solutions to the health care community."(1)
IMS is the world's largest provider of health information services, with data collection activities in over 80 countries. The company's activities include tracking the prescription decisions of physicians and the sales of pharmaceutical products. Disease incidences and physician treatment patterns are tracked as well and entail using doctor-level panels and computerized medical information.
The scope of work involved in performing these activities properly is without peer. In the US alone, the company processes over 72 billion records per month requiring some 10,000 computer tape mounts. The volume of information on an annual basis exceeds the total contents of the Library of Congress.
IMS is one of many companies developing complex, patient-level databases to serve the needs of the medical, scientific and health care management community, addressing issues related to outcomes research, best practices and health economics. The application of privacy practices is tied to many areas including the company's collection of patient-level data, done in the US and in six European countries, the latter of which all have existing omnibus data protection laws.
In principle, the information and decision support tools provided by IMS serve the totality of the health care industry. They are critical resources in the industry's efforts to improve human health, provide the best care possible to patients and continually control or reduce the costs associated with providing care.
The segments within the health care industry served directly or indirectly by IMS are listed below:
II. Information Collection and Use
2.2 To what extent is the collection, compilation, sale or use of personally identifying, as opposed to aggregate personal information, important for marketing on-line and for market research? What privacy concerns, if any, are raised by the collection or use of aggregate personal information in this context?
The answer to this question necessitates breaking the activities noted into two components -- collection versus all subsequent compilation, aggregation and disclosure activities. In most cases, market research, especially that performed in the health care arena, results in creating aggregations of data, which do not reveal individually identifiable information. The quality and utility of these aggregations, however, do rely on beginning with patient-level data.
For medical information, the differentiation between patient data and patient-level data is important to understand. Patient data contain personally-identifiable elements such as name, address or phone number, whereas patient-level data are medical information without these attendant identifiers, so-called "anonymized data". With anonymized data, the identity of the person to whom the data are associated is not known to the party holding them.
Many methods are used today to protect privacy in the migration from patient data to patient-level data to aggregate data. Among the most secure is data encryption, which can be used to create a non-personally-identifiable ID for patient-level data. The "keys" to the encryption algorithm are held by a neutral third-party, ideally outside the data collection or storage environment. Doing so protects the anonymity of the ID number and precludes accidental or intentional breaches of privacy.
Such an anonymous ID serves dual needs harmoniously. First, it protects an individual's privacy interests. The number does not contain any embedded intelligence and cannot be reverse-engineered to the identity of a person, except by the trusted third party, which holds the key and otherwise possesses such knowledge independently. Second, it provides a vehicle to link records, for example, over time for longitudinal analyses, which is vital to understanding treatment patterns and their effectiveness.
It is our experience and opinion that proper aggregations do not pose any material privacy concerns. "Proper" means that the data cannot be disaggregated to identifiable levels and that the aggregations in and of themselves contain large enough cell counts to mask identities.
This type of aggregation is routinely applied when presenting the results from market research, social research, clinical studies and in the dissemination of tract-level census results. In all of these studies, the responsible data collection agency is aware of the individual or household identity but protects that identity in the aggregated results. In order to carry out longitudinal patient-level studies it is essential to be able to track anonymized health care information on individuals over a period of time. Although the results are aggregated, the provision of those results is dependent upon the existence of a non-personally-identifiable ID.
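The three-stage migration described above (patient data to patient-level data to aggregate data) can be shown end to end in a short program. The following is an added example written for this page; it is not IMS's system and the records in it are constructed and fictional. It substitutes HMAC-SHA256 under a key held only by the third party for the "encryption" the text alludes to: without the key, a pseudonym cannot be turned back into a person, while the key holder can re-identify it by recomputing pseudonyms for identities it already holds, which is exactly the "otherwise possesses such knowledge independently" condition. Note the caveat the keying addresses: an unkeyed hash of name and date of birth would be reversible by anyone able to enumerate candidate identities. The aggregation step counts distinct patients per cell and suppresses any cell below a minimum count (five here, an assumed threshold), which is the "large enough cell counts" requirement.

```python
"""Added example: keyed pseudonymisation plus small-cell suppression (not IMS's code)."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from collections import defaultdict

# Fields that make a record "patient data"; they never leave the collection site.
# Date of birth feeds the pseudonym but is itself dropped as a quasi-identifier.
DIRECT_IDENTIFIERS = ("name", "address", "phone", "dob")


class KeyHolder:
    """The neutral third party: the only party that holds the pseudonymisation key."""

    def __init__(self, key=None):
        self.key = key if key is not None else secrets.token_bytes(32)

    def pseudonym(self, name: str, dob: str) -> str:
        # Canonicalise so "Ann Bell" and " ann bell" map to the same patient ID.
        canonical = f"{name.strip().lower()}|{dob.strip()}".encode()
        # Keyed one-way function: the output carries no recoverable identity
        # for anyone who does not hold self.key.
        return hmac.new(self.key, canonical, hashlib.sha256).hexdigest()

    def reidentify(self, pid: str, known_patients):
        """Only possible with the key, and only against identities already held."""
        for name, dob in known_patients:
            if hmac.compare_digest(self.pseudonym(name, dob), pid):
                return (name, dob)
        return None


def to_patient_level(record: dict, kh: KeyHolder) -> dict:
    """Patient data -> patient-level data: strip identifiers, attach the pseudonym."""
    pid = kh.pseudonym(record["name"], record["dob"])
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["pid"] = pid
    return out


def link_longitudinal(patient_level: list[dict]) -> dict[str, list[tuple[str, str]]]:
    """Group visits per pseudonym in date order: the linkage the ID exists to allow."""
    history = defaultdict(list)
    for r in patient_level:
        history[r["pid"]].append((r["date"], r["drug"]))
    return {pid: sorted(visits) for pid, visits in history.items()}


def aggregate(patient_level: list[dict], by: str, min_cell: int = 5) -> dict:
    """Count distinct patients per value of `by`; cells below min_cell are suppressed (None)."""
    cells = defaultdict(set)
    for r in patient_level:
        cells[r[by]].add(r["pid"])
    return {k: (len(p) if len(p) >= min_cell else None) for k, p in cells.items()}


def _rec(name, dob, date, dx, drug):
    return {"name": name, "dob": dob, "address": "1 Example St", "phone": "555-0100",
            "date": date, "diagnosis": dx, "drug": drug}


# Constructed, fictional sample: six hypertension visits from five patients
# (Ann Bell appears twice, once with sloppy spacing) and two asthma patients.
SAMPLE_PATIENT_DATA = [
    _rec("Ann Bell", "1950-03-02", "1997-01-10", "hypertension", "lisinopril"),
    _rec(" ann bell", "1950-03-02", "1997-04-11", "hypertension", "amlodipine"),
    _rec("Bo Chen", "1961-07-19", "1997-02-01", "hypertension", "lisinopril"),
    _rec("Cy Dunn", "1948-12-30", "1997-02-03", "hypertension", "atenolol"),
    _rec("Di Ehrlich", "1972-05-05", "1997-02-20", "hypertension", "lisinopril"),
    _rec("Ed Fox", "1939-09-09", "1997-03-01", "hypertension", "amlodipine"),
    _rec("Fay Gill", "1985-01-21", "1997-03-12", "asthma", "albuterol"),
    _rec("Gus Hale", "1990-11-02", "1997-03-30", "asthma", "budesonide"),
]


def run_pipeline(kh: KeyHolder | None = None):
    """Run all three stages; returns (patient-level rows, histories, aggregate table)."""
    if kh is None:
        kh = KeyHolder()
    patient_level = [to_patient_level(r, kh) for r in SAMPLE_PATIENT_DATA]
    return patient_level, link_longitudinal(patient_level), aggregate(patient_level, "diagnosis")


if __name__ == "__main__":
    rows, histories, table = run_pipeline()
    print(len(histories), "distinct patients;", table)
```

Two design points carry the privacy argument: the key never sits beside the data (a data holder that could call `pseudonym` itself would be a key holder in all but name), and suppression is applied to distinct-patient counts rather than visit counts, since Ann Bell's two visits would otherwise inflate a cell.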
2.9 What industry principles, recommendations or guidelines have emerged since the June 1996 Workshop? Please discuss whether they are permissive or mandatory, whether they include sanctions for non-compliance, and the extent to which they have been implemented within the industry.
As a matter of practice, the health care industry must be aggressive in its application of privacy principles. The uses of medical information touch on the most sensitive of related topics, yet are essential to improving the health of and care provided to individuals. This result can be achieved only in an environment of public trust, where sensitive data are handled responsibly, with no reasonable possibility of uninformed disclosure.
IMS, specifically, undertakes many steps to establish a responsible, secure and systematic approach to privacy protection. It is reviewed continuously and, as needed, updated to keep pace with or remain ahead of societal expectations and health care industry needs, while simultaneously responding to changing public policies. The components of these steps include:
Step 1: Baseline Components
Step 2: Non-Identifiable, Patient-Level Data Components
Step 3: Identifiable Patient Data Components
Step 4: Components Ac
IMS has actively practiced these principles since we first began collecting patient-level information several decades ago. A natural consequence is an on-going dialogue with many other sectors of the health care community, especially data sources, to promote best practices of privacy protection. While nothing formal has emerged since the June 1996 hearings, we have noticed an increased awareness and vigilance concerning privacy protection. More parties are taking more actions, especially in the area of upgrading technology systems, to protect privacy and prevent unintended disclosures of personally-identifiable information.
As noted previously, the application of these principles within IMS is taken seriously. Independent of whatever privacy measures are afforded by a legal regime, IMS utilizes strict contractual obligations in its data collection and dissemination activities. They are among the most effective means of imposing accountability on all parties for their actions and performance. These contracts include provisions for auditing and enforcement, preventing unauthorized secondary uses of personally identifiable data, protecting the integrity of a system and providing a means for addressing non-compliance.
Commensurate with the sensitivity of the data in question, both legal and monetary penalties are utilized to enforce compliance. Failure to follow prescribed guidelines can result in service or employment termination and/or monetary damages.
1. Company Vision Statement
2. Significant portions of the material provided were taken from a paper prepared by IMS in response to the NTIA Request for Papers on Privacy and Self-Regulation, dated January 2, 1997.