Last year, New York's Governor Andrew Cuomo signed into law the Internet System for Tracking Over-Prescribing (I-STOP) Act, which establishes a database of prescriptions for certain addictive medications and requires physicians and pharmacists to use that database to screen for duplicate prescriptions from multiple doctors. The objective is obviously to control the abuse of prescriptions to obtain the addictive pharmaceuticals.
The impetus for this legislation was a 2011 quadruple execution-style murder, by an addict, at the Haven Pharmacy on Long Island. The killer was sentenced to what will surely amount to life without parole, and his wife received 25 years for her complicity.
One of the victims was 17-year-old Jennifer Mejia, whose only crime was working at her gainful employment at the pharmacy when the killer came in and opened fire. I did not know Jennifer or her family, but the news of her murder hit me especially hard because when I was 17 years old, I, too, was employed part-time after school at a local small town pharmacy.
This was back in the early 1970's, before Section 1203(d) of the Tax Reform Act of 1976 amended I.R.C. § 6109 to require the use of Social Security Numbers in the taxation process, a giant step towards their ubiquity in today's society. It is safe to say that, with few exceptions if any, the only SSNs in the pharmacy's records were those of the employees. None of the records were computerized; each customer had an index card with his or her prescription history. Other high school students (one of whom happened to be a classmate of mine) came in a few evenings per week to maintain the record cards by typing them on the typewriter. [The most advanced information technology used by the drugstore was not for the purpose of maintaining customer records, but rather, was the teletype terminal used in store's ever-contracting sideline business as the town's Western Union telegram franchisee; I thus had occasion to deliver more than a few Western Union telegrams during the course of my employment there.]. The information security measures in place at the pharmacy in those days were the norm for businesses at the time, but would be considered insignificant by today's commercial standards. Even so, the Old Man did make abundantly clear that information regarding customers' personal medical situations, including and especially the drugs they were prescribed, was nobody else's business, and that he would view breaches of such confidentiality with greater disdain and alarm than things such as coming in late or goofing off on the job. My successor in the position received a mild reprimand for the fender bender he had with the store's delivery station wagon; I am sure that the Old Man would not have given him a second chance had he blabbed about a customer's specific prescriptions to a third party. The technology and society have changed tremendously since the early 1970's. We are now able to keep pharmacy customer records in real time, and coordinate the pharmacy's records with the physician's records, not to mention the healthcare insurance records. New York's I-STOP database has just gone live, and, Newsday reports, "In its first three days of use, New York State's new online system for tracking prescription pill abuse discovered at least 200 instances of apparent doctor shopping, when patients visit a number of doctors in search of prescriptions for pain pills." As with any other database containing personal information, there are advantages and disadvantages, plusses and minuses, and potential for good and for harm. In no particular order, the following ponderables and imponderables come to mind; do feel free to add to the list when you comment:
The patient's name; the patient's residential address; the patient's date of birth; the patient's gender; the date on which the prescription was issued; the date on which the controlled substance was dispensed; the metric quantity of the controlled substance dispensed; the number of days supply of the controlled substance dispensed; the name of the prescriber; the prescriber's identification number, as assigned by the DEA; the name or identifier of the drug that was dispensed; and the payment method, together with "such other information as is required by the [New York State Department of Health] in regulation."
The date of birth is of obvious interest to genealogists. As matters currently stand, the I-STOP data is not to be disclosed to the public. But with the sheer numbers of physicians and pharmacists who must access it, there are obvious security issues.
- B. Those security issues noted above are all the more salient in light of the Affordable Care Act's effective incentives for businesses to cut costs by hiring less full-timers and more part-timers, thereby avoiding the responsibility to offer healthcare coverage. Governmental employers are also getting in on the act as well, as are colleges and universities. This mean not only more individuals involved, but a workforce whose job tenure, and identity with and loyalty to their employers will, in many cases, be quite attenuated.
- C. The statute itself is devoid of SSNs. But the database might also include "such other information as is required by the [New York State Department of Health]." It is not difficult at all to imagine the DOH adding SSNs as a parameter.
- D. Nor is it difficult to imagine identity thieves obtaining prescriptions in the name of identity theft victims.
- E. The big chain pharmacies are already maintaining databases which include the purchases of non-prescription items, and are already using such information to personally target their marketing to their customers. I regularly receive promotional coupons from Rite Aid for the types of items I frequently purchase there. I started receiving a spate of coupons for candy, which I personally do not consume or purchase. Sure enough, my wife, who sometimes uses my Rite Aid customer rewards card, had been purchasing candy at Rite Aid. Query: What is there to prevent the I-STOP database from being used or misused to market products or services to consumers?
- F. The real time verification which was actually achieved by the I-STOP program, and proven successful by the detection of questionable cases, surely offers lessons to the IRS in how it might approach detecting identity theft in the filing of tax returns.
Bottom Line: Those concerned with promoting information security should be watching New York's I-STOP program. Identity thieves certainly will be watching it and testing it.