Research on healthcare markets has to be noted here because often such market research now is being performed by, or for, units of organizations that have access to personal data collected for clinical research or disease management.
Obvious examples are the pharmaceutical enterprises, which analyze patterns and future projections of disease, the prescribing patterns of physicians and healthcare organizations, and the economic market for their current products and those under development. Much of this is no different from the market research performed by all businesses. Some is conducted by service companies that gather data, such as dispensing data from pharmacies, and convey them, in nonidentified form, to the drug companies. But what is special is that parts of the large firms may potentially have access, through the information amassed in their main innovative R&D research, to personally identifiable health data.
Several business developments of the past few years have raised this issue. Large research-based pharmaceutical firms have merged with large, highly computerized pharmacy supply companies to form pharmacy-benefit management businesses. Pharmaceutical companies have formed disease-management businesses (that is, supplying services, under contract, directly to patients such as diabetics). And pharmaceutical firms have acquired or formed networked physician informatics businesses. All of these activities are bringing these large companies much closer to patient care, and to large volumes of patient data.
May the commercial divisions of these companies access the personal healthcare data (such as the diabetics' data) for market research, or even carry out direct marketing to patients? Inversely, may the traditional R&D units (those that develop drugs, devices, and diagnostics) access the personal data collected by the affiliated pharmacy-benefit or disease-management businesses, to profile users of products or perform outcome studies or other analyses?
The temptations are obvious. A recent report from a panel of the National Research Council observed: "In many of these cases, specific agreements have been established to limit data sharing among affiliated companies, but the complex overlaps make security more difficult to ensure."59 Are effective barriers in place among these activities to protect the data-subjects? The companies should be urged to attend carefully to these matters.
(Also, commercial units of companies conduct product-acceptance research on health- related products, to gauge potential customers' opinions of product design, convenience, cost, packaging, and information. But this is little different from product research in other industries, except if the survey participants are identified as having particular diseases or disabilities. Informed consent and promises of nondisclosure can be incorporated.)
(59) NRC, Computer Science and Telecommunications Board, as cited in endnote (9).