Most importantly: we need to start treating drug addiction, and long term pain, as the public health emergencies they are and we need to stop criminalising drug addicts.
> Diversion investigations involve, but are not limited to, practitioners and mid-level practitioners who write prescriptions for no legitimate medical need and/or outside the scope of legitimate medical practice, or sell prescriptions to drug dealers or abusers; pharmacists who falsify records and subsequently sell or abuse the drugs; pharmacists who fill prescriptions that they knew or should have known were illegitimate; employees who steal from inventory and falsify records to cover illicit sales; prescription forgers; and individuals who commit armed robbery of
pharmacies and drug distributors
But they don't need patient ID to track that down. They can use supplier data.
I'm also struggling to read the document. It's written in a specific, jargon heavy, way. Use of the word "subpoena" every time they mention patient data is a little bit reassuring, but it's still not great.
> CLIN 2001 Unlimited access to patient de-identified data, to be identified via subpoena, for class 2 to 5 prescription data which includes pharmacy, medical, and dental data. Fixed price per license per month
I'm still ploughing through the 60 pages to try to get my head around it.
Someone I know once got Opioids to take home after a hospital visit, she said she didn't want them, they urged her to take them anyway. Turns out the hospital was sponsored by the producer of the pills.
This is not just over-prescribing, this is intentionally creating addicts and should be criminalized asap.
>Someone I know once got Opioids to take home after a hospital visit, she said she didn't want them, they urged her to take them anyway. Turns out the hospital was sponsored by the producer of the pills.
> This is not just over-prescribing, this is intentionally creating addicts and should be criminalized asap.
I'll devils advocate. But only barely.
So, lets say your friend didn't take them, went home, and day 2 something gets way more sore. If she tried to go back to the hospital to tell them, there is a possibility she gets the wrong doctor, gets a note on her file as 'seeking', and then is up a creek without a paddle.
This doesn't take away from the issues with overprescription and marketing. But speaking as someone who had to learn about some of this, the hospital did the shitty but correct thing
Source: because of the sheer -volume- of ADD meds I have to take and my aspergers, I got a good course from my doc on understanding how not to accidentally look like a seeker
> Most importantly: we need to start treating drug addiction, and long term pain, as the public health emergencies they are and we need to stop criminalising drug addicts.
You might be (not at all) surprised to learn that the largest opposition to this shift is the DEA itself (It's the DEA's fault, for example, that it's so difficult for addicts to get Suboxone even when prescribed). In terms of lobbying dollars, #1 is the police and prison guards union.
So, task one talks about encrypted patient identifiers. This makes it sound like they're not going after patients, but are targetting pharmaceutical companies and doctors.
Task 1: Provide and maintain data on a minimum of 85 percent of all prescriptions for Schedule/Class II through V prescription drugs (additional non-controlled items may be requested for possible scheduling actions) written and/or filled in the United States and trust territories:
a) Prescription data shall include, but is not limited to:
• The number of prescriptions filled,
• The number of new prescriptions filled,
• The number of refills filled, by date filled,
• The name of the controlled substance
• The days’ supply for the patient (e.g. 5 days, 15 days, et.),
• The prescribers name and DEA registration number, and specialty
• An encrypted patient identifier to whom the prescription was written
• Date prescription was dispensed
• Payment Type: cash, government payer, commercial payer
• Dosing information: quantity and days’ sup
---
Here's the patient information they want:
> Patients
• Number of instances of more than one Schedule II prescription for the same drug, and written within three days of each other by different prescribers
• Number of instances of more than one Schedule II prescriptions for the same drug and written within three days of each other by the same prescriber
• Number of instances of more than two patients, with the same address, receive the same drug in the same quantity from the same doctor on the same day.
• Number of early refills Opiate and Benzo combine
• Number of early Schedule II
• Distance between patient and pharmacy
• Average distance between patient and pharmacy for a combination of Opiate, Benzo and a muscle relaxer.
• Distance between patient and pharmacy for Schedule II
• Distance between patient and prescriber
• Distance between patient and prescriber for Schedule II
• Number of Opiate and Buprenorphine combinations
• Number of Paid “cash” Schedule II
• Number of Oxycodone 30 MG and 15 MG within five days overlap
• Number of times Opioid Cough Syrup exceeds 90 day supply
• Number of Oxycodone 30 MG and Hydromorphone 8 MG within five days overlap
• Average MME Per Day
• Average Total MME per pharmacy visit
• Number of Opiate and Benzo combine within 3 days
• Number of Opiate and Benzo prescriptions for the same person on the same filled day at different pharmacies.
• Number of Opiate and Benzo prescriptions filled for the same person on the same day from different prescribers
• Number of Opiate and Benzo prescriptions written on the same day to the same person by different prescribers
• Number of Opiate and Benzo filled on the same person on the same day
• Number of Opiate and Benzo filled for the same person on the same day at the same pharmacy
They also say this:
> f) Fully HIPAA-compliant.
> Current pharmacy and prescription data updated on a daily basis.
> Task 2: Streamline process for requesting the unmasking of pharmacy information. (PII shall be
withheld or redacted unless specifically requested by subpoena.)
It would also be almost impossible to use expert determination, for this is often done using statistical methods that are impossible to apply on changing datasets (such as k-anonymity).
edit: They also ask for an "encrypted patient identifier".
Recently Schedule II prescriptions are reported to state or multi-state registries that local government officials including police can view at will.
My provider makes me sign an expansive privacy waiver to get my prescription. I gave up the drug for awhile because of it, I had to come crawling back and sign it.
The AMA embraces this total abdication of their responsibility to protect patient privacy. A federal registry is the natural next step.
As an attorney I cannot imagine selling out my clients the way MD's do.
Who trusts the DEA with de-identified, highly personal information like drug use and all your personal info? I worked with the VA medical system and it was very hard to get de-identified data and when you got it, you had to be extremely careful and always keep the patients' best interest of privacy in mind. Do I trust DEA agents, people who signed up to actively punish and criminalize disproportionately minority and addicted people?
It is an interesting question of why people join the various federal law enforcement agencies. Is the DEA, ATF, or others a "B" team compared to the FBI?
Ultimately, this information will find its way into the hands of other nation-states who will use it to blackmail US citizens. Like other US internal surveillance efforts this is counter productive to national security. The weakest and lowest cost surveillance for external powers is through the local apparatus (a single point of attack). Providing them with that is either stupid or treasonous.
>Do I trust DEA agents, people who signed up to actively punish and criminalize disproportionately minority and addicted people?
I can't read minds, but I think an equally likely formulation might be "people who signed up to enforce the law on the criminal organizations that perform most drug trafficking"?
I think most petty drug enforcement (of the kind that targets users, rather distributors) is by the states, not the federal government, and therefore much less likely to be done by the DEA.
I prefer when trust is not necessary, because the capabilities were never granted in the first place. Even if the government was trustworthy (it's not), there is no guarantee that it will stay trustworthy.
All types of revenue models will justify their actions based on the need for additional revenue. The "war" on "drugs" is a scam perpetuated by those who seek rationalization of their "job" to "fight" "drugs".
Meanwhile, Oregon.
There is no limit to the things those who profit from the activities will do to achieve their goals, including erroding our constitutional right to privacy and pursuit of happiness.
1. This assumes it’s impossible to disincentivize drug usage via really harsh penalties enforced by state power. But look at China, where they have very little drug usage, due to extremely harsh penalties, and extreme social stigma. Individuals don’t get “mind expanding” or therapeutic benefits of drugs, but at least the society is not paying the cost of externalities of drug usage (see San Francisco’s Tenderloin).
2. Not all who do drugs are rational individuals with full information about what might happen if a chemical dependency is established. There are people pressured into drug usage by both legal mechanisms (Purdue Pharma) and illegal mechanisms (e.g a pimp creating a prostitute by forcing a drug addiction on that person). So the implication that there’s no bad actors, and it’s just the state enforcing draconian measures, misses very real cases of bad actors who should be stopped and punished. A legal system that pursues and removes bad actors can help society.
>But look at China, where they have very little drug usage, due to extremely harsh penalties, and extreme social stigma. Individuals don’t get “mind expanding” or therapeutic benefits of drugs, but at least the society is not paying the cost of externalities of drug usage (see San Francisco’s Tenderloin).
That's not the case though. China has lots of drugs, probably more than the US. Many of the powder based drugs in the US are made in China. When you go on a business trip there they flaunt all sorts of things from prostitution to drugs. As long as you're rich it's no problem.
>Not all who do drugs are rational individuals with full information about what might happen if a chemical dependency is established.
This is why in a perfect world we have to take a test to take certain drugs. It could be handled at the dmv. Once you're certified you can buy a specific quantity based on being an informed actor. It's how we handle other dangerous activities.
Can we get a source on very little drug usage in China?
From what I've read over the years, there actually is notable drug use in China for instance among factory workers.[1][2][3]
Also I'm sure lots of people on HN who are more intimately familiar with the Tenderloin can opine better than I but from what I understand, drug usage in Tenderloin is more of a symptom - not the core problem. Similarly, the drugs being used openly in Tenderloin are not the ones that individuals normally tout as "mind expanding" or therapeutic.
1. externalities related to drug use are largely a consequence of their status as illegal. a lack of public awareness and any reasonable regulation create a situation where illicitly substances are orders of magnitude more dangerous than they need to be. To use china as a stand in here ignores a lot of history as well as fundamental differences in social organization that make assumptions non-portable to a western context
2. so what? do we fix their lack of information but allowing the DEA to publish (demonstrably false and misleading) propaganda under a guise of 'think of the children'? To assume that the DEA themselves aren't seceptible to bad actors is downright naive, dangerous even. All evidence points to the fact that our drug policy has failed to mitigate any of the social costs related to drugs, and in most cases, has increased social burden.
> 1. This assumes it’s impossible to disincentivize drug usage via really harsh penalties enforced by state power. But look at China, where they have very little drug usage, due to extremely harsh penalties, and extreme social stigma. Individuals don’t get “mind expanding” or therapeutic benefits of drugs, but at least the society is not paying the cost of externalities of drug usage (see San Francisco’s Tenderloin).
And yet China is where literal tons of drugs like fentanyl and its derivatives are manufactured illicitly and shipped around the world.
Real story: NSA's data sharing with DEA et al in the course of illegal and unconstitutional parellel construction has showed said agencies just how much data they are missing out on... and now they want in.
Doctors often talk about how hard it is to treat patients because they're worried about being attacked for using drugs. This only makes their job harder.
Notice that we're talking about de-identified patient data here. There is a utility/privacy trade-off when using data containing private information: on the one hand, the patient's personal information must absolutely be protected, on the other hand, many processes could benefit from the information in such a data collection even without the knowledge of which data point belongs to which individual.
If de-identification is done right, it would be a bit of a stretch to talk about "surveillance" because that's the whole point of de-identification: remove any information from the records that allows a third-party to identify the underlying person from whom the data originated. Note especially that this includes inference attacks, i.e., not only should any occurrences of names be removed/masked but also any information that would allow an informed attacker to re-infer that information, i.e., cross-link the patient data back to a specific person.
The big elephant in the room, however, is the "If" at the beginning of the previous paragraph. As far as I see it, the problem lies not in wanting to establish some functionality that actually uses the collected information but whether appropriate privacy prerequisites have been put in place prior to that.
HIPAA already considers that too much under their safe habour rules, and k-anonymity (expert determination) can hardly be applied if you need to provide full zipcode and have a data-set that will grow/shrink over time.
33 bits of entropy to narrow down to a single individual. ~28 in USA
UID, Gender, Age group, Zipcode and City, plus of course your medication habits, is probably enough to deanonymize with a reasonable amount of confidence. Say age group is one of 8, age+gender is 5 bits of entropy. City zip is ~8. So that's 15 bits left on a good day.
Throw in any off-the-shelf targeted marketing data (usally worth 10-25 bits iirc) and you might as well use SSN as the patient ID.
As others noted, it is de-identified in name only. There is clearly sufficient information to make this something like a ROT13 analogue.
> If de-identification is done right
There is the rub, indeed. As a general rule, I don't trust de-identification. People mostly seem to reason poorly about how datasets can be merged and this has repeatedly failed.
Worse, I have seen it proposed to shut people up about privacy in situations where the proposer knew full well it would fail. De-identification was merely a prop in a con.
I would suggest that, if sensitive de-identified data is to be used by government, it go through a public trial challenge round. Let's let the public give a shot at it, it would build confidence and help suppress a little conspiratorial nonsense too, something we could use right now.
They should put their money where their mouth is and release the de-identified info of the high ranking DEA personnel. If they're so confident it's de-identified, it shouldn't be a problem. If that's a problem for them, the rest of us should definitely not trust it.
That's the rub isn't it? How can anyone think US Intel/LEO agencies will settle for de-anonymized anything? Their definition of anonymous seems to be "we didn't look at it yet."
Issue is once they target an individual as potentially abusing their prescription its only a matter of time before they seek a warrant to properly ID and raid that person. Guilty or innocent, those raids never go well for anyone or their dogs.
States already have similar registries that are not de-identified. Police or other local officials can review these registries almost at will. My provider requires patients to sign an expansive privacy waiver.
The US medical profession completely rolled over and sold out their patients. I can't figure out why, unless it is part of a deal to avoid being pursued or prosecuted for their part in creating the opioid crisis.
Just read through everything. This isn't just a wired RFP... its supercharged.
From Q&A:
> Answer: The provider of the information would need to have approvals to provide the
information to DEA and provide it without additional costs or approvals from the original
data provider. We would need it to be able to be analyzed outside of the host
environment so that we could take the results of the query and create our own reports and
dashboards and provide it to the necessary individuals in the field who could use the data
for investigative purposes.
So... this information is required to be provided to the DEA by law... but apparently some 3rd party entity is receiving it (I'll bet this is for LexisNexus) with apparently no restrictions on how its used and now the DEA is going to pay a stupid amount of money so they can do whatever shady shit they have planned.
I know that from an ethical standpoint, the RFP is iffy, but from a technical standpoint, I find it fascinating. Basically a big RDBMS with a bunch of stored procedures. Maybe something fancy like Tableau in front of it. The hard part would be getting the data sanitized and into the DB, and access control. Probably lots of encryption requirements as well.
Also note this is an RFP, so the decision to do it has already been made, this is basically the procurement of the service happening here.
Readit News
Most importantly: we need to start treating drug addiction, and long term pain, as the public health emergencies they are and we need to stop criminalising drug addicts.
> Diversion investigations involve, but are not limited to, practitioners and mid-level practitioners who write prescriptions for no legitimate medical need and/or outside the scope of legitimate medical practice, or sell prescriptions to drug dealers or abusers; pharmacists who falsify records and subsequently sell or abuse the drugs; pharmacists who fill prescriptions that they knew or should have known were illegitimate; employees who steal from inventory and falsify records to cover illicit sales; prescription forgers; and individuals who commit armed robbery of pharmacies and drug distributors
The US does massively over-prescribe opioids. There have been doctors who were careless in who they prescribed to. There have been "pill mills" https://www.theguardian.com/us-news/2019/oct/02/opioids-west...
But they don't need patient ID to track that down. They can use supplier data.
I'm also struggling to read the document. It's written in a specific, jargon heavy, way. Use of the word "subpoena" every time they mention patient data is a little bit reassuring, but it's still not great.
> CLIN 2001 Unlimited access to patient de-identified data, to be identified via subpoena, for class 2 to 5 prescription data which includes pharmacy, medical, and dental data. Fixed price per license per month
I'm still ploughing through the 60 pages to try to get my head around it.
This is not just over-prescribing, this is intentionally creating addicts and should be criminalized asap.
> This is not just over-prescribing, this is intentionally creating addicts and should be criminalized asap.
I'll devils advocate. But only barely.
So, lets say your friend didn't take them, went home, and day 2 something gets way more sore. If she tried to go back to the hospital to tell them, there is a possibility she gets the wrong doctor, gets a note on her file as 'seeking', and then is up a creek without a paddle.
This doesn't take away from the issues with overprescription and marketing. But speaking as someone who had to learn about some of this, the hospital did the shitty but correct thing
Source: because of the sheer -volume- of ADD meds I have to take and my aspergers, I got a good course from my doc on understanding how not to accidentally look like a seeker
You might be (not at all) surprised to learn that the largest opposition to this shift is the DEA itself (It's the DEA's fault, for example, that it's so difficult for addicts to get Suboxone even when prescribed). In terms of lobbying dollars, #1 is the police and prison guards union.
Task 1: Provide and maintain data on a minimum of 85 percent of all prescriptions for Schedule/Class II through V prescription drugs (additional non-controlled items may be requested for possible scheduling actions) written and/or filled in the United States and trust territories:
a) Prescription data shall include, but is not limited to:
---Here's the patient information they want:
> Patients
They also say this:> f) Fully HIPAA-compliant.
> Current pharmacy and prescription data updated on a daily basis.
> Task 2: Streamline process for requesting the unmasking of pharmacy information. (PII shall be withheld or redacted unless specifically requested by subpoena.)
You are missing the page before:
>Non-specific patient demographics (gender; age group; city, state, and zip code of residence)
This doesn't seem HIPAA compliant according to the safe habor rules: https://www.hhs.gov/hipaa/for-professionals/privacy/special-...
It would also be almost impossible to use expert determination, for this is often done using statistical methods that are impossible to apply on changing datasets (such as k-anonymity).
edit: They also ask for an "encrypted patient identifier".
Jail the doctors. They are getting bribes from drug companies.
My provider makes me sign an expansive privacy waiver to get my prescription. I gave up the drug for awhile because of it, I had to come crawling back and sign it.
The AMA embraces this total abdication of their responsibility to protect patient privacy. A federal registry is the natural next step.
As an attorney I cannot imagine selling out my clients the way MD's do.
I also don't think DEA agents [signed up to punish minorities]. You might be projecting your bias.
Drug enforcement was, from the beginning, founded in racism and anticommunism: https://qz.com/645990/nixon-advisor-we-created-the-war-on-dr...
I can't read minds, but I think an equally likely formulation might be "people who signed up to enforce the law on the criminal organizations that perform most drug trafficking"?
I think most petty drug enforcement (of the kind that targets users, rather distributors) is by the states, not the federal government, and therefore much less likely to be done by the DEA.
Deleted Comment
Meanwhile, Oregon.
There is no limit to the things those who profit from the activities will do to achieve their goals, including erroding our constitutional right to privacy and pursuit of happiness.
RIP America.
1. This assumes it’s impossible to disincentivize drug usage via really harsh penalties enforced by state power. But look at China, where they have very little drug usage, due to extremely harsh penalties, and extreme social stigma. Individuals don’t get “mind expanding” or therapeutic benefits of drugs, but at least the society is not paying the cost of externalities of drug usage (see San Francisco’s Tenderloin).
2. Not all who do drugs are rational individuals with full information about what might happen if a chemical dependency is established. There are people pressured into drug usage by both legal mechanisms (Purdue Pharma) and illegal mechanisms (e.g a pimp creating a prostitute by forcing a drug addiction on that person). So the implication that there’s no bad actors, and it’s just the state enforcing draconian measures, misses very real cases of bad actors who should be stopped and punished. A legal system that pursues and removes bad actors can help society.
That's not the case though. China has lots of drugs, probably more than the US. Many of the powder based drugs in the US are made in China. When you go on a business trip there they flaunt all sorts of things from prostitution to drugs. As long as you're rich it's no problem.
>Not all who do drugs are rational individuals with full information about what might happen if a chemical dependency is established.
This is why in a perfect world we have to take a test to take certain drugs. It could be handled at the dmv. Once you're certified you can buy a specific quantity based on being an informed actor. It's how we handle other dangerous activities.
From what I've read over the years, there actually is notable drug use in China for instance among factory workers.[1][2][3]
Also I'm sure lots of people on HN who are more intimately familiar with the Tenderloin can opine better than I but from what I understand, drug usage in Tenderloin is more of a symptom - not the core problem. Similarly, the drugs being used openly in Tenderloin are not the ones that individuals normally tout as "mind expanding" or therapeutic.
[1] https://pubmed.ncbi.nlm.nih.gov/30359871/ [2] http://www.xinhuanet.com/english/2019-06/26/c_138175718.htm [3] https://www.csmonitor.com/World/Asia-Pacific/2015/0503/Break...
2. so what? do we fix their lack of information but allowing the DEA to publish (demonstrably false and misleading) propaganda under a guise of 'think of the children'? To assume that the DEA themselves aren't seceptible to bad actors is downright naive, dangerous even. All evidence points to the fact that our drug policy has failed to mitigate any of the social costs related to drugs, and in most cases, has increased social burden.
And yet China is where literal tons of drugs like fentanyl and its derivatives are manufactured illicitly and shipped around the world.
How do you know these are the reasons?
If de-identification is done right, it would be a bit of a stretch to talk about "surveillance" because that's the whole point of de-identification: remove any information from the records that allows a third-party to identify the underlying person from whom the data originated. Note especially that this includes inference attacks, i.e., not only should any occurrences of names be removed/masked but also any information that would allow an informed attacker to re-infer that information, i.e., cross-link the patient data back to a specific person.
The big elephant in the room, however, is the "If" at the beginning of the previous paragraph. As far as I see it, the problem lies not in wanting to establish some functionality that actually uses the collected information but whether appropriate privacy prerequisites have been put in place prior to that.
They ask for: Gender, Age group, Zipcode and City
HIPAA already considers that too much under their safe habour rules, and k-anonymity (expert determination) can hardly be applied if you need to provide full zipcode and have a data-set that will grow/shrink over time.
https://www.hhs.gov/hipaa/for-professionals/privacy/special-...
edit: oh, and it seems they also ask for a "encrypted patient identifier", definitely doesn't seem kosher
UID, Gender, Age group, Zipcode and City, plus of course your medication habits, is probably enough to deanonymize with a reasonable amount of confidence. Say age group is one of 8, age+gender is 5 bits of entropy. City zip is ~8. So that's 15 bits left on a good day.
Throw in any off-the-shelf targeted marketing data (usally worth 10-25 bits iirc) and you might as well use SSN as the patient ID.
> If de-identification is done right
There is the rub, indeed. As a general rule, I don't trust de-identification. People mostly seem to reason poorly about how datasets can be merged and this has repeatedly failed.
Worse, I have seen it proposed to shut people up about privacy in situations where the proposer knew full well it would fail. De-identification was merely a prop in a con.
I would suggest that, if sensitive de-identified data is to be used by government, it go through a public trial challenge round. Let's let the public give a shot at it, it would build confidence and help suppress a little conspiratorial nonsense too, something we could use right now.
The US medical profession completely rolled over and sold out their patients. I can't figure out why, unless it is part of a deal to avoid being pursued or prosecuted for their part in creating the opioid crisis.
From Q&A:
> Answer: The provider of the information would need to have approvals to provide the information to DEA and provide it without additional costs or approvals from the original data provider. We would need it to be able to be analyzed outside of the host environment so that we could take the results of the query and create our own reports and dashboards and provide it to the necessary individuals in the field who could use the data for investigative purposes.
So... this information is required to be provided to the DEA by law... but apparently some 3rd party entity is receiving it (I'll bet this is for LexisNexus) with apparently no restrictions on how its used and now the DEA is going to pay a stupid amount of money so they can do whatever shady shit they have planned.
Also note this is an RFP, so the decision to do it has already been made, this is basically the procurement of the service happening here.