That seems ... bizarre. Does something like HIPAA not prevent companies from using pharmacy patient data against their regular sales info on the same person? I get it's supposed to be anonymized data, but how can they figure out who's buying Ozempic vs not for this specific comparison?
Welcome to the world of "clean rooms", often used with tricky consumer data like this [1].
I recently was a Tech PM for a large ad/marketing agency and we utilized them for effectiveness of movie goers for a large studio. Essentially, we wanted to see who saw our ads on social media _AND_ set top boxes _AND_ searched for the movie title in particular Zip codes.
Obviously highly specific data that fingerprints a single user wouldn't be given to us by Meta, Comcast, and Google (first-party data), but we can ship that data to a "clean room" who will venn-diagram it together to get us our ultimate numbers, per Zip code, to find effectiveness/reach.
Walmart, being a first party with both of their doors (retail and pharmaceutical), presumably can do this all themselves with their own data scientists looking at register receipts.
I’ve spent a bunch of time with HIPAA. It’s a lot less protective than most people think.
Practically (though it’s more nuanced), if data is truly anonymous, they can use it however they want. The challenge is getting data to be truly anonymous. It’s very difficult once you want to identify geographic or regional data. Age, gender, and zip code create plausible identity in many places.
For HIPAA purposes, there is no such thing as anonymized info if someone can coax out zip code, gender, and birth date. That's the current SotA standard in terms of k-deanonymization.
And yes. BAAs apparently allow companies to throw that shit around like hot cakes. Remember, it isn't actually illegal until someone has been sued for it, and they lose (no settlement).
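The comments above point at zip code, gender, and birth date as the fields that make "anonymized" rows identifiable. As an added example (not part of any commenter's post), this sketch measures k-anonymity over those three quasi-identifiers before a release, then shows that coarsening the fields still leaves a lone outlier until small groups are suppressed. The records, the generalization rule (3-digit zip, birth year), and the threshold k=3 are constructed assumptions.

```python
from collections import Counter

# Constructed sample rows: (zip, gender, birth_date). Not real data.
RECORDS = [
    ("30301", "F", "1984-03-12"),
    ("30301", "F", "1984-07-30"),
    ("30302", "F", "1984-11-02"),
    ("30305", "M", "1990-01-15"),
    ("30309", "M", "1990-06-21"),
    ("30309", "M", "1990-09-09"),
    ("98101", "F", "1975-05-05"),
]

def exact(rec):
    """Quasi-identifiers as stored: full zip, gender, full birth date."""
    return rec

def generalized(rec):
    """Assumed coarsening: keep 3 zip digits and only the birth year."""
    zip_code, gender, birth = rec
    return (zip_code[:3] + "**", gender, birth[:4])

def class_sizes(records, view):
    """Count how many rows share each quasi-identifier combination."""
    return Counter(view(r) for r in records)

def k_anonymity(records, view):
    """k is the size of the smallest group; k == 1 means someone is unique."""
    return min(class_sizes(records, view).values())

def suppress_small(records, view, k):
    """Release only rows whose group has at least k members."""
    sizes = class_sizes(records, view)
    return [view(r) for r in records if sizes[view(r)] >= k]

if __name__ == "__main__":
    print("k (exact fields):      ", k_anonymity(RECORDS, exact))
    print("k (generalized fields):", k_anonymity(RECORDS, generalized))
    released = suppress_small(RECORDS, generalized, k=3)
    print("rows released at k>=3: ", len(released), "of", len(RECORDS))
    for combo, n in sorted(Counter(released).items()):
        print("  ", combo, n)
```
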