An addiction medicine physician recently asked us a question his patients ask him: when you prescribe naltrexone, who else can see it? We went digging through statutes, FTC complaints, and network policy documents to find out. The answer surprised us: the privacy risk is almost never the state databases doctors worry about, and it is almost never the EHR itself. Patient data reaches insurance underwriters through six specific channels, and a cash-pay practice can close or narrow most of them.
This matters most for the conditions where a paper trail has a price: addiction medicine, psychiatry, anything a patient would rather keep between themselves and their doctor. A single naltrexone fill in the wrong database reads as an alcoholism diagnosis to a life-insurance underwriter, and patients know it. It is one of the most common reasons people avoid treatment altogether.
This is general information, not legal advice. The rules below interact with state law, and anything load-bearing should be confirmed with your own attorney.
Who is actually buying patient data?
Not health insurers. The Affordable Care Act bars health plans from underwriting individuals on health status, so your patient's medical history cannot raise their health premiums. The buyers are life, disability, and long-term-care insurers, and what they do is legal and consent-based: when your patient applies for coverage, they sign a broad authorization, and the insurer pulls their history from specialized data bureaus within seconds.
The two that matter are Milliman IntelliScript and ExamOne ScriptCheck (owned by Quest Diagnostics). Both are consumer reporting agencies regulated under the Fair Credit Reporting Act, the same law that governs credit bureaus. ExamOne says it works with pharmacy benefit managers (PBMs, the middlemen that process nearly every prescription claim in the country) covering more than 70 percent of the market. Milliman advertises prescription fills "from the previous day." An underwriter reading one of these reports sees drug, dose, fill dates, and prescriber, going back five to seven years.
So the real question is: how does a prescription, a lab result, or a chart note get into those systems in the first place? Six ways.
Channel 1: insurance claims, and the discount-card trap
The backbone. When a pharmacy bills insurance, the claim lands in a PBM database, and PBM databases are the bureaus' primary source. The FTC said it plainly in its 2007 complaint against Milliman: the company "obtains an insurance applicant's five-year prescription drug history from the PBMs."
A cash-pay practice closes this channel by default: no claim is ever created (every practice on Eureka runs cash-pay, so this channel starts closed). But there is a trap most patients and many doctors miss. A discount card is not cash. When a patient uses GoodRx or a pharmacy's house savings card, the transaction is adjudicated through a PBM on the same rails as an insurance claim, with the patient's name and date of birth attached. The FTC's 2023 complaint against GoodRx documents the mechanics. Some registers apply a savings card automatically. A patient who wants a private fill should say the phrase "true cash, no discount card" at the counter.
Channel 2: medical claims mining
Milliman sells a second product that scans medical claims, and its own marketing says what it looks for: substance use disorders, high-risk psychiatric conditions, and encounters at substance-abuse treatment facilities. The office visit that produced the prescription can out a diagnosis even if the prescription never does, because the visit's claim carries a diagnosis code.
This channel has one clean answer: a practice that bills no payer emits no claims. There is nothing to mine. If you are transitioning away from insurance, this is a privacy argument for the move that few doctors ever hear.
Channel 3: pharmacy data feeds
Here is the uncomfortable one: genuinely paying cash at a chain pharmacy no longer guarantees privacy. Chains furnish fill data to data networks regardless of how the patient paid, and ExamOne names retail pharmacy chains as direct sources alongside PBMs. Milliman's 2025 network report brags about capturing "risk-loaded, niche transactions from specialty, compounding, and institutional pharmacies, as well as from 'cash' or other off-insurance fills."
The counter is pharmacy choice. A cash-only pharmacy that never adjudicates claims and signs no data-sale contracts has no pipe to the bureaus. Independent pharmacies and compounders generally leave a smaller footprint than chains. For patients who need the strongest version, in-office dispensing or in-office administration (for example, buy-and-bill injectable medications paid in cash) creates no pharmacy record at all.
Eureka solves this with sensitive prescription routing, in beta now: prescriptions flagged as sensitive route to vetted cash-only pharmacies rather than the patient's default chain, and the patient gets the discount-card warning built into the process. Doctors on the platform can ask us for access.
Channel 4: lab history databases
Underwriters do not just see prescriptions. ExamOne's LabPiQture product returns up to seven years of clinical laboratory results performed by Quest Diagnostics and LabCorp, and, according to Gen Re's published evaluation, it returns the diagnosis codes the ordering doctor wrote on the requisition. A routine liver panel ordered with an alcohol-related diagnosis code becomes underwriter-visible even if no prescription ever leaks.
The counter is the same shape as channel 3: routing. Regional laboratories, in-office testing, and specialty labs sit outside the two big networks. Keeping requisition codes accurate but minimal is simply good practice. Sensitive lab routing is the second half of the Eureka beta.
Channel 5: EHR network queries
Most EHRs participate in nationwide record-sharing networks, Carequality and CommonWell being the big names. Participation means connected systems anywhere in the country can request your patients' charts, and the response goes out machine to machine. The networks were built so an emergency room can pull records at 2 AM, and for that they are genuinely useful.
But Carequality's own policy documents include a "Coverage Determination" purpose that covers life and disability insurance requests, and data vendors serving underwriters openly advertise their reach into health information exchanges and EHR networks. Responding to non-treatment queries is voluntary, and the industry's own disputes over mislabeled queries (the Epic and Particle Health fight was exactly this) show the honor system under strain.
The strongest position is not being on the grid at all. Eureka's EHR is connected to none of these networks, by design, and every record release follows our written records-release policy: verified, confirmed with the patient, one at a time, with a human in the loop. Under HIPAA, a third-party authorization request is permissive, not mandatory, so a practice is allowed to verify carefully and respond deliberately. The one thing that is never slowed down is the patient's own access to their own records, which is their legal right on a 30-day clock and the correct moral answer besides.
What about the state prescription databases? For most sensitive prescriptions the answer is better than doctors expect: PDMPs track controlled substances, and access is limited to prescribers, pharmacists, boards, and law enforcement, not insurers. But the rules are state-specific and they move. Ohio, for example, has required pharmacies to report naltrexone dispensed for substance use disorder since 2019, and Maryland now requires pharmacies to report every prescription fill to its state health exchange. Check your states, and if you prescribe controlled substances, know the PDMP rules you already work under.
Channel 6: the patient's own consent
Two things stay open no matter what a practice does, and they should. First, MIB, the insurers' shared clearinghouse, holds coded flags from the patient's prior insurance applications; nothing a doctor or pharmacy does touches it. Second, at application time the patient signs authorizations and answers direct questions about their treatment history, and those questions must be answered honestly. Lying on a life-insurance application is fraud, and it voids the policy exactly when a family would need it.
That is the bright line in all of this. Everything in channels 1 through 5 is lawful data minimization: preventing passive trails from forming, months or years before any application exists. Channel 6 belongs to the patient. The practical advice for a patient who anticipates needing coverage is timing: put life and disability policies in place before starting treatment, and pull their own bureau files first so there are no surprises.
What should a practice actually do?
In order of leverage:
- Run cash-pay. Channels 1 and 2 close by default. No claim, no signal. (Eureka practices are cash-pay by design.)
- Know your EHR's network posture. Ask your vendor whether you are on Carequality, CommonWell, or TEFCA, what purposes it responds to, and whether you can go treatment-only. If you cannot get a straight answer, that is an answer. (Eureka is on none of them.)
- Adopt a written records-release policy. Classify every incoming request, verify before releasing, confirm with the patient, and log everything. Ours is public and you are welcome to copy from it.
- Route sensitive fills deliberately. Cash-only pharmacies for prescriptions that carry stigma, and teach every such patient the discount-card trap. (Eureka does this for you: sensitive Rx routing is in beta.)
- Route sensitive labs deliberately. Outside the two big networks, with minimal accurate requisition codes. (The other half of the Eureka beta.)
- Teach patients their FCRA rights. Their bureau files are free, disputable, and worth pulling before any insurance application.
Most of this is workflow any practice can adopt. Some of it is infrastructure. Eureka was built cash-pay-first with no network participation, the records-release policy above is how our releases already work, and sensitive prescription and lab routing is in beta now: if you run a practice where patients need this, ask us about it.
Frequently asked questions
- Do state prescription monitoring programs report to insurance companies?
  Almost never. PDMPs track controlled substances (plus a few state-specific drugs of concern), and access is generally limited to prescribers, pharmacists, licensing boards, and law enforcement. In our review of eight states, only Arizona grants health insurers any PDMP access, and even there the law bars using it for payment decisions or credentialing. The databases insurers actually use are commercial prescription-history bureaus, which are fed by claims and pharmacy data, not by PDMPs.
- Can a patient see what insurers would see about them?
  Yes, free. The prescription bureaus are consumer reporting agencies under the Fair Credit Reporting Act, so every patient can request their own file and dispute errors: Milliman IntelliScript at rxhistories.com or 877-211-4816, ExamOne by mail, and MIB at mib.com or 866-692-6901. A patient considering life or disability coverage should pull all three before applying.
- Is helping patients with prescription privacy legal?
  Minimizing passive data trails is lawful: paying cash, choosing a pharmacy that does not sell data, routing labs thoughtfully. What is never acceptable is misrepresenting anything on an insurance application. Applications ask direct questions about treatment history, and answering them falsely is fraud that can void a policy. Privacy work happens upstream of the application, not on it.