Predicting Drug Diversion: The Use of Data Analytics in Prescription Drug Monitoring


Equifax just completed the acquisition of Appriss Insights,[1] who is rebranding as Bamboo Health.[2] How much data sharing goes on between the entities? Just as Appriss’ NarxCare score[3] is a black box[4], never subjected to peer review or outside scrutiny[5], this reorganization seems designed to hide data sharing. Monitoring of controlled substance prescribing is a recent phenomenon that owes its appearance to the opioid epidemic. Doctors are now put in a position to be law enforcement, counterintuitive to their training. As medical students, physicians learn to conduct a history and physical. The patient’s story is a center piece of the history, and there is a truth bias. Physicians are being asked to doubt what patients tell them and approach each encounter as someone who is “drug-seeking.” This harms the physician-patient relationship directly.

There is a historic conflict around what constitutes the practice of medicine, particularly in regard to physician prescribing of controlled substances.[6] With the passage of the Harrison Narcotics Act in 1914, Congress sought to address the non-medical use of narcotics.[7] Drafted as tax law, the Harrison Act required anyone authorized to manufacture or distribute narcotics to register with the Treasury Department, pay a fee and keep records.[8] For the first time,  possession, use, and distribution of narcotics were criminalized. Physicians were easier than unlicensed distributers to target and bring to court.[9]

A series of Supreme Court decisions transformed narcotics control from tax revenue to a cabining of physician prescribing. Prescribers could no longer treat patients with their drugs of choice to prevent withdrawal, as addiction was viewed as a vice.[10] The first argument to allow alleviation of pain and suffering was Linder v. United States, when prescribing for withdrawal symptoms was permitted.[11] In 1968, Congress established the Bureau of Narcotics, housed in the Justice Department for the enforcement of federal drug laws.[12] The Controlled Substance Act (CSA) was passed in 1970, beginning the accelerated ‘War on Drugs’. The CSA created five schedules of controlled substances based upon medical use and abuse potential.[13] Prescribers were now required to register with the Attorney General, the law required that prescriptions “must be for a legitimate purpose acting in the usual course of professional practice.”[14] The CSA created a closed chain for controlled substance distribution which was designed to monitor legal products as they were transferred among DEA registrants to prevent diversion to the illicit market.[15] The DEA manages diversion by maintaining strict control over availability of substances through quotas, registration, record keeping, and security requirements from manufacturer to patient.[16] The DEA has a way to track suspicious ordering without the need to resort to protected health information (PHI), and has since the initiation of the CSA. The DEA is responsible for the production numbers of opioid quotas.

Prescription Drug Monitoring Programs (PDMP) began on paper as a set of law enforcement tools. The first  program, in New York in 1918, was rescinded after three years.[17] California started one through the Bureau of Narcotic enforcement in 1939 followed by Hawaii in 1943.[18] When Illinois chose to begin one in 1961, it was housed in the Department of Health.[19] As other states began their programs, all were used for Schedule II drugs and required duplicate or triplicate prescription forms that relied on tracking serial numbers.  In 1977, the Supreme Court ruled in Roe v. Whalen that these PDMPs were not unconstitutional.[20] The Court felt that PDMPs did not violate confidentiality and were part of state police powers. This ruling was based on paper, static PDMPs with very limited information. In 1990, Oklahoma was the first state to mandate electronic transmission of PDMP data.[21] From 2000-2017, twenty-seven electronic PDMPs were established.[22] In 2010, five states had mandatory prescriber query laws; by 2021, forty states had mandatory query laws.[23] Forty-seven states allow interstate sharing of data.[24] Unlike their paper predecessors, today’s PDMPs have a wealth of personal information.[25] They track Schedule II-V drugs and some track unscheduled medications. Prescriptions reveal information from diagnosis to location.

Only Missouri does not currently have a PDMP.[26] Twenty are housed in the Board of Pharmacy, nineteen in the Department of Health, six in professional licensing agencies, five in law enforcement, three in substance abuse agencies, and one in a consumer protection agency.[27] In addition to scheduled drugs, they track “drugs of concern.”[28] Many have alternate data from child welfare cases, drug court, drug arrests and convictions, medical marijuana dispensing, Narcan dispensing, disciplinary information of registrants, and lost or stolen drug reports.[29] Insurance companies and marijuana dispensaries are being given access to PDMPs. Thirty-eight PDMPs give prescribers an unsolicited report card comparing them to other prescribers.[30]

Forty-two of the fifty-two PDMPs have Appriss’ algorithm embedded within them, which uses the “NarxCare” score, a three digit score, for narcotics, sedatives, and stimulants. It leverages a black box algorithm that has never been subject to outside or peer evaluation. The ‘NarxCare’ patent was originally from a 2011 filing by the National Boards of Pharmacy.[31] When the patent was renewed in 2015 it was transferred to Appriss. All of the validation of NarxCare was internal, retrospective, case control studies of Ohio data from 2009-2015.[32] Appriss claims to be a clinical support tool and on the website markets NarxCare as “Up Front, Every Patient, Every Time”, but only reveals some of the data used to generate the score:

  • Number of prescribers;
  • Number of pharmacies;
  • Amount of medication;
  • Presence/amount of potentiating medication
  • Number of overlapping prescriptions


Appriss is seeking access to CLUE (an auto database), SIRIS (a banking database), and MIDEX (a real estate database) which the recent purchase by Equifax makes likely.[33] Appriss asserts that their internal studies “validate the NarxCare scores. Such self-serving assertions hardly quell the concerns identified, the initial innovator of a black-box software platform faces strong financial incentives not to disprove its own algorithm.”[34] Their model fails transparency. It is a retrospective cohort which means selection bias and often errors of conclusion (correlation is not causation). In a retrospective study, there are too many confounding variables. The study population was selected for having the targeted health outcome which confounds the contextual information and is not accounted for in the study population. In constructing the NarxScore, no alternative hypotheses were accounted for. They had a lack of independence and had an overarching assumption which puts great limits on the data integrity. NarxCare is also based solely on data from Ohio which then creates questions about its generalization to expand beyond that geographic region.[35] Appriss did not disclose any tests of reliability and validity.[36] Algorithms need post marketing surveillance audits.[37]

The Odds Ratio (OR) is a measure of association between an exposure and an outcome. The OR represents the odds that an outcome will occur given a particular exposure, compared to the odds of the outcome occurring in the absence of that exposure.[38]  Risk is a probability, a proportion of those exposed with an outcome compared to the total population exposed.  An OR of 10.1 means there is a 1010% increase in the odds of an outcome with a NarxCare (Overdose Risk) score of 200-290, and so forth. Looking at Table 2 From the Appriss White Paper pictured below, we see that in Ohio the Overdose Risk 0-190 represents an OR of 1.0; Overdose Risk 200-290 OR = 2; Overdose Risk 300-390 OR = 4; Overdose Risk 400-490 OR = 8; Overdose Risk 500-590 OR = 14; Overdose Risk 600-690 OR = 24; Overdose Risk 700-790 OR = 38; Overdose Risk 800-890 OR = 72; and Overdose Risk 900-990 OR = 417.  Importantly, this is not the same as saying a multiplication of the likelihood of an outcome. Rather this is a measure of a chance that a projected likelihood will occur.[39]



The confidence interval (CI) is the 95% probability that the true OR (chance) would be likely to lie between the upper and lower limits, assuming there is no bias or confounding in the data. Confidence intervals are a general guide to the amount of random error in the data. The width of the CI indicates the amount of random error in an estimate. Pictured below, for Overdose Risk of 200-290 with an OR of 2, the true OR is 10.1 with a 95% CI of (7.8, 13); for Overdose Risk of 300-390 with OR of 4 the true OR is 10.0 with CI (7.7, 12.9); for Overdose Risk of 400-490 with OR 8 the true OR is 16.3 with CI (12.7, 20.9); for Overdose Risk of 500-590 with OR 14 the true OR is 31.7 with CI (24.7, 40.6); for Overdose Risk 600-690 with OR 24 the true OR is 56.1 with CI (43.1, 73); for Overdose Risk 700-790 with OR 38 the true OR is 76 with CI (55.9, 103.3); for Overdose Risk 800-890 and OR 72 the true OR is 101.3 with CI (66.2, 155.2) and finally for Overdose Risk 900-990 with OR 417 the true OR is 168.1 with CI (48, 588). These are large errors.



The Appriss NarxCare model overpredicts overdose risk. Highlighted in the graph above are the errors at 56%, 60%, and 125%. A calculated 54 times means where 90 MME (morphine equivalents) it should really be reflected as 4500 MME. As a comparison, an estimated 200,000 dead from COVID-19 would be 10,000,000 dead.[42]

The Appriss model is a smart database that purports to use artificial intelligence to predict an individual’s probability of developing opioid use disorder. The NarxCare predicted risk scores do not appear to correlate with the individual specific treatment effect of receiving opioids.[43] Professor Kilby, an economics professor, constructed an algorithm similar to Appriss and used a more comprehensive database. There is inherently algorithmic unfairness in machine learning applications arising from the researcher’s choice of the objective function.[44] The algorithm identifies high risk for opioid use disorder based on a few key demographic characteristics thereby flagging complex chronic pain patients with comorbidities as high risk. Models trained with the typical risk-prediction objective function do not produce a valid proxy for the object of interest: patient-level heterogeneous treatment effects.[45] The algorithm falsely discriminates against rural patients, those who have suffered trauma, having multiple prescribers due to no fault of their own (especially now that most doctors are employees) or relocation due to jobs, and cash payments due to indiscriminate need of prior authorizations.[46] The algorithm falsely sees these variables as doctor shopping and indicators of drug diversion or substance abuse.

Prescription drug monitoring has exacerbated, rather than mitigated the overdose crisis. Some patients may choose to forgo treatment due to unwanted surveillance and law enforcement involvement. Monitoring incentivizes physicians to avoid these substances, even when medically indicated, to avoid scrutiny as they fear the DEA. Prescription drug monitoring has led to a dramatic spike in illicit drug use and overdoses. The data analytics in PDMPs perpetuate biases and have a disproportionate impact on the underprivileged. Most concerning is that law enforcement can access and mine data without individualized suspicion, probable cause, or any judicial review. This has led to the inappropriate targeting of prescribers. The PDMPs are criminal and regulatory surveillance tools dressed up as public health.[47] They are used to help the DEA identify who they perceive might be suspicious patients, prescribers, and pharmacists who they feel might be diverting narcotics.[48] The DEA uses administrative subpoenas to search databases. When challenged by states (on Fourth Amendment and Due Process grounds) the DEA has successfully defended their actions invoking the third-party doctrine.[49] Professor Oliva contends that these warrantless searches violate the Fourth Amendment under Carpenter.[50] This is particularly relevant since PDMPs are no longer static, passive databases with limited information, but have become smart databases replete with personal health information. They rely on robust data analytics with black box algorithms that have never been subjected to independent verification.[51]


Overdose deaths have spiked and in fact have been driven by illicitly manufactured fentanyl, an increase of over 540% from 2014-2016 as shown in figure 2 above. The trope that the opioid overdose crisis is due to physician overprescribing is erroneous.[52] Prescription painkiller deaths leveled off and had been overestimated to begin with.[53] Opioid prescribing started declining with the introduction of PDMPs consistent with the discriminatory and chilling effect on prescribing for chronic pain patients many have described:[54] As pictured below, Prescription opioid use declined to 60% of the peak volume in 2011 and continues to decline.


For patients who purportedly became addicted after receiving a pain prescription, over 75% did not get those medications directly from physicians.[55] The implementation of PDMPs has not been associated with a reduction in drug overdoses.  In a subsample analysis of states with PDMPs in operation for 5 or more years, the programs were found to be associated with significantly higher mortality rates in legal narcotics, illicit drugs, and other and unspecified drugs.[56]

Despite the harm and disparate impacts on marginalized populations, expansion continues as evidenced most recently by Equifax’s purchase of Appriss and Appriss’s rebranding. In addition, the DEA submitted a Request for Proposal, (“RFP”) for their own nationwide database to streamline the subpoena process.[57] An RFP is a description of the service they are seeking ad a call for bids. They are seeking prescription level data at the national, state, and local levels. The RFP includes the ability to rank the top prescribers both nationwide and statewide for Schedule II and Schedule III substances, including fentanyl, oxycodone, hydrocodone, tramadol and buprenorphine (a drug used to treat substance use disorder). They are also seeking to target pharmacies with the same ranking criteria. Given the amount of data that the Department of Justice would have direct access to on a regular basis, this is monitoring of the population on an unprecedented scale.

Algorithms such as Appriss’s NarxCare are marketed as clinical decision support tools which makes them subject to FDA regulation. The FDA regulates medical devices, and software as a medical device is part of Clinical Decision Support tools.[58] Section 3060 of the twenty-first  Century Cures Act exempts five categories of Clinical Decision Support tools.[59] For Software as a Medical Device, the FDA seeks a valid clinical association between the software’s output and its targeted clinical condition.[60] The company must show that the software processes input data to generate accurate, reliable output that achieves the intended purpose in the context of clinical care for the target population.[61] Since PDMPs have not shown that they reduce overdose deaths nor improve patient outcomes, NarxCare scoring would fail these FDA safety and effectiveness criteria. In Section 3060, software is exempt from regulation if it is administrative support software, unrelated to diagnosis, cure, mitigation, prevention or treatment of a disease or condition, an electronic health record or used to store and transfer lab data – as long as it does not analyze the data. There is a final exemption concerning software that aggregates patient data and provides recommendations to health care professionals about prevention, diagnosis, or treatment of a disease or condition. This exemption depends on the health care professional being able to “independently review and reject the recommendations that such software presents.”[62] The key is that health care professional needs to not rely on the software for decision making for the vendor to avoid regulation.[63] NarxCare scores are presented to prescribers in an unavoidable fashion in the PDMP. Laws are in place to mandate checking the PDMP prior to prescribing and many are now integrated into electronic health records.

Professor Oliva contends that the FDA should be regulating this data analytic software, as the NarxScore is simply presented to prescribers as a risk score without any way to independently evaluate its veracity.[64] Given the harms from PDMP use, the increased overdoses, the difficulty for chronic pain patients to obtain needed medications, PDMPs are certainly ripe for regulation. Most importantly, the intrusion upon privacy by these entities, without any consent from patients is concerning. Receiving a prescription should not mean giving the government your medical history. It certainly should not mean giving it to Equifax.





[1] Equifax, Equifax Completes Acquisition of Appriss Insights (Oct. 01, 2021),

[2] Bamboo Health, (last visited Oct. 23, 2021) .

[3] NarxCare Score is their proprietary predictive algorithm used in prescription drug monitoring programs nationwide. Bamboo Health, NarxCare, (last visited Oct. 23, 2021).

[4] A blackbox algorithm is one whose inputs and operations are not visible to the interested party. It is an impenetrable system. (last visited Nov. 11, 2021).

[5] November 1, 2021 a study is being published purported to be a comprehensive external verification of NarxCare however it only looks at Ohio and Indiana via a one-time self-administered survey. Gerald Cochran, et al., Validation and Threshold Identification of a Prescription Drug Monitoring Program Clinical Opioid Risk Metric With the WHO Alcohol, Smoking, and Substance Involvement Screening Test (Nov. 1, 2021),

[6] Diane E. Hoffman, Treating Pain v. Reducing Drug Diversion and Abuse: Recalibrating the Balance in Our Drug Control Laws and Policies, 1 St. Louis j. health L. & pol’y 231, 257 (2008).

[7] Id. at 259.

[8] Id.

[9] Id.

[10] Id. at 261-62.

[11] Id.

[12] Id at 263

[13] 21 U.S.C. §§ 812, 822.

[14] Id..

[15] Jennifer D. Oliva, Prescription Drug Policing: The Right to Health-Information Privacy Pre and Post Carpenter 69 Duke L. J. Duke L.J. 775, 782 (2020).

[16] Id. Databases of every sale, delivery, and disposal are kept in ARCOS (Automation of Reports and Consolidated Orders System).

[17] See generally,  Prescription Drug Monitoring Program Training and Technical Assistance Center  (“PDMP TTAC”), History of Prescription Drug Monitoring Programs (Brandeis Univ.) (2018).

[18] Id.

[19] Id.

[20] Id.

[21] PDMP TTAC, PDMP Policies and Capabilities Results from 2020 State Assessment (2021),

[22] Id.

[23] Id.

[24] Id.

[25] Olivia, supra note 14 at 775.

[26] Appriss Health, Up Front, Every Patient, Every Time,

[27] Id.

[28] Id. These include gabapentin, butalbital and ephedrine.

[29] Id.

[30] Id.

[31] Application No, 13/234,777, September 16, 2011, James Huizenga for the Department of Justice.

[32] Huizenga J.E., et al., NarxCHECK Score as a Predictor of Unintentional Overdose Death , Appriss, Inc., (Oct. 2016),

[33] Id. See also Jennifer D. Oliva Dosing Discrimination Regulating PDMP Risk Scores 110 Ca. L. Rev. (forthcoming 2022).

[34] Id. 

[35] Kristine Whalen, Risk Scoring in the PDMP to Identify At-Risk Patients, (Appriss Health ed.,  2020);

Chelsea Canan et al, Automatable Algorithms to Identify Mon-medical Opioid Use Using Electronic Data: a Systematic Review, 24(6) J. Am. Med. Info. Assoc. 1204-10 (2017).

[36] Angela E. Kilby, Algorithmic Fairness in Predicting Opioid Use Disorder using Machine Learning, N.E. Univ.  (Mar. 2020).

[37] Id.

[38] Terri Lewis, Analysis of the Appriss Narx Model 12 J. Advanced Rsch. Dynamic. Control Sys.  (forthcoming 2022).

[39] Id.

[40]Whalen, supra note 35.


[41] Neil K. Anand, Institute of Advanced Medicine and Surgery. Dr. Anand reached out to Appriss in 2020 seeking the raw data used in their analysis for independent study as mentioned in their excerpt. The contact was no longer working for Appriss and the other parties were non-responsive.


[42] Kilby, supra note 36.

[43] Id. ; Chelsea Canan et al, Automatable Algorithms to Identify Mon-medical Opioid Use Using Electronic Data: a Systematic Review, 24(6) J. Am. Med. Info. Assoc. 1204-10 (2017).

[44] Id.

[45] Id.

[46] Jennifer D. Oliva Dosing Discrimination Regulating PDMP Risk Scores 110 Ca. L. Rev. (forthcoming 2022).

[47] Jennifer D. Oliva, Prescription Drug Policing: The Right to Health-Information Privacy Pre and Post Carpenter, 69 Duke L.J. 775 (Jan. 2020).

[48] Id.

[49] Id.

[50] Id.

[51] Id.

[52] Maia Szalavitz, Why Trump’s Opioid Plan Will Harm More People Than It Will Save, SELF (Mar. 28, 2018), [].

[53] The CDC issued a correction from its original number of 32,445 lowering by 53% to 17,087.;;

[54] Kilby, supra note 36.

[55] Id.

[56] Young Hee Nam, et al., State Prescription Drug Monitoring Programs and Fatal Drug Overdoses, 23 Am. J. Mgmt. Care. 5 (May 2017).

[57] DEA RFP 15DDHQ20R00000021

[58] Oliva, supra note 46.

[59] See generally An Act to Accelerate the Discovery, Development, and Delivery of 21st Century Cures, Pub. L. No. 114-255 (West 2016),

[60] Oliva, supra note 46.

[61] Id.

[62] Oliva, supra note 47.

[63] Id.

[64] Id.