CVS Caremark says it is careful about patient data. “In very limited circumstances, we exchange aggregated, de-identified data with third parties to assist the health care community in understanding patient use of prescription medications with the goal of achieving better health outcomes,” said Carolyn Castel, a company spokeswoman.

Selling data to drug manufacturers is still allowed, if patients’ names are removed. But the stimulus law tightens one of the biggest loopholes in the old privacy rules. Pharmacy companies like Walgreens have been able to accept payments from drug makers to mail advice and reminders to customers to take their medications, without obtaining permission. Under the new law, the subsidized marketing is still permitted but it can no longer promote drugs other than those the customer already buys.

The ban on marketing is even more strict in California, where Walgreens is fighting off a class-action lawsuit filed on behalf of customers who received the subsidized mailings before the state outlawed them in 2004. Michael Polzin, a Walgreens spokesman, defended the mailings as a cost-cutting measure. “Patients who fail to properly take their medication cost the U.S. health care system $177 billion a year,” when they fall sick and need treatment, he said.

The data mining industry, meanwhile, is challenging laws in New Hampshire, Maine and Vermont that ban collecting and selling prescription information to drug makers, which use it to decide which doctors to market to.

The companies in the case, IMS Health and Verispan, now part of the private company SDI Health, said the identities of patients were removed. “At no time does SDI ever receive any identifiable patient information nor any means to identify any patient from the data we handle. All data is de-identified prior to transmission to SDI,” said Andrew Kress, chief executive of SDI.

Privacy advocates and a judge in the case argued that de-identified information could easily spin out of control. “This information quickly finds its way into other databases, including those of insurance carriers and pharmacy benefits managers,” Judge Bruce M. Selya wrote in a federal appeals court decision upholding the New Hampshire law.

IN another big change, the stimulus law provides $19 billion to push doctors toward installing electronic records systems. It is a milestone on the road toward President Obama’s goal of digitizing all medical records within five years. But digitization creates the potential for more abuses by hackers, as well as blackmail and insurance fraud.