The Intersection of Privacy and Compliance Plans

Compliance plans should not just be a binder on a shelf, but should be a “living, breathing” document that contains policies and procedures that effectively deal with the business and regulatory realities that pharmaceutical and device manufacturers are facing.

This is particularly true of privacy. Recent media reports of mismanaged personal information have sharpened the focus on preventing improper disclosure or compromise of sensitive information, making it a focal point for consumers and regulators alike and leading to increased scrutiny of business practices across all industries.

Privacy concerns touch on almost all aspects of the activities of pharmaceutical and device manufacturers. Manufacturers face unique challenges as they seek to establish a corporate culture that ensures data protection through policies and procedures without impeding the necessary exchange of patient and clinical information.

In implementing a compliance plan, manufacturers should pay special attention to the privacy and security laws that affect their operations, including the federal Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). HIPAA’s goal is to provide enhanced protections against unauthorized uses and disclosures of protected health information (“PHI”).

In most cases, manufacturers are not “covered entities” or “business associates” under HIPAA. There are, however, many situations in which HIPAA applies to a manufacturer. Further, regardless of their own role, manufacturers’ relationships will be affected by HIPAA because many of the parties they do business with, such as health care providers and health plans, are covered entities subject to HIPAA.

There are a number of privacy issues which should be addressed in any compliance plan, including:

Communications with the FDA and other governmental entities
Communications between manufacturers and the Food and Drug Administration (“FDA”) take place constantly, and many of them involve or include PHI. A manufacturer must ensure that such communications comply with the applicable rules on the disclosure of PHI. HIPAA’s public health provision (45 C.F.R. § 164.512(b)(1)(iii)) permits a covered entity to disclose PHI, without patient authorization, to a person subject to FDA jurisdiction for activities related to the quality, safety or effectiveness of an FDA-regulated product, including:

  • reporting adverse events, product defects, problems, or biological product deviations;
  • tracking FDA-regulated products; and
  • product recalls, repairs, or replacement.

Marketing and Educational Activities
The public is increasingly seeking information about medical conditions and potential treatments online. Manufacturers use social media as a marketing tool to promote their products and to disseminate healthcare information, but the lack of FDA guidance setting limiting parameters, together with the difficulty of monitoring and reporting adverse events raised through those channels, has made the use of social media, including online advertising, blogs and other social media posts, a struggle for manufacturers. HIPAA privacy regulations may also apply to information exchanged between healthcare providers and sales representatives in connection with educational or marketing programs. Manufacturers must put policies and procedures in place to ensure that all of their marketing and educational activities comply with applicable law, including HIPAA and FDA guidance.

Data Mining
The growth of consumers’ online activity has led manufacturers to begin mining data from that activity. Any compliance plan must carefully address the many privacy concerns raised, and the laws implicated, by data mining.

Adherence and equipment maintenance programs
Manufacturers are increasingly focusing on patient adherence to treatment protocols and are partnering with providers to support the long-term maintenance of devices and equipment. These activities typically involve the collection, use and storage of patient data and can implicate HIPAA. Manufacturers must ensure that policies are in place that address their particular circumstances.

Clinical Research
Clinical research necessarily involves PHI, and such activities must be structured in compliance with all applicable laws, including HIPAA and FDA requirements.

Security of Information
New technology is bringing manufacturers into contact with increasing amounts of PHI. Collecting and retaining that PHI poses a serious security and privacy risk if appropriate safeguards are not implemented. Where HIPAA applies, its Security Rule requires administrative, physical and technical safeguards for electronic PHI, including access controls, audit controls and transmission security; encryption of PHI at rest and in transit is an addressable implementation specification, meaning it must be implemented or the entity must document why it is not reasonable and appropriate and adopt an equivalent alternative measure. Even where HIPAA does not apply directly, a manufacturer holding PHI should apply the same measures, including encryption on networks and equipment, effective use of passwords and other authentication controls, and the use of secured servers.

In addition to HIPAA, country- and state-specific laws governing the privacy of health information must be taken into account in the compliance plan. One example is the European Union Data Protection Directive (95/46/EC, since replaced by the General Data Protection Regulation with effect from 25 May 2018), which, among other things:

  • requires notice to data subjects and a lawful basis, typically consent, for processing personal data;
  • requires explicit consent to process sensitive data, including health data;
  • limits trans-border data flows out of the EU; and
  • requires written agreements with data processors.

Countries in the former Soviet Bloc, Asia, Scandinavia and the Americas are adopting laws modeled on the European approach.

Because technology, and its use in interactions between consumers and pharmaceutical and device manufacturers, is constantly changing, it is imperative that manufacturers ensure that their policies and procedures reflect the business realities they face and that their activities comply with applicable law.