Pharmaceutical Regulatory and Compliance Congress Dean Forbes, Esq. Director of Corporate Privacy Global Compliance and Business Practices November 16, 2004


Pharmaceutical Regulatory and Compliance Congress

Dean Forbes, Esq.

Director of Corporate Privacy

Global Compliance and Business Practices

November 16, 2004


IPPC

What is the IPPC?

• The International Pharmaceutical Privacy Consortium (IPPC) is an association with membership from 17 international pharmaceutical companies.

• The IPPC provides a forum for dialogue on approaches to privacy and information security issues facing the pharmaceutical industry, and to develop strategies and tools for managing and protecting the privacy of personal data.


Three Perspectives on Privacy

• Consumer:

How do I know that my doctor / pharmacist are treating information about me appropriately?

If I provide my personal information to manufacturer X, can I trust manufacturer X to use my information appropriately?

• Research participant: If I take part in this research project, can I be sure that health information about me will be treated confidentially?

• Chief Privacy Officer: How do I ensure that my company is compliant with the myriad of federal and state privacy laws?


Consumer’s Perspective


GAO Report: Public Ill-Informed

• Government Accountability Office issued report in September on “First-Year Experiences under the Federal Privacy Rule”

• Report concludes that the general public is not well informed about their rights under the HIPAA Privacy Rule

Nearly 2/3 of HIPAA complaints received by OCR were found to fall outside scope of Privacy Rule

• 35% of complaints involved accusations of actions that are not prohibited

• 20% involved entities that are not “covered entities”

Covered entity privacy notices are long and confusing


NCVHS Hearings

• National Committee on Vital and Health Statistics charged with advising Secretary of HHS on implementation of HIPAA Privacy Rule

• NCVHS Subcommittee on Privacy and Confidentiality held hearings in July 2004 on effect of Privacy Rule on marketing

• Findings conveyed in September 1 letter to HHS Secretary


NCVHS Hearings: HPP Witness

Witness of Health Privacy Project testified that marketing provisions of Privacy Rule are insufficient in following respects:

1. Retail pharmacies are not required to inform their customers when pharmacies are paid by drug manufacturers to send letters and other communications

2. Some product promotion materials are mailed to individuals without any envelope, thereby disclosing information about the individual’s diagnosis

3. When a covered entity receives compensation from a third party to promote its products or services, this communication should be considered marketing rather than treatment or case management communications


Research Participant’s Perspective


Recommendations of HHS Secretary’s Advisory Committee on Human Research Protections

• Human subjects research is a complicated endeavor, governed by Common Rule, FDA regulations and now HIPAA

• Existing regulations and policy (pre-HIPAA) required the protection of subjects’ privacy

In some areas, the application of HIPAA to the research context has unnecessarily complicated research activities

Cost of research should not be increased unless meaningful protections are achieved

• Complexity adds to confusion, both to subjects and researchers

• HHS should consider the overall welfare and interests of subjects, not simply their privacy interests alone and in the abstract, when revisiting these aspects of HIPAA


Responding to Consumers: State Privacy Legislation


States Proposing Pharma Privacy Legislation (2003-2004)

• California

• Florida

• Illinois

• Massachusetts

• Nebraska

• New Hampshire

• New York

• North Carolina

• North Dakota

• Texas

• Washington

• Wisconsin


Examples of Impact of State Privacy Laws on Pharmaceutical Company Activities

Extends HIPAA-Like Requirements (e.g., notice, access, amendment)

Limits Disclosure by Pharma

Impacts Clinical Research

Impacts Pharma DTC

Impacts Pharma Programs Run Through Pharmacies & Health Plans

Impacts Contact with Physicians


Extends HIPAA-Like Requirements (e.g., notice, access, amendment)

Example: Adopts HIPAA Privacy Rule requirements but changes definition of covered entity

(a) Notwithstanding any general or special law to the contrary, the Department of Public Health shall adopt 45 CFR Parts 160 and 164, as promulgated on August 14, 2002, in their entirety, with the changes specified in this act.

(b) “§ 160.103 Definitions.” is amended as follows: “Covered entity” means any person who, for commercial, financial or professional gain, monetary fees, dues, or on a cooperative, non-profit or pro-bono basis, engages, in whole or in part, and with real or constructive knowledge, in the practice of assembling, collecting, analyzing, using, evaluating, storing, or transmitting protected health information.


Limits Disclosure By Pharma

Example: Limits disclosure by pharma; prohibits conditioning of treatment on patient signing an authorization

(a) A pharmaceutical company may not require a patient, as a condition of receiving pharmaceuticals, medications, or prescription drugs, to sign an authorization, release, consent, or waiver that would permit the disclosure of medical information that otherwise may not be disclosed.

(b) A pharmaceutical company may not disclose medical information provided to it without first obtaining a valid authorization from the patient.


Impacts Clinical Research

Example: Requires anyone who uses or discloses health information for research to obtain authorization

(a) “Covered entity” means any person who collects or maintains protected health information.

(b) A covered entity may disclose protected health information to a person performing health research, regardless of the source of funding of the research, for the purpose of conducting health research, only if the person performing health research has obtained the express written authorization of the individual.


Impacts Pharma DTC

Example: Requires anyone who uses or discloses health information for marketing to obtain authorization

(a) “Covered entity” means any person who collects or maintains protected health information.

(b) A covered entity must obtain express written authorization to use or disclose protected health information for marketing


Impacts Pharma Programs Run Through Pharmacies and Health Plans

Example: Defines “marketing” as making a communication about a product in exchange for remuneration

(a) “Marketing” means to make a communication about a product or service to encourage recipients of the communication to purchase or use the product or service, but does not include communications made as part of the treatment of a patient for the purpose of furthering treatment unless the covered entity receives direct or indirect remuneration from a third party for making the communication.

(b) A covered entity shall not use protected health information in its possession to provide marketing services to any entity.


Impacts Contact with Physicians

Example: Prescriber Data Opt-Out List

(a) “Prescribing data of a physician” means information that sets forth a prescription written by a physician in combination with any item that individually identifies the physician, including a unique identifier assigned for tracking purposes.

(b) A person may not transmit, sell, or release to a third party, in exchange for remuneration, any prescribing data of a physician, if the physician has placed his or her name on the list described in subdivision (c).

(c) The Attorney General shall maintain a DO NOT USE list on its Web site for physicians licensed in the state to place their names. The Attorney General may contract with a third party for the creation or maintenance of the list.


Chief Privacy Officer’s Perspective


Privacy Is a Challenge

• Requires understanding how personal data is used within the corporation

Pharma companies communicate with consumers through a variety of media and for a variety of purposes. Uses and disclosures of personal information vary by program.

• Requires understanding and keeping up-to-date with myriad of privacy regulations and guidance

US federal privacy laws

• HIPAA

• COPPA

• TCPA

• TSR

• CAN-SPAM

State privacy laws

• California

• Texas

Consumer protection laws

• FTC

• State AGs

Foreign laws

• EU Data Protection Directive

• EU Member State Laws

• Canada PIPEDA

• Etc.


Current US Privacy Environment: Snapshot

• Stringent marketing requirements effective in Texas and California. States continue to consider legislation to close HIPAA “gaps” and require “opt-in” for marketing

• Continued interest by DOJ in privacy practices of pharma companies

• Criticism of pharma industry practices by some consumer privacy groups. Litigation pending


Pharma Privacy Challenges

• Global organizations

• Complex data

Pharmacovigilance

Medical research

• Complex business operations

• Public and regulatory mistrust of industry


Current Environment

• Governments around the world beginning to draft and enact comprehensive privacy and data protection laws to:

remedy privacy violations that occurred under previous authoritarian regimes

promote electronic commerce by setting up uniform rules

promote consistency among privacy laws of trading partners

• Conflicting national privacy laws, however, continue to make compliance and global data transfers challenging


European Union

• Myriad of national laws and interpretations

• No one compliance option resolves all issues

• EU expansion in May 2004

• Increased enforcement a reality


APEC Privacy Standard

• Privacy Subgroup of the E-Commerce Steering Committee developing Asia-Pacific Privacy Standard, with protocols for handling data transfers

• Released consultation draft of an APEC Privacy Framework in March 2004

• Released Privacy Framework on 29 October 2004

• Framework seeks to balance information privacy with business need and commercial interests

• Framework notes:

• unnecessary restrictions adversely impact global economies

• free flow of information is essential to sustain economical and social growth


APEC Principles

• I. Preventing Harm

• II. Notice

• III. Collection Limitation

• IV. Uses of Personal Information

• V. Choice

• VI. Integrity of Personal Information

• VII. Security Safeguards

• VIII. Access and Correction

• IX. Accountability


Privacy Office

• Role

• Responsibilities

• Organizational Design and Placement

• Access to Senior Management


Strategic Considerations

• Organization-wide position on privacy compliance

• Privacy principles

• Regulatory environment

• Risk management

• Influencing environment


Coordination

• Reporting developments

• Providing guidance on changes

• Ensuring compliance with emerging requirements

• Conducting privacy training programs


Outreach

• Regulators

• Industry associations

• Stakeholders