What is the IPPC? - Global Health Care, LLC


Pharmaceutical Regulatory and
Compliance Congress
Dean Forbes, Esq.
Director of Corporate Privacy
Global Compliance and Business Practices
November 16, 2004
IPPC
What is the IPPC?
• The International Pharmaceutical Privacy Consortium (IPPC) is an
association with membership from 17 international pharmaceutical
companies.
• The IPPC provides a forum for dialogue on approaches to privacy
and information security issues facing the pharmaceutical
industry, and for developing strategies and tools for managing and
protecting the privacy of personal data.
Three Perspectives on Privacy
• Consumer:
  - How do I know that my doctor / pharmacist are treating information about me appropriately?
  - If I provide my personal information to manufacturer X, can I trust manufacturer X to use my information appropriately?
• Research participant:
  - If I take part in this research project, can I be sure that health information about me will be treated confidentially?
• Chief Privacy Officer:
  - How do I ensure that my company is compliant with the myriad of federal and state privacy laws?
Consumer’s Perspective
GAO Report: Public Ill-Informed
• Government Accountability Office issued report in September on
“First-Year Experiences under the Federal Privacy Rule”
• Report concludes that the general public is not well informed
about their rights under the HIPAA Privacy Rule
  - Nearly 2/3 of HIPAA complaints received by OCR were found to fall outside scope of Privacy Rule
    • 35% of complaints involved accusations of actions that are not prohibited
    • 20% involved entities that are not “covered entities”
  - Covered entity privacy notices are long and confusing
NCVHS Hearings
• National Committee on Vital and Health
Statistics charged with advising Secretary of
HHS on implementation of HIPAA Privacy
Rule
• NCVHS Subcommittee on Privacy and
Confidentiality held hearings in July 2004 on
effect of Privacy Rule on marketing
• Findings conveyed in September 1 letter to
HHS Secretary
NCVHS Hearings: HPP Witness
Witness of Health Privacy Project testified that marketing
provisions of Privacy Rule are insufficient in the following
respects:
1. Retail pharmacies are not required to inform their customers when pharmacies are paid by drug manufacturers to send letters and other communications
2. Some product promotion materials are mailed to individuals without any envelope, thereby disclosing information about the individual’s diagnosis
3. When a covered entity receives compensation from a third party to promote its products or services, this communication should be considered marketing rather than treatment or case management communications
Research Participant’s Perspective
Recommendations of HHS Secretary’s Advisory
Committee on Human Research Protections
• Human subjects research is a complicated endeavor, governed
by Common Rule, FDA regulations and now HIPAA
• Existing regulations and policy (pre-HIPAA) required the
protection of subjects’ privacy
  - In some areas, the application of HIPAA to the research context has unnecessarily complicated research activities
  - Cost of research should not be increased unless meaningful protections are achieved
• Complexity adds to confusion, both to subjects and researchers
• HHS should consider the overall welfare and interests of
subjects, not simply their privacy interests alone and in the
abstract, when revisiting these aspects of HIPAA
Responding to Consumers:
State Privacy Legislation
States Proposing Pharma Privacy Legislation (2003-2004)
• California
• Florida
• Illinois
• Massachusetts
• Nebraska
• New Hampshire
• New York
• North Carolina
• North Dakota
• Texas
• Washington
• Wisconsin
Examples of Impact of State Privacy Laws on
Pharmaceutical Company Activities
• Extends HIPAA-Like Requirements (e.g., notice, access, amendment)
• Limits Disclosure by Pharma
• Impacts Clinical Research
• Impacts Pharma DTC
• Impacts Pharma Programs Run Through Pharmacies & Health Plans
• Impacts Contact with Physicians
Extends HIPAA-Like Requirements (e.g., notice,
access, amendment)
• Example: Adopts HIPAA Privacy Rule requirements
but changes definition of covered entity
(a) Notwithstanding any general or special law to the contrary, the
Department of Public Health shall adopt 45 CFR Parts 160 and 164, as
promulgated on August 14, 2002, in their entirety, with the changes
specified in this act.
(b) “§ 160.103 Definitions.” is amended as follows:
“Covered entity” means any person who, for commercial, financial or
professional gain, monetary fees, dues, or on a cooperative, non-profit
or pro-bono basis, engages, in whole or in part, and with real or
constructive knowledge, in the practice of assembling, collecting,
analyzing, using, evaluating, storing, or transmitting protected health
information.
Limits Disclosure By Pharma
• Example: Limits disclosure by pharma; prohibits
conditioning of treatment on patient signing an
authorization
(a) A pharmaceutical company may not require a patient, as a condition
of receiving pharmaceuticals, medications, or prescription drugs, to
sign an authorization, release, consent, or waiver that would permit the
disclosure of medical information that otherwise may not be disclosed.
(b) A pharmaceutical company may not disclose medical information
provided to it without first obtaining a valid authorization from the
patient.
Impacts Clinical Research
• Example: Requires anyone who uses or discloses
health information for research to obtain authorization
(a) “Covered entity” means any person who collects or maintains
protected health information.
(b) A covered entity may disclose protected health information to a
person performing health research, regardless of the source of funding
of the research, for the purpose of conducting health research, only if
the person performing health research has obtained the express written
authorization of the individual.
Impacts Pharma DTC
• Example: Requires anyone who uses or discloses
health information for marketing to obtain
authorization
(a) “Covered entity” means any person who collects or maintains
protected health information.
(b) A covered entity must obtain express written authorization to use or
disclose protected health information for marketing.
Impacts Pharma Programs Run Through
Pharmacies and Health Plans
• Example: Defines “marketing” as making a
communication about a product in exchange for
remuneration
(a) “Marketing” means to make a communication about a product or
service to encourage recipients of the communication to purchase or
use the product or service, but does not include communications made
as part of the treatment of a patient for the purpose of furthering
treatment unless the covered entity receives direct or indirect
remuneration from a third party for making the communication.
(b) A covered entity shall not use protected health information in its
possession to provide marketing services to any entity.
Impacts Contact with Physicians
• Example: Prescriber Data Opt-Out List
(a) “Prescribing data of a physician” means information that sets forth
a prescription written by a physician in combination with any item that
individually identifies the physician, including a unique identifier
assigned for tracking purposes.
(b) A person may not transmit, sell, or release to a third party, in
exchange for remuneration, any prescribing data of a physician, if the
physician has placed his or her name on the list described in
subdivision (c).
(c) The Attorney General shall maintain a DO NOT USE list on its Web
site for physicians licensed in the state to place their names. The
Attorney General may contract with a third party for the creation or
maintenance of the list.
Chief Privacy Officer’s Perspective
Privacy Is a Challenge
• Requires understanding how personal data is used within the corporation
  - Pharma companies communicate with consumers through a variety of media and for a variety of purposes. Uses and disclosures of personal information vary by program.
• Requires understanding and keeping up-to-date with myriad of privacy regulations and guidance
  - US federal privacy laws
    • HIPAA
    • COPPA
    • TCPA
    • TSR
    • CAN-SPAM
  - State privacy laws
    • California
    • Texas
  - Consumer protection laws
    • FTC
    • State AGs
  - Foreign laws
    • EU Data Protection Directive
    • EU Member State Laws
    • Canada PIPEDA
    • Etc.
Current US Privacy Environment: Snapshot
• Stringent marketing requirements effective in
Texas and California. States continue to
consider legislation to close HIPAA “gaps”
and require “opt-in” for marketing
• Continued interest by DOJ in privacy
practices of pharma companies
• Criticism of pharma industry practices by
some consumer privacy groups. Litigation
pending
Pharma Privacy Challenges
• Global organizations
• Complex data
  - Pharmacovigilance
  - Medical research
• Complex business operations
• Public and regulatory mistrust of industry
Current Environment
• Governments around the world beginning to
draft and enact comprehensive privacy and
data protection laws to:
  - remedy privacy violations that occurred under previous authoritarian regimes
  - promote electronic commerce by setting up uniform rules
  - promote consistency among privacy laws of trading partners
• Conflicting national privacy laws, however,
continue to make compliance and global data
transfers challenging
European Union
• Myriad of national laws and interpretations
• No one compliance option resolves all issues
• EU expansion in May 2004
• Increased enforcement a reality
APEC Privacy Standard
• Privacy Subgroup of the E-Commerce Steering
Committee developing Asia-Pacific Privacy Standard,
with protocols for handling data transfers
• Released consultation draft of an APEC Privacy
Framework in March 2004
• Released Privacy Framework on 29 October 2004
• Framework seeks to balance information privacy with
business need and commercial interests
• Framework notes:
  - unnecessary restrictions adversely impact global economies
  - free flow of information is essential to sustain economic and social growth
APEC Principles
• I. Preventing Harm
• II. Notice
• III. Collection Limitation
• IV. Uses of Personal Information
• V. Choice
• VI. Integrity of Personal Information
• VII. Security Safeguards
• VIII. Access and Correction
• IX. Accountability
Privacy Office
• Role
• Responsibilities
• Organizational Design and
Placement
• Access to Senior Management
Strategic Considerations
• Organization-wide position on
privacy compliance
• Privacy principles
• Regulatory environment
• Risk management
• Influencing environment
Coordination
• Reporting developments
• Providing guidance on changes
• Ensuring compliance with emerging
requirements
• Conducting privacy training programs
Outreach
• Regulators
• Industry associations
• Stakeholders