Since its inception, the pharmaceutical industry has used and relied on personal data. Today, personal data is integral to nearly all business operations of pharmaceutical manufacturers, including clinical research and development, marketing, and patient outreach. However, the use of personal data has existed in an increasingly regulated space.

When handling personal data, pharmaceutical companies must comply with regulations that apply directly to them such as consumer protection and FTC regulations, laws that apply to their customers such as HIPAA, and a growing number of international laws that impose greater restrictions on the use of information such as Europe’s forthcoming General Data Protection Regulation (GDPR).

1. FTC and Consumer Protection

Marketing initiatives by pharmaceutical companies are largely regulated by consumer protection laws enforced by the FTC, including the TCPA and CAN-SPAM. If found to be in violation of these laws, pharmaceutical companies can face severe liability. For example, in February 2018 Vertex Pharmaceuticals Inc. sought approval of a $4.75 million settlement relating to an alleged violation of the TCPA involving fax advertisements sent by Vertex without the recipients’ consent.

To avoid liability, pharmaceutical companies are required, in most cases of email, phone, text, and fax marketing, to: obtain consumer consent; allow consumers to opt-out of receiving future communications; include conspicuous identification of the communication as an advertisement; and maintain internal measures to protect sensitive consumer information. Importantly, many of the regulations imposed by TCPA and CAN-SPAM do not apply to: communications regarding warranties, recalls, and safety/security; emergency communications; communications used to confirm or facilitate an agreed-to commercial transaction; and communications relating to changes in terms, features, or account balances relating to ongoing business relationships.

2. HIPAA

Throughout the varied stages of pharmaceutical research, development, and marketing, pharmaceutical companies and their representatives may interact with healthcare providers regulated by HIPAA as “covered entities.” While generally not directly subject to HIPAA themselves,[1] pharmaceutical companies risk HIPAA liability if they are found to have induced the misuse of, or conspired to misuse, protected health information (“PHI”) of patients. Such potential HIPAA liability has often directly and indirectly impacted the interactions that pharmaceutical companies have with healthcare providers and other covered entities. For example, it is common for pharmaceutical companies to internally structure their data privacy and security policies to mitigate potential HIPAA non-compliance and to ensure that the covered entities with which they do business are meeting their HIPAA obligations.

3. GDPR

On May 25, 2018, all organisations that are established in the European Union (EU) or target goods and services to EU customers will be subject to the GDPR. Under the GDPR, organisations that process the personal information of EU data subjects will have to demonstrate compliance with a robust statutory framework or else face steep fines of up to 20 million Euros or 4 percent of worldwide turnover, whichever is higher.

The regulation expands and formalises many rights that existed under the EU Data Protection Directive. It also requires that organisations inventory their data and document the legal basis for processing personal information. Further, the GDPR provides EU data subjects with rights they may exercise in connection with their data, such as the “right to be forgotten”.

One of the most pertinent changes is a new definition of consent, which must be informed, freely given and specific. This specificity requirement may inhibit secondary uses of clinical data, which is often repurposed in the pharmaceutical industry for purposes for which an individual may not have provided specific consent.

4. Security breaches

The loss of, or unauthorised access to or disclosure of, personal information may trigger breach notification statutes. In the United States, for example, 48 states and several territories have implemented breach notification statutes that require organisations that have experienced a “security breach” to notify affected individuals. Accompanying state statutes are federal laws that apply to specific sectors, such as HIPAA and the Gramm-Leach-Bliley Act, as well as international laws, such as the forthcoming GDPR breach notification provisions, which require notification to a regulatory body within 72 hours of becoming aware of a “serious” breach.


Existing in a highly regulated space is not new for the pharmaceutical industry. Nonetheless, the evolving privacy legal landscape will continue to pose significant compliance challenges. Given the sensitivity of the data handled by these organisations, pharmaceutical companies will need to make protecting the security and privacy of personal information a top priority. Further, legal and compliance personnel will need to continue to monitor state, federal, and international laws for new guidance and regulations.

[1] HIPAA does not generally regulate pharmaceutical companies because they are neither covered entities nor business associates. Pharmaceutical manufacturers do not qualify as health plans, healthcare clearinghouses, or healthcare providers, and therefore are not covered entities. Similarly, pharmaceutical companies do not typically provide services for or “on behalf of” covered entities, and therefore do not usually act as business associates.

By Kim Gold, Esq., and Anna Rudawski, Esq., Norton Rose Fulbright US LLP