With the creation of the Internet and the databasing of so much data about everything and everyone, data security, protection, hacking and privacy have become major issues.
We’d like to briefly review here the HIPAA and current EU system in place and their impacts on drug safety and pharmacovigilance (PV). The EU situation is very complex as the system that was in place from 1996 to 2016 has been replaced with a new system. We will review the US and original EU systems in this post and in the next post the new US-EU Privacy Shield System. We’ll emphasize the particular impact on drug safety and PV.
In the US, the operative law is HIPAA: Health Insurance Portability and Accountability Act of 1996. This is a very large document covering many areas. In regard to privacy and security the key features include:
- Providers and health plans are required to give patients a clear written explanation of how they can use, keep, and disclose their health information.
- Ensuring patients’ access to their medical records. Patients must be able to see and get copies of their records and request changes and corrections.
- Getting patient consent to release information. In addition, specific patient consent must be obtained for other uses, such as disclosing information for marketing purposes by third parties (e.g., drug companies).
- Consent must not be coerced.
- Providing recourse if privacy protections are violated.
- Providing the minimum amount of information necessary. Disclosures of information must be limited to the minimum necessary for the purpose of the disclosure.
- Adopt written privacy procedures.
- Train employees and designate a privacy officer.
- Establish grievance processes for patients to make inquiries or complaints regarding the privacy of their records.
- Failure to comply may lead to civil or criminal penalties, including fines and imprisonment.
The FDA issued a guidance in 2005 in which they noted that “It is of critical importance to protect patients and their privacy during the generation of safety data and the development of risk minimization action plans. During all risk assessment and risk minimization activities, sponsors must comply with applicable regulatory requirements involving human subjects research and patient privacy.”
This is a controversial topic right now with various investigations into Russian tampering with elections, with Facebook providing data on 50 million users, with major health care institutions being hacked, etc. How this plays out remains to be seen.
Impact on DS and PV
The FDA has noted that HIPAA does not prevent reporting of drug safety matters: “The Privacy Rule specifically permits covered entities to report adverse events and other information related to the quality, effectiveness, and safety of FDA-regulated products both to manufacturers and directly to FDA.”
In regard to drug safety and PV, this led to several process changes in pharmaceutical companies and governmental agencies. Databased safety data, including adverse events, is either anonymized or the data allowing identification of individuals is in restricted areas of the database and the personnel who have access to this are also limited.
Reporting of SAEs and other safety issues to the FDA (E2B, MedWatch/CIOMS forms) are now largely anonymized for the patient and often for the reporter. Anonymized means that any data that can lead to the identification of the patient is withheld. This would include names, contact information, birth date (but not age), specific hospital names and dates of admission, etc. This has been going on now for nearly two decades and has not produced any significant difficulties in drug safety and pharmacovigilance, though it can make getting follow up information more difficult. Also in general, there have not been many instances where patients request changes to MedWatch forms. The FDA accepts this system. However, there are instances where courts have tried to obtain the details of anonymized information.
The European Union, however, has and has had stricter laws in place to protect patient privacy and data security. The original 1995 safety directive (95/46) has been repealed. A new directive (Directive (EU) 2016/680) was issued 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA.
In addition, a new regulation was put in place: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
A good summary of the data privacy requirements in the EU can be found here.
Processing of Data
The EU laws both in the original system and the new system are much broader than HIPAA and cover all sorts of personal information including race, political and religious views, union membership, genetic data and more. The laws cover what the EU calls “processing” of information which is any operation regarding collection, recording, organization, storage alteration, retrieval disclosure, dissemination, etc.
The processing of personal data is forbidden in the EU unless:
- The individual has given consent
- The processing is necessary to meet a legal obligation
- The processing is needed to protect the vital interests of that person
- The processing is needed to carry out a task in the public interest
- “Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional…”
- “Processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy.”
The person has the right to see all the data processed about him or her as well as the right to changes and corrections to incorrect or incomplete data. The data must be accurate and relevant to the purpose they are collected for, should not contain more information than is necessary, and should not be kept longer than necessary. The person may object at any time to the processing of personal data for direct marketing.
The person has the “right to erasure” or the “right to be forgotten”. This means that the person may request that the data be erased (removed) if it is no longer necessary to be kept, if consent is withdrawn or if data was unlawfully processed. Processing is restricted if the person contests the accuracy. Each EU member state must create a supervisory authority to monitor data privacy.
Transferring of Data
Data may not be transferred to a third country if there is an inadequate level of data protection there. In other words, the EU data protection travels with the data even if it leaves the EU.
In regard to the United States, the European Commission has determined that the US does not have an adequate level of data protection and thus data should not be transferred to the US unless provisions are put in place to ensure adequate protection. Stopping data transfer to the US is obviously not feasible in practicality, as data travels around the world quite freely in most cases and is necessary in banking, commerce, police work and of course in drug safety and PV.
To solve this, under the previous EU data protection requirements, the US Department of Commerce worked with the EU to set up the “Safe Harbor” system. This allowed firms to put in place policies which met the requirements of the EU for data transferred from there.
Under the Safe Harbor, companies developed tighter SOPs limiting personnel access to non-anonymized data. Sometimes the personal details remained in the EU and the anonymization was done there. Sometimes the personal details were not entered into the safety database but kept in separate files (or even on paper) in the EU and thus were not accessible to personnel in the US. The commercial safety databases and “electronic case report” databases developed mechanisms to limit the fields particular individuals could see in order to maintain anonymity. This applied both in clinical trials and in post-marketing cases. It was largely successful and data continued to be transferred.
As noted, the EU court determined that the previous system was not legal, the Safe Harbor system was ended and a replacement system was rapidly developed in 2016/17. The Safe Harbor system was replaced by the EU-US Privacy Shield system, which we will discuss in detail in the next post.