The pharma industry has always relied heavily on the practice of personal data being collected, stored, and managed safely. Of course, this was much easier in terms of safety and privacy when everything was created in paper form, but as computers have become increasingly prevalent over the course of the last few decades, it has become harder to maintain strict levels of data privacy in pharma and biotech. This data and information include personal data, patient and medical data, clinical research and development information, marketing information, as well as data relating to patient outreach.
Within the pharma and biotech sectors, companies must adhere to strict consumer protection regulations, which have become even tighter in the wake of GDPR in 2018. GDPR addresses the protection of all consumer data within companies that have dealings with the EU (whether that company is based in an EU country or not).
When handling personal data, pharmaceutical companies must comply with regulations that apply directly to them such as consumer protection and FTC regulations, laws that apply to their customers such as HIPAA, and a growing number of international laws that impose greater restrictions on the use of information such as Europe’s forthcoming General Data Protection Regulation (GDPR).
- FTC and Consumer Protection
Marketing initiatives by pharmaceutical companies are largely regulated by consumer protection laws enforced by the FTC, including TCPA and CAN-SPAM. If found to be in violation of these laws, pharmaceutical companies can face severe liability. For example, in February 2018 Vertex Pharmaceuticals Inc. sought approval of a $4.75 million settlement relating to an alleged violation of the TCPA involving fax-advertisements sent by Vertex without the recipients’ consent.
To avoid liability, pharmaceutical companies are required, in most cases of email, phone, text, and fax marketing, to: obtain consumer consent; allow consumers to opt out of receiving future communications; include conspicuous identification of the communication as an advertisement; and maintain internal measures to protect sensitive consumer information. Importantly, many of the regulations imposed by TCPA and CAN-SPAM do not apply to: communications regarding warranties, recalls, and safety/security; emergency communications; communications used to confirm or facilitate an agreed-to commercial transaction; and communications relating to changes in terms, features, or account balances relating to ongoing business relationships.
Throughout the varied stages of pharmaceutical research, development, and marketing, pharmaceutical companies and their representatives may interact with healthcare providers regulated by HIPAA as “covered entities.” While generally not directly subject to HIPAA themselves, pharmaceutical companies risk HIPAA liability if they are found to have induced the misuse of, or conspired to misuse, protected health information (“PHI”) of patients. Such potential HIPAA liability has often directly and indirectly impacted the interactions that pharmaceutical companies have with healthcare providers and other covered entities. For example, it is common for pharmaceutical companies to internally structure their data privacy and security policies to mitigate potential HIPAA non-compliance and to ensure that the covered entities with which they do business are meeting their HIPAA obligations.
Since the end of May 2018, any organisation that has links to the European Union in some way, whether through manufacturing, goods and services, or consumer contacts in the EU, has been subject to the new GDPR. This means that any organisation that comes under this regulation must have stringent processes and protocols in place to securely process personal information and data, demonstrating compliance with a statutory framework that has promised to be ultra-robust. Any organisation that is deemed to contravene these regulations is liable to face a hefty fine that could be as much as 20 million Euro, or up to 4% of turnover worldwide.
Because the pharma and biotech sectors were already areas where the security and privacy of data had become an important part of daily life, due to the type of data and information being held and the way it is collected and stored, GDPR brought about an even greater urgency to get things right. Data must now be organised in a way that makes it very easy to find upon request, and so that an EU data subject can request that the data is ‘forgotten’. Consent is everything with personal data these days, and in industries such as the biotech and pharma sectors, it is more important than ever to gain consent from every single person and organisation where data is retrieved and stored.
In highly regulated sectors such as pharma and biotech, it is vital that there is a robust process and protocol in place to deal with data privacy and to ensure cybersecurity is at a high and consistent level. With pharma, healthcare, and biotech, there is often sensitive information and other challenges that must be overcome. Working with an IT company that understands these sectors, can put together a firm plan of action to deal with any challenges posed by data breaches, and can adhere to strict regulatory conditions will help companies within the pharma, biotech, and healthcare sectors to comply, and to be ready for anything.