See No Evil
A Boston woman afflicted with a rare pregnancy disorder discovers that hundreds of people, including medical insurers, have accessed her private hospital records. A California college student who purchased products from a health Web site finds the site inadvertently posted his name, home phone number, and credit card information. While searching online health sites for menopausal treatments for his mother, a Pennsylvania businessman is profiled by marketers as a middle-aged woman. Those are just a few illustrations of the lack of privacy in the rapidly converging worlds of health and the Internet.
Consumer fears about the protection of personal health information online are skyrocketing. Ninety-five percent of Web surfers have significant concerns about the loss of privacy, reports Forrester Research in its study "Personalization vs. Privacy." Moreover, according to a Pew Internet & American Life Project survey released last fall, 86 percent of Net users believe that health-related Web sites might pass along information they reveal online.
As a result, some pharmaceutical companies have bottlenecked their e-business initiatives. Many companies, in fact, risk over-regulating themselves because of ambiguity surrounding high-profile privacy policies, including the Healthcare Insurance Portability and Accountability Act (HIPAA), Federal Trade Commission (FTC) requirements, and the recent "Safe Harbor" plan, created by the US Department of Commerce to protect the privacy of Europeans, that sanctions US companies that fail to comply with it.
This article details the steps pharma companies can take to enhance e-business while maintaining effective ethical and legal marketing. Rather than halt Internet activities, companies need to demystify the privacy issue and find ways to market products while respecting the confidentiality of consumer health information.
Several recent incidents raised the banner of concern for both consumers and physicians. Leading pharma companies faced criticism last summer for affiliating with a database marketer that tracked consumers’ movements through Web sites—in some cases without their consent—and sold the data back to the pharma companies.
Last fall, the New York Times reported that drug manufacturers used "hi-tech stealth" to learn about and influence physician prescribing habits. Even the American Medical Association recently drew fire for planning to sell its physician database information to companies eager to market to AMA’s more than 800,000 members.
Several privacy bills are before Congress, yet in the absence of major online privacy laws, US organizations remain largely self-regulating. Although most pharma companies have cross-functional "copy clearance" teams to monitor FDA actions and ensure their marketing efforts align with government policies, team members often fail to grasp the scope of privacy and technology issues. As a result, a few individuals may hamper legitimate marketing efforts in an attempt to reduce risk, placing their companies at a competitive disadvantage.
Most privacy rulings—either guidelines issued by nonprofit groups or requirements released by government agencies—are intuitive and easy to follow. For example, FTC privacy requirements call for Web sites to
Those key themes are inherent in most privacy policies. Another classic red-flag issue involves tracking without consent, then linking that online activity with offline consumer databases. Such tracking is typically accomplished by "cookies," ID codes stored by Web servers on an individual’s computer allowing companies to recognize that computer and track information. Cookies are commonplace and simplify Web surfing by helping consumers receive personalized information and remember their passwords. But companies thwart FTC requirements when they use them covertly, linking cookie data to consumers without consent.
Many pharma manufacturers also are taking note of HIPAA, because it is the first US online privacy restriction to directly concern them. HIPAA guidelines require health payers, providers, and clearinghouses to implement measures such as common identifiers, shared code sets, stricter security, and privacy standards for electronic processing.
As customer relationship management becomes more widespread in the prescription drug industry, potential HIPAA implications for companies engaged in the collection and/or sharing of consumer information will rise. For instance, if a pharma company with a blockbuster anxiety drug collects a consumer’s name from the Internet, can that information be shared with another team marketing a newly launched sleep aid? If so, how is that data captured and secured, and what exactly can be done with it? And does the consumer have an opportunity to view and amend such personal health information?
The field of e-privacy touches several constituents, from pharmaceutical regulators, marketers, and technologists to consumers, physicians, government agencies, and privacy advocate groups. As the market matures, universal standards will emerge, consumers will understand their rights and risks, and pharma companies will develop increased clarity about what constitutes safe practices.
Until then, those companies need to monitor their policies to make smart business decisions and avoid public relations disasters.
Pharma companies are relatively new at marketing directly to consumers, and companies are protected from some liability because a "learned intermediary"—a healthcare provider—actually administers their products.
So what happens when a company with a top-selling prescription drug brand, through a third party, collects consumers’ names and disseminates personal information about their diseases? Is that practicing medicine? For example, MSWatch.com, a multiple sclerosis information and patient-support site, is sponsored by Teva Marion Partners to promote and improve compliance with Copaxone (glatiramer). The site gives consumers tools to monitor their diseases, so disclaimers urge visitors to seek a doctor’s advice rather than practice self-management. The site also uses SoftWatch’s relationship-management platform to comply with HIPAA; through rule-based access-control mechanisms, users filter what authorized caregivers, such as physicians and nurses, can see.
Protocol Driven Health Care, which creates such self-care Web sites as MyAllergy.com and MyAsthma.com, also provides a password-protected means for consumers to modify, update, and view personal information. Those sites are reacting to privacy issues, but other pharma sites appear less concerned, especially those masquerading as unbiased disease-state portals that are actually custom-developed by pharma marketing teams.
Other major pharma companies are, either directly or through third parties, developing free Web sites for physicians. Those sites are designed to reduce costs of care, simplify patient–provider communication, and, of course, help pharma marketers get closer to the point of care. Marketers need to be sensitive to how much they participate in the communication between doctors and their patients.
Last year, when the Washington Post exposed a database marketing company for "surreptitiously tracking computer users across the Internet on behalf of pharmaceutical companies," the marketer and its clients—including 11 pharma companies—garnered negative press and the threat of lawsuits. By using cookies, the company recorded consumers’ activities while they surfed the Web sites of 11 pharmaceutical clients. The company said it did not collect individuals’ names but was able to predict basic demographic information about Web site visitors and the content they visited or downloaded.
This summer, many expect the introduction of the first US privacy law providing FTC sanctions and requiring companies to ask consumers if they want inclusion in a marketing database. However, meeting US legal requirements is not the same as creating an effective global policy. The European Union, for example, bans the transfer of personal information about European citizens to third-party vendors in countries that lack "adequate" privacy protections.
In response to the broad ethical implications of the privacy debate, three prominent Internet health groups are setting standards for healthcare companies. Internet Healthcare Coalition (IHC), Health Internet Ethics, and Health on the Net all have their own general, albeit sometimes vague, principles.
For example, IHC’s e-health code of ethics calls for companies to educate users about the limitations of online healthcare. Hi-Ethics, an affiliation of such top health sites as AOL, Medscape, and InteliHealth, recently developed a standards program to make it easier for consumers to protect personal details they submit to health sites. Its "seal program" is being certified through TRUSTe, a nonprofit organization that monitors compliance with voluntary privacy standards.
Last December, FTC Commissioner Orson Swindle asked if companies were doing enough to address the issues surrounding online privacy. At the eHealthcareWorld conference in New York, Swindle urged the industry to self-police or risk government intervention.
Pharma companies should participate in conversations with watchdog organizations to understand their guidelines and reduce the inevitable public relations damage associated with violating them. By appeasing consumer fears and gaining the trust of third-party groups, pharma companies may find individuals more receptive to revealing private information. Consumers want timely and relevant information about products, and they are more likely to volunteer personal data if they have assurances that the information will be used respectfully.
Nearly every privacy guideline or requirement has a provision calling for the security of private data. Promoting privacy requires companies to maintain security measures such as strong authentication for all users, multilayer security perimeters, and intrusion detection. Those measures should exist not only within the enterprise but also among pharmaceutical companies and the third parties with which they share data, such as clinical trial companies, e-detailing organizations, and online disease-state-management companies.
For example, a pharma company marketing an anxiety-reducing agent offered a free information packet to those willing to provide their names and addresses. For a short period, those records were visible to individuals on the brand team, to the Web site’s development organization, to the literature fulfillment house, and to any hacker who could bypass a simple password screen. A periodic network risk assessment would prevent that.
According to Forrester’s privacy report, most executives believe they are addressing privacy concerns simply by displaying their privacy policies. But only 20 percent encrypt data and a mere 10 percent conduct internal audits. Companies need to increase network security standards and create "audit trails" that capture and document who sees information and how and when it’s used.
Just as each pharma company has its own way of interpreting FDA procedures, each has a unique perspective on handling privacy issues. Nevertheless, all pharma companies need to construct effective policies now—not next year.
Once they develop and promote privacy and security policies, companies need to train all employees, from medical affairs to marketing, in their implementation. An effective way to accomplish that is through brief, Internet-based e-learning. Courses that expedite awareness of security and privacy issues demonstrate to consumers and their lawyers that the company takes privacy seriously.
Consumers want the proprietary information pharma companies have about products, diseases, and treatments, but they don’t trust companies to place their needs first. Consumers will continue to have privacy anxiety until they are assured that companies are exercising legal, ethical, and respectful marketing practices. In fact, the pharma companies that demonstrate they are worthy of consumer trust will have a distinct competitive advantage as people expand their reliance on the Internet for health management.