California Law Requires Legal, Compliance Scrutiny to Maintain Pharma Data Sharing

Pharmaceutical Executive

A summary of the key impacts the new California Consumer Privacy Act (CCPA) will have on business practices related to data flow in specialty pharma, and more.

In many respects, data is the currency of our modern economy. Moreover, the collection, use, and exchange of data, ever so vital to the pharmaceutical industry, is becoming increasingly regulated and scrutinized by lawmakers, patients, and the businesses that share data. While the industry has become well acquainted with HIPAA compliance, the introduction of the California Consumer Privacy Act (CCPA) has caused some uncertainty and left many scrambling for answers on what compliance requires.

Below, we set out a summary of the CCPA’s key impacts on business practices related to data flow in specialty pharmaceutical channels, including feedback on areas of particular note for drug manufacturers, specialty pharmacies, insurance companies, data aggregators, and hubs.

CCPA: A crash course

The CCPA became law in 2018 and took effect January 1, 2020. It requires businesses to clearly explain what information they collect, for what purpose, and with whom they share it, as well as to outline the individual rights newly created by the law. Under the CCPA, Californians have the right to ask for a copy of their information and to ask that the business delete it. Californians can also ask that a business stop sharing their information with third parties where the business benefits monetarily or non-monetarily from such sharing (usually referred to as the CCPA "sales" opt-out right), and they have the right to equal service even where they exercise their rights under the CCPA. For example, businesses generally cannot charge different rates or provide a different level or quality of service just because someone has exercised the opt-out right.

Complicating things, the scope of personal information regulated by the CCPA is extremely broad. It extends not only to information that identifies an individual, but to any information that relates to, describes, is reasonably capable of being associated with, or could reasonably be linked (directly or indirectly) with a particular individual or household. This includes information that is not identifying on its own, such as preferences, order history, adherence information, and even whether a patient has opened an email or clicked through a particular link, when it is maintained in a manner that is reasonably linkable to an identifiable individual.

The CCPA applies to for-profit organizations that do business in California and meet any of the following criteria: (1) annual gross revenue in excess of $25 million; (2) buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices; or (3) derives 50 percent or more of its annual revenue from selling consumers' personal information. These criteria apply to a company regardless of whether any of its business operations are physically located within California, and they apply to the business as a whole, not only to revenue or data that relate to California residents. In other words, if a business earns more than $25 million in revenue annually, even if only $1 million is attributable to business involving California residents, the CCPA applies to that organization.

How Does HIPAA Factor In?

The CCPA provides exceptions for PHI governed by HIPAA and for medical information governed by California's Confidentiality of Medical Information Act (CMIA), as well as for "patient information" held by HIPAA-covered entities or by providers of healthcare governed by the CMIA, to the extent such entities maintain that "patient information" in the same manner as PHI under HIPAA or medical information under the CMIA, respectively. However, the CCPA does not define the phrase "patient information." It is therefore unclear what types of data that are neither PHI nor medical information could qualify for this exception.

The roles played by many pharmaceutical manufacturers and specialty pharmacy hubs do not always fit neatly into the HIPAA-covered entity or business associate buckets, and the data they handle may not qualify as PHI (e.g., because it has been de-identified before being shared with the manufacturer), medical information, or "patient information." These complexities can make it challenging to determine whether the CCPA applies to certain data sets and, if it does, what the organization's compliance responsibilities are. As a result, close attention should be given to the data types managed by your organization, including an assessment of whether each qualifies as PHI under HIPAA or medical information under the CMIA, or whether your organization is holding "patient information" as a HIPAA-covered entity or CMIA-covered provider of healthcare. If the answer is "no," then the CCPA likely applies to that data's use and management. If the answer is "yes," make sure you also consider other data sets that are not covered by the PHI/medical information/patient information exception, such as prescriber information and employee information.

Here are a few quick scenarios common in the pharmaceutical ecosystem.

Example: Hub drug adherence calls

For a hub collecting patient information from prescribers to perform services for patients, such as medication adherence calls, the information collected would meet the "patient information" exception to the CCPA only if the hub is acting as a business associate or covered entity. If the hub is instead acting pursuant to a HIPAA authorization, where the data collection is not for a HIPAA-permitted use (i.e., treatment, payment, or healthcare operations), this data, even though it is "patient information," would remain subject to the CCPA.

Arguably, because the hub is collecting information on behalf of the manufacturer, the manufacturer could be considered the "collector" under the CCPA and therefore be required to provide notice of collection to patients at the point of collection, in this case during the call. In most cases, the drug manufacturer would contractually require its vendor, such as the hub, to make the manufacturer's notice of collection available to patients during the course of the call. However, the CCPA is not clear on this point, and whether the hub would be independently obligated under the CCPA is uncertain.

Example: Analytics on pharmacy-provided patient information

In this scenario, we consider a data aggregator that, as the business associate of specialty pharmacies, receives prescriber- and patient-specific information from the specialty pharmacies, and is engaged by manufacturers to de-identify the data and perform data analytics. 

Since the aggregator is not receiving the data from the data subjects themselves, but rather from the specialty pharmacies, the aggregator has no obligation to make notices of collection available to either prescribers or patients. However, aggregators should expect to receive requests from specialty pharmacies to amend their existing services contracts to include CCPA-compliant data processing terms with respect to prescriber information. The pharmacies will need to implement notices of collection to inform prescribers of their data collection and sharing practices.

Example: Employee records

Finally, where a business has California employees, the CCPA will apply to the data it holds about them. At the most basic level, this means that such businesses will need to provide their employees with notices of collection (e.g., privacy notices) that outline the information collected about them, how it is used, and to whom it may be disclosed. Additionally, beginning January 1, 2021, businesses will also need to have in place mechanisms to process employees' requests to access information about their data, to opt out of sales, and so on.

The bottom line is that the various data sharing arrangements among partners in the specialty pharmaceutical channel require businesses, regardless of their role in relation to patients, to carefully assess both the applicability of the CCPA's requirements and how to operationalize those that in fact apply.

Shannon L. Wiley is a member of Bass, Berry & Sims PLC in its Specialty Pharmacy & Pharmaceuticals Practice; Jaime L. Barwig is a member in the firm who counsels clients on a range of privacy, cybersecurity, and information management issues.