Embracing HIPAA's Ethics

August 1, 2002

Pharmaceutical Executive

Pharmaceutical Executive, Pharmaceutical Executive-08-02-2002

To win consumers' trust and loyalty, pharma companies should look to the privacy regulations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to guide their direct-to-consumer (DTC) and web strategies.

HIPAA provides the standard for using and managing individually identifiable health information. Its underlying ethical principles are based on the cornerstones of the Fair Information Practices Act of 1974: disclosure, authorization, and clarity.

This article highlights HIPAA's basic tenets and how they affect pharma companies. It also discusses how companies can benefit from working with nonprofits that are dedicated to privacy compliance and accreditation.

"Opt-in" is the standard applied to collecting and transferring health information. That standard makes the company that tries to obtain and use the information responsible for gaining prior authorization. Even then, consumers must be clear about how the information will be collected and used before they can grant permission to use it.

HIPAA privacy regulations apply only to covered entities that electronically transmit or store individually identifiable health information. Typically, that does not include pharma companies.

So, why should the industry be concerned about HIPAA? Because business associates of healthcare companies that perform functions on behalf of the covered entity are affected, and many pharma companies likely fall into that category. More and more, pharma companies are becoming involved in patient care treatment programs and gaining increased access to clinical health information through clinical trials and online care management programs.

Competitive Advantage

The business associate rule gives pharma companies an important reason to develop comprehensive privacy policies: competitive advantage. After all, covered entities will be careful to align with organizations that won't put them or their reputations at risk.

HIPAA has two types of permission for use of individually identifiable health information. "Consent" is for information used in conjunction with treatment, payment, or healthcare operations. "Authorization" is for any other use, such as marketing or DTC advertising. How a pharma company initially obtains and ultimately uses individually identifiable information determines the type of permission needed.

The safest approach for pharma companies collecting and using personal health information is "opt-in" authorization, whether the information comes from an individual or a healthcare system, says Donald Kemper, CEO of Healthwise and chairman of Hi-Ethics, an organization that develops consumer privacy, security, and quality standards: "The elements of clear disclosure for that authorization should include the type of information, the purpose it's used for, who it is shared with and for how long, and how to revoke permission."

Another good reason for pharma companies to embrace HIPAA precepts is the important matter of trust. Gaining personal health information requires building trust with patients. Pharma must create an environment in which consumers feel comfortable providing a gateway to their personal health data.

Skeptical Consumers

The public wants to access a wide array of information from pharma websites. At the same time, they are skeptical about the information they find there. Jupiter Research reports that only one in ten consumers trusts pharma sites to provide accurate health information. And consumers are less than enthusiastic about giving data to pharma sites to institute ongoing contact.

To enhance consumer confidence, pharma companies might partner with third-party health sites. Through such intermediaries, companies can sponsor related content and provide disease management resources and community support activities while benefiting from the sites' expertise in building privacy trust with end users.

GlaxoSmithKline worked with WellMed to develop a health risk assessment specific to herpes for GSK's educational website, www.herpeshelp.com. Instead of creating online resources on established consumer sites, GSK designed its own patient education site with an assessment giving consumers a private, personalized report, counseling and support, treatment options, and links to chat rooms.

Patient's Rights Recognized

HIPAA also gives patients the right to control who has access to their health information and the right to correct errors in their records. Pharma companies can go a long way toward overcoming consumer skepticism by following the ethical principles inherent in HIPAA standards.

Jupiter Research suggests that pharma sites create privacy policies that incorporate key HIPAA provisions regarding disclosure, chain of trust, consumer control, and security. In doing so, companies would be smart to seek guidance from the many online health companies and self-regulating organizations that have worked for years to develop policies and security measures.

Those groups know that protecting individuals' privacy and confidentiality is key to their success. They understand the importance of a privacy policy based on the principles of disclosure, authorization, and clarity. Following in the footsteps of those internet trailblazers, pharma companies might develop policies that outline their commitment to privacy protection. Those policies should address:

  • personally identifiable information and individual health information that the company collects from consumers

  • what "cookies" are and how they are used

  • how the company makes use of personal consumer information, including aggregate data

  • the company's relationship to third parties

  • consumers' privacy choices, describing how they can change or remove personal information.

Pharma companies considering the use of online technologies to support DTC marketing should do everything possible to ensure they properly obtain or use individually identifiable health information. For those who don't, the penalties can be severe.

Entities covered under HIPAA, or their business associates, are subject to criminal penalties. Even companies that fall outside of HIPAA run the risk of damaging their public images. The use of trusted online health intermediaries who have experience dealing with conflicting privacy regulations can help pharma companies avoid costly mistakes.