When HIPAA Doesn’t Apply

From research and development through post-market approval activities, data continues to inform and drive decision making in the life sciences industry. Consequently, there are multiple data protection and integrity considerations throughout a drug or medical device product’s lifecycle-many of which are highly scrutinized. Under the current privacy framework in the United States, a single piece of information may weave in and out of a regulatory framework based on the type of data or of the entity receiving or disclosing it. As a result, data privacy and security considerations can become complicated and nuanced in the absence of a mandated baseline or regulatory standard, like the Health Insurance Portability and Accountability Act (HIPAA), to govern the data transaction.

In most cases, pharmaceutical and biotech companies are not directly regulated by HIPAA, although there are exceptions. More typically, such companies are indirectly impacted by HIPAA in their interactions with providers, payors, patients, and others that have HIPAA compliance obligations and/or HIPAA-granted rights. Absent a HIPAA benchmark for their privacy and security choices,  drug companies must develop their own standards informed by US Federal Trade Commission (FTC) principles and state law. In some instances this flexibility is welcome, but it is not without the potential challenge related to the lack of a clear regulatory safe harbor. Compliance with certain baseline expectations borrowed from existing frameworks is advised to protect against potential liability, especially in light of the FTC’s more opened-ended privacy expectations and enforcement. This article illustrates common data transactions between drug companies and HIPAA-regulated entities, and provides an initial checklist that stakeholders may wish to use to begin an internal dialogue about data privacy and security issues.

Historic and current regulatory oversight-How did we get here?

For historical reasons underpinned by changes in health insurance coverage, HIPAA was drafted and ratified with a focus on inclusion of stakeholders within the reimbursement corridor (providers and plans) rather than the life sciences industry. At the time of the Act’s passage, HIPAA included forward-looking provisions that moved the goalposts on a number of privacy and security benchmarks, for example, minimum security program requirements and the inclusion of limitations on uses-not just disclosures-of data. In addition, by enumerating permitted uses and disclosure of Protected Health Information (PHI) where a patient/beneficiary’s written authorization was not required, HIPAA contributed to the public’s reasonable expectations with regard to the balancing of public benefit and personal privacy. More than 20 years later, however, HIPAA increasingly reflects common sense, basic security measures, not aggressive, best-in-class requirements. And, it has shaped, even set, a data use and disclosure framework even when the parties to the data transaction are not HIPAA regulated. It is not uncommon to see companies describing themselves as “HIPAA compliant” even when they are not subject to HIPAA-HIPAA has become a marketing strategy and a privacy compliance shorthand.

The FTC, on the other hand, can be a source of direct enforcement for commercial entities regardless of whether they are HIPAA regulated. The FTC describes itself as the country’s primary privacy and security enforcer of consumer data in support of its mission to prohibit companies from engaging in deceptive or unfair acts or practices. Fair Information Practices (FIPs) are internationally deployed information privacy standards disseminated by numerous government entities, including the FTC, as well as trade groups. Although compliance with FIPs is advised as a best practice, FIPs are only principles, unlike the HIPAA Privacy and Security Rule’s mandatory enumerated requirements. The FTC does not have corresponding regulations and adds additional layers of compliance requirements and complexity in making the determination when a life sciences company has “complied enough.”

Common Data Exchanges & Interactions with HIPAA

Contracting

Usually, life sciences companies are not directly regulated by HIPAA as a covered entity (CE) or business associate (BA), but often must structure their transactions, projects, and internal data programs in a HIPAA-compliant way to ensure partnering CEs and BAs meet their data obligations. CEs and BAs frequently attempt to mitigate the potential for downstream non-compliance and typically mandate HIPAA and other data privacy and security compliance provisions in contracts with life sciences companies. In our experience, however, privacy, security, and data protection programs may be siloed within an organization’s divisions, and significant inconsistencies in the complexity of these programs exist across and within the life sciences industry. Absent an analogous baseline HIPAA standard, the checklist below may be useful to life sciences companies seeking to build their privacy and security infrastructures.

Written Authorizations

Life sciences companies analyze research data for a variety of purposes-to develop new drugs, broaden the intended use of existing drugs, conduct real-world evidence and comparative effectiveness analyses, compete against biosimilars, and undertake targeted product surveillance to identify trends. In some cases, life sciences companies will need PHI for these activities, some of which will require that the individual execute a HIPAA written authorization for the disclosure of PHI to the life sciences company. The authorization must be written in plain language and include a specific and meaningful description of the data, the purpose of the requested use or disclosure, the identities of the disclosing and receiving parties, the process for revocation, an expiration date, and a signature.

Excluded Activities

HIPAA permits the use and disclosure of PHI when expressly authorized by a patient/beneficiary or when such use or disclosure is expressly permitted without authorization by the Privacy Rule. In certain circumstances, a life sciences company may play a direct role in patient care, serving as a non-covered entity health care provider. For example, when a device company uses PHI to counsel a surgeon to determine the appropriate size, type, or other specifications of a prosthetic device for use in a surgery, the company is providing “treatment.” Under HIPAA, this disclosure of PHI to a medical device company for the covered provider’s own treatment purposes is permitted without the patient’s authorization. Although the particular agency guidance concerns a medical device example as the guidance was sought by that industry, it would seem that the same logic would apply in those cases where a non-device life sciences company received PHI to assist with treatment. The public disclosure pathway also allows the disclosure of PHI to a life sciences company without an authorization when, for example, a CE makes an adverse event report to the manufacturer of a US Food and Drug Administration-regulated product. Other common CE-to-life-sciences-company disclosures of PHI still require authorization, for example patient assistance programs. Determinations whether HIPAA applies to other life sciences activities have occurred incrementally through agency guidance, Q&A, and other interpretive activities. Life sciences companies would benefit from thoughtfully and regularly monitoring data privacy and security guidance and enforcement activities to preserve compliance with evolving standards.

Future Use

Research data is typically collected by a CE and provided to a life sciences company for a particular study. Years later, when the life sciences company seeks to use or disclose this same data for an unanticipated purpose, it can be less clear what the company can or should do. At the time of drafting the authorization, sponsors and researchers may be unable to anticipate all future possible uses and disclosures of data derived from a single clinical trial. Today, legal and normative considerations are implicated as life sciences companies analyze whether an authorization’s scope as originally drafted (if such an authorization exists) was appropriately broad and included the new proposed use. One other consideration should be to manage subjects’ expectations within the authorization to ensure it appropriately describes downstream use of their PHI and whether the data will be protected under the same HIPAA requirements that apply to the original CE.

De-identification

Drug companies use de-identified data to track surveillance, prescribing, and other patient trends. HIPAA de-identified data is not PHI under HIPAA and may be used or disclosed by a CE without authorization. When a life sciences company’s activities are not regulated under HIPAA’s two de-identification pathways, there is no clear regulatory standard or trustworthy best practice to determine when data becomes identifiable. The risk of re-identification of believed-to-be-de-identified data continues to evolve due, in part, to technological advancement coupled with an always-growing quantity of data. Big data and analytical capabilities exacerbate this issue by attributing single data points of health information to a particular individual, thereby rendering the data identifiable. The industry is left to resolve when data is de-identified. The implementation of prospective internal guardrails may decrease or mitigate the risk of re-identification.

Customer Communications

Communication with current customers, for example, related to a new formulation of a currently-prescribed drug is another activity where a drug company or its vendor may be subject to HIPAA. Written authorization is necessary before PHI may be used or disclosed for marketing purposes by HIPAA-regulated entities, but is not required for every communication with a customer. Generally, life sciences companies should keep in mind that the characterization of a communication as treatment, a health care operation, or marketing is imperative to analyzing whether a written authorization is required or an exception is appropriately met (e.g., refill reminders).

Checklist Tool

In the absence of a clear regulatory standard, drug companies still have opportunities to implement best practices to mitigate potential data liability and enforcement. Basic privacy literacy is vital to protecting companies from liability, negative publicity, and steep enforcement actions by minimizing human error and maximizing aligned public expectations. Regardless of the size of a company, there is often a demonstrated need for implementation of a comprehensive privacy program designed for all emerging data-driven activities that the industry leverages. Although this implementation may be resource intensive, bolstering data privacy compliance is an industry differentiator that simultaneously preserves and maintains relationships with CEs.

Because a true privacy and security program is often more complicated than it looks, below is a series of questions and steps to reference for protecting data when there may not be a regulatory obligation to do so.

Checklist

o Assess the current limits, guardrails, and risks associated with enterprise data privacy and security

·       What types of data does the company touch and when?

·       Does the data currently exist or will it be created?

·       What is the purpose of the data use or disclosure?

o Review (and implement) global internal data privacy and security policies and procedures

·       Adhere to the practices, processes, and standards of the HIPAA pathway that a regulated entity would need to follow

·       Ensure consistency with HIPAA’s administrative, physical, and technical safeguards

·       Integrate the FTC’s FIPs principles that govern collection limitation, data quality, purpose specification, use limitation, security safeguards, openness, individual participation, and accountability

·       Conduct and document training annually and upon hire

·       Regularly audit the effectiveness of the data privacy and security program

o Implement a third party supplier and vendor (e.g., cloud based data storage centers) qualification process to: (1) ensure that your data privacy and security policies and procedures align with the third party and any contractual obligations, and (2) confirm that the third party has an appropriate data privacy and security program

o Review existing contractual requirements for data privacy and security provisions

·       Determine whether your current data privacy and security program meets the requirements

o Review and, as necessary, modify authorization and informed consent forms; develop template future use language to be used in authorizations

o Review the fees paid to vendors for marketing-related services covered by HIPAA

·       Assess reasonableness and fair market value considerations

o Develop checklists and decision tree to accurately categorize different types of use and disclosures

o Develop prospective standards for de-identification

Jennifer S. Geetter is a partner at McDermott Will & Emery. She advises global life sciences, health care, and informatics clients on legal issues.

Shelby Buettner is an associate at McDermott Will & Emery. She advises pharma, medical device, and healthcare companies on FDA regulatory and compliance matters.