When HIPAA Doesn’t Apply

Navigating Data Privacy and Security Considerations: Outlining the common data transactions between drug companies and the HIPAA-regulated entities they interact with-plus steps pharma can take to secure and protect its own data.

From research and development through postmarketing approval activities, data continues to inform and drive decision making in the life sciences industry. Consequently, there are multiple data protection and integrity considerations throughout a drug or medical device product’s lifecycle-many of which are highly scrutinized. Under the current privacy framework in the US, a single piece of information may weave in and out of a regulatory framework based on the type of data or of the entity receiving or disclosing it. As a result, data privacy and security considerations can become complicated and nuanced in the absence of a mandated baseline or regulatory standard, like the Health Insurance Portability and Accountability Act (HIPAA), to govern the data transaction.

In most cases, pharmaceutical and biotech companies are not directly regulated by HIPAA, although there are exceptions. More typically, such companies are indirectly impacted by HIPAA in their interactions with providers, payers, patients, and others that have HIPAA compliance obligations and/or HIPAA-granted rights. Absent a HIPAA benchmark for their privacy and security choices, drug companies must develop their own standards informed by US Federal Trade Commission (FTC) principles and state law. In some instances, this flexibility is welcome, but it is not without the potential challenge related to the lack of a clear regulatory safe harbor. Compliance with certain baseline expectations borrowed from existing frameworks is advised to protect against potential liability, especially in light of the FTC’s more opened-ended privacy expectations and enforcement. This article illustrates common data transactions between drug companies and HIPAA-regulated entities and provides an initial checklist (see bottom) that stakeholders may wish to use to begin an internal dialogue about data privacy and security issues.

Historic and current regulatory oversight: How did we get here?

For historical reasons underpinned by changes in health insurance coverage, HIPAA was drafted and ratified with a focus on inclusion of stakeholders within the reimbursement corridor (providers and plans) rather than the life sciences industry. At the time of the act’s passage, HIPAA included forward-looking provisions that moved the goalposts on a number of privacy and security benchmarks; for example, minimum security program requirements and the inclusion of limitations on uses-not just disclosures-of data. 

In addition, by enumerating permitted uses and disclosure of protected health information (PHI) where a patient/beneficiary’s written authorization was not required, HIPAA contributed to the public’s reasonable expectations with regard to the balancing of public benefit and personal privacy. More than 20 years later,

however, HIPAA increasingly reflects common sense, basic security measures, and not aggressive, best-in-class requirements. And it has shaped, even set, a data use and disclosure framework even when the parties to the data transaction are not HIPAA regulated. It is not uncommon to see companies describing themselves as “HIPAA compliant” even when they are not subject to HIPAA; HIPAA has become a marketing strategy and a privacy compliance shorthand. 

The FTC, on the other hand, can be a source of direct enforcement for commercial entities regardless of whether they are HIPAA regulated. It describes itself as the country’s primary privacy and security enforcer of consumer data in support of its mission to prohibit firms from engaging in deceptive or unfair acts or practices. Fair information practices (FIPs) are internationally deployed information privacy standards disseminated by numerous government entities, including the FTC, as well as trade groups. Although compliance with FIPs is advised as a best practice, FIPs are only principles, unlike the HIPAA Privacy and Security Rule’s mandatory enumerated requirements. The FTC does not have corresponding regulations and adds additional layers of compliance requirements and complexity in making the determination when a life sciences company has “complied enough.”

Data exchanges & HIPAA interactions

Contracting

Usually, life sciences companies are not directly regulated by HIPAA as a covered entity (CE) or business associate (BA), but often must structure their transactions, projects, and internal data programs in a HIPAA-compliant way to ensure partnering CEs and BAs meet their data obligations. CEs and BAs frequently attempt to mitigate the potential for downstream non-compliance and typically mandate HIPAA and other data privacy and security compliance provisions in contracts with life sciences companies. In our experience, however, privacy, security, and data protection programs may be siloed within an organization’s divisions and significant inconsistencies in the complexity of these programs exist across and within the life sciences industry. Absent an analogous baseline HIPAA standard, the checklist below (click to enlarge) may be useful to life sciences companies seeking to build their privacy and security infrastructures.

Written authorizations

Life sciences companies analyze research data for a variety of purposes-to develop new drugs, broaden the intended use of existing drugs, conduct real-world evidence and comparative effectiveness analyses, compete against biosimilars, and undertake targeted product surveillance to identify trends. In some cases, life sciences companies will need PHI for these activities, some of which will require that the individual execute a HIPAA written authorization for the disclosure of PHI to the company. The authorization must be written in plain language and include a specific and meaningful description of the data, the purpose of the requested use or disclosure, the identities of the disclosing and receiving parties, the process for revocation, an expiration date, and a signature. 

Excluding activities

HIPAA permits the use and disclosure of PHI when expressly authorized by a patient/beneficiary or when such use or disclosure is expressly permitted without authorization by the Privacy Rule. In certain circumstances, a life sciences organization may play a direct role in patient care, serving as a non-covered entity healthcare provider. For example, when a device company uses PHI to counsel a surgeon to determine the appropriate size, type, or other specifications of a prosthetic device for use in a surgery, the company is providing “treatment.” Under HIPAA, this disclosure of PHI to a medical device company for the covered provider’s own treatment purposes is permitted without the patient’s authorization. 

Although the particular agency guidance concerns a medical device example, as the guidance was sought by that industry, it would seem that the same logic would apply in those cases where a non-device life sciences company received PHI to assist with treatment.  The public disclosure pathway also allows the disclosure of PHI to a drug company without an authorization when, for example, a CE makes an adverse event report to the manufacturer of an FDA-regulated product. 

Determinations of whether HIPAA applies to other biopharma activities have occurred incrementally through agency guidance, Q&A, and other interpretive activities. Life sciences companies would benefit from thoughtfully and regularly monitoring data privacy and security guidance and enforcement activities to preserve compliance with evolving standards.

Future use

Research data is typically collected by a CE and provided to a drug developer for a particular study. Years later, when the company seeks to use or disclose this same data for an unanticipated purpose, it can be less clear what the firm can or should do. At the time of drafting the authorization, sponsors and researchers may be unable to anticipate all future possible uses and disclosures of data derived from a single clinical trial. 

Today, legal and normative considerations are implicated as drug companies analyze whether an authorization’s scope as originally drafted was appropriately broad and included the new proposed use. One other consideration should be to manage subjects’ expectations within the authorization to ensure it appropriately describes downstream use of their PHI and whether the data will be protected under the same HIPAA requirements that apply to the original CE.

De-indentification

Drug companies use de-identified data to track surveillance, prescribing, and other patient trends. HIPAA de-identified data is not deemed PHI under HIPAA and may be used or disclosed by a CE without authorization. When a life sciences company’s activities are not regulated under HIPAA’s two de-identification pathways, there is no clear regulatory standard or trustworthy best practice to determine when data becomes identifiable. The risk of re-identification of believed-to-be-de-identified data continues to evolve due, in part, to technological advancement coupled with an always-growing quantity of data. Big data and analytical capabilities exacerbate this issue by attributing single data points of health information to a particular individual, thereby rendering the data identifiable. The industry is left to resolve when data is de-identified. The implementation of prospective internal guardrails may decrease or mitigate the risk of re-identification.

Customer communications

Communication with current customers, for example, related to a new formulation of a currently-prescribed drug is another activity where a drug company or its vendor may be subject to HIPAA. Written authorization is necessary before PHI may be used or disclosed for marketing purposes by HIPAA-regulated entities, but is not required for every communication with a customer. Generally, life sciences companies should keep in mind that the characterization of a communication as treatment, a healthcare operation, or marketing is imperative to analyzing whether a written authorization is required or an exception is appropriately met (e.g., refill reminders). 

Checklist tool

In the absence of a clear regulatory standard, drug companies still have opportunities to implement best practices to mitigate potential data liability and enforcement. Basic privacy literacy is vital to protecting companies from liability, negative publicity, and steep enforcement actions by minimizing human error and maximizing aligned public expectations. Regardless of the size of a company, there is often a demonstrated need for implementation of a comprehensive privacy program designed for all emerging data-driven activities that the industry leverages. Although this implementation may be resource intensive, bolstering data privacy compliance is an industry differentiator that simultaneously preserves and maintains relationships with CEs.

Jennifer S. Geetter is a partner and Shelby Buettner an associate, both at McDermott Will & Emery