Effecting Online Privacy Policies

As privacy has captured national headlines this year, some pharmaceutical firms have bottlenecked e-business initiatives to reduce risks of violating consumer privacy or creating public relations disasters.

But many firms risk over-regulating themselves because of ambiguity surrounding high-profile privacy policies, which include Federal Trade Commission (FTC) requirements, the recent “safe harbor” program and the Healthcare Insurance Portability and Accountability Act (HIPAA). Pharmaceutical firms need to demystify privacy to help ensure that their Internet marketing efforts are not only legal and ethical, but also effective.

Privacy takes center stage. The healthcare industry had numerous incidents this year involving consumer and physician privacy. Industry concerns were heightened this summer when some leading pharmaceutical firms faced criticism for affiliating with a database marketing company. This marketing firm tracked consumers’ movement – in some cases without their consent – through Web sites, then sold the data back to drug companies.

In another recent example, the American Medical Association is responding to criticism of its intention to sell its physician database information to companies eager to market to the AMA’s 650,000 members. And just last month, The New York Times reported on pharmaceutical companies using “hi-tech stealth” to learn and influence physician prescribing habits.

Increasing consumer concerns. U.S. consumers increasingly are using the Internet to find health information. Studies indicate that 86 percent of online adults currently do so. Yet Americans are more concerned about the loss of personal privacy online than they are about crime and taxes, according to a recent Harris Interactive/National Consumers League survey. According to Cyber Dialogue, New York, of the 37 million online users who do not use online health information, 6.3 million primarily cite privacy and security concerns.

Extreme self-regulation. Since there is no major U.S. law on privacy, organizations are largely self-regulated. Pharmaceutical firms, of course, function in a highly regulated industry, so they have existing infrastructure to review and approve marketing initiatives. Most pharmaceutical firms have cross-functional “copy clearance” teams, which include legal and medical affairs, to monitor Food and Drug Administration actions so that marketing efforts align with company-specific policies.

These committees are typically the default function for setting privacy policy, yet their members often fail to understand privacy and technology issues. As a result, some committees hamper “aboveboard” marketing efforts in an attempt to reduce risk, which may put their firms at a competitive disadvantage. By contrast, firms that are educated about privacy can increase the speed and effectiveness of ethical and legal marketing activities. Pharmaceutical firms can take specific steps to heighten their understanding of privacy as it affects healthcare, and help ensure that the ambiguity associated with privacy policy does not encumber e-business progress.

Monitor and observe basic guidelines. Most privacy rulings – either guidelines issued by nonprofit groups or requirements released by government groups – are intuitive and easy to follow.

For example, the FTC privacy requirements can be summarized as follows: give notice to the consumer that information is being collected; give consumers a choice on whether they want the information to be collected; provide consumers access to the data that have been collected; and guarantee that the data will be secure, and not stolen or misplaced.

These key themes are inherent in most policy related to privacy. Other classic red flag privacy issues involve tracking (using cookies) without consent and combining offline and online databases.

Numerous pharmaceutical manufacturers also are taking note of HIPAA, since it is the first U.S. online privacy restriction to directly concern most firms. HIPAA guidelines require health payers, providers and clearinghouses to implement measures such as common identifiers, shared code sets, stricter security and privacy, and standard formats for electronic processing.

As customer relationship management becomes more widespread in the prescription drug industry, there are potential HIPAA implications for firms engaged in the collection and/or sharing of consumer information.

For example, if a pharmaceutical firm with a blockbuster anxiety drug collects a consumer’s name via the Internet, can that individual’s data be shared with another team marketing a newly launched sleep aid? If so, how is that data captured and secured, and what exactly can be done with it? What ability does a consumer have to view and amend personal health data captured by a pharmaceutical firm?

Do not “practice medicine.” Pharmaceutical firms are relatively new at marketing directly to consumers, and drug manufacturers are protected from some liability because a “learned intermediary” – a healthcare provider – is the actual administrator of their products.

So what happens when a top-selling prescription drug brand collects consumer names and disseminates personalized disease state information? Is it practicing medicine?

Several major pharmaceutical firms are – either directly or through third parties – developing free Web sites for physicians. These sites are designed to reduce costs of care, simplify patient-provider communication and help pharmaceutical marketers get close to the point of care.

Drug marketers will need to be especially sensitive to the degree to which they participate in the communication between these physicians and their patients. Pharmaceutical firms need to monitor carefully their actions as they work with other entities toward improving the quality of patient care.

Do not hide behind a third party. When the database marketing company was exposed by The Washington Post in August for “surreptitiously tracking computer users across the Internet on behalf of pharmaceutical companies,” the firm and its clients (including 11 pharmaceutical companies) received negative press. Pharmaceutical firms must recognize that they can face criminal and civil sanctions and, worse yet, public relations disasters for their vendors’ privacy violations. A solid privacy policy calls for due diligence on the privacy practices and technological security of partners.

Globalize corporate privacy policy. There are numerous privacy bills before Congress, and many are predicting the introduction next summer of a U.S. privacy law – which could mandate opt-in and provide for FTC sanctions. However, meeting U.S. legal requirements does not necessarily create effective global policy.

The European Union bans the transfer of personal information about European citizens to third-party countries that lack “adequate” privacy protections. U.S. pharmaceutical firms collecting consumer data in Europe can be sanctioned unless they agree to join a recently established “safe harbor” self-regulatory program. Many nations take privacy more seriously than the United States, and since pharmaceutical marketing efforts are typically global, so, too, should be a firm’s policy practice.

Watch the watchdogs. The privacy debate has broader ethical implications, and there are three prominent Internet health groups setting standards for healthcare companies. These groups – Internet Healthcare Coalition, Health Internet Ethics and Health on the Net – each have set their own general (albeit sometimes vague) principles.

For example, the “eHealth Code of Ethics” calls for firms to disclose information and inform and educate users about the limitations of online healthcare. Pharmaceutical firms should participate in conversations with these organizations to understand their guidelines and reduce the inevitable public relations damage associated with violating them.

Ensure enterprisewide security. Nearly every privacy guideline or requirement has a provision calling for security of private data. Promoting privacy requires that companies maintain security measures such as strong authentication for all users, multilayer security perimeters and intrusion detection. These measures need to exist not only within the enterprise, but also between the pharmaceutical firm and the third parties with which it shares data, including clinical trial companies, e-detailing firms and online disease state management companies. Companies should conduct periodic network risk assessments, and ongoing policy development and training to help ensure that data intended to be private remains so.

Educate and communicate. Just as each pharmaceutical firm has its own way of interpreting FDA policy decisions and procedures, each firm will have a different threshold for decisions related to privacy. It is critical that corporations carefully design privacy policies and effectively communicate them – internally and externally.

In the pharmaceutical industry, consumer privacy affects the enterprise from each stage of the drug development cycle through launch and beyond. So education involves far more than posting a token privacy policy on company Web sites. Organizations need to develop comprehensive policies addressing fundamental privacy questions and revisit these periodically.

• Kevin H. Nalty is a business development manager at KPMG Consulting LLC, Radnor, PA, which helps major pharmaceutical firms with e-business integration.
