Skip to : [Content] [Navigation]
 

MX

 
 
Email article link Print article

Originally Published MX November/December 2001

GOVERNMENTAL & LEGAL AFFAIRS

Global Data Privacy and Security

Part 2: The Impact of Privacy Laws on Medical Product Development

By implementing privacy and security programs, medtech manufacturers can turn compliance with patient data laws into a competitive advantage.

Edward J. Green and Lisa J. Acevedo

In the United States and abroad, public concern about the privacy of personally identifiable health information has led to a variety of new laws and regulations governing the use and disclosure of personal data.

The first installment of this article (MX, September/October 2001) provided an overview of both U.S. and international laws governing data privacy and security, including the Health Insurance Portability and Accountability Act (HIPAA), the European Union’s Data Privacy Directive, and U.S. safe harbor principles.1-3 This installment offers practical tips on how medtech manufacturers can effectively meet data privacy and security legal challenges, avoid pitfalls, and use these legal requirements to meet patient and customer needs in order to successfully market and sell medical devices.

Privacy Laws and Product Development

The impact of privacy laws may be most greatly felt by manufacturers of so-called "smart" devices—that is, devices and related software that enable them to collect or communicate personal health information, often via the Internet. Manufacturers have no legal obligation to market products that meet privacy laws. Nevertheless, most manufacturers’ customers will have some obligation to comply with these laws and will base their purchasing decisions on a product’s ability to facilitate their compliance.

For example, U.S. customers will expect such smart devices to incorporate security measures to assist them in complying with the HIPAA security standards. However, of equal importance to such customers will be whether the product is designed to facilitate compliance with the HIPAA privacy regulations. Customers in other countries will likewise want to acquire products that assist them in complying with their own privacy laws.

There are products on the market that advertise their HIPAA compliance. However, it is important to note that compliance with HIPAA as well as other privacy laws involves much more than a technical solution. Rather, compliance involves changes in the behavior of staff, and implementation of policies and procedures designed to effectuate the principles embodied in such privacy laws. Use of a product alone cannot guarantee compliance with privacy laws. Nevertheless, customers will want to acquire products that will assist them in their efforts to comply with privacy laws.

To meet these challenges and to gain a competitive advantage, manufacturers must address customers’ privacy and security requirements early in the product development process. At the beginning of the process, the development team must assess whether the prospective product’s functionality will implicate privacy and security laws. If the answer is yes, then part of the analysis of the requirements surrounding the prospective product should include development of an understanding of the hurdles these laws may place on development of the product or on customers’ willingness to acquire the product.

During the design phase of the product development process, special attention must be devoted to ensuring that the prospective product is designed to include functionality necessary to facilitate customers’ compliance with privacy and security requirements. Given the technical aspects of smart devices, many such products may be designed to focus on compliance with security requirements. Manufacturers of such products may fail to consider features that could also assist customers in their compliance with privacy requirements. Attention to such features may translate into increased marketability of products.

To reach the marketplace, the majority of devices must undergo some type of submission to FDA or another competent authority internationally. As a result, it is important to consider during the design phase that any privacy and security functionality incorporated into the product will have to be validated and described in the regulatory submission.

Even after the product has been designed, privacy and security laws may continue to affect its progress to market. For example, HIPAA regulations contain requirements for personal health information generated in clinical trials. Thus, if the product will be used in clinical trials in the United States, manufacturers will have to contend with HIPAA. Although the majority of the requirements address the conduct of the study institution and its investigators, manufacturers may find that they cannot use personally identifiable health information generated in the trials as freely as they could previously.

Even if the clinical trial occurs in a foreign country, privacy laws may still influence the process. If a trial is conducted in a member state of the European Union (EU), the privacy directive or local law will apply to the handling of personal information. If personal information is transmitted to the United States, then the manufacturer must certify its compliance with the safe harbor principles or obtain governmental approval for the data transfer. The same holds true even if the product is simply undergoing beta testing, if the manufacturer will be accessing or processing personal information collected, stored, or disclosed by the device.

Information obtained from subjects in a clinical trial can often be valuable to future research. If such information is personally identifiable and is to be transmitted from the eu to the United States, the safe harbor principles provide that companies can avoid having to obtain new consent for future uses by notifying individuals that their personal information may be used in future and perhaps different research activities. However, if the personal information will be used in a manner that is not consistent with general research, then a new consent must be obtained.

Marketing Activities

For manufacturers that use Web sites and other on-line services to market to customers and patients, the privacy laws can influence personal information collection activities conducted via such sites. If personal information is collected on-line in an EU country and transferred to the United States, both the EU privacy directive and the safe harbor principles are implicated. In the United States, if the site collects personal information from children under the age of 13 or could be deemed to be targeted toward children (e.g., asks for age, uses graphics that the Federal Trade Commission could interpret as being targeted to children), then the site must comply with the Children’s On-Line Privacy Protection Act of 1998 (COPPA).4 Potential HIPAA implications must be assessed if the Web site or on-line service collects health information—especially if physicians or other healthcare providers or health plans are involved.

Given that the common objective of all the various privacy laws is to place boundaries around access to personal information, market research efforts may be affected. In the United States, personally identifiable information is commonly shared among clinical affairs and marketing staff with the thought that such intracompany sharing between employees or departments is not the same as a disclosure to an outside third party. Privacy laws may restrict the ability of marketing personnel to obtain such valuable personal information from other departments within the company.

Transactions with Third Parties

Whenever manufacturers engage in transactions with third parties that involve the use or disclosure of personal information, they must consider privacy laws. For example, a manufacturer may enter into a joint venture with another manufacturer or company to market a joint Web site that collects personal information. In that case, it would be important to draft a contract that clearly sets forth who would control the personal information and have access to it. It would also be important to understand the other company’s privacy policies and practices, as well as its technology to support security. In addition, appropriate notice would have to be provided to the individuals submitting their personal information to inform them of each company’s role in using their personal information.

Privacy laws may also come into play when manufacturers hire third parties to handle tasks for them. Many companies outsource the hosting and management of their information databases, which contain personal information, to third parties. Compliance with the safe harbor principles, for example, would require the manufacturer to enter into an agreement obligating the third-party hosting company to provide the same level of privacy protection required by the safe harbor principles. This same requirement would apply to any third-party consultants brought into a company and provided access to personal information.

Manufacturers must be especially careful of promises they make in their privacy policies about selling personal information. In their zeal to assure consumers that the company will take all steps to keep personal information private, companies may assure that personal information will never be sold. Making such a broad promise, however, could have unintended results. Such customer information is presumably a valuable company asset. However, if the company or business were subsequently put up for sale, a promise never to sell personal information could prohibit the company from including the personal information in the sale.

Creating an Effective Privacy Program

The most effective method for a manufacturer to meet privacy and security challenges is to create and implement a company privacy and security program. Incorporating such a program into the company will provide benefits beyond just legal compliance. An effective privacy program can provide a company with a significant competitive advantage. Implementation of privacy and security principles through a privacy program helps to ensure that devices meet or exceed customer needs. An effective privacy program can help the manufacturer generate customer and patient trust; customers will feel confident engaging in transactions involving personal information, and patients will be more willing to provide such information.

The following sections offer a synopsis of the key steps involved in developing and implementing a privacy program. These steps apply to both small companies and large companies with global operations. The only differences will be in the size of the implementation teams, the number of individuals who will work on the project, and the scale of the resources devoted to the project.

Create and Empower a Task Force. The first step to privacy program implementation is to organize a fairly small, crossfunctional committee or task force of high-level decision makers within the company. The task force is responsible for overseeing the program, providing advice, resolving issues, and identifying both internal and external resources. The task force also identifies and empowers a deployment team. The task force should meet with the deployment team on a regular basis to monitor the program and provide guidance.

The task force and privacy program cannot succeed without the support of senior management. Rolling out such a program will require company personnel to take on additional tasks. As a result, if senior management does not make privacy program implementation a company priority, the project may become stalled.

Establish the Deployment Team. The deployment team should be composed of crossfunctional members, with at least one project manager. The deployment team is responsible for working with outside counsel to develop privacy policies, procedures, and other tools needed to assist personnel in rolling out the program. The deployment team will identify areas of high risk and take steps to assess existing information practices. The deployment team will also develop and roll out an implementation plan.

Conduct an Assessment. One of the most difficult aspects of incorporating privacy principles into a company’s operations is identifying all areas within the company where personal information is used and understanding information flows both within and outside the company. One purpose of the assessment is to assist in these endeavors. The other purpose is to assess current information practices against legal requirements. Information systems must also be assessed against security requirements.

Develop an Implementation Plan. Developing an implementation plan makes rollout of the program more efficient and manageable. The plan should assign responsibilities, create timelines, and set milestones. It should attach all tools developed internally and by outside counsel, such as training materials, checklists, policies, and template documents.

Deployment Phase. The program should be deployed to high-risk areas first. The deployment team must continuously monitor implementation and escalate issues, when necessary, to the task force. The deployment team must be prepared to remain flexible and creative, and to implement changes where necessary.

Audit Phase. Once the privacy and security program has been implemented, the company must audit its efforts to determine the effectiveness of the program. Audits can also be used as a mechanism for continuous improvement. Given the broad scope of the program, auditing efforts should begin at high-risk areas.

Marketing Privacy and Security Savvy

Manufacturers should take steps to ensure that their privacy and security efforts translate into a competitive advantage. Tools should be developed to explain the privacy and security features of medical devices to the company’s customers. The sales force should be trained on the company’s privacy policies and program, as well as on the customer tools, so that they can effectively market features of the company’s products and services that are designed to meet customers’ privacy and security needs.

Informing customers and patients that the company cares about privacy and has taken steps to protect it will enhance the company’s image and credibility in its e-health initiatives. This can translate into a competitive advantage and financial success.

REFERENCES

1. Department of Health and Human Services, "Individually Identifiable Health Information; Privacy Standards," Health Insurance Portability and Accountability Act of 1996, PL 104-191, August 21, 1996.

2. Directive on Data Protection, 95/46/EC, October 24, 1995.

3. Safe Harbor Privacy Principles (Washington, DC: Department of Commerce, 2000); available from Internet: http://www.export.gov/safeharbor/sh_documents.html.

4. Children’s On-Line Privacy Protection Act of 1998, U.S. Code, vol. 15, sec. 6501.

Edward J. Green is a partner and Lisa J. Acevedo is a senior associate in the health law department of the law firm of Foley & Lardner (Chicago).

Illustration by Kazuaki Iwasaki/The Stock Market

Copyright ©2001 MX