28
Data Privacy and Security
Approximately 30 years ago, with the advent of enormous changes in communication, personal computers, medicine, and society (greater mobility, the ascent of specialists and subspecialists in medicine), personal privacy and the limiting of access to data began to emerge as a new and major issue in medicine. With the internet and identity theft, the question of who has access to what data is now at the forefront of people’s and governments’ minds.
For many years, medical data were believed to be the property of the treating physician or hospital, and they were kept confidential by those parties. In the United States, Europe, and elsewhere, there was no right to privacy as defined by law, and sometimes patients were denied the right to obtain or even see their own medical records. The law that was in place in the United States was state law, which varied from state to state, offering inconsistent levels of protection. Similarly, in Europe and elsewhere, laws were national or local, such as they were.
That viewpoint has largely changed, and a person’s health data are now believed to be owned by that individual. There are now clear limitations on what third parties (physicians, hospitals, companies, and governments) can and cannot do with the data. In the United States, the federal government has enacted laws on privacy. The European Union now has rules and regulations that cover all member states (some of which have put forth additional and tougher privacy and security protections). Canada, Australia, Japan, and other countries have also tightened their privacy protections.
For the purposes of drug safety and pharmacovigilance, two major governmental acts, worth studying in detail, largely represent the state of privacy around the world: the U.S. Health Insurance Portability and Accountability Act (HIPAA) and the European Union (EU) Data Privacy Directive. In addition, a brief look at Canada’s and Japan’s privacy laws is presented. They are reviewed here and the implications and effects on drug safety are discussed.
United States Health Insurance Portability and Accountability Act (HIPAA)
Unlike the European Union, the United States does not have one global law for data privacy and security. Rather, different parts, or “sectors,” of the country have different approaches. The healthcare sector is covered at the federal level by the Health Insurance Portability and Accountability Act (HIPAA) as well as various other state and local laws, regulations, and court cases. The final HIPAA rule went into effect at the end of 2000.
The regulations cover health plans, healthcare clearinghouses, and those healthcare providers (“covered entities”) who conduct certain financial and administrative transactions on paper or electronically. All medical records and other individually identifiable health information held or disclosed by a covered entity in any form, whether communicated electronically, on paper, or orally, are covered. Title I covers healthcare access, portability, and renewability of insurance. Title II requires national standards for electronic healthcare transactions and covers privacy, security, and unique identifiers (National Provider Identifier). Further information on HIPAA can be found on the HHS website (Web Resource 28-1); the privacy and security features are summarized here:
- Patient education on privacy protections. Providers and health plans are required to give patients a clear written explanation of how they can use, keep, and disclose their health information.
- Ensuring patients’ access to their medical records. Patients must be able to see and get copies of their records and request changes and corrections. In addition, a history of most disclosures must be made accessible to patients.
- Getting patient consent to release information. Patients’ authorization to disclose information must be obtained before sharing their information for treatment, payment, and healthcare operations purposes. In addition, specific patient consent must be obtained for other uses, such as releasing information to financial institutions determining mortgages, selling mailing lists to interested parties such as life insurers, or disclosing information for marketing purposes by third parties (e.g., drug companies).
- Consent must not be coerced.
- Providing recourse if privacy protections are violated.
- Providing the minimum amount of information necessary. Disclosures of information must be limited to the minimum necessary for the purpose of the disclosure.
Covered entities are held to the following requirements:
- Adopt written privacy procedures. These must include who has access to protected information, how it will be used within the entity, and when the information would or would not be disclosed to others. They must also take steps to ensure that their business associates protect the privacy of health information.
- Train employees and designate a privacy officer. Covered entities must provide sufficient training so that their employees understand the new privacy protection procedures, and designate an individual to be responsible for ensuring the procedures are followed.
- Establish grievance processes. Covered entities must provide a means for patients to make inquiries or complaints regarding the privacy of their records.
- Psychotherapy. Psychotherapy notes (used only by a psychotherapist) are held to a higher standard of protection because they are not part of the medical record and are never intended to be shared with anyone else.
- Penalties. Failure to comply may lead to civil or criminal penalties, including fines and imprisonment.
Information may be released in the following circumstances:
- Oversight of the healthcare system, including quality assurance activities
- Public health
- Research approved by a privacy board or institutional review board
- Judicial and administrative proceedings
- Certain law enforcement activities
- Emergency circumstances
- Identification of the body of a deceased person or the cause of death
- Activities related to national defense and security
This regulation clearly has implications for pharmacovigilance. Much discussion occurred and the Food and Drug Administration (FDA) ultimately issued a clarification of the issue.
The FDA fully recognized that pharmaceutical companies are required by law and regulation to maintain databases of adverse events, reported by health professionals, that occur in individuals who have taken their products. The data identify the person making the report and may or may not identify the individual who took the product. The data come both from clinical trials of new products and from the postmarketing data of drugs already on the market.
Although in such data there is often no specific patient identification (e.g., name and address), there may be sufficient patient data such that it would be possible in many cases, with only minimal effort, to identify the patient based on the known data (e.g., hospital, dates of hospitalization, age or birth date, patient initials, sex, diagnosis, treatment, and hospital course). These data are often required to be submitted to health authorities and are necessary for clinical and epidemiologic evaluation of the adverse event and safety profile of the drug. It is vitally important to know that certain events occur in special populations (e.g., only in children, females, or the elderly). There is a broad consensus in the industry and in the health authorities that these data are vital for maintaining and protecting public health. Removal of these demographic data would make the data much less useful for safety and epidemiologic analyses. Identification of safety problems occurring with both new and old drugs would suffer if the flow of these data were hindered.
The FDA addressed this in the March 2005 Guidance for Industry: Good Pharmacovigilance Practices and Pharmacoepidemiologic Assessment (see Web Resource 28-2). The FDA notes: “It is of critical importance to protect patients and their privacy during the generation of safety data and the development of risk minimization action plans. During all risk assessment and risk minimization activities, sponsors must comply with applicable regulatory requirements involving human subjects research and patient privacy.”
It is also clear that “covered entities,” such as pharmacists, physicians, or hospitals, are permitted to report adverse events (AEs) without running into problems under HIPAA. The FDA notes: “The Privacy Rule specifically permits covered entities to report adverse events and other information related to the quality, effectiveness, and safety of FDA-regulated products both to manufacturers and directly to FDA (45 CFR 164.512(b)(1)(i) and (iii), and 45 CFR 164.512(a)(1)).” See Web Resource 28-3.
In various subsequent initiatives and documents, FDA has reiterated its commitment to protecting privacy. See, for instance, the Sentinel Initiative (Web Resource 28-4), in which the commissioner notes that all safety safeguards and requirements must be followed in this new drug safety strategy.
Thus, there is a broad understanding that drug safety data may be reported to manufacturers (sponsors) and to the FDA.