Pharmaceutical Compliance with Fair Information Practice Principles
by John Mack

Introduction

According to a Pew Internet & American Life Project survey (November, 2000), 89% of health seekers on the Internet are concerned that a health Web site might sell or give away information about what they did online. A 2000 Cyber Dialogue survey commissioned by the Internet Healthcare Coalition and the California Healthcare Foundation found that only 14% of online health seekers have a “high level of trust” of pharmaceutical company or product web sites. Fueled by recent privacy laws, such as the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act, establishing trust and confidence with stakeholders, from regulators to customers, has become a business imperative for the pharmaceutical industry.

Fair Information Practice Principles

Over the past quarter century, government agencies in the United States, Canada, and Europe have studied the manner in which entities collect and use personal information – their "information practices" – and the safeguards required to assure those practices are fair and provide adequate privacy protection. The result has been a series of reports, guidelines, and model codes that represent widely-accepted principles concerning fair information practices. Common to all of these documents are several core principles, including:
• NOTICE: data collectors must disclose their information practices before collecting personal information (PI) from consumers
• CHOICE: consumers must be given options with respect to whether and how PI collected from them may be used for purposes beyond those for which the information was provided
• ACCESS: consumers should be able to view and contest the accuracy and completeness
• SECURITY: data collectors must take reasonable steps to assure that information collected from consumers is accurate and secure from unauthorized use
• ONWARD TRANSFER (CHAIN OF TRUST): to disclose information to a third party, such as an advertiser, organizations must apply the NOTICE and CHOICE principles. Where an organization wishes to transfer information to a third party that is acting as an agent, such as a fulfillment vendor, it may do so if it makes sure the third party subscribes to the same principles as the organization.
• DATA INTEGRITY: an organization should take reasonable steps to ensure that data is reliable for its intended use, accurate, complete, and current.
• ENFORCEMENT: the use of a reliable mechanism to impose sanctions for
How Do Pharma Privacy Policies Measure Up?

How well do pharmaceutical companies’ privacy policies comply with Fair Information Practice principles? To determine this, an analysis was performed on 21 top selling prescription products worldwide (data from 2000). Publicly available privacy policies were accessed during the week of January 28, 2002 from product web sites and evaluated against a set of 5 principles: Notice, Choice, Access, Security, and Chain of Trust. Each principle was assigned a value of 20 points. Policies were examined to determine if they complied fully or partially with each principle, and a numerical score (“Privacy Compliance Index”) was awarded based on the sum of the scores (MAX=100) [1]. The results are presented below.

[FIGURE 1: Plot of Privacy Compliance Index for Top Selling Rx Drugs. Axes: Privacy Compliance Index (Index Points) by product.]

[FIGURE 2: Detail Compliance Profile Showing Full, Partial, and Non-compliance Breakdown. Axes: Compliance by Product; # of Principles. Only one product is shown if multiple products share the same privacy policy.]

TABLE 1: Summary of Compliance with 5 Fair Information Practice Principles
Columns: Fair Information Practice Principle | Percent Full Compliance | Percent Partial Compliance | Percent Non-compliance
Rows: Notice; Chain of Trust; Access; Security; Choice; ALL
[Table values are not present in the extracted text.]
Figure 1 shows the Privacy Compliance Index for 21 top selling prescription drugs. Celebrex – the only product to have a TRUSTe-certified privacy policy – tops the list with a perfect score of 100. This compares with an analysis made in July, 2001 in which it received a score of 16. Grouped by company, Pharmacia (Celebrex) and Merck (Zocor, Vioxx, Cozaar) score the highest, and GSK (Paxil, Augmentin) and Pfizer (Zoloft, Norvasc, and Lipitor) score the lowest.

Figure 2 demonstrates that many policies are non-compliant or only partially compliant with one or more principles. Table 1 summarizes the overall degree of compliance with each of the 5 principles. Only 1 of 21 products complies fully with all 5 principles.

It is evident that pharmaceutical companies have the most difficulty complying with Choice, followed by Security and Access. This reflects the fact that very few companies wish to provide users with the ability to limit disclosures to third parties. When it comes to security, many policies are vague at best (e.g., “[We] will safeguard any information you share with us.”). We suspect that policies are intentionally vague or silent on these issues because sufficient security measures and standard operating procedures have not been implemented in many cases. Therefore, to avoid any trouble with the FTC, companies understandably do not promise what they cannot deliver.

Access poses a difficult problem not just for pharma companies, but for “covered entities” (e.g., healthcare providers) under HIPAA (Health Insurance Portability and Accountability Act). Our analysis only required that privacy policies somehow allow consumers to view voluntarily-supplied personal information companies had about them and correct or delete this information. It didn’t require that any special technology or automated tools be used to allow direct access to databases. Still, many companies, according to their policies, do not provide any means of access, not even a person to call or e-mail. It may be that the flow of data through and out of these companies is not controlled in a manner that would allow access, let alone deletion.

The Issue of Trust

Pharmaceutical product web sites could be more useful to consumers if they interacted more with them and provided personalized services and tools that help consumers manage their chronic conditions and comply with their treatment, including taking their medications and refilling prescriptions. But, in order to provide this level of service, more and more personally identifiable health information needs to be collected and maintained. Pharmaceutical companies may be reluctant to do this on their own sites if they do not have adequate data collection practices and policies in place. Nevertheless, the competitive advantage will go to the company that does follow best privacy and security practices. These companies will engender the highest level of trust among consumers, allowing them to fully utilize the benefits of the Internet.

Notes

1. For more detailed information about the methodology and scoring system, contact VirSci at 215-504-4164 or send email to [email protected] or visit www.virsci.com.
John Mack
VirSci Corporation
PO Box 760
Newtown, PA 18940
215-504-4164
215-504-5739 FAX
[email protected]