Biopharmaceutical companies of all sizes collect both PII and PHI from customers, vendors, patients, and current, former, and prospective employees. From a business perspective, these mandates provide guidelines to implement policies and procedures associated with consumer data management. They also outline mechanisms to ensure ongoing compliance and governance of data protection and set out directions on how to collect, store, manage, and share data with third parties.
Failure to comply with data privacy regulations can lead to statutory repercussions, such as fines and penalties, and even litigation. Such consequences damage the company's brand and reputation among patients and industry peers. Unauthorized disclosure of patient data can also lead to:
- Delay in clinical trials and regulatory approvals in situations where regulatory authorities order additional government investigations.
- Interruption or disruption in research and development activities due to litigation against the company.
- Loss of trust between the company and patients, physicians, and business partners (e.g., between a pharma company and a contract clinical research organization).
Conversely, having safeguards in place to identify and protect PII and PHI can deliver benefits beyond regulatory compliance. It can trigger improvements in business processes and data management practices. It can help streamline the flow of data within the organization and increase transparency, which in turn makes reporting to senior management easier and supports faster decision-making. Additionally, with greater awareness of security vulnerabilities, a company can develop appropriate risk mitigation strategies as needed.
Given the significance of PII and PHI data to biopharmaceutical companies, it is paramount to properly handle and safeguard data. A few considerations to keep in mind are:
Develop and publish privacy policies and procedures
Encourage collaboration between the IT, legal and compliance teams to align policies with current regulations in regions where the company operates. Management should take corrective actions to address any gaps. The policies should be clear and self-explanatory, and should explicitly call out the rights of the data subjects. Revisit and revise procedures periodically to stay current as regulations evolve.
Create a system and data inventory
Using these policies as a guidepost, conduct a data inventory to identify where your current digital ecosystem is collecting PII and PHI. Then develop and implement safeguards to protect the data from unauthorized access.
Invest in training employees
Employees with access to data platforms should understand their responsibilities for protecting PII and PHI. Employees who handle data and are aware of the consequences of policy violations are less likely to deviate from the policies. Update employees at regular intervals with information regarding new security risks and any vulnerabilities identified.
Build a management review
Establish an internal review system to maintain compliance with security practices over time. Also, schedule periodic audits to test internal IT controls and data access restrictions, and to identify data breaches.
Considered together, these recommendations will help management establish a culture that supports data privacy. They build transparency, accountability, and execution of data protection strategies. Furthermore, they facilitate appropriate sharing of information with partners throughout the supply chain ecosystem.
Additionally, biopharmaceutical companies should be aware of the Health Insurance Portability and Accountability Act (HIPAA), which governs PHI. HIPAA, unlike the laws mentioned earlier, does not directly apply to the pharmaceutical industry. However, such companies are indirectly affected through their interactions with providers, payors, patients, and others that have HIPAA compliance obligations. Hence, it still makes good business sense to enact data privacy protections that help their HIPAA-covered partners meet their data obligations. It also warrants proper use of PHI within the organization to protect patient privacy.