The Battle Over Patient Privacy Heats Up
By: Suzanne Shelley    Date: 2008-12-24

Electronic health data and patient privacy are on a collision course


It probably seemed to be a good idea when it was conceived: by aggregating data on users’ queries about flu or fevers, Google.org (the philanthropic arm of the search engine company) could create a near-real-time map of the spread of flu outbreaks. Public health managers could then respond more quickly, gearing up hospitals and clinics, and possibly saving some of the 36,000 lives lost each year to flu. The New York Times called the new Google FluTrends service “a fruitful marriage of mob behavior and medicine.”

The backlash was nearly instantaneous. “When you sneeze, does Google tell the Feds?” asked writers at The Register, a U.K. tech website. “[T]here is an obvious privacy concern,” wrote the leaders of the Electronic Frontier Freedom Foundation and Patient Privacy Rights, two organizations concerned with data privacy. “Search histories reveal personal information, and medical inquiries are particularly sensitive.” Behind this immediate concern, these and other patient-privacy advocates are worried about how Internet searches, e-mail communications or databases can be mined for personal data on medicine and medical conditions.

So it goes on the battlefield of privacy versus knowledge in healthcare. The ability to track disease progressions, or to amalgamate adverse medical events, could have enormous value to the healthcare system. For their part, pharma companies could match treatment regimens more closely to patient conditions, or enhance outcomes through managing patient-adherence programs. But the cut-out that keeps personal information that has not been freely provided away from healthcare managers, or pharma companies, remains a significant obstacle.

In terms of explicit regulation, the biopharma industry is mostly off the hook: as defined by the Healthcare Insurance Portability and Accountability Act of 1996 (HIPAA), the pharma industry is, at best, a “business associate” of the “covered entities” for whom HIPAA was explicitly written. The main responsibility for maintaining patient record privacy resides with covered entities such as healthcare providers and insurance companies. While HIPAA privacy rules require covered entities to engage their downstream business associates in data-sharing agreements that take “reasonable safeguards” to protect demographic and other health information, the ability of the first-line sources of patient data to establish iron-clad chain-of-custody over the potentially sensitive patient data once it has left their hands is questionable at best.

But there is obvious value for pharma marketers to have access to patient data, both in terms of evidence-based medicine, and for targeting potential or actual customers of pharmaceutical products more precisely. A related privacy battle is being waged over how privileged information about individual medical doctors is for the pharma industry (see p. 8).

Behind these issues looms the revolution in electronic health records, or even just e-prescribing, that everyone is counting on as a way to modernize and streamline healthcare. And behind that are new frontiers in genetic testing and screening, which have the potential to put individuals’ own DNA markers out on the Web.

Privacy matters
Privacy about medical care isn’t a matter of polite discreetness; it can play into life-changing consequences about work, families, neighbors and communities. “Many people are afraid their employers could view expensive, chronic healthcare conditions as a long-term performance liability or cost burden, and then use that information against them, to deny employment, promotion or insurance coverage,” says Richard Minoff, president and CEO of Dorland Global Corp. (Philadelphia), a marketing consultancy and healthcare communications agency.

Similarly, managing many disease states — cancer, HIV, sexually transmitted diseases, impotence — “becomes very emotional for the patient,” adds Jim Joseph, Executive Vice President and Managing Director of Saatchi & Saatchi Consumer Health + Wellness (New York). “Many people fear what might happen if their employers, neighbors, landlords were to find out, so for them, discretion and the ability to control any information about their condition is of paramount importance.”

While direct, targeted outreach by a drug company — outreach that is clearly based on the company’s prior knowledge of an individual’s disease state, or experience with or interest in some disease state or medication — might be considered more of an annoyance than a form of information abuse, if such targeted outreach is not handled properly, it can backfire.

Drug manufacturers and their service providers such as marketing consultants and advertising agencies say that they are sticking closely to the spirit — if not the letter — of the federal law that governs privacy in the U.S., and voluntarily maintaining the same requirements that pertain to covered entities under the HIPAA Privacy Rule. “Whether or not pharma companies are regulated by the letter of the law, there’s an issue of ethics at play here,” says Dorland’s Minoff. “If you go beyond the bounds of appropriate behavior, you’re going to get more than just your hand slapped.”

But privacy advocates say that reliance on a nebulous, dashed-line responsibility — a voluntary “gentleman’s agreement” between covered entities and pharma marketers to do the right thing — creates a situation that is ripe for misunderstanding or abuse. “The whole idea of how sensitive healthcare-related information can be appropriated — and misappropriated — as it flows from primary care providers through an ever-more-diffuse and anonymous stream of players in the downstream information supply chain can provoke a lot of paranoia among patients, who often wonder: ‘If a pharma company has my data, who else has my data, where did they get it from, and who might they try to sell it to next?’” says Khaled El Emam, chief technology officer for Privacy Analytics (Ottawa, ON), a maker of de-identification software that enables the safe secondary use of sensitive medical data.

HIPAA: Functional but flawed
Since the Privacy Rule — which establishes requirements related to the use and disclosure of individuals’ health information (called “protected health information”) — went into effect in 2000 (with subsequent modifications published on August 14, 2002), it has had a direct impact on covered entities, and an indirect but no less important impact on drug companies that routinely interact with them as they carry out their various business, marketing and research activities.

The Privacy Rule protects all “individually identifiable health information” (called Protected Health Information, or PHI) that is held or transmitted by a covered entity or its business associates, in any form or media, whether electronic, paper or oral.

One of HIPAA’s fundamental shortcomings, according to privacy advocates, is that the Privacy Rule only applies directly to a limited number of “covered entities” in the overall healthcare supply chain but does not pertain to the full spectrum of downstream organizations that will ultimately be involved in collecting, processing, and using health-related records and patient data, for research, marketing and other purposes.

And the stakes get even higher when one envisions the more widespread sharing of nationwide patient data once an interconnected, electronic health records (EHR) system is established, an environment that “will likely diminish the ability of any particular covered entity to supervise the activities of its own business associates, much less to validate the legitimacy of other participants or of record queries within the national network,” wrote Michael Greenberg, a policy analyst for the non-profit research organization Rand Corp. (Santa Monica, CA) and Research Director of LRN-Rand Center on Corporate Ethics, Law and Governance, in an article published in the Journal of Health & Biomedical Law (“Patient Identifiers and the National Health Information Network: Debunking a False Front in the Privacy Wars,” Vol. IV, No. 1, pp. 31-68, 2008). “The probable result will be to expand privacy risks for protected health information.”

Privacy advocates say that basic HIPAA protections will be further eroded, as no healthcare provider will realistically be able to exert adequate control over distributed records during the increasingly fluid electronic exchange of health records and patient data over a nationwide, interconnected health IT network. To date, the prospect of establishing a Universal Patient Identifier (UPI) system as one way to build greater privacy protection into the nascent nationwide health IT system has generated considerable policy debate and political resistance, and it appears the jury’s still out.

An October survey by a group called the Employee Benefit Research Institute (Washington, DC) indicated that while more than half (55%) of U.S. residents like the idea of having electronic medical records and felt it was extremely important or very important for healthcare providers to use electronic medical records, only 12% of respondents were confident or extremely confident that their electronic health information would remain confidential, while 62% said they aren’t confident that their electronic medical records would remain private.

The current lack of a palpable regulatory hammer is also a problem. “Possibly the complaint most consistently lodged against the Department of Health and Human Services (HHS), as chief federal privacy regulator, has been the lack of enforcement of the Privacy Rule,” says Greenberg of Rand. “Although HIPAA provides for both civil and criminal penalties for wrongful disclosure or use of protected health information by covered entities, advocates complain that HHS has declined to enforce the law.”

An investigation by the Des Moines Register last summer found that some 38,000 complaints had been filed with the Office of Civil Rights of HHS since 2003, but more than half of them were disposed of with no investigation. Nearly 7,000 were resolved by issuing warnings or instructions to healthcare providers to correct deficiencies in their practices. (In the common condition of the fox guarding the henhouse, many of the violations involve employees improperly examining the privileged data of patients, subordinates or fellow employees.)

When it comes to additional safeguards that could be put in place to keep patient information flowing across interoperable, electronic healthcare networks from being misappropriated or misused, Greenberg notes that options include criminalizing unauthorized access to medical information, requiring organizations that traffic in health care information to notify patients of breaches of security, prohibiting the misuse of patient care information, prohibiting secondary uses and/or commercial aggregation of patient-specific information, prohibiting employer or insurer access to patient-specific genetic information, and prohibiting discrimination on the basis of medical information.

Honoring that ‘gentlemen’s agreement’
Despite not being covered directly by HIPAA, many of today’s drug manufacturers are taking it upon themselves to exercise the same level of care — to act “as if” they were subject to the same requirements — as covered entities. “The privacy of the individual is sacrosanct,” says Jody Fisher, VP, marketing for data aggregator SDI (Yardley, PA). “But in addition to ethical considerations, there are strong business incentives for us as aggregators, too.”

Because SDI is next in line in the chain-of-custody for valuable patient data, “it’s our duty to help those first-line providers of patient data to remain HIPAA-compliant, and to help them to certify that the privacy of their patients remains protected,” says Fisher. “We wouldn’t have any clients if we couldn’t maintain HIPAA-compliance requirements for the data we handle, before we disseminate it to our own downstream clients.”

 

SDI (which now owns Verispan) is one of several organizations that are collectively dubbed “data miners” by the patient-privacy advocates. IMS Health offers “anonymized” longitudinal patient data; another big player is TNS Healthcare, which has a focus on consumer behavior in advertising/promotion contexts as well as prescriber data. Big players in patient compliance programs are also in the data-mining business; the inVentiv Health subsidiary Adheris (Burlington, MA), to name one, was cited by the Consumer Federation of California as being the main beneficiary of a bill that was under consideration in the California legislature to encourage the development of patient-adherence programs in conjunction with pharmacies. But, as with the overall issues surrounding patient privacy, the strongest criticism is leveled at companies that compile data used by insurers (and, it is implied, by employers), such as Ingenix (Eden Prairie, MN) or Milliman Intelliscript (Brookfield, WI).

Ingenix, a subsidiary of insurer UnitedHealth, claims to have records on 200 million Americans, thereby effectively being a national EHR repository almost by default. The biggest PBMs, too, have tens of millions of prescription records available to be mined.

Getting consumers to opt in
Pharma marketers are more or less off the hook for HIPAA compliance rules when patients or consumers opt in to information sources or programs run by the pharma companies (at least as far as the companies’ own use of these data is concerned). But industry experts advise a high degree of caution for patient privacy, both in gathering the information and in how it is used.

When establishing one-to-one communication with individual patients is the drug company’s goal, the standard opt-in process provides a useful mechanism for satisfying HIPAA’s privacy requirements, by ensuring that the patient has given the drug company permission to continue the conversation. “It gets you to the people who are really information seekers, and are truly receptive to the messages you are trying to deliver,” says Minoff of Dorland Global.

While some may see the opt-in process as a burden, others disagree. “We work on 14 brands at nine pharma companies, and we really don’t want to talk to consumers who don’t want to talk to us,” says Joseph of Saatchi & Saatchi. “It’s not about trying hard to manipulate the outreach and force marketing information on people who don’t want it. It’s a waste of resources to reach out to individuals who don’t really want to engage. The goal is to build a more intimate relationship, provide useful information and tools and support on a deeper level, through greater personal connection.”

Meanwhile, when patients are given an option to ‘opt out’ with every piece of communication, “they very rarely take it. They just want to know they can,” adds El Emam of Privacy Analytics. “It gives people a sense of control — they want to feel as if they have control over their own information.”

When designing survey questions to collect patient-specific health and medication information — for which the patient’s opt-in consent provides the mechanism to continue — companies should only collect what they’re actually going to use, says John Mack, president of VirSci Corp. (Newtown, PA), a marketing consultant. “I always advise my clients not to ‘throw in everything but the kitchen sink’ because this can backfire.”

“If pharma companies are going to use private information, they need to gather it in a way that’s going to help build a long-term, trusted relationship with the patient,” adds Mack, who is also editor of Pharma Marketing News and the Pharma Marketing blog. “We’ve all seen incursions into privacy occurring at a scale never before seen. As consumers become more wary about privacy abuses, they tend to be less willing to share sensitive information, especially when the request seems excessive or intrusive.”

In fact, to gain and retain the trust of their would-be customers, Mack recommends that pharma companies never send out any disease- or product-related information unsolicited; rather, they should use a “double opt-in” procedure, whereby a consumer who has come looking for some particular type of information first signs up using their email address (the first level of opt-in) and then the pharma company sends a first communication that simply says “Click here if you want to receive this information” (the second level of opt-in). “This guards against someone else signing you up to receive information you don’t want, or giving your name to companies when you’d rather they did not,” says Mack.

The power of de-identified patient data
When it comes to identifying and analyzing healthcare trends, and gaining insight into patient behavior, nationwide aggregate databases that compile data from doctors’ offices, hospitals, pharmacies, laboratories, government agencies and health registries can provide great value to drug manufacturers, pharma marketers and advertising agencies. Because the information comes directly from first-line providers of healthcare services, it is subject to protection under the HIPAA Privacy Rule.

In order for others to access such useful healthcare data without knowledge of the individual patient, it must first be de-identified. This process involves the removal of more than a dozen key personal identifiers, as defined by HIPAA. “PHI is stripped off on the providers’ end, before it leaves their firewalls. After any PHI has been stripped off the record, the provider replaces it with a serial linking code that cannot be reverse-engineered. There is literally no way to re-identify any individuals whose information is included in our aggregated databases,” says Fisher of SDI.
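One way to build a linking code of the kind described above, as an added example rather than SDI's or any vendor's actual method: the field names, sample records and key are constructed, and the identifier list is an illustrative subset of HIPAA's. It contrasts an unkeyed hash, which anyone can recompute from a guessed identifier, with a keyed HMAC-SHA256 code that stays stable across data feeds but cannot be recomputed without the provider's secret.

```python
import hashlib
import hmac

# Illustrative subset of direct identifiers to drop (hypothetical field names;
# HIPAA's own list is longer).
DIRECT_IDENTIFIERS = {"name", "ssn", "phone", "email", "street_address"}

# Constructed demo key. A real key would be random (e.g. secrets.token_bytes(32))
# and would never leave the provider's side of the firewall.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"

# Constructed records: the same patient as seen by two different feeds.
SAMPLE_A = {"name": "Pat Example", "ssn": "000-12-3456", "dob": "1961-07-04",
            "zip": "19104", "phone": "555-0100", "email": "pat@example.org",
            "street_address": "1 Example St", "rx": "drug-A", "fill_days": 30}
SAMPLE_B = {"name": "  PAT EXAMPLE ", "ssn": "000123456", "dob": "1961-07-04",
            "zip": "19104", "phone": "555-0100", "email": "pat@example.org",
            "street_address": "1 Example St", "rx": "drug-A", "fill_days": 28}


def _normalize(record):
    """Canonical patient string so formatting differences do not break linkage."""
    ssn = record["ssn"].replace("-", "")
    return f"{ssn}|{record['dob']}|{record['name'].strip().lower()}"


def weak_linking_code(record):
    """Unkeyed SHA-256 of a low-entropy identifier: recomputable by anyone."""
    return hashlib.sha256(record["ssn"].replace("-", "").encode()).hexdigest()


def keyed_linking_code(record, key):
    """HMAC-SHA256 over the normalized identifiers under the provider's secret."""
    return hmac.new(key, _normalize(record).encode(), hashlib.sha256).hexdigest()


def deidentify(record, key):
    """Drop direct identifiers, coarsen dates and ZIP, attach the linking code."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["birth_year"] = out.pop("dob")[:4]   # keep the year only
    out["zip3"] = out.pop("zip")[:3]         # keep the first three digits only
    out["link"] = keyed_linking_code(record, key)
    return out


def recomputable_without_key(code, candidate_ids):
    """Audit check: does the code equal a plain hash of any candidate identifier?"""
    return any(hashlib.sha256(c.encode()).hexdigest() == code
               for c in candidate_ids)


def demo_candidates():
    """Constructed candidate space standing in for an enumerable identifier range."""
    return [f"00012{n:04d}" for n in range(10000)]


if __name__ == "__main__":
    a, b = deidentify(SAMPLE_A, DEMO_KEY), deidentify(SAMPLE_B, DEMO_KEY)
    print("same patient links across feeds:", a["link"] == b["link"])
    print("weak code recomputable:",
          recomputable_without_key(weak_linking_code(SAMPLE_A), demo_candidates()))
    print("keyed code recomputable:",
          recomputable_without_key(a["link"], demo_candidates()))
```

The keyed code is only as strong as the secrecy of the key, and the fields left in the record (birth year, three-digit ZIP, prescriptions) still need their own re-identification risk review.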

While the use of de-identified aggregated data doesn’t address the pharmaceutical industry’s desire to connect directly with receptive patients on a one-on-one basis, it still provides countless opportunities to help marketing teams to tailor their marketing strategy, and revise their messaging. “For instance, with no risk to individual patient privacy, de-identified, aggregated data can be used to analyze trends and build models and profiles that can help marketing teams to build more-effective DTC campaigns and direct-to-physician outreach,” says El Emam of Privacy Analytics.

When data are gathered from hundreds of disparate sources and then anonymized using de-identification techniques, drug companies can slice and dice the data to look at trends and gain greater insight into how patients think, how they interact with their medications, how they experience side effects and manage ongoing compliance, says Minoff of Dorland Global.

“The process usually starts when the marketing team says ‘Wouldn’t it be great if we could…?’” adds Fisher of SDI. “When pharma marketers take advantage of these tools to tailor their approach as opposed to a more-scattershot approach, they get more bang for the buck and can carry out competitive benchmarking.”

Using de-id data to boost patient compliance
In a roundabout way, the use of de-identification techniques can also help particular drug companies to improve their one-on-one outreach efforts aimed at improving patient compliance. Pharma companies everywhere are working to develop effective strategies for boosting patient compliance with prescription drug therapies, yet the HIPAA requirements make it difficult for drug companies to establish direct, unsolicited contact with individual patients.

“The biggest challenge in patient compliance relates to medication literacy — many patients just don’t understand the disease or the treatment regimen, and the doctor typically has just six minutes with the patient. That’s not enough time to adequately describe what needs to be done,” says Dan Berman, CEO of PharmaCentra LLC (Atlanta). “And HIPAA creates a barrier that keeps the drug companies from getting involved directly with the patients to provide compliance support they may need.”

For the purpose of providing direct support tools to improve medication adherence, PharmaCentra offers the patent-pending WellTouch service as a direct bridge between drug companies and patients taking their medications via a voluntary opt-in. “We stay in touch to keep them on schedule,” says Berman. “Doctors like it because it’s one less thing they have to do, and patients like it because they get the support they need but we never provide any information about them back to the drug companies.”

 

 

The information flows both out to patients, and back to manufacturers: “With our program, we reach forward to influence the patient, and we feed the privacy-protected intelligence gained from our personal interactions with patients back to the pharma companies so they can both refine their ongoing compliance support messaging and to better inform both patients and prescribers,” says Berman.

For example, Berman says: “If we learn that a lot of chronic-disease patients taking a particular medication are waiting 8 weeks (for symptoms to appear) instead of 6 weeks before engaging in another course of therapy, the drug company can then re-adjust their messaging to both doctors and patients, to emphasize the need to stay on the 6-week dosing schedule, even if the patient is non-symptomatic.”

Meanwhile, through the one-on-one compliance-support that PharmaCentra provides to patients who have voluntarily enrolled in the program, Berman says: “We’re not only able to increase compliance and improve the clinical outcome for the patient, but to directly impact ROI for the drug company, by impacting and tracking ongoing sales. For any given drug franchise, we typically see 20-30% lift in prescription sales for patients enrolled in our compliance-support program.”

Privacy in the realm of Web 2.0: Beware of backlash
As the Google FluTrends incident shows, the Internet presents an array of new tracking and identification resources never envisioned when HIPAA was originally written. Pharma marketers are, at best, dabbling in the latest Web 2.0 social networks, and industry experts say that they should proceed very cautiously.

Today, more and more consumers — 75% of all Americans, according to a December 2007 Pew study — are turning to the Internet to carry out research on medical conditions and therapy options, and to request information from drug companies. And a growing number of individuals are taking advantage of the interactive nature of today’s Internet, sharing very personal health-related information about themselves on social-networking sites such as Facebook and MySpace, and through the myriad chat rooms and blogs.

“Many people involved in these social networking sites don’t realize that the information they share can be viewed or accessed as widely as it can, so they don’t do an internal cognitive risk assessment about what they are willing to divulge there,” says El Emam of Privacy Analytics. “Should a drug company mine that information and then use it to send marketing outreach back to them? That’s a loaded question these days, and I think drug companies should tread very lightly into these uncharted waters.”

“I would view any direct outreach by pharma companies based on information mined from social networking sites — even something as benign as an email inviting that person to visit a website, join a chat room or opt in to receive further information — to be spam,” says Minoff. “While it may not technically represent a violation of the HIPAA Privacy Rule, companies doing that are liable to face a swift smackdown in terms of consumer backlash and bad publicity.”

“The recipient may love to receive the useful, targeted information from a drug company, but they may think it’s just so Big Brother-ish that a pharma company is sending them information about medications or medical conditions that they’ve been discussing on their social networking site,” says Mack of VirSci. “Pharma marketers would love to get in on this, but my advice to them is: ‘Be a marketer, don’t be a creep.’ These are the types of activities that are going to make privacy even more of a concern among consumers.”

Pharmaceutical Commerce © 2010