Microsoft word - pharmaprivacypolicies.doc

Pharmaceutical Compliance with Fair Information Practice
Principles
by John Mack
Introduction
According to a Pew Internet & American Life Project survey (November, 2000), 89% of health
seekers on the Internet are concerned that a health Web site might sell or give away information
about what they did online. A 2000 Cyber Dialogue survey commissioned by the Internet
Healthcare Coalition and the California Healthcare Foundation, found that only 14% of online
health seekers have a “high level of trust” of Pharmaceutical company or product web sites.
Fueled by recent privacy laws, such as the Gramm-Leach-Bliley Act and the Health Insurance
Portability and Accountability Act, establishing trust and confidence with stakeholders, from
regulators to customers, has become a business imperative for the pharmaceutical industry.
Fair Information Practice Principles
Over the past quarter century, government agencies in the United States, Canada, and Europe
have studied the manner in which entities collect and use personal information – their
"information practices" – and the safeguards required to assure those practices are fair and
provide adequate privacy protection. The result has been a series of reports, guidelines, and
model codes that represent widely-accepted principles concerning fair information practices.
Common to all of these documents are several core principles, including:
• NOTICE: data collectors must disclose their information practices before collecting personal information (PI) from consumers • CHOICE: consumers must be given options with respect to whether and how PI collected from them may be used for purposes beyond those for which the information was provided • ACCESS: consumers should be able to view and contest the accuracy and completeness • SECURITY: data collectors must take reasonable steps to assure that information collected from consumers is accurate and secure from unauthorized use • ONWARD TRANSFER (CHAIN OF TRUST): to disclose information to a third party, such as an advertiser, organizations must apply the NOTICE and CHOICE principles. Where an organization wishes to transfer information to a third party that is acting as an agent, such as a fulfillment vendor, it may do so if it makes sure the third party subscribes to the same principles as the organization. • DATA INTEGRITY: An organization should take reasonable steps to ensure that data is reliable for its intended use, accurate, complete, and current. • ENFORCEMENT: the use of a reliable mechanism to impose sanctions for How Do Pharma Privacy Policies Measure Up?
How well do pharmaceutical companies’ privacy policies comply with Fair Information Practice
principles? To determine this, an analysis was performed on 21 top selling prescription products
worldwide (data from 2000). Publicly available privacy policies were accessed during the week of
January 28, 2002 from product web sites and evaluated against a set of 5 principles, including
Notice, Choice, Access, Security, and Chain of Trust. Each principle was assigned a value of 20
points. Policies were examined to determine if they complied fully or partially with each principle
and a numerical score (“Privacy Compliance Index”) was awarded based on the sum of the
scores (MAX=100).1 The results are presented below.
P rivacy C o m p lian ce In d ex
Inde x P oints
FIGURE 1: Plot of Privacy Compliance Index for Top Selling Rx Drugs
Compliance by Product
# of Principles
FIGURE 2: Detail Compliance Profile Showing Full, Partial, and Non-compliance
Breakdown (only one product is shown if multiple products share same privacy policy)
Fair Information
Percent Full
Percent Partial
Percent Non-
Practice Principle
Compliance
Compliance
compliance
Notice
Chain of Trust
Access
Security
Choice
ALL
TABLE 1: Summary of Compliance with 5 Fair Information Practice Principles
Figure 1 shows the Privacy Compliance Index for 21 top selling prescription drugs. Celebrex – the only product to have a TRUSTe-certified privacy policy – tops the list with a perfect score of 100. This compares with an analysis made in July, 2001 in which it received a score of 16. Grouped by company, Pharmacia (Celebrex) and Merck (Zocor, Vioxx, Cozaar) score the highest and GSK (Paxil, Augmentin) and Pfizer (Zoloft, Norvasc, and Lipitor) score the lowest. Figure 2 demonstrates that many polices are non-compliant or only partially compliant with one or more principles. Table 1 summarizes the overall degree of compliance with each of the 5 principles. Only 1 of 21 products comply fully with all 5 principles. It is evident that pharmaceutical companies have the most difficulty complying with Choice, followed by Security and Access. This reflects the fact that very few companies wish to provide users with the ability to limit disclosures to third parties. When it comes to security, many policies are vague at best (e.g., “[We] will safeguard any information you share with us.”). We suspect that policies are intentionally vague or silent on these issues because sufficient security measures and standard operating procedures have not been implemented in many cases. Therefore, to avoid any trouble with the
FTC, companies understandably do not promise what they cannot deliver.
Access poses a difficult problem not just for pharma companies, but for “covered entities” (e.g.,
healthcare providers) under HIPAA (Health Information Portability and Accountability Act). Our
analysis only required that privacy policies somehow allow consumers to view voluntarily-supplied
personal information companies had about them and correct or delete this information. It didn’t
require that any special technology or automated tools be used to allow direct access to
databases. Still, many companies, according to their policies, do not provide any means of
access even if just a person to call or e-mail. It may be that the flow of data through and out of
these companies is not controlled in a manner that would allow access let alone deletion.

The Issue of Trust
Pharmaceutical product web sites can be more useful to consumers if they interacted more with
them and provided personalized services and tools that help consumers manage their chronic
conditions and comply with their treatment, including taking their medications and refilling
prescriptions. But, in order to provide this level of service, more and more personally identifiable
health information needs to be collected and maintained. Pharmaceutical companies may be
reluctant to do this on their own sites if they do not have adequate data collection practices and
policies in place. Nevertheless, the competitive advantage will go to the company that does follow
best privacy and security practices. These companies will engender the highest level of trust
among consumers allowing them to fully utilize the benefits of the Internet.

Notes
1. For more detailed information about the methodology and scoring system, contact VirSci at
215-504-4164 or send email to [email protected] or visit www.virsci.com.
John Mack
VirSci Corporation
PO Box 760
Newtown, PA 18940
215-504-4164
215-504-5739 FAX
[email protected]

Source: http://www.virsci.com/PharmaPrivacyPolicy_Analysis.pdf