Privacy-Compliance-Training, GZ Obrycki. Privacy Overview - ver. Mar. 2010 (PowerPoint presentation)

Page 1

MODULE D: Privacy Overview

Basic Principles of Privacy by Gail Obrycki, MSMT, ASCP, CIPP

Page 2

Objectives

• provide you with an overview of the basic principles of data privacy
• explain how US and global privacy legislation and law enforcement actions impact business, including the impact on clinical research
• provide an overview of "Security"
• provide you with information about regulators' inspection activity
• provide an overview of data transfer requirements, e.g. Safe Harbor
• provide resource information

Page 3

What do we mean by Privacy?

• has different meanings to different people based on culture and region
• is core to an individual's identity, autonomy and freedom
• generally involves control over one's personal information: collection, use, storage, disclosure, and access for amending and/or deleting the personal information held

Why are companies focusing on "Privacy"?

• to comply with laws
• concern with ever-increasing data threats (identity theft, phishing, botnet attacks) and enforcement activities (e.g. monetary fines, civil penalties)
• to build trust and be transparent with customers, clients and employees (company image / competitive advantage)

Page 4

Identity Theft Has Become a Major Concern

• Number one complaint to the US FTC
• $50+ billion in global annual losses
• 50+% conducted by employees and contractors
• Part-time and temporary workers are three times more likely to commit it
• Medical identity theft is on the rise:
  - results in erroneous entries being put into existing medical records, and can involve the creation of fictitious medical records in the victim's name
  - is a crime that can cause great harm to its victims
  - leaves a trail of falsified information in medical records that can plague victims' medical and financial lives for years
  - is the most difficult form to fix after the fact
  Source: http://www.worldprivacyforum.org/medicalidentitytheft.html

Sources: (Javelin/BBB 1/06; Gartner 7/03; Experian-Gallup 8/05; FDIC 2/06; FTC 1/06; SMU 8/04)

Page 5

Common Vulnerabilities

Key vulnerabilities and risks:
• Third-party vendor data handling and transfers
• Lost laptops, portable media and back-up tapes
• Over-collecting or unlawfully using SSNs
• Improper access or overly broad access controls
• Paper handling and dumpster diving
• Unauthorized software or use of peer-to-peer networks (iPods and file sharing)
• Phishing, web/email vulnerabilities (especially where SSNs are involved)
• Mobile and home-based workforce
• Call centers and in-branch social engineering
• Use of such information in authentication processes with customers (online, phone, fax)

Page 6

Hot Privacy Topics

Issues:
• E-medical records
• Personal Health Records
• Pharmacogenomics (use of genetic markers to develop personalized drugs)
• Social networking, e.g. Facebook
• Behavioral targeting
• Portable device security

Page 7

Social Origins of Privacy

• Rooted in the oldest texts and cultures known to man: the concept of privacy is noted in the Qur'an, the Bible, the laws of classical Greece, Jewish law and the ancient culture of China
• In the context of human rights, privacy evolved after WWII:
  - 1948, as part of the Universal Declaration of Human Rights
  - 1950, in the European Convention for the Protection of Human Rights and Fundamental Freedoms
  - 1970, in the German state of Hesse, the first known modern data protection law
• 2 models: comprehensive law (e.g. EU Data Protection Directive) vs. sectoral law (e.g. HIPAA)

Page 8

Privacy Concepts

Notice: the clear and conspicuous disclosure to individuals indicating what personal information is collected, and how it is used and shared.

Choice/Consent: giving individuals the opportunity to determine what information can be collected, how it is used, and with whom it is shared (e.g. opt-out from receiving marketing materials).

Access: making the personal information about individuals available to them to review, modify, or delete.

Minimization: collecting only the information needed for the intended purpose.

Disclosure to third parties/Onward Transfer: the information that is disclosed is what has been described in the notice, wherever the information goes.

Data Quality or Integrity: the information is accurate, complete and relevant to the purposes for which it was collected.

Security: taking reasonable steps to protect personal information from unauthorized access, use, or sharing. The level of protection must be commensurate with the type of personal information being processed.

Dispute Resolution: a process individuals can follow to inquire into and resolve their concerns about how their information has been processed.

Enforcement: having a mechanism for assuring compliance with the principles, recourse for the individuals to whom the data relate who are affected by non-compliance, and consequences when the principles are not followed.

Note: these principles are common to most privacy laws, to privacy rights built into countries' constitutions, and to the US Dept. of Commerce Safe Harbor.

Page 9

Privacy Definitions

Personal Information (PI): may also be known as Personal Data or Personally Identifiable Information. Means any information or set of information that identifies, or that can be used to identify, locate or contact, an individual.
• Under discussion: personal information that has been encoded or anonymized
• Protected Health Information (PHI) under HIPAA is a subset of PI

Processing: any operation or set of operations that is performed upon Personal Information, whether or not by automatic means, including, but not limited to, collection, recording, organization, storage, access, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, making available, alignment, combination, blocking, deleting, erasure, or destruction.

Page 10

What are we protecting?

Personal information (PI) is data that can identify an individual, such as:
• Name, initials
• Address
• SSN
• Phone number
• E-mail address
• Photographs, fingerprints

Data tied to any of the above also counts, including consumer and employee e-mail, internal reports, expressions of interest in particular topics, IT logs of originating IP addresses, other Internet transmission data, and particular web pages viewed (behavioral advertising).

Sensitive information:
• Health data: disease history, biometric identifiers such as retinal scans, DNA?
• Financial data: PIN codes, account numbers
• As defined by the EU Data Protection Directive: race, ethnicity, sex/orientation, religious belief, political opinion, trade union membership, physical/mental health or conditions, criminal record

Page 11

Privacy Rights

Whenever an organization:
• collects Personal Information about an individual
• uses (including secondary use) and discloses Personal Information
• processes it (maintains, stores, transfers)

Regulator expectations:
• Provide notice of uses and disclosures
• Provide choice to opt in or opt out
• Provide access to stored data for correction
• Use reasonable security measures to protect the information, commensurate with the type of Personal Information being processed

Page 12

Global Laws Increasing

EEA, Argentina, Armenia, Australia, Austria, Bahrain, Belgium, Botswana, Brazil, Bulgaria, Cameroon, Canada, Canada - Northwest Territories and Nunavut, Chile, Cote d'Ivoire, Croatia, Cyprus, Czech Republic, Denmark, Dubai, Egypt, Ethiopia, Finland, France, Germany, Ghana, Greece, Hong Kong, Hungary, Iceland, Ireland, Israel, Italy, Japan, Jordan, Kazakhstan, Kenya, Kuwait, Lebanon, Lithuania, Mauritius, Mexico, Morocco, Netherlands, New Zealand, Nigeria, Norway, Peru, Poland, Portugal, Qatar, Romania, Russia, Saudi Arabia, Singapore, South Africa, South Korea, Spain, Sweden, Switzerland, Taiwan, Tanzania, Thailand, Tunisia, Turkey, Uganda, Ukraine, United Arab Emirates, United Kingdom, United States, Uzbekistan, Zambia

Page 13

Privacy Laws that Impact Business

US sectoral laws:
• HIPAA - Health Insurance Portability and Accountability Act
• HITECH - Health Information Technology for Economic and Clinical Health Act
• FCRA - Fair Credit Reporting Act; impacts employment with regard to credit checks
• COPPA - Children's Online Privacy Protection Act; impacts marketing to children
• CAN-SPAM - Controlling the Assault of Non-Solicited Pornography and Marketing Act
• TSR - Telemarketing Sales Rule; DNC - Do Not Call; DNF - Do Not Fax
• GLBA - Gramm-Leach-Bliley Act; impacts financial information
• FTC Act (unfair and deceptive practices)
• GINA - Genetic Information Nondiscrimination Act

Ex-US countries with comprehensive privacy laws (e.g. EEA, Japan, Argentina, Canada, Australia). Only some are recognized by the EU as having "adequate" protections: Canada and Argentina, yes; Australia and Japan, no.

Countries with sectoral laws, or with privacy as part of their constitution:
• privacy as part of medical practice, or laws around "communications", e.g. US HIPAA, the Taiwan Computer-Processed Personal Data Protection Law, and the Taiwan Medical Care Act
• privacy as part of country constitutions (Colombia, Paraguay, Venezuela, Ecuador, Uruguay)

EU Data Protection Directive; Safe Harbor as it relates to the EU Directive

Page 14

Health Insurance Portability and Accountability Act (aka HIPAA)

US law that requires health care organizations (covered entities) and providers to meet certain privacy and security standards with respect to protected health information (PHI).

HIPAA sets the floor for privacy protections of PHI. HIPAA requirements are the common national standards to which covered entities must adhere for the protection of patients' privacy.

There may be state laws that provide additional, stronger privacy protections with which a covered entity would also need to comply.

Where the covered entity is located will therefore dictate the privacy requirements for that entity.

Other companies that are not themselves covered entities may be indirectly affected by privacy regulations if covered entities supply them data, e.g. a company-sponsored healthcare plan.

Page 15

Privacy Rule and Security Rule

Privacy Rule
• The regulation went into effect on April 14, 2003.
• Requires that patients be provided with: notice, access to their medical records, control over how their health information is used and disclosed, and avenues for recourse if their medical privacy is compromised (e.g. a hospital Privacy Office)
• Covered entities must have in place various processes to support and administer those rights, e.g. written procedures, training, a Privacy office/officer

Security Rule
• Covered entities must have in place policies and procedures to comply with standards for safeguards that protect the confidentiality, integrity and availability of electronic protected health information.

Page 16

Health Information Technology for Economic and Clinical Health Act (aka HITECH)

• Most significant change for covered entities for privacy and security since HIPAA's enactment (enacted under ARRA, the American Recovery and Reinvestment Act)
• Subjects business associates of covered entities to federal regulation for the first time, requiring compliance with the privacy and data security requirements of HIPAA
• Fundamentally different enforcement environment under the new Administration
• New guidance and significant regulatory activity required
• Under the watchful eye of the US Dept. of HHS Office for Civil Rights (OCR), which will be notified of breaches

Page 17

Impact on Business Associates

What is a Business Associate?

• A service provider or vendor, such as a technology company, that has access through its clients to individually identifiable health information covered by HIPAA ("PHI")
• Business Associates participate in, perform for, or assist CEs (health care providers, health insurers or health care clearinghouses) with certain functions or activities
• Activities can include claims processing or administration, data analysis, utilization review, quality assurance, billing, benefit management, practice management

Page 18

HITECH Breach Notification Requirements

• First federal data breach notification requirement (approx. 45 individual states have their own breach notification law)
• Very broad definition of breach: unauthorized acquisition, access, use or disclosure of PHI which compromises the security or privacy of such PHI
• Very broad notice requirement; a fundamental change for the healthcare industry
  - Covered entities (CEs) must notify individuals
  - Business Associates must notify CEs
• Very specific in terms of content of notice, method of notice and timing of notice

Page 19

The Role of State Law

• The HITECH Act and HIPAA preempt conflicting state laws, but leave intact state laws with more stringent requirements on the handling of health information
• Most states have a breach notification law with specific notification requirements, some of which include medical information, such as California:
  - Effective January 1, 2009, AB 211 and SB 541 require providers of health care to establish and implement appropriate administrative, technical and physical safeguards to protect the privacy of a patient's medical information
  - They establish new oversight mechanisms and penalties to enforce privacy standards
  - SB 541 contains breach notification requirements
• Note: New Jersey has a breach notification law covering SSN, PIN, credit cards and driver's license number, but not medical information; HIPAA still applies
• Companies must meet a new common denominator of minimum standards by monitoring and complying with the patchwork of laws in every state in which they operate

Page 20

FTC Breach Notification

Effective September 2009, breach notification requirements apply to vendors (e.g. Google) of personal health records (PHRs).

• A PHR is defined as "an electronic record of individually identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or for the individual."

Example of where this might apply in clinical research: use of e-PRO (eDiaries)
• The patient enters information on signs and symptoms, quality of life, etc. into an e-diary during the course of a trial. The data is under the control of, and entered by, the subject.
• Diaries may be supplied by, and the data processed by, a vendor who then provides the data back to the Sponsor, who in turn provides the data back to the trial site. The data becomes part of the subject's medical record.
• The vendor may provide help desk support for the trial subjects.

Page 21

Expanded HIPAA Enforcement

• New tiered civil penalty structure
  - Penalties will be based upon the "intent" behind the violation
  - Fines of up to $1.5 million are possible
• Explicit authority for state AGs to enforce HIPAA rules
  - The extent to which AGs will need to follow the enforcement rule is not yet clear
  - May result in different or inconsistent interpretations of HIPAA
• Mandatory audits by HHS

Page 22

Enforcement

Congress provided civil and criminal penalties for covered entities that misuse PHI.

Under the original HIPAA penalty structure (before the HITECH tiers on the previous slide), OCR may impose monetary penalties of up to $100 per violation, up to $25,000 per year, for each requirement or prohibition violated. Criminal penalties apply for certain actions such as knowingly obtaining PHI in violation of the law.

Criminal penalties can range up to $50,000 and one year in prison for certain offenses; up to $100,000 and up to five years in prison if the offenses are committed under "false pretenses"; and up to $250,000 and up to 10 years in prison if the offenses are committed with the intent to sell, transfer or use the PHI for commercial advantage, personal gain or malicious harm.

• The Office for Civil Rights (OCR) can investigate; civil monetary penalties are imposed by OCR
• The Dept. of Justice can prosecute; criminal penalties are imposed by DOJ
• State AGs can investigate and prosecute as well

Link to OCR enforcement activity: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/index.html

Page 23

Noted FTC Enforcement Cases

• Petco case (2005): failure to encrypt data, which was thus accessible to persons other than the consumer
• Gateway Learning case (2004): change in privacy policy with failure to notify and receive consumer consent
• Microsoft case (2002): security misrepresentation and lack of data minimization
• DSW case (2006): unauthorized access to PI and failure to employ reasonable and appropriate security measures
• ChoicePoint case (2006): disclosure of sensitive information; violated the Fair Credit Reporting Act; failed to have reasonable procedures to screen subscribers; $10M in penalties plus an additional $5M for consumer redress
• Eli Lilly settles FTC charges concerning a security breach: unauthorized and unintentional disclosure of sensitive personal information collected from consumers through its web sites; Lilly to implement an information security program to protect consumers' privacy; fines and a 20-year FTC order

Page 24

Privacy in Clinical Research

• Global privacy laws and regulations apply to site personnel and subject Personal Information; enforcement by health regulators and local DPAs
• ICH/GCP/CFR requirements for notice and consent, patient confidentiality
• IRB/EC responsible for protecting subjects' rights
• In the US, HIPAA authorization is required in addition to subject informed consent
• HIPAA has a section on clinical research and has potential impacts

Page 25

Impact of HIPAA on Clinical Research

• Vendors working on behalf of a sponsor may contact investigators to confirm or clarify reported information.
• Laboratories send test results back to the covered entity.
• Recruitment vendors identify patients potentially meeting study eligibility criteria who are interested in participating in the study and provide this information to investigators. These activities may involve the disclosure of PHI for purposes of determining the number of, or identifying, patients meeting study eligibility criteria.
• Electronic data capture vendors may allow investigators to access previous information entries.
• Communications to potential subjects

Page 26

Impact: Communications to potential trial subjects funded by pharma companies

Written communications made on or after February 2010 about a product or service that encourage recipients to purchase that product or service will be classified as "marketing" if a covered entity receives direct or indirect remuneration (payment) for making the communication. Exception: communications that describe a drug or biologic that is currently being prescribed for the recipient of the communication, where any payment received by the covered entity is reasonable in amount.

Concern has been expressed that this could prohibit a pharmaceutical company from paying a healthcare provider or health plan to send communications to patients encouraging enrollment in a clinical trial. Can a communication about a clinical trial be construed as encouraging the purchase or use of a product or service? What if the communication highlights the potential benefits of participation?

Page 27

Impact: Minimum Necessary

Previously
• CEs were required to limit use and disclosure of PHI to the "minimum necessary" to accomplish the intended purpose.
• Does not apply to disclosures for treatment.
• Does not apply to uses or disclosures pursuant to an authorization.
• "Minimum necessary" was not defined.

HITECH Act
• No later than August 2010, HHS must issue guidance on what constitutes "minimum necessary."
• Until guidance is issued, CEs must "to the extent practicable" limit disclosures to a limited data set. A limited data set requires removal of direct identifiers such as name, contact info, SSN, account numbers, etc.
• A CE disclosing PHI must determine what constitutes the "minimum necessary" to accomplish the intended purpose of the disclosure.
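The slide says what a limited data set must not contain but not how a site or vendor actually produces one. The following is an added example, not code from the deck, from HHS or from any covered entity, showing one way to strip direct identifiers from a subject record before it leaves the covered entity, replace the record key with a site-held pseudonym, and audit the result for identifiers that leak through free-text fields. The field names, the identifier list, the sample record and the site key are all constructed for illustration; the identifier list is not the regulation's own list, which is what a CE must apply. The HMAC-based pseudonym is this example's choice, not something the slide prescribes.

```python
"""Producing a limited data set from a subject record.

Added example, not code from the slide deck or from any regulator. It
applies the slide's description: strip direct identifiers (name, contact
info, SSN, account numbers, ...) before PHI leaves the covered entity, and
replace the record key with a pseudonym derived from a key only the site
holds. Field names, identifier list and sample record are constructed.
"""
import hashlib
import hmac
import re

# Direct identifiers as the slide names them, plus a few common EDC fields.
# Constructed field names, not the regulation's list; a real export differs.
DIRECT_IDENTIFIERS = frozenset({
    "name", "initials", "address", "phone", "email", "ssn", "mrn",
    "account_number", "ip_address", "photo", "fingerprint",
})

# Patterns for identifiers that leak through free-text fields
# (clinic notes, help-desk tickets). Deliberately US-centric and simple.
LEAK_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-. ]\d{3}[-. ]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
}


def pseudonym(site_key: bytes, mrn: str) -> str:
    """Stable study ID derived from the MRN with a key only the site holds.

    A keyed hash (HMAC-SHA256) rather than a bare SHA-256: MRNs are
    low-entropy, so an unkeyed hash could be reversed by enumeration.
    """
    return hmac.new(site_key, mrn.encode("utf-8"), hashlib.sha256).hexdigest()[:12]


def scrub_free_text(text: str) -> str:
    """Replace identifier patterns embedded in free text with markers."""
    for label, pattern in LEAK_PATTERNS.items():
        text = pattern.sub(f"[{label.upper()} REMOVED]", text)
    return text


def limited_data_set(record: dict, site_key: bytes) -> dict:
    """Return a copy of `record` with direct identifiers removed.

    Dates, ZIP code and clinical fields are retained: the slide's point is
    that a limited data set removes direct identifiers, not all data.
    """
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue
        out[field] = scrub_free_text(value) if isinstance(value, str) else value
    out["subject_id"] = pseudonym(site_key, str(record["mrn"]))
    return out


def residual_identifiers(record: dict) -> list:
    """Audit check to run before the data set is sent to the sponsor.

    Returns a list of (field, reason) findings; an empty list means no
    direct-identifier field and no free-text leak pattern was found.
    """
    findings = []
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            findings.append((field, "direct identifier field present"))
        elif isinstance(value, str):
            for label, pattern in LEAK_PATTERNS.items():
                if pattern.search(value):
                    findings.append((field, f"{label} pattern in free text"))
    return findings


# Constructed sample record (not real data) showing both a direct-identifier
# field and an identifier leaking through a free-text note.
SAMPLE_RECORD = {
    "mrn": "MRN-0042",
    "name": "Jane Example",
    "ssn": "123-45-6789",
    "email": "jane@example.org",
    "zip": "07101",
    "visit_date": "2010-03-02",
    "diagnosis": "Type 2 diabetes",
    "notes": "Called from 555-123-4567; confirmed SSN 123-45-6789 on file.",
}

if __name__ == "__main__":
    key = b"site-held-key-rotate-me"  # assumption: kept in the site's key store
    lds = limited_data_set(SAMPLE_RECORD, key)
    print("before:", residual_identifiers(SAMPLE_RECORD))
    print("after: ", residual_identifiers(lds))
    print(lds)
```

The audit step matters more than the scrubbing: the common failure is not a forgotten column but an SSN or phone number typed into a notes field, which a column-based rule never sees. Keep the site key out of the data set and out of the sponsor's hands; re-identification for an adverse event then requires going back to the site, which is the control the "minimum necessary" rule is after.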

Page 28

Impact: Source Document Verification and Adverse Event Reporting

Concern that the new rules around the "minimum necessary" standard, in combination with increased enforcement penalties, could affect the ability to source-document-verify subjects' records and to report adverse events. This could lead some healthcare providers and health plans to be less willing to provide all the information relevant to the trial or to an adverse event.

Page 29

Impact: Psychotherapy Notes

Previously
• A CE was required to obtain an authorization for any use or disclosure of psychotherapy notes, other than for treatment.
• An authorization for use or disclosure of psychotherapy notes could not be combined with any other authorization.
• "Psychotherapy notes" was defined as notes recorded by a mental health professional documenting or analyzing the contents of conversation during a counseling session.

HITECH Act
• HHS is required to study the definition of "psychotherapy notes" with regard to including in such definition "test data that is related to direct responses, scores, items, forms, protocols, manuals, or other materials that are part of a mental health evaluation" and to revise the definition based on this study.
• Broadening of the "psychotherapy notes" definition could impact disclosure of such information as part of a limited data set, pursuant to an IRB waiver, as preparatory to research, or for public health activities (e.g., reporting adverse events).

Page 30

Best Privacy Practices for Trial Sites

• Have a designated privacy officer/privacy office to manage incidents and report to the agency or IRB as required
• Have an understanding of how local privacy laws impact what the site does
• If using a vendor, have appropriate contractual protections and ensure the vendor understands breach reporting requirements
• Have an understanding of local IRB requirements regarding reporting of PHI breaches to the Sponsor, and of the policy around review of the site's medical records for potential trial subjects
• Have documented processes for the informed consent process (and HIPAA authorization), access to medical records, secure transmission of subject information to the Sponsor, the de-identification process, and secure storage and destruction of subjects' files
• Have training records for site personnel on local privacy requirements and the site's policies and procedures
• Have security safeguards in place for subjects' study files and medical records
• Have an escalation process in place for breaches and for handling regulatory inspection activities

Page 31

EU Commission - EU Data Protection Directive

• 5 institutions involved: Council, Commission, Parliament, Court of Justice and Court of Auditors
• EU Directive 95/46/EC: multiple Articles within the Directive reference data protection; Article 29, which establishes the Working Party of national DPAs, is the most important for privacy
• Within the Commission, the Internal Market Directorate is the most important for data protection; the Article 29 "Working Party" is made up of the member states' DPAs
• The Directive focuses on the protection of individuals with regard to the processing of personal data and on the free movement of such data
• The Directive outlines minimum privacy requirements and requirements for cross-border transfers to countries without recognized privacy practices, e.g. US, Australia
• Enforcement by Data Protection Authorities in each country

Page 32

EU Data Protection Directive

• Sets the floor for privacy; member countries may have a stricter interpretation
• Principles of notice, choice, legitimate purpose, access/rectification, data quality, confidentiality/security
• Specific rules for sensitive data: legitimate purpose, explicit consent, contract requirements, security controls (e.g. encryption)
• Enforcement mechanism: Data Protection Authorities
• Data transfer mechanisms: model contracts, BCRs (Binding Corporate Rules), Safe Harbor
• Local privacy requirements for data processing: consents, notifications to the DPA, works councils, inter-company agreements

Page 33

International Enforcement Trends

General trends
• Convergence of medicines regulatory/DPA enforcement and regional collaboration among authorities
• Increasing awareness of industry practices among regulators
• Proliferation of national and regional data privacy laws: over 70 countries worldwide and growing
• Greater enforcement by regulators; more DPA activity generally
• Health-sector-specific audits: Denmark, Sweden

Risks increasing for pharmaceutical companies conducting clinical research
• medical health data; vulnerable data subjects; data transfers and disclosures; use of multiple vendors and consultants
• Sanctions include monetary fines, criminal liability, imprisonment, invalidation of study data, halting of data flows

Page 34

Medicines Regulators' Inspection Activity

• Post 2004: focus on the privacy aspects of clinical trials in light of Directive 2001/20/EC (the Clinical Trials Directive)
• Review of consent documentation, transfer of patient data, security measures, etc.
• Inspection activity reported in: France, UK, Denmark, Netherlands
• Expect similar trends in non-EU jurisdictions based on ICH GCP

Page 35

DPA Inspections

• Most common triggers: national notifications, individual complaints, targeted sector reviews, DPA-to-DPA referrals
• Pharma-specific investigations in CR, Poland, Portugal and Spain
• DPA inspections on the rise; dawn raids reported in Italy and France

Page 36

Pharma-specific Developments

• Outsourcing of trial activities to vendors
• Pharmacogenomics to create designer drugs
• The struggle to define "personal data" relating to bio-samples, and concerns with genetic data
• Medicines regulators/ECs focusing on privacy: appropriateness of consent, secondary uses, breaches

Page 37

Data Transfers

Mechanisms to transfer Personal Information out of a country:
• Safe Harbor (EEA region and Switzerland)
• Binding Corporate Rules
• Model Contracts
• Consent

Many companies are going the Safe Harbor route, or a combination of the above depending on the type of data.

Page 38

Safe Harbor

Background:
• October 1998 – EU Data Protection Directive goes into effect, prohibiting the transfer of personal data to non-EU countries that do not provide “adequate” privacy protection
• US and the EU committed to bridging the privacy gap and maintaining high levels of privacy protection, thus enabling trans-border data flows
• FTC Act permitted both sides to maintain their positions: US companies made voluntary commitments; the EU was satisfied that those commitments were legally binding

The Safe Harbor Framework includes:
• 7 Privacy Principles: Notice, Choice, Onward Transfer, Access, Data Integrity, Security, Enforcement
• 15 FAQs
• EU’s “adequacy” determination
• Series of letters between the European Commission, Department of Commerce, Federal Trade Commission, and Department of Transportation

Why is this important:
• Allows for the transfer of data out of the EU or Switzerland to the US for processing; HOWEVER, local privacy requirements must still be met, such as providing notice and choice
• Allows companies to contract with vendors to process data on their behalf

Page 39

Sample list of Pharmaceutical companies with Safe Harbor certifications

• Amersham Health
• Baxter International
• Eli Lilly & Co
• Ethicon Endo Surgery
• LifeScan
• Merck & Co.
• Pharmacia Corporation
• Pfizer
• Procter & Gamble
• Wyeth Pharmaceuticals
• Novartis

Page 40

Basic Security Requirements

Administrative controls (e.g. privacy oversight, written policies, training)

Physical controls (e.g. secure access to records)

Logical/Technical controls (e.g. disaster recovery, password protections, encryption, access/authentication controls)

Page 41

Privacy and Security Tips at Home

If asked for personal data, find out how it will be used and how it will be protected.

If you shop online, do not provide personal data to a website until you have checked for indicators that the site is secure, like a padlock icon on the browser’s status bar or a website URL that begins with “https”.

Read the privacy policies of the Web sites you visit to discover how your data is used and with whom it will be shared.

Beware of “phishing.” If you receive an email from an address that you do not recognize, do not open it. It may be an email from what appears to be a legitimate company asking for your personal data. Never reply to, or click on links or pop-ups in email that ask for personal data unless you are sure it is the business that is supposed to receive it. Do some checking first before you provide your personal data.

Protect passwords. Never share them. Change them often. Ensure they have at least 8 characters and include numbers and symbols. Do not use common words.

Page 42

Privacy and Security Tips at Home

Know what personal data you have in your home files and on your computer.

Lock it away. Secure your laptop at home and in your car. Secure your important personal paper records at home in a locked desk drawer when you are away from home. Secure mail and your portable storage devices. Secure your laptop in the trunk, not the back seat, of your car.

Be mindful of your cash withdrawal machine transactions and where the machines are located.

Use a credit card from a reputable company. The credit card company monitors activities and will notify you if something appears wrong. They will also cover certain expenses in event of a theft. A bank debit card may not do this.

Encrypt electronic files and folders containing personal data.

Page 43

Resource Information Links

In the US, contact the Federal Trade Commission at 1-877-382-4357 or visit ftc.gov to file a complaint or get additional information on consumer issues

Consumer information on children’s privacy, identity theft, and privacy and security, is available on the FTC’s Web site at:

http://www.ftc.gov/bcp/menus/consumer/data/child.shtm
http://www.ftc.gov/bcp/menus/consumer/data/idt.shtm
http://www.ftc.gov/bcp/menus/consumer/data/privacy.shtm

HIPAA Privacy Rule: http://privacyruleandresearch.nih.gov/

Data Privacy Day: http://dataprivacyday2010.org/

IAPP-International Association of Privacy Professionals: https://www.privacyassociation.org/

AICPA.org

HHS- http://www.hhs.gov/ocr/privacy/
