Inattention by the Food and Drug Administration to privacy issues in its safety programs for high-risk drugs has left patients vulnerable to having their sensitive medical information used in marketing campaigns, a privacy advocate has charged.
The criticism came last week from Pam Dixon, executive director of the World Privacy Forum, during a two-day, joint public workshop in Washington by the FDA and the Agency for Healthcare Research and Quality. The goal of the workshop was to improve FDA-mandated risk-minimization action plans, or RiskMAPS.
The World Privacy Forum is a not-for-profit privacy advocacy organization whose previous foray into healthcare privacy issues was a report last year about the growing threat to patients and healthcare providers posed by medical identity theft.
It also comes as federal efforts are under way to address what have been called potential "barriers" to healthcare information exchange by state privacy laws that are permitted under HIPAA to be more stringent than the privacy floor established by the broader, but weaker, federal law.
"The FDA has not paid attention to privacy standards that should be applied to RiskMAP programs," Dixon said in her four-page written testimony. "Unfortunately, this lack of FDA attention has resulted in inappropriate and unethical marketing to patients using patient information gathered for treatment purposes. If these marketing activities were being covered by HIPAA-covered organizations, the activities would be illegal. These activities may well be illegal in California, which has a strong state-level medical privacy law that goes beyond HIPAA. The FDA needs to set privacy standards for RiskMAPs that resolve this problem."
RiskMAPs fall into three categories: provider education programs; reminder systems intended to guide providers and patients in prescribing or taking high-risk drugs; and performance-linked access systems through which patients are required to provide personal information as a prerequisite to being allowed to receive the high-risk medication.
The scope of the HIPAA privacy rule is limited to a defined list of so-called covered organizations, basically healthcare providers, payers and claims clearinghouses. Thus, HIPAA rules don't apply to RiskMAPs, according to Dixon, a point conceded by operators of one of the RiskMAP programs.
In her testimony, Dixon specifically named an Internet-based, performance-linked access system called iPledge, for the drug isotretinoin, which is an effective treatment for severe acne, but which is known to cause birth defects when used by pregnant women. The stated goal of the iPledge program is to prevent women from using the drug when they are pregnant.
Among the dozens of answers in the tiny type on the frequently-asked-questions section of the Web site, the word "privacy" is absent, but HIPAA does appear with the following disclaimer to providers: "Under HIPAA, covered entities are defined as three groups, health plans, healthcare providers and healthcare clearinghouses. Pharmaceutical manufacturers are not included in any of these groups, therefore, the manufacturers of isotretinoin are not covered entities under HIPAA, and HIPAA does not apply to the iPledge program."
A privacy statement on the Web site tells users that iPledge "collects information about your transactions" without elaborating what those transactions might be. It also notes that iPledge "may combine information about you that we have with information we obtain from business partners or other companies." Again, how that other information is obtained, from whom and for what purpose is also not explained.
Again, who those marketing partners are, or what offers they might make, are undisclosed.
The iPledge program was approved by the FDA as a RiskMAP in 2005 and, despite complaints and a request for delay by the American Academy of Dermatology, participation became mandatory in March 2006 for physicians, pharmacists and patients to prescribe, sell or receive treatment using isotretinoin.
The program is operated under the auspices of four manufacturers of branded versions of isotretinoin. But the iPledge Web site does not mention that the pharmaceutical companies are responsible for operating the program, nor does it name the pharmaceutical contract research organization, Covance, of Princeton, N.J., that manages iPledge on their behalf. The drug companies (Barr Laboratories, Mylan Pharmaceuticals, Ranbaxy Laboratories and Roche Laboratories) and their phone numbers are listed, but their role in the program is not explained. The FDA is scarcely mentioned on the site, most commonly as a place to report a pregnancy, but its role in approving the program is not explained.
"The drug companies come up with it, the FDA approves it, and the drug companies administer it," Dixon said in a telephone interview about RiskMAPs' development. "The data goes directly to the drug manufacturers. There is absolutely no (consumer) control of the information. You have absolutely no right or ability to opt out of the marketing of your data, and it's sensitive data, your contraceptive choices, your pregnancy test results, your name, partial Social Security number, date of birth and address. They've got a lot of information on you."
Covance received a copy of Dixon's written testimony with a request for comment on her privacy concerns. Mona Terrell, spokeswoman for the iPledge program, said in an e-mail response: "The companies that manufacture isotretinoin and manage the iPledge program take patient privacy very seriously and do everything within their power to guard against misuse of patient information."
Terrell said this about iPledge operations: "Access to all patient information in the system is restricted through layers of authentication and authorization requirements. Identified patient information is never provided to the manufacturers. All data reported out of the iPledge system to the manufacturers or FDA is de-identified at the time the report is created. De-identified patient information may be provided to the manufacturers only when necessary to meet regulatory and drug safety requirements, such as reporting of pregnancy or other adverse events. The marketing partners are the four manufacturers of isotretinoin. As we stated earlier, identified patient information is never provided to the manufacturers for any purpose, including marketing."
Terrell did say, "The companies plan to review the privacy statement with the goal of making the wording consistent with actual practice."
In an e-mail response to a request for comment on Dixon's testimony, FDA spokesman Paul Richards said that the "FDA understands the important role sponsors and applicants have to protect patients and their privacy during the generation of safety data and the development of risk minimization action plans."
In 2005, the FDA issued a guidance document to the industry on the development, implementation and evaluation of RiskMAPs, Richards said.
The guide states that it is "of critical importance to protect patients and their privacy" and that "sponsors must comply with applicable regulatory requirements involving human subjects research and patient privacy." The guide points specifically to the privacy rule protections under HIPAA, but Richards also noted that the industry must comply with federal requirements for human subject protection under Title 21 of the Code of Federal Regulations, parts 50 and 56.
The privacy section of the code says that "Information about individuals in (FDA) records shall be collected, maintained, used and disseminated so as to protect the right to privacy of the individual to the fullest possible extent consistent with laws relating to disclosure of information to the general public, the law enforcement responsibilities of the agency, and administrative and program management needs." The specific section on human research subjects requires that patients give consent before their information is used, but is silent on its re-use for marketing.