It's time for the life sciences industry to rethink its relationship with HIPAA

Direct patient engagement by life sciences manufacturers is at an all-time high. I don't just mean direct-to-consumer advertising. Manufacturers are increasingly engaging patients through digital tools, support programs, wearable devices, and more. Whether sending medication reminders or analyzing patients' behavior in real time to offer them useful resources, these technologies have the potential to significantly improve lives.
However, this direct patient involvement brings a new development that life sciences organizations are not paying enough attention to. As manufacturers play an active role in the patient's healthcare journey, the line between manufacturers and healthcare providers/payers has become increasingly blurred.
In this article, we will examine how digital patient engagement complicates the relationship between the life sciences industry and HIPAA, even though the industry has not historically been regulated by HIPAA. We will also look at privacy and patient engagement practices that manufacturers can learn from traditional HIPAA-regulated entities.
A brief overview of HIPAA
HIPAA was enacted in 1996 to increase the efficiency and effectiveness of the U.S. healthcare system. Since then, it has evolved substantially to address electronic health information. HIPAA sets out various rules that healthcare organizations must follow to protect the privacy and security of sensitive health information. HIPAA calls this information Protected Health Information (PHI).
HIPAA applies to the following types of organizations, collectively referred to as covered entities:
- Healthcare providers (doctors, clinics, pharmacies, etc.)
- Health Plans (Health Insurance, Medicare, Medicaid, etc.)
- Healthcare clearinghouses
HIPAA also regulates business associates, which are individuals or entities that access PHI on behalf of covered entities or provide certain services to covered entities.
HIPAA requires covered entities to sign contracts with their business associates to ensure that PHI is protected. These contracts are called Business Associate Agreements (BAAs).
Life Sciences and HIPAA – Traditional Perspectives
Life sciences manufacturers do not fit neatly into any of the categories listed above. Because a manufacturer is not directly involved in delivering care or running healthcare operations, it is not considered a covered entity.
Even after the introduction of HIPAA, the various patient support programs (PSPs) that manufacturers offered in the 2000s were primarily manual and paper-based, and they required authorizations from patients so that manufacturers could access PHI. Since the authorization comes directly from the patient, the patient's provider does not need to sign a BAA with the manufacturer, because the manufacturer does not access the PHI on behalf of the provider.
In other words, manufacturers are neither covered entities nor business associates in the HIPAA sense. But all of that predates the introduction of digital patient engagement.
Privacy and Life Science Patient Engagement
Digital tools have revolutionized how manufacturers engage patients. Brands were previously limited to reaching patients through advertising, call centers and providers. With digital channels, manufacturers can engage patients through first-party applications, websites and more.
Whether patients are looking for telehealth services, in-person doctors, disease education, medication delivery or something else, manufacturers can now deliver tailored resources to patients digitally.
However, this also means that, whereas companies previously had access to only limited health information through manual processes, digital platforms can now collect a wide range of health information, such as patient behavior data, treatment history, laboratory results, and more.
Note that such services usually require explicit authorization from patients before their health information can be accessed.
Why new thinking around HIPAA is needed in life sciences
If patients explicitly authorize the collection of sensitive health information for support services, and the life sciences industry is generally not regulated by HIPAA, why should manufacturers be concerned about HIPAA at all?
I think there are two answers to this question:
- Manufacturers play a more active role in care coordination and patient engagement through advanced digital health platforms and patient engagement programs.
- Patients do not always understand the responsibilities of the various stakeholders involved.
We cannot predict whether the life sciences industry will one day be regulated by HIPAA, but the direction seems clear. Advances in digital technology and AI will only further blur the lines between manufacturers and providers.
HIPAA versus FTC and State Regulations
A common rebuttal I hear from pharmaceutical companies is that HIPAA does not apply to them, so they focus primarily on FTC and state regulations.
Patients are not always clear about the respective privacy obligations of providers, payers and manufacturers. For example, consider personalizing a website for an anonymous patient based on a sensitive medical condition, with opt-in email follow-up. If the life sciences company complies with FTC and state regulations on consent, opt-in/opt-out, disclosure and so on, it may engage in this practice. But if patients perceive the practice as invasive, the company's brand is damaged even though no FTC or state law has been violated.
Compliance with FTC regulations and state laws does not always guarantee patient satisfaction, and patient dissatisfaction can lead to significant brand losses. Given the increased scrutiny the life sciences industry faces, manufacturers can only benefit from engaging patients the way HIPAA-regulated entities do.
Traditional HIPAA-regulated entities tend to use safer methods, such as requiring visitors to sign in before seeing personalized content, or ensuring that email communications are generic and neutral rather than mentioning specific medical conditions.
Even if you haven't
Here are some actionable tips for life sciences organizations that want to adopt a HIPAA-compliant, privacy-first mindset:
- Go beyond legal obligations – Avoid the temptation to focus only on FTC and state regulations. Compliance alone does not always equal brand trust.
- Think PHI, not just patient data – If you collect sensitive or potentially sensitive health data, apply the same security controls you would apply to PHI.
- Verify patient identity – Do not assume who the patient is; require a secure login when the content is sensitive.
- Business Associate Agreements – Consider requiring vendors and partners to sign a BAA-like contract before sharing PHI with them. If a vendor refuses to sign a BAA, consider a competitor that will.
- Consent must be explicit and granular – Never assume you have patient consent, and don't make it overly broad.
- Engage privacy experts as early as possible – Bring the privacy team in at the start; you should not have to retrofit your digital tools for privacy.
- Control your technology stack – Invest in data platforms that help you collect, manage and share data with maximum flexibility. The ability to anonymize PHI before sharing it downstream is a must.
These practices will build accountability with vendors and partners as regulations change, strengthen your privacy posture, and ultimately increase patients' trust in your brand.
Author's Disclaimer: The opinions in this article are my own and do not represent the views of my employer.
Photo: Dzmitry Skazau, Getty Images
Nirmal Vemanna is a lead product expert for healthcare and life sciences at the customer data platform company Tealium. In his current role, Nirmal is responsible for developing product strategy for data platforms and analytical tools for the healthcare and life sciences verticals.
Under Nirmal's leadership, Tealium launched the industry's first privacy-centric data orchestration platform, which enables healthcare and life sciences organizations to collect, analyze and orchestrate patient and physician data in real time. Nirmal has over 12 years of experience in the healthcare and life sciences industries. He has worked with industry leaders such as Pfizer, GlaxoSmithKline, Merck and IQVIA on drug discovery, drug commercialization and customer engagement.
This article appeared through the MedCity Influencers program. Anyone can publish their perspective on business and innovation in healthcare on MedCity News through MedCity Influencers.