Microsoft word - pharmaprivacypolicies.doc
Pharmaceutical Compliance with Fair Information Practice
by John Mack Introduction
According to a Pew Internet & American Life Project survey (November, 2000), 89% of health
seekers on the Internet are concerned that a health Web site might sell or give away information
about what they did online. A 2000 Cyber Dialogue survey commissioned by the Internet
Healthcare Coalition and the California Healthcare Foundation, found that only 14% of online
health seekers have a “high level of trust” of Pharmaceutical company or product web sites.
Fueled by recent privacy laws, such as the Gramm-Leach-Bliley Act and the Health Insurance
Portability and Accountability Act, establishing trust and confidence with stakeholders, from
regulators to customers, has become a business imperative for the pharmaceutical industry. Fair Information Practice Principles
Over the past quarter century, government agencies in the United States, Canada, and Europe
have studied the manner in which entities collect and use personal information – their
"information practices" – and the safeguards required to assure those practices are fair and
provide adequate privacy protection. The result has been a series of reports, guidelines, and
model codes that represent widely-accepted principles concerning fair information practices.
Common to all of these documents are several core principles, including:
• NOTICE: data collectors must disclose their information practices before collecting
personal information (PI) from consumers
• CHOICE: consumers must be given options with respect to whether and how PI collected
from them may be used for purposes beyond those for which the information was provided
• ACCESS: consumers should be able to view and contest the accuracy and completeness
• SECURITY: data collectors must take reasonable steps to assure that information
collected from consumers is accurate and secure from unauthorized use
• ONWARD TRANSFER (CHAIN OF TRUST): to disclose information to a third party, such
as an advertiser, organizations must apply the NOTICE and CHOICE principles. Where an organization wishes to transfer information to a third party that is acting as an agent, such as a fulfillment vendor, it may do so if it makes sure the third party subscribes to the same principles as the organization.
• DATA INTEGRITY: An organization should take reasonable steps to ensure that data is
reliable for its intended use, accurate, complete, and current.
• ENFORCEMENT: the use of a reliable mechanism to impose sanctions for
How Do Pharma Privacy Policies Measure Up?
How well do pharmaceutical companies’ privacy policies comply with Fair Information Practice
principles? To determine this, an analysis was performed on 21 top selling prescription products
worldwide (data from 2000). Publicly available privacy policies were accessed during the week of
January 28, 2002 from product web sites and evaluated against a set of 5 principles, including
Notice, Choice, Access, Security, and Chain of Trust. Each principle was assigned a value of 20
points. Policies were examined to determine if they complied fully or partially with each principle
and a numerical score (“Privacy Compliance Index”) was awarded based on the sum of the
scores (MAX=100).1 The results are presented below.
P rivacy C o m p lian ce In d ex
Inde x P oints
FIGURE 1: Plot of Privacy Compliance Index for Top Selling Rx Drugs
Compliance by Product
# of Principles
FIGURE 2: Detail Compliance Profile Showing Full, Partial, and Non-compliance
Chain of Trust
TABLE 1: Summary of Compliance with 5 Fair Information Practice Principles
procedures have not been implemented in many cases. Therefore, to avoid any trouble with the
FTC, companies understandably do not promise what they cannot deliver.
Access poses a difficult problem not just for pharma companies, but for “covered entities” (e.g.,
healthcare providers) under HIPAA (Health Information Portability and Accountability Act). Our
analysis only required that privacy policies somehow allow consumers to view voluntarily-supplied
personal information companies had about them and correct or delete this information. It didn’t
require that any special technology or automated tools be used to allow direct access to
databases. Still, many companies, according to their policies, do not provide any means of
access even if just a person to call or e-mail. It may be that the flow of data through and out of
these companies is not controlled in a manner that would allow access let alone deletion.
The Issue of Trust
Pharmaceutical product web sites can be more useful to consumers if they interacted more with
them and provided personalized services and tools that help consumers manage their chronic
conditions and comply with their treatment, including taking their medications and refilling
prescriptions. But, in order to provide this level of service, more and more personally identifiable
health information needs to be collected and maintained. Pharmaceutical companies may be
reluctant to do this on their own sites if they do not have adequate data collection practices and
policies in place. Nevertheless, the competitive advantage will go to the company that does follow
best privacy and security practices. These companies will engender the highest level of trust
among consumers allowing them to fully utilize the benefits of the Internet.
1. For more detailed information about the methodology and scoring system, contact VirSci at
215-504-4164 or send email to firstname.lastname@example.org or visit www.virsci.com.
PO Box 760
Newtown, PA 18940
Measuring the Quality of Surgical Care:Structure, Process, or Outcomes?John D Birkmeyer, MD, FACS, Justin B Dimick, MD, Nancy JO Birkmeyer, PhDWith widespread recognition that surgical outcomesstandard in cardiac surgery and in hospitals of the De-vary by providersurgeons and hospitals are increas-ingly being asked to provide evidence of the quality ofIn this article, we consider the relativ
Salvatore Sansalone – Curriculum Vitae Senior Lecturer in Urology University of Tor Vergata Rome, Italy Personal information: born on August 1st, 1971, in Locri, Reggio Calabria, Italy. Medical degree in 2001: Faculty of Medicine and Surgery, “Tor Vergata” University in Rome, Italy; thesis entitled “PSA Screening in Prostate Carcinoma” published in Professional bac