BREAKING! DATA TRANSFERS from US to 6 Countries FORBIDDEN!

On 28 February 2024, US President Joe Biden issued an executive order protecting US citizens' sensitive data from 'countries of concern': China, Cuba, Iran, North Korea, Russia and Venezuela. Read more here.


Health data falls under this order, which will impact data brokers and life sciences organisations in the US that provide services to organisations in these 6 countries, for example a global CRO based in the US providing clinical services to a sponsor in China.


And what if the data set is redacted? Even if, in the US, such redacted personal data doesn't fall under HIPAA and is NOT considered personal data anymore, we also advise not sharing such pseudonymised data with these 6 countries, as researchers have demonstrated that somebody could still re-identify the patients.


The only solutions are either to stop such transfers to these 6 countries, or to fully anonymise the personal data; but complete anonymisation takes a lot of time, is very costly and removes the scientific meaning of the data set.


==> ACT immediately to avoid penalties and review your personal data processing activities with a Risk Based approach!


For any question on how to comply in a simple way, contact us at contact ( at ) pharmarketing.net


New US Law MyHealth MyData

On 31 March 2024, the "My Health My Data" Law will enter into force in the US state of Washington. This law will apply to non-traditional health care providers, which are currently not subject to HIPAA or other healthcare privacy laws in the US.


The law, HB 1155 - 2023-24, addresses the collection, sharing and selling of consumer health data.


As of today, healthcare privacy laws in the US (like HIPAA) apply only to hospitals and to employer-sponsored health care plans.


The "My Health My Data" Law will not apply to entities regulated by federal health care law, like hospitals, but it will apply to any other type of organisation that collects and processes health data from consumers based in the state of Washington.


This includes a great number of organisations selling personal care products, cosmetics or consumer goods, most of which collect the Adverse Events ('AEs') that consumers experience, in order to monitor the AEs and improve the quality of the products they make or sell.


This will also include companies that collect and resell health data records, so-called 'data brokers'.


Such organisations might become subject to more complaints from consumers, as the MHMD makes it simple for them to complain and claim compensation.


What should companies do to prepare and mitigate the risk?

Such companies should conduct a risk analysis to evaluate the risk to the private life of consumers (not the risks to their company), as is already the case in Europe under the EU GDPR.


Then they should check that they have adequate security measures in place, and that they are transparent with consumers on what they do with their personal data.


A simple solution to reduce the risk is to anonymise the database: if the goal of such companies is to track the defects of the products they sell and improve their quality, they don't need to know the identity of the consumer; and by redacting the direct identifiers of the consumers, the data set becomes immediately completely anonymised and doesn't fall under the MHMD Law anymore.


What about companies working in clinical research?

The MHMD Law should not apply to organisations collecting or processing health data as part of Clinical Research: as per ICH guidelines, they are supposed to receive ONLY REDACTED personal data, that is data with no personal identifiers. As a consequence, such redacted data are not considered personal data anymore in the US, and these companies don't fall under the MHMD Law.


Read the MHMD future law here: Washington State Legislature


If you would like to discuss the MHMD law with us, contact Bertrand at b.p. lebourgeois ( at ) pharmarketing.net


Data flows from ASEAN to EU

ASEAN, the Association of Southeast Asian Nations, released its own Model Contractual Clauses ('MCCs'). These can be used on a voluntary basis when an organisation based in an ASEAN country transfers personal data to the EU.


ASEAN has 10 member states: Brunei, Cambodia, Indonesia, Laos, Malaysia, Myanmar, the Philippines, Singapore, Thailand and Vietnam.


There are 3 situations:


1) Data flows from ASEAN to EU: The parties may adopt the ASEAN MCCs for this scenario. The Joint Guide helps EU companies understand the similarities and differences between the ASEAN MCCs and the EU SCCs, and how to meet the requirements under the ASEAN MCCs. The Joint Guide also aims to help ASEAN companies understand and implement measures that go beyond what is needed under the ASEAN MCCs. This may help in streamlining processes and saving costs when companies expand their operations and business to the EU.


2) Data flows from EU to ASEAN: The parties should put in place a Data Transfer Agreement ('DPA'). Such a DPA should contain the Standard Contractual Clauses provided by the EU Commission.


3) Data flows within the ASEAN region: This Joint Guide aims to help companies trading within the ASEAN region to develop data governance policies and implement best practices that are aligned with the principles of the ASEAN Framework on Personal Data Protection. The Joint Guide will not only help companies better navigate the regulatory landscape for data transfers with the EU, but also open future possibilities with other regions in the world.


Read more:

Joint-Guide-to-ASEAN-Model-Contractual-Clauses-and-EU-Standard-Contractual-Clauses.pdf




Welcome to Andrei Danila from the UK!

Andrei Danila is a freelance data scientist located in the United Kingdom, with a background in Management for Digital Transformation.


He is currently finishing his Master's degree in environmental data science at Imperial College London. Prior to his data science career, Andrei worked as a project manager in a health-tech startup, where, among other responsibilities, he collaborated with the company's DPO to ensure compliance.


Andrei will be acting as UK Data Protection Representative for 3 clients of PharMarketing.

CHILE: New Data Protection Authority

The Joint Commission of Chile started to meet to look at potential modifications to the Chilean regulation on personal data protection ('Regulación Chilena sobre Protección de Datos Personales' or 'RCPDP').


The Commission, made up of 10 parliamentarians and chaired by Senator Luz Ebensperger, held its first session on 23 January 2024.


The Commission will continue to work on the RCPDP and also on the creation of the Data Protection Authority ('DPA') of Chile, the Agencia de Protección de Datos Personales ('APDP').


This first session was also attended by the Undersecretary of the Ministry of General Secretariat Macarena Lobos, who presented the government's proposals on this matter. The Joint Commission agreed to continue the debate in March, after the legislative break of the Chilean congress.


The Chilean Executive Branch proposes modifications to the bill that creates a Consolidated Registry of Debts


The Undersecretary of the Treasury Heidi Berner presented before the Economy Commission of the Chilean Senate the 13 modifications proposed by the Executive Branch to the bill that establishes the Consolidated Debt Registry. These modifications aim to unify the financial oversight regulations with the privacy standard, reinforce sanctions, add information duties, reinforce the public-private nature of the system, improve the complaints procedure and establish a catalog of progressive sanctions, among others.


Read more here https://www.trendtic.cl/2024/0...




Breaches of Health Data: Decisions of Health Authorities

European Data Protection Authorities published several decisions related to the processing of health data in the past months.


Such decisions shed light on the key measures to implement to stay compliant with privacy (and healthcare) laws and avoid a critical finding.


Thanks to GDPRhub by NOYB for all this valuable information!


Cyprus:


Fact: The Cypriot DPA imposed a €1,500 fine on a doctor, as a controller, for unlawfully accessing personal data on the General Health System, in breach of Article 5(1)(a) GDPR.

Read more or edit on GDPRhub...


Takeaway: Your organisation must have a valid legal basis as per Article 6 of the GDPR to access personal data; in addition, you must rely on one of the exemptions of Article 9.2 of the GDPR to access the health data of other people, even if such data are redacted.


Italy:


Fact: The Italian DPA, the Garante, imposed a fine of €8,000 on a private health facility for unlawful processing of sensitive data on its Instagram account.

Read more or edit on GDPRhub...


Takeaway: In order to publish patient data on social media, your organisation must:

1) inform the patient prior to the publication;

2) conduct a Legitimate Interest Assessment to make sure that the interests of your organisation don't override the interests of the data subject;

3) check that all relevant security measures are in place;

4) pseudonymise the personal data of the patient.


Fact: The Italian DPA, the Garante, fined a health service provider €18,000 for the loss of biological data due to the lack of a complete record of the processing operations performed on the tissue samples involved. The controller, the local health unit no. 8 of Cagliari, allegedly failed to perform an assessment to determine whether the biological samples could or could not be destroyed. The controller argued that tissue samples didn't fall under the GDPR. The Garante said that the controller did not implement sufficient technical and organisational measures, resulting in the loss of personal data.

The Garante said that the controller failed to effectively demonstrate its data processing operations, including the deletion or destruction of the samples after the minimum 10-year period. In addition, the controller did not adopt methods to ensure the traceability of the processed data throughout all stages of processing, and was therefore not in a position to know the identity of the recipients in the Medical Records Office. Read more or edit on GDPRhub...


Takeaway: Processing of biological samples falls under privacy laws, and for this reason healthcare and life science organisations must describe such processing activities in the Register Of Processing Activities (ROPA), they must conduct a risk analysis for the private life of the patients (the 'DPIA'), and they must put in place sufficient Technical and Organisational security Measures ('TOMs') to secure the personal data. Such measures include, of course, the traceability of the biological samples and of the related paper and electronic documents.


Fact: The Garante fined a general practitioner €20,000 for breaching Articles 5, 9 and 32 GDPR because outside his office there was a metal box in which he would place medical prescriptions for patients to pick up. The GP had implemented this system during the Covid pandemic and maintained it after the pandemic.

On the box, there was the indication "only medical prescriptions" with a key inserted in the lock. This box was freely accessible to the public and was located on a public square. Inside the box, there were numerous medical prescriptions, not placed inside closed envelopes, issued to different subjects.

The Garante said that prescriptions fall in the definition of data concerning health as per article 4 of the GDPR. As such, they require additional protection since their processing could cause severe risks to the data subjects’ fundamental rights and freedoms, as noted in Recital 51 GDPR.

The GP was in breach of the principles of integrity and confidentiality as per Article 5 of the GDPR, and should have put in place more TOMs.

Read more or edit on GDPRhub...


Takeaway: Again, it is of utmost importance to protect health data, as it is considered sensitive personal data and can severely impact the private life of the patients, and small health practices don't get a waiver for that. Here, with a bit of common sense, the GP could have guessed (without the need to draft a Data Protection Impact Assessment, 'DPIA') that this box system could have very bad impacts on some patients. Furthermore, the GP should have used the electronic prescription procedure proposed by the Italian Ministry of Health during the Covid pandemic.


Contact our Italian consultant Mary to know more: m.e.wieder@pharmarketing.net



For one of our clients selling Digital Therapeutics ('DTx') software embedding Artificial Intelligence ('AI') in the EU, we propose 3 scenarios to determine whether the company acts as a Data Controller or a Data Processor. We also discuss whether the software company is allowed to reprocess patient data to optimise the AI algorithm. Finally, we share the opinion of a lawyer from a local EU Data Protection Authority on this matter.


In addition, the DTx software has been approved recently for reimbursement in one country of the EU, and therefore new specific guidelines apply regarding this healthcare product, in addition to GDPR. We also discuss this aspect here.


This client sells software to medical doctors and other healthcare professionals (HCPs) to monitor the visual acuity of patients. The patients connect at regular times to the software on their smartphone or tablet and do some exercises. The HCP then gets alerts if the algorithm embedded in the software identifies a decrease in visual acuity.


This Digital Therapeutics (DTx) software has been approved for reimbursement in one country of the EU, and therefore new specific guidelines apply to this healthcare product, in addition to the GDPR. Hence we reviewed whether our client, the software provider, could still consider itself a Data Controller. This was important because our client wanted to reuse patient data (pseudonymised, of course) to improve the algorithm.


We propose 3 scenarios to determine whether the DTx company acts as a Data Controller or a Data Processor. We also share the opinion of a lawyer from a local Data Protection Authority on this matter.


1) Scenario 1: Data Controller


The DTx software company, when it developed its software, itself defined the objectives and the means of the personal data processing.

Regarding the objectives, it defined which patient data to collect and which KPIs to track. In terms of means, it developed the software tool.

This is the definition of a data controller per the General Data Protection Regulation ('GDPR').


2) Scenario 2: Joint Controller (or Co-Controller)


We could consider that both the DTx software company and the HCP define the objectives and the means of the personal data processing, because even if the software company developed the software independently first, the software was improved by many different remarks and contributions from HCPs.


So, we can consider that the way the software works follows clinical care best practices in ophthalmology for the surveillance of visual acuity. By the way, most of the time such a product is developed jointly with experts in the medical field.


What changes when you are a Joint Controller rather than a Controller?


Not much; if both the HCP and the DTx company are joint controllers, it means that both share responsibility and need to react promptly in case one of them receives a Data Subject Access Request or if one of them witnesses or suspects a personal data breach.


3) Scenario 3: Processor


The DTx software company could say that it acts as a sub-contractor to the HCP: the HCP decides when to use the software, so the HCP is the Controller and the DTx company is a Processor in the sense of privacy laws.


What changes when you are a Processor rather than a Controller or a Joint Controller?


If the DTx company is just a Processor, in case of an incoming DSAR or of a personal data breach, only the HCP (the Controller) is allowed and mandated to respond and react. The role of the DTx company is 'just' to support the HCP so that the HCP can respond to the DSAR and to the data breach in due time.


4) Is the DTx software company allowed to reprocess the patient data to improve the KPIs and the timing of the notices sent to the HCP?


The first question one can ask, is whether the DTx company owns the personal data of the patients or not. This depends on how the contract between the DTx company and the HCP on one side, and the contract between the DTx and the patient on the other side, are formulated.


In any case, the patient needs to be informed that their healthcare data will be reused for the purpose of improving the algorithm of the software. In some countries like Germany, Italy, Spain and Poland (this list is not exhaustive), the express consent of the patient might be mandatory.


The second question is whether this reprocessing of patient data is a new personal data processing or not. The answer is yes: all Data Protection Authorities ('DPAs') in the EU/UK consider that when you put all patient data collected in the past into a new database to reprocess it, it is a new personal data processing with its own objectives. Some DPAs call it a 'Healthcare Data Warehouse' ('HDW').

The DTx software company should analyse the risks to the private life of the patients of this new personal data processing and draft the mandatory deliverables per privacy regulations: add the processing to the ROPA, conduct a risk analysis ('Data Privacy Impact Assessment' - 'DPIA'), etc. The DTx software company should request formal approval from its local DPA before proceeding with the reuse of patients' data, and check that it complies with any existing local guidance for HDWs.


Another way to approach it is the following: if privacy laws did not allow the DTx software company to reprocess redacted patient data to improve its product, it would mean that no software vendor or machine manufacturer could reuse data to improve its product; and this would have important consequences on the safety of the product and subsequently on public health.


Similarly, a car manufacturer could not analyse the way its car reacts to the driving of car users (which is redacted personal data) to improve the way the brakes or the suspension of the car respond to the driving, in order to guarantee safe driving.


So in summary, yes, the DTx software company is allowed to reprocess the patient data to improve the algorithm, but several conditions need to be met.


5) What did the Lawyer of a local EU Data Protection Authority say about this?


The healthcare lawyer from the local EU Data Protection Authority said that the DTx software company can remain Data Controller for the processing of the personal data collected from patients when the DTx is prescribed by a healthcare professional ('HCP') to a patient.


But then the DTx software company will be a sub-contractor of the HCP when the HCP uses the software.


If you are in a similar situation and need support, feel free to contact Bertrand at b.p.lebourgeois@pharmarketing.net



FDA: Use of Data Monitoring Committees in Clinical Trials

On 15 February 2024, the FDA submitted a guidance document for review and comment on the Use of Data Monitoring Committees in Clinical Trials.


Comments should be submitted by 15 April 2024.


This guidance is intended to assist sponsors of clinical trials in determining when a data monitoring committee (DMC), a data and safety monitoring committee (DSMC), or an independent data monitoring committee (IDMC) would be useful for trial monitoring, and what procedures and practices should be considered to guide their operation.


When finalized, this guidance will supersede the final guidance for clinical trial sponsors entitled “Establishment and Operation of Clinical Trial Data Monitoring Committees,” issued in March 2006. This draft guidance is not final nor is it in effect at this time.


Access and comment on the new proposed guidance here: https://www.fda.gov/regulatory...



Our senior consultant Eugen Stefanut, MD, based in Romania, recently developed a Quality Management System ('QMS') for a small company developing a portal to recruit patients in clinical trials.


Eugen quickly developed a simple QMS that is robust enough to make this company compliant with ICH.


If you also need support to develop a QMS, contact Eugen at e.l.stefanut@pharmarketing.net
US: HIPAA Audits are Back! + NIST Guidance

As U.S. federal regulators fine-tune a strategy to push the healthcare sector into strengthening its cybersecurity posture, they are dusting off a HIPAA compliance audit program that's been dormant for the last seven years. A new round of HIPAA audits for regulated entities is in the works.


Read the Bank Info Security article here and the article in the Federal Register here.



At the same time, the National Institute of Standards and Technology ('NIST') released a new Guide (NIST SP 800-66 Rev.2) explaining how to comply with HIPAA, see here.


These audits and this guide apply to the so-called 'Covered Entities' under HIPAA, that is clinics and hospitals. But even if HIPAA doesn't apply directly to drug or medical device manufacturers, CROs and central labs, they will probably receive requests from Covered Entities in their compliance journey.


And also... HHS Office for Civil Rights Delivers Annual Reports to Congress on HIPAA Compliance and Breaches of Unsecured Protected Health Information, read here.


Need more information on HIPAA and other US Privacy Laws and Guidelines? Contact us at contact @ pharmarketing.net



Nigeria: New Guidance for Data Controller and Processor - Healthcare Sector

The Nigeria Data Protection Commission (NDPC) published guidance on the registration requirements for data controllers and processors.


The NDPC issued this guidance for the registration requirements of data controllers and processors with "particular value or significance to the economy, society or security of Nigeria" under the Data Protection Act.


The requirements apply to any controller or processor handling the personal data of more than 200 data subjects every six months, or processing personal data in key sectors, including financial services, health care, education and energy.

Read the guidance notice from the Nigeria Data Protection Commission (NDPC) here: https://ndpc.gov.ng/Files/regi...



1. Should Bio Samples be considered as Personal Data?

Yes, Bio Samples are considered as Personal Data. For an explanation, see the decision of the Italian Garante regarding a breach of the GDPR in the article above.

2. I'm selling Digital Therapeutics Software to healthcare professionals: can I reuse the patient data to optimise the algorithm embedded in the software?

Yes, if some conditions are in place; see the article above.