Tuesday, November 11, 2025
Your Health 247

It Is Time For The Life Sciences Industry To Rethink Its Relationship with HIPAA

Your Health 247 by Your Health 247
August 19, 2025
in Health


Direct patient engagement by life sciences manufacturers is at an all-time high. I am not just referring to direct-to-consumer advertising. Manufacturers are increasingly engaging patients through digital tools, support programs, wearables, etc. Whether it is sending medication reminders or analyzing patients’ behavior in real time to provide them with helpful resources, these technologies have the potential to improve lives significantly.

However, with such direct patient engagement, there is a new development that not enough life sciences organizations are paying attention to. As manufacturers play an active role in the patients’ healthcare journey, the boundaries between manufacturers and healthcare providers/payers are becoming increasingly blurry.

In this article, we will look at how digital patient engagement has complicated the relationship between the life sciences industry and HIPAA, even though the industry has not historically been regulated by HIPAA. We will also dive into privacy and patient engagement strategies that manufacturers may learn from traditional HIPAA regulated entities.

A brief overview of HIPAA

HIPAA was introduced in 1996 to improve the efficiency and effectiveness of the US healthcare system. Since then, it has evolved significantly to account for electronic health information. HIPAA establishes various rules for healthcare organizations to protect the privacy and security of sensitive health information. HIPAA refers to this information as Protected Health Information (PHI).

HIPAA applies to the following types of organizations, collectively known as covered entities:

  • Healthcare providers (doctors, clinics, pharmacies, etc.)
  • Health plans (health insurance, Medicare, Medicaid, etc.)
  • Healthcare clearinghouses

HIPAA also regulates business associates, which are individuals or entities that have access to PHI on behalf of or provide certain services to a covered entity.

HIPAA requires that covered entities sign a contract with a Business Associate to ensure that the PHI is protected. These contracts are known as Business Associate Agreements (BAA).

Life Sciences and HIPAA – the traditional view

Life sciences manufacturers don’t neatly fit into any of the categories listed in the section above. Manufacturers were not considered covered entities since they were not directly involved in care delivery or operations.

Even after the introduction of HIPAA, various Patient Support Programs (PSP) offered by manufacturers in the 2000s were mostly manual, paper-based, and required signed authorization from patients so that PHI could be accessed by manufacturers. Since the authorization came directly from patients, there was no need for the patient’s provider to sign a BAA with the manufacturer, as the manufacturer was not accessing PHI on behalf of the provider. 

In other words, manufacturers are neither covered entities nor business associates in the HIPAA sense. However, this was all before the introduction of digital patient engagement.

Privacy and life sciences patient engagement

Digital tools have revolutionized how manufacturers engage patients. Brands were previously limited to engaging patients through advertising, call centers, and providers. With digital, manufacturers can engage patients through first-party apps, websites, etc.

Whether the patient is looking for telehealth services, in-person physicians, disease education, shipping of medication, or something else, manufacturers now have the ability to provide tailored resources to patients digitally.

But this also means that, where companies could previously access only limited health information through manual processes, digital platforms now enable the collection of a wide variety of health information such as patient behavioral data, treatment history, lab results, etc.

Please note that such services typically require explicit authorization from the patient so that their health information can be accessed.

Why new thinking around HIPAA is needed in life sciences

If patients are explicitly authorizing the collection of sensitive health information to get support services, and if the life sciences industry is typically not regulated by HIPAA, why should manufacturers care about HIPAA at all?

The answer to this question has two facets, in my opinion:

  • Manufacturers are playing a more active role in care coordination and patient engagement through advanced digital health platforms and patient engagement programs.
  • Patients don’t always understand the responsibilities of the various stakeholders involved.

We cannot predict whether the life sciences industry will actually be regulated by HIPAA someday, but one thing seems clear. Advancements in digital technologies and AI will only blur the line between manufacturers and providers further. 

HIPAA vs. FTC and state regulations

A common retort I hear from pharma companies is that HIPAA doesn’t apply to them, and that they are mainly concerned with FTC and state regulations.

Patients are not always clear on the privacy obligations of providers, payers, and manufacturers. For example, anonymous patient website personalization involving sensitive medical conditions and opted-in email follow-ups may be okay for life sciences companies to engage in if they are compliant with FTC and state regulations around consent, opt-ins/opt-outs, disclosure, etc. However, if such practices are viewed by the patient as too intrusive, companies risk their brand being tarnished even though no FTC or state laws were broken.

Compliance under FTC regulations and state laws doesn’t always guarantee patient satisfaction. Patient dissatisfaction can lead to significant brand damage. Given the increased scrutiny faced by the life sciences industry, manufacturers would only benefit by thinking like HIPAA regulated entities when engaging patients.

Traditional HIPAA regulated entities tend to use a safer approach, like requiring the visitor to log into a patient portal before they are presented with personalized content or ensuring that email communications are generic/neutral as opposed to mentioning specific medical conditions.

Think like a HIPAA-regulated entity even if you are not (yet)

Here are a few actionable tips for life sciences organizations looking to adopt a HIPAA compliance and privacy-first mindset:

  • Go beyond legal obligations – Avoid the temptation to only focus on FTC and state regulations. Compliance alone does not always equal brand trust.
  • Think PHI, not patient data – If you are collecting sensitive or potentially sensitive health data, treat it like PHI with the appropriate security controls.
  • Verify patient identity – Do not assume a patient’s identity. Use secure logins when the content is sensitive.
  • Business Associate Agreements – Consider asking vendors and partners to sign a BAA-like contract before sharing PHI with them. If a vendor refuses to sign a BAA, consider competitors who would be willing.
  • Consent must be explicit and granular – When it comes to patient consent, never assume you have it and never make it overly broad.
  • Engage privacy experts early on – Involve privacy teams as early as possible. You shouldn’t retrofit your digital tools for privacy.
  • Gain control over your tech stack – Invest in data platforms that help you collect, manage, and share data with maximum flexibility. The ability to turn off website tracking by untrustworthy vendors and the ability to anonymize PHI before sharing it downstream are a must.

These practices would help future-proof your privacy strategy as regulations change, create accountability among vendors and partners, and ultimately increase brand trust among patients.

Author’s disclaimer: The opinions in this article are my own, and don’t represent the views of my employer.

Photo: Dzmitry Skazau, Getty Images

Nirmal Vemanna is Principal Product Specialist, Healthcare and Life Sciences at Tealium, a customer data platform company. In his current role, Nirmal is in charge of product strategy and development of data platforms and analytics tools for the healthcare and life sciences vertical.

Under Nirmal’s leadership, Tealium launched the industry’s first ever privacy-centric data orchestration platform that allows healthcare and life sciences organizations to collect, analyze, and orchestrate patient and physician data across the entire customer engagement ecosystem in real time. Nirmal has over 12 years of experience in the healthcare and life sciences industry. He has worked at industry leaders such as Pfizer, GlaxoSmithKline, Merck, and IQVIA building cutting edge data platforms and analytics tools to help in drug discovery, drug commercialization, and customer engagement.

This post appears through the MedCity Influencers program. Anyone can publish their perspective on business and innovation in healthcare on MedCity News through MedCity Influencers.



Copyright © 2025 Your Health 24 7.
Your Health 24 7 is not responsible for the content of external sites.
