Newsletter 52 May 2023

On 3 May 2023 the European Medicines Agency (EMA) released an Interim guidance document on how to approach the protection of personal data and commercially confidential information while using the Clinical Trials Information System (CTIS). 


Read the guidance document of the EMA here.


Also, the EMA launched a Public consultation on the transparency rules for the operation of the Clinical Trials Regulation (CTR) and its Clinical Trials Information System (CTIS). The consultation is open until 28 June 2023.

Access the public consultation here.


For any question on this topic, contact your consultant at PharMarketing or write to contact@pharmarketing.net



On 29 March 2023, the FDA issued a guidance for immediate implementation on cybersecurity in medical devices (Cybersecurity in Medical Devices: Refuse to Accept Policy for Cyber Devices and Related Systems Under Section 524B of the FD&C Act):

Beginning on 29 March 2023, manufacturers of cyber devices are required to include in their premarket submissions information demonstrating reasonable assurance that the cyber device and related systems are cybersecure. A cyber device is one that includes software (as or in the device), has the ability to connect to the internet, and has technological characteristics that could be vulnerable to cybersecurity threats. Under section 524B of the FD&C Act the required information is, in particular: a plan to monitor, identify and address postmarket cybersecurity vulnerabilities and exploits, including a coordinated vulnerability disclosure process; processes that provide reasonable assurance that the device and related systems are cybersecure, together with postmarket updates and patches; and a software bill of materials (SBOM) covering commercial, open-source and off-the-shelf software components.


The cybersecurity requirements do not apply to an application or submission submitted to the Food and Drug Administration (FDA) before 29 March 2023. For submissions made on or after that date, FDA has stated that it generally does not intend to issue refuse-to-accept (RTA) decisions based solely on the section 524B information before 1 October 2023, and will instead raise any gaps with sponsors during the interactive or deficiency review process.


Although this policy is being implemented immediately without prior comment, FDA will consider all comments received and revise the guidance document as appropriate.


Read the press release from the FDA and provide comments here.

Download the guidance here.





Under the new EU Clinical Trials Regulation (CTR) and the new ICH M11 protocol template, clinical research protocols should include language addressing data protection:


  • a description of the arrangements to comply with the applicable rules on the protection of personal data; in particular organisational and technical arrangements that will be implemented to avoid unauthorised access, disclosure, dissemination, alteration or loss of information and personal data processed
  • a description of measures that will be implemented to ensure confidentiality of records and personal data of subjects
  • a description of measures that will be implemented in case of data security breach in order to mitigate the possible adverse effects


ICH M11 is still a draft.


Download ICH M11 protocol template from EMA website here: https://www.ema.europa.eu/en/d...

Download ICH M11 from ICH website here: https://www.ich.org/page/multi...





On 11 April 2023, the FDA issued a final guidance meant to assist drug and medical device makers in developing risk-based monitoring strategies for clinical investigations involving drugs, biologics and medical devices.


This guidance provides information on risk-based approaches to monitoring the conduct of clinical investigations of human drug and biological products, medical devices, and combination products.

Clinical investigation monitoring is a quality control tool for determining whether investigation activities are being carried out as planned. This guidance contains recommendations on planning a monitoring approach, developing the content of a monitoring plan, and addressing and communicating monitoring results. This guidance expands on the guidance for industry Oversight of Clinical Investigations – A Risk-Based Approach to Monitoring (August 2013) (the 2013 RBM guidance) by providing additional information to facilitate sponsors’ implementation of risk-based monitoring.


The document provides answers to the following questions:


  • What is the purpose of the risk assessment and should sponsors document their methodologies and activities for assessing risk?
  • Should sponsors monitor only risks that are important and identified during their initial risk assessment as likely to occur?
  • What factors should sponsors consider when determining the timing, types, frequency, and extent of monitoring activities?
  • How can a risk-based approach to monitoring that includes centralized monitoring help minimize missing data or protocol deviations?
  • Should the risk-based monitoring approach include processes to ensure that appropriate blinding is maintained?
  • What elements should sponsors include in monitoring plans?
  • How should sponsors follow up on significant issues identified through monitoring, including communication of such issues?
  • How should monitoring activities and the results of these activities be documented and shared with those involved in the investigation?


Download the guidance here





On May 18, 2023, the Federal Trade Commission (FTC) announced its intention to hold companies more accountable for their collection and use of consumers’ health information. The FTC voted unanimously on May 18 to propose amendments to the Health Breach Notification Rule (HBNR) that would make clear that the Rule covers health apps and similar technologies, and would define the vendors and related entities in scope by reference to whether they access or send unsecured personal health record data.


What is the Health Breach Notification Rule (HBNR)?


Following the American Recovery and Reinvestment Act of 2009 and after receiving comments from the public, the FTC issued the Health Breach Notification Rule (16 CFR Part 318).


The FTC’s Health Breach Notification Rule applies only to unsecured health information, that is, health information that is not protected by a technology or methodology specified by the Department of Health and Human Services (HHS). In practice this means data encrypted in line with the HHS guidance, with the decryption key kept separate from the data, or data that has been destroyed, is out of scope; a lost encrypted laptop whose key was not compromised is not a notifiable breach under the Rule, whereas an unencrypted export or a disclosure of plaintext data to a third party is. Also, the FTC’s Rule does not apply to businesses or organizations covered by the Health Insurance Portability & Accountability Act (HIPAA). In case of a security breach, entities covered by HIPAA must comply with HHS’ breach notification rule.


The rule requires vendors of personal health records (PHR) and related entities that are not covered by the Health Insurance Portability and Accountability Act (HIPAA) to notify individuals, the FTC, and, in some cases, the media of a breach of unsecured personally identifiable health data.


It also requires third party service providers to vendors of PHRs and PHR-related entities to provide notification to such vendors and PHR-related entities following the discovery of a breach.


Protecting the privacy and security of personal health data is a high priority for the FTC, which has brought several cases in recent years involving the misuse of consumers’ personal health data, including two enforcement actions that alleged HBNR violations.


Earlier in May 2023, the FTC announced a proposed order settling allegations that fertility app Premom violated the HBNR.

In February 2023, the FTC announced its first enforcement action under the HBNR against telehealth and prescription drug discount provider GoodRx Holdings Inc.

The FTC says GoodRx and Premom each violated the rule by failing to notify users about the companies’ unauthorized disclosure of users’ personally identifiable health information to third parties.


Under the FTC’s Rule, companies that have had a security breach must:

  • Notify everyone whose information was breached;
  • In many cases, notify the media; and
  • Notify the FTC.


The FTC has designed a standard form (https://web.archive.org/web/20...) for companies to use to notify the FTC of a breach and periodically posts a list of breaches (https://web.archive.org/web/20...) for which it has received notice under the Rule. A brochure for businesses, Complying with the FTC’s Health Breach Notification Rule, explains who is covered by the Rule and offers guidance on what to do in case of a breach. FTC enforcement began on February 22, 2010.


For breaches involving the health information of 500 or more individuals, entities must notify the FTC as soon as possible, and in any case no later than ten business days after discovering the breach. Note that under the Rule a breach is treated as discovered on the first day it is known, or reasonably should have been known, to the entity, so the clock does not wait for the investigation to finish. Breaches involving the health information of fewer than 500 individuals may be reported in an annual submission that includes all breaches within the calendar year that fall within this category.


Since the Rule took effect in 2009, the FTC has been notified of only three breaches involving the health information of 500 or more individuals.


What are the changes proposed by the FTC?


The Federal Trade Commission is seeking comment on proposed changes to the Health Breach Notification Rule (HBNR) that include clarifying the rule’s applicability to health apps and other similar technologies.

Since the rule’s issuance, health apps and other direct-to-consumer health technologies, such as fitness trackers, have become commonplace.

The proposed changes to the rule come as business practices and technological developments increase both the amount of health data collected from consumers, and the incentive for companies to use or disclose that sensitive data for marketing and other purposes.


“We are witnessing an explosion of health apps and connected devices, many of which aren’t covered by HIPAA, collecting vast amounts of sensitive consumer health information. When this information is breached, it is more vital than ever that mobile health app developers and others covered by the Health Breach Notification Rule provide consumers and the FTC with timely notice about what happened,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The proposed amendments to the rule will allow it to keep up with marketplace trends, and respond to developments and changes in technology.”



As part of a regular review of Commission rules, the FTC in 2020 sought comment on whether changes were needed to the HBNR.


In September 2021, the FTC issued a policy statement affirming that health apps and connected devices that collect or use consumers’ health information must comply with the Health Breach Notification Rule. After reviewing the public comments and consistent with the policy statement, the Commission has proposed the following changes to the HBNR:


  • Revising several definitions to clarify the rule’s application to health apps and similar technologies not covered by HIPAA. This includes modifying the definition of “PHR identifiable health information” and adding two new definitions for “health care provider” and “health care services or supplies”;
  • Clarifying that a “breach of security” under the rule includes an unauthorized acquisition of identifiable health information that occurs as a result of a data security breach or an unauthorized disclosure;
  • Revising the definition of “PHR related entity” in two ways that pertain to the rule’s scope. For example, it makes clear that only entities that access or send unsecured PHR identifiable health information to a personal health record — rather than entities that access or send any information to a personal health record — qualify as PHR related entities;
  • Clarifying what it means for a personal health record to draw PHR identifiable health information from multiple sources;
  • Authorizing the expanded use of email and other electronic means of providing clear and effective notice of a breach to consumers;
  • Expanding the required content that should be provided in the notice to consumers. For example, the notice would be required to include information about the potential harm stemming from the breach and the names of any third parties who might have acquired any unsecured personally identifiable health information;
  • Adding changes to improve the rule’s readability and promote compliance.


The public will have 60 days after the notice is published in the Federal Register to submit comments on the proposed changes to the rule. Information on how to submit a comment can be found in the notice. Once processed, the comments will be posted to Regulations.gov.


Read the press release from the FTC here: FTC Proposes Amendments to Strengthen and Modernize the Health Breach Notification Rule | Federal Trade Commission


Read the proposed updates to the HBNR here: Health Breach Notification Rule NPRM and Appendix A (ftc.gov)





  1. In the EU/EEA/UK, redacted patient data are still considered personal data: yes / no

    Yes. Researchers have repeatedly shown that individuals can be re-identified from a "redacted" data set, typically by linking the indirect identifiers that remain (date of birth, postcode, sex, visit dates) to another data set that still carries names. Under the GDPR, data that has only been pseudonymised (names replaced by a subject number, with the key held by the site) remains personal data; only data that can no longer reasonably be re-identified by any means is anonymous. This is a major difference in the definition of personal data between Europe and countries outside Europe.

  2. We have controls in place to make sure that our home-based employees in Europe are actually working. Is it lawful to monitor data subjects like this? yes / no / it depends

    It depends: in most EU/EEA/UK countries, labour and data protection laws prohibit such permanent monitoring of employees. In some countries outside Europe, this can be accepted.

  3. Organisations should draft one Data Protection Impact Assessment (DPIA) for each and every clinical study they run; this applies also to small entities: yes / no

    No. Article 35(1) GDPR allows a single assessment to address a set of similar processing operations that present similar high risks, and the Data Protection Authorities in the EU/EEA/UK have clearly stated that they are flexible: organisations are not required to draft one DPIA per clinical study, provided that all the clinical studies present the same risk for the private life of the patients. In other words, if all the medical research you run presents the same risk for the private life of the patients, one generic DPIA is compliant with the GDPR.
    But if one day you launch a new study that generates a new risk, for example because some visits will be done at patients' homes, or because you will give tablets to the patients to answer a quality-of-life survey, then you should draft a DPIA assessing the risks generated by these new ways of conducting the study.
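Question 1 above rests on the linkage attack: remove the names, leave date of birth, postcode and sex, and the record can usually be joined to a public register that still carries names (Sweeney's well-known result on ZIP code, date of birth and sex in the US). The Python below is an added illustration written for this newsletter, not code from any regulator or researcher, run on a constructed six-record "redacted" clinical export and a constructed public register. It shows that the export is only 1-anonymous, recovers four of the six identities by an exact join on the quasi-identifiers, and then shows that coarsening those fields (3-digit ZIP prefix, decade of birth) raises k to 2 and leaves no unique match. The field names, subject IDs, names and generalisation rules are assumptions for the example.

```python
"""Linkage attack and k-anonymity check on a 'redacted' clinical export.

Added illustration for the newsletter Q&A; all records below are
constructed and every name, ZIP code and date is fictitious.
"""
from collections import Counter, defaultdict

# Quasi-identifiers left in the export after names were removed (assumption).
QUASI_IDS = ("zip", "dob", "sex")

# Constructed "redacted" clinical export: direct identifiers stripped,
# subject ID kept, quasi-identifiers kept at full precision.
CLINICAL = [
    {"subject": "S001", "zip": "02138", "dob": "1961-07-31", "sex": "F", "dx": "hypertension"},
    {"subject": "S002", "zip": "02139", "dob": "1975-03-12", "sex": "M", "dx": "diabetes"},
    {"subject": "S003", "zip": "02139", "dob": "1975-03-12", "sex": "M", "dx": "asthma"},
    {"subject": "S004", "zip": "02134", "dob": "1963-02-14", "sex": "F", "dx": "arthritis"},
    {"subject": "S005", "zip": "90210", "dob": "1988-11-02", "sex": "F", "dx": "migraine"},
    {"subject": "S006", "zip": "90211", "dob": "1982-05-20", "sex": "F", "dx": "epilepsy"},
]

# Constructed public register (think voter roll) that still carries names.
PUBLIC = [
    {"name": "Alice Example", "zip": "02138", "dob": "1961-07-31", "sex": "F"},
    {"name": "Bob Sample",    "zip": "02139", "dob": "1975-03-12", "sex": "M"},
    {"name": "Carl Sample",   "zip": "02139", "dob": "1975-03-12", "sex": "M"},
    {"name": "Dana Test",     "zip": "02134", "dob": "1963-02-14", "sex": "F"},
    {"name": "Erin Other",    "zip": "90210", "dob": "1988-11-02", "sex": "F"},
    {"name": "Fay Other",     "zip": "90211", "dob": "1982-05-20", "sex": "F"},
]


def quasi_key(rec, quasi_ids=QUASI_IDS):
    """The tuple of quasi-identifier values used for grouping and joining."""
    return tuple(rec[q] for q in quasi_ids)


def k_anonymity(records, quasi_ids=QUASI_IDS):
    """Size of the smallest equivalence class; k == 1 means some record is unique."""
    counts = Counter(quasi_key(r, quasi_ids) for r in records)
    return min(counts.values())


def link(clinical, public, quasi_ids=QUASI_IDS):
    """Map each subject ID to the public names that share its quasi-identifiers."""
    index = defaultdict(list)
    for p in public:
        index[quasi_key(p, quasi_ids)].append(p["name"])
    return {c["subject"]: list(index.get(quasi_key(c, quasi_ids), [])) for c in clinical}


def reidentified(links):
    """Subjects with exactly one candidate name are re-identified outright."""
    return {subj: names[0] for subj, names in links.items() if len(names) == 1}


def generalize(rec):
    """Coarsen quasi-identifiers: 3-digit ZIP prefix, decade of birth, sex kept (assumed rule)."""
    out = dict(rec)
    out["zip"] = rec["zip"][:3]
    out["dob"] = rec["dob"][:3] + "0s"   # "1961-07-31" -> "1960s"
    return out


def demo():
    """Compare the raw export with the generalised one under the same linkage attack."""
    gen_clinical = [generalize(r) for r in CLINICAL]
    gen_public = [generalize(r) for r in PUBLIC]
    return {
        "k_raw": k_anonymity(CLINICAL),
        "reidentified_raw": reidentified(link(CLINICAL, PUBLIC)),
        "k_generalized": k_anonymity(gen_clinical),
        "reidentified_generalized": reidentified(link(gen_clinical, gen_public)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

k-anonymity is a floor, not a guarantee: if every record in an equivalence class shares the same diagnosis the attribute still leaks (the l-diversity problem), and a real adversary has more than one register to join against, so the GDPR question of whether re-identification is "reasonably likely" has to consider those too.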



