Newsletter 62 May 2024

Is Artificial Intelligence Mandatory to Avoid or Reduce Diagnostic Wandering?

Opinion article by Bertrand Le Bourgeois, President, PharMarketing: Artificial Intelligence and Healthcare: Is Artificial Intelligence Mandatory to avoid or reduce Diagnostic Wandering? Or can a simple Data Base suffice?


To put it differently: is AI the alpha and omega of everything?


As you might have guessed, the answer is 'NO': a simple database can greatly help to reduce diagnostic wandering, and AI is not needed as a first step.


Bertrand Le Bourgeois is an engineer who graduated from Ecole Centrale in France and had the opportunity to develop systems with AI as early as the 1980s. At that time, AI was dedicated to industrial systems.


Bertrand also has long experience in developing and implementing IT business systems across the board, from Procurement to Sales through Finance, HR, Manufacturing, Supply Chain, Quality, Clinical and Analytics. He also knows relational databases, object-oriented databases, network databases (like Facebook's) and open-source software.


Now that AI can be used by all citizens as a nearly 'free' tool and can process much more information thanks to the rise in power of IT servers and networks, we can see some confusion in the minds of non-experts. The objective of this article is to explain in simple words, based on a simple example, that AI is not the alpha and omega of everything, and when AI is needed and when it is not.


Take the example of Diagnostic Wandering: how can we propose a simple solution to GPs to identify a patient's disease when the diagnosis is not easy to find? There are around 7000 rare diseases identified at this time, and even though the number of patients for each disease is limited (in the EU a disease is rare if it affects fewer than 1 in 2,000 people), the total number of patients who have a rare disease is enormous. For example, in France, a country with 67 million inhabitants, it is estimated that there are over 3 million patients with a rare disease, and over 30 million patients in Europe.


In other words, rare diseases are not so rare!


But, at the same time, a GP cannot know all 7000 rare diseases, their symptoms, concomitant pathologies, etc.


So, a solution to help GPs and reduce the time patients wait to receive appropriate care is greatly welcome.


The first idea that comes to mind is to develop a website where GPs would log in, enter the patient's symptoms, vital signs, demographic data (age, etc.), concomitant pathologies, current treatments and laboratory results, and then click on the 'search' button.


Then, in an ideal world, the GP would receive a list of suggested diseases which match the condition of the patient more or less closely. It would then be up to the GP to review the proposed results and form an opinion, refer the patient to the appropriate specialist for the relevant pathology, or prescribe additional tests.


Such a solution is a simple relational database that can be searched on different criteria with SQL queries. Such a database engine costs around 500 euros, or nothing at all if you use an open-source engine, so it is really a commodity nowadays; you will then need to pay in addition for the website design, for the hosting, and for the person who will load the data about the 7000 known rare diseases. Note that even without a patient's name, what the GP types into such a site is health data, so the site needs proper authentication of its users, encryption in transit, and a retention policy for the queries it receives.
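As an added illustration (not code from the article or from PharMarketing), here is a minimal version of that database in Python with SQLite: three tables, a constructed and fictional disease catalogue, and a parameterised query that ranks diseases by the number of observed symptoms they share. The disease names, symptom lists and the ranking rule are assumptions for the example, not medical facts. The security point a website like this has to get right is shown in suggest_diseases: the GP's input is bound as query parameters and never concatenated into the SQL text, so a crafted "symptom" is just a symptom that matches nothing.

```python
import sqlite3

SCHEMA = """
CREATE TABLE disease (id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE);
CREATE TABLE symptom (id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE);
CREATE TABLE disease_symptom (
    disease_id INTEGER NOT NULL REFERENCES disease(id),
    symptom_id INTEGER NOT NULL REFERENCES symptom(id),
    PRIMARY KEY (disease_id, symptom_id)
);
"""

# Constructed, fictional catalogue for the example: the names and the
# symptom links are illustrative only, not medical facts.
CATALOGUE = {
    "Syndrome Alpha": ["fever", "joint pain", "rash", "anaemia"],
    "Syndrome Beta": ["fever", "cough", "weight loss"],
    "Syndrome Gamma": ["joint pain", "rash", "fatigue", "muscle weakness"],
    "Syndrome Delta": ["fatigue"],
}


def build_database(catalogue=CATALOGUE):
    """Create an in-memory SQLite database and load the catalogue into it."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for disease, symptoms in catalogue.items():
        conn.execute("INSERT INTO disease(name) VALUES (?)", (disease,))
        for symptom in symptoms:
            conn.execute("INSERT OR IGNORE INTO symptom(name) VALUES (?)",
                         (symptom.lower(),))
            conn.execute(
                "INSERT INTO disease_symptom(disease_id, symptom_id) "
                "SELECT d.id, s.id FROM disease d, symptom s "
                "WHERE d.name = ? AND s.name = ?",
                (disease, symptom.lower()),
            )
    conn.commit()
    return conn


def suggest_diseases(conn, observed, min_matches=1):
    """Rank catalogue diseases by how many of the observed symptoms they share.

    Returns a list of (disease, matched, total_symptoms_of_disease) tuples,
    best match first; ties are broken in favour of the disease whose profile
    is covered more completely.  The GP's input is passed as bound parameters;
    the only thing built into the SQL string is the number of '?' placeholders.
    """
    wanted = sorted({s.strip().lower() for s in observed if s.strip()})
    if not wanted:
        return []
    placeholders = ",".join("?" * len(wanted))
    sql = f"""
        SELECT d.name,
               COUNT(*) AS matched,
               (SELECT COUNT(*) FROM disease_symptom WHERE disease_id = d.id) AS total
        FROM disease d
        JOIN disease_symptom ds ON ds.disease_id = d.id
        JOIN symptom s ON s.id = ds.symptom_id
        WHERE s.name IN ({placeholders})
        GROUP BY d.id
        HAVING COUNT(*) >= ?
        ORDER BY matched DESC, total ASC, d.name
    """
    rows = conn.execute(sql, (*wanted, min_matches)).fetchall()
    return [(name, matched, total) for name, matched, total in rows]


if __name__ == "__main__":
    db = build_database()
    for row in suggest_diseases(db, ["fever", "rash", "joint pain"]):
        print(row)
    # A hostile "symptom" is bound as data, so it simply matches nothing:
    print(suggest_diseases(db, ["fever' OR '1'='1"]))
```

The real catalogue would add weights, concomitant pathologies and lab results as further tables and further joins, but the shape of the query, and the rule that user input is bound and never spliced into it, stays the same.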


That's for a solution with a simple database.


Then you can decide to enhance the solution with an AI engine, so that the system learns from the patient data entered into it and from the final diagnosis given to the patient by a specialist of the rare disease in question. This will improve the accuracy of the responses given by the database, but at a significant cost, and it means retaining that patient data, with the data protection obligations that entails.


In summary, a simple database can help reduce the Diagnostic Wandering of patients.


AI can bring more accuracy, but is not mandatory in the first place.


If you have questions on this topic, feel free to contact Bertrand at b.p.lebourgeois ( at ) pharmarketing.net



ICH M14 on Pharmacoepidemiological Studies That Utilize RWD reached step 2

On 24 May 2024, the ICH M14 Guideline on Pharmacoepidemiological Studies That Utilize Real-World Data for Safety Assessment of Medicines reached Step 2 of the ICH process.


Please note that ISPE and the EMA have already released guidelines:


* International Society for Pharmacoepidemiology (ISPE) Guidelines for Good Pharmacoepidemiology Practices (GPP), first published in 1996, see here: https://www.pharmacoepi.org/re...


* EMA guidance on the "Use of real-world evidence in regulatory decision making", published in June 2023, read here: Use of real-world evidence in regulatory decision making – EMA publishes review of its studies | European Medicines Agency (europa.eu)


While the number of pharmacoepidemiological studies utilizing Real-World Data (RWD) in a regulatory context has increased globally, there are currently no ICH guidelines that focus on how to generate fit-for-purpose Real-World Evidence (RWE). Although many regions (Canada, China, EU, Japan and US) have published guidelines on the general principles of planning and designing such studies, mainly for the purpose of medicine safety assessment, the lack of harmonisation in this area can cause challenges for sponsors and regulators.


M14 describes general principles on the planning, design and analysis of pharmacoepidemiological studies that utilize Real-World Data for the safety assessment of medicines.


The guideline focuses on non-interventional pharmacoepidemiological studies using Real-World Data (RWD) and includes basic principles that may apply to these studies when real-world data elements are included. 


The purpose of this document is to recommend international standards for, and promote harmonization of, the general principles on planning, designing, and analyzing observational (non-interventional) pharmacoepidemiological studies that utilize fit-for-purpose data for safety assessment of medicines (drugs, vaccines, and other biological products). 


This document outlines recommendations and high-level best practices for the conduct of these studies, to streamline the development and regulatory assessment of study protocols and reports. These recommendations and practices also seek to improve the ability of the study protocol and/or results to be accepted across health authorities and to support decision-making in response to study results.


Public consultation dates: TFDA, Chinese Taipei - Deadline for comments by 30 September 2024.


Download the new M14 guideline version here: https://database.ich.org/sites...





UK: The DPDI Bill is Dead!

Because of the general election now called for 4 July, the Data Protection and Digital Information Bill ('DPDI'), already passed by the Commons, has fallen in the House of Lords: Rishi Sunak's announcement of the election meant the Bill could not complete its passage before Parliament was dissolved.

Among other things, the UK Government was seeking 24/7 powers to inspect the bank accounts of recipients of benefits and the state pension.


But this is not just down to good timing. If not-for-profit organisations like Open Rights Group ('ORG') and others had not fought hard against the many controversial proposals in this Bill, it would have been on the statute books long ago, and this would have been disastrous for data protection rights in the UK and beyond.


The European Parliament's Committee on Civil Liberties, Justice and Home Affairs (LIBE Committee) had written to the Chair of the European Affairs Committee of the House of Lords to warn that the Bill could jeopardise the UK's adequacy decision under the EU GDPR, and thus the exchange of personal data between the EU/EEA on one side and the UK on the other:


The key areas of concern noted by the LIBE Committee are:


  • Change to the definition of personal data
    The Committee notes that: “the Bill modifies the concept of “personal data” that is at the heart of the EU data protection regime”.


  • Threats to the independence of the Information Commissioner’s Office
    The letter notes that, “the Bill appears to further undermine, not merely the effectiveness, but beyond that the independence of the ICO”.


  • Data transfers
    The committee is “strongly concerned” that the Bill would lead to the “bypassing of EU rules on international transfers to countries or international organisations not deemed adequate under EU law”.


We will need to remain vigilant once a new UK government is in place in the autumn, as the DPDI Bill might come back to Parliament.


For any questions regarding the DPDI bill and data privacy in the UK in general, please write to our UK experts:

Andrei Catalina, Dave Edwards and Julianne Hull at contact@pharmarketing.net



Thailand: DPO and DPR are Mandatory for Life Sciences Organisations!

In a previous Newsletter, we announced Thailand's new Personal Data Protection Act ('PDPA'), passed in 2019 and in application since 1 June 2022.


In January 2022, Thailand officially appointed the Personal Data Protection Commission ('PDPC'), Thailand's Data Protection Authority. The PDPA is very similar to the EU/EEA/UK GDPR.


Today we will focus on when it is mandatory to appoint a Data Protection Officer ('DPO') and when it is mandatory to appoint a Data Protection Representative ('DPR'), and which articles of the PDPA relate to these obligations.


If you are a pharma company, whether a manufacturer of drugs, medical devices, diagnostics or any other healthcare product, or a service provider such as a CRO, a CDMO or a safety service company, you are most probably processing healthcare data from patients. If that is the case, and even if you only collect or process redacted patient data, such data are personal data, fall under the PDPA and are deemed 'sensitive personal data' (exactly as under the GDPR).


Hence it will be mandatory for your company and your sub-contractors to appoint a DPO and a DPR, as explained below:


  1. Data Protection Officer ('DPO'): a DPO is mandatory for an organisation recruiting patients in Thailand for medical research (articles 41.2 and 41.3, page 18 of the PDPA). We could not see any geographic constraint on the DPO, so the DPO can be based anywhere in the world. The DPO must be registered with the Thai Data Protection Authority, the PDPC, and a Data Controller (the sponsor of the study) and a Data Processor (a CRO, for example) can share the same DPO (article 41.3, page 18).



  2. Data Protection Representative ('DPR'): article 37.5 of the PDPA states that a DPR is mandatory if an organisation monitors people in Thailand (which is the case for medical research) or processes sensitive data (like healthcare data); medical research meets both criteria, so a DPR is mandatory. Article 38.2 indicates that the only situations in which a DPR is not mandatory are small volumes of data (but all authorities in Europe consider that all clinical trials, even phase 1 trials, process large volumes of personal data) or the processing of 'ordinary', that is non-sensitive, personal data. A data processor must also appoint a DPR (article 38, page 17). The DPR must of course be based in Thailand. We could not see anything in the PDPA about whether a controller and its subcontractor can share a DPR, so we assume it is possible, as for the DPO.


If you want to receive the PDPA law translated in English, or if you need more insights on Thailand's PDPA law and how it applies for life sciences organisations, contact Bertrand at b.p.lebourgeois ( at ) pharmarketing.net


Focus on HIPAA



HIPAA: Did you Know that Redacted Patient Data fall under HIPAA?


HIPAA is the Health Insurance Portability and Accountability Act of 1996; its privacy and security rules are codified at 45 CFR Parts 160 and 164. Enforcement of the Privacy Rule began on April 14, 2003, for most HIPAA-covered entities. https://www.hhs.gov/hipaa/index.html


There is a common belief in the US that if you redact all direct identifiers from a healthcare data set, it is no longer personal data and no longer falls under HIPAA.


This is what we believed until we re-read HIPAA carefully for one of our clients, a US CRO!


As you probably know, HIPAA's 'Safe Harbor' method treats a data set as de-identified (fully anonymised) if you remove the following 18 identifiers (45 C.F.R. § 164.514(b)(2)) and have no actual knowledge that the remaining information could be used, alone or in combination with other information, to identify the individual. The alternative route is a documented 'Expert Determination' that the risk of re-identification is very small (§ 164.514(b)(1)):


https://www.govinfo.gov/content/pkg/CFR-2020-title45-vol2/pdf/CFR-2020-title45-vol2-sec164-514.pdf


  1. Names
  2. All geographic subdivisions smaller than a State (street address, city, county, precinct, ZIP code), with a limited exception for the first three digits of a ZIP code
  3. All elements of dates (except year) directly related to an individual, and all ages over 89
  4. Phone numbers
  5. Fax numbers
  6. Email addresses
  7. Social security numbers
  8. Medical record numbers
  9. Health plan beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers and serial numbers, including license plate numbers
  13. Device identifiers and serial numbers
  14. Web Universal Resource Locators (URLs)
  15. IP addresses
  16. Biometric identifiers, including finger and voice prints
  17. Full-face photographic images and any comparable images
  18. Any other unique identifying number, characteristic, or code (except a re-identification code assigned by the covered entity, as permitted by § 164.514(c))


HIPAA (45 CFR § 160.103) defines individually identifiable health information as follows:

"Individually identifiable health information is information that is a subset of health information, including demographic information collected from an individual, and: (…) of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (i) That identifies the individual; or (ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual".


This last clause is similar to the definition in Article 4(1) of the GDPR:

"'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person."


In conclusion, life sciences organisations doing business in the US and receiving redacted patient data from hospitals or from healthcare professionals in community practice should pay attention to this, even if they are not Covered Entities or Business Associates in the sense of HIPAA. If they do business both in the US and in Europe, we strongly recommend that they treat redacted patient data as personal data and apply HIPAA and GDPR principles to it.
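The following Python sketch is an added example, not part of the newsletter and not a PharMarketing tool. It applies the Safe Harbor list above to a constructed sample record (the field names, the column-to-category mapping and the regular expressions are assumptions for the example), then reports whether a re-identification key such as a study subject code survives the redaction. That report is the practical form of the conclusion above: a data set that still carries a key is redacted (pseudonymised), not anonymised, and should be handled as personal data. The real rule has nuances this sketch ignores (the three-digit ZIP prefix exception, ages over 89, the Expert Determination route), and the free-text patterns are deliberately crude and will over-match.

```python
import re

# Assumed column names for the example; map your own schema onto the same
# Safe Harbor categories (45 CFR 164.514(b)(2)(i)).
DIRECT_IDENTIFIER_FIELDS = {      # items 1, 4-13, 16, 17: dropped outright
    "name", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_number", "license_number", "vehicle_id", "device_serial",
    "url", "ip", "biometric", "photo",
}
GEO_FIELDS = {"street", "city", "county", "zip"}             # item 2: dropped
DATE_FIELDS = {"dob", "admission_date", "discharge_date"}   # item 3: year only
# Item 18's carve-out: a code assigned for re-identification may stay, but its
# presence is exactly what keeps the data set linkable to the person.
REIDENTIFICATION_KEY_FIELDS = {"subject_code", "pseudonym"}

# Crude patterns for identifiers hiding in free text (items 4, 6, 14, 15).
# They over-match on purpose: anything they hit is replaced, not silently kept.
FREE_TEXT_PATTERNS = [
    ("email", re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")),
    ("url", re.compile(r"https?://\S+")),
    ("ip", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("phone", re.compile(r"\+?\d[\d\s().-]{7,}\d")),
]
YEAR_RE = re.compile(r"^\s*(\d{4})")

# Constructed sample record: no real person, reserved example domains only.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "dob": "1961-07-04",
    "admission_date": "2023-03-15",
    "zip": "02139",
    "phone": "+1 617 555 0100",
    "email": "jane@example.org",
    "mrn": "MRN-00042",
    "ip": "203.0.113.7",
    "notes": "Patient reachable at jane@example.org or 617-555-0100; "
             "see https://portal.example.org/p/42",
    "diagnosis": "E10",
    "subject_code": "SUBJ-0117",   # the sponsor's key for re-identification
}


def scrub_free_text(text):
    """Replace e-mail addresses, URLs, IP addresses and phone numbers in prose."""
    for label, pattern in FREE_TEXT_PATTERNS:
        text = pattern.sub(f"[{label} removed]", text)
    return text


def safe_harbor_redact(record):
    """Apply the 18-identifier list to one record.

    Returns (redacted_record, report).  The report lists what was removed and
    flags whether a re-identification key is still present, in which case the
    output is pseudonymised data and should be treated as personal data.
    """
    redacted, removed = {}, []
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS or field in GEO_FIELDS:
            removed.append(field)
        elif field in DATE_FIELDS:
            match = YEAR_RE.match(str(value))
            redacted[field] = match.group(1) if match else None
        elif isinstance(value, str):
            redacted[field] = scrub_free_text(value)
        else:
            redacted[field] = value
    keys = sorted(f for f in redacted if f in REIDENTIFICATION_KEY_FIELDS)
    report = {
        "removed_fields": sorted(removed),
        "reidentification_keys": keys,
        "treat_as_personal_data": bool(keys),
    }
    return redacted, report


if __name__ == "__main__":
    out, rep = safe_harbor_redact(SAMPLE_RECORD)
    print(out)
    print(rep)
```

The useful output for a CRO or central lab is the report, not the redacted row: it documents which categories were removed, and it makes the survival of the subject code explicit instead of letting the data set pass as "anonymous" in a later review.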


This is especially important for service providers like CROs or central labs that receive redacted patient data from hospitals, in order to demonstrate to their clients that they have belts and suspenders and are fully compliant in case of an inspection by an authority.


For more information on HIPAA, contact our experts at contact@pharmarketing.net: we work for over 50 organisations processing US patient data, so we have extensive experience with these matters!


Breaches of Health Data: Decisions of Authorities

European Data Protection Authorities published several decisions related to the processing of health data in the past months.


Such decisions shed light on the key measures to implement to stay compliant with privacy (and healthcare) laws and avoid a critical finding.


Thanks to GDPRhub (noyb) for all this valuable information!


BELGIUM:


Fact:

The APD, Belgium's DPA, found that the administrator of a software platform allowing people to book doctor's appointments was a processor, as it did not determine the purposes of the processing, and therefore did not have to respond to an access request. The purposes were determined by the healthcare institutions. Read more on GDPRhub.


Takeaway: the same reasoning applies to companies providing digital therapeutics (DTx) software, like video games that patients can use to monitor their health: where the healthcare institution determines the purposes of the processing, the software provider acts as a Processor, not a Controller. This has an impact on who should answer a Data Subject Access Request and who should notify the local Data Protection Authority in case of a data breach.


ITALY:


Fact:

The Italian Data Protection Authority, the Garante, imposed a fine of €271,000 on LAZIOcrea S.p.A., a Processor, for inadequate security measures that led to a two-day unavailability of multiple healthcare services in the Lazio Region. Read more on GDPRhub: Garante per la protezione dei dati personali (Italy) - 10002324 - GDPRhub


Takeaway: under the GDPR, a loss of availability of personal data is a personal data breach (Article 4(12) covers the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data), because people can no longer access their personal information; this applies to a bank account, the website of a car rental company, and especially to patient electronic health records or health insurance records. While we appreciate that a 100% service level is technically impossible, each organisation must put appropriate business continuity measures in place to avoid the unavailability of a public portal.


UNITED KINGDOM:


Fact:

The Information Commissioner's Office ('ICO'), UK's Data Protection Authority, imposed a €8,730 (£7,500) fine on the controller for violating UK GDPR security obligations by sending an email directed to HIV-positive individuals using CC instead of BCC, and noted that the use of BCC was a high-risk practice due to human error. Read more on GDPRhub...


Takeaway: implement a feature in your email server that delays the sending of emails by a few minutes: this allows employees to recall an email if they hit the 'send' button and then realise they made an error. This is a simple and efficient measure, and several of our clients are doing this. A send delay only helps if the sender notices the mistake in time, though; a mail-flow rule that holds messages with many visible recipients, or a bulk-mail tool that sends one message per recipient, removes the reliance on human vigilance.
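Beyond a send delay, a complementary control for the CC-instead-of-BCC failure is a mail-flow rule that counts the addresses exposed in To/Cc and holds the message when there are more than a threshold. The following Python check is an added example of that rule, not code from the newsletter or a PharMarketing tool; the sample messages, the threshold and the function names are constructed for the illustration.

```python
import email
from email.utils import getaddresses

# Assumed policy for the example: hold any outbound message that exposes more
# than this many addresses in To/Cc.  Tune the threshold to your own traffic.
MAX_VISIBLE_RECIPIENTS = 5

# Constructed sample messages; the addresses use reserved example domains.
LEAKY_MESSAGE = """\
From: clinic@example.org
To: a.patient@example.com, b.patient@example.com
Cc: c.patient@example.com, d.patient@example.com, e.patient@example.com, f.patient@example.com
Subject: Appointment reminder

Please attend your appointment.
"""

SAFE_MESSAGE = """\
From: clinic@example.org
To: clinic@example.org
Bcc: a.patient@example.com, b.patient@example.com, c.patient@example.com, d.patient@example.com, e.patient@example.com, f.patient@example.com
Subject: Appointment reminder

Please attend your appointment.
"""


def visible_recipients(raw_message):
    """Addresses every recipient will see: everything in To and Cc (Bcc is not shown)."""
    msg = email.message_from_string(raw_message)
    values = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses(values) if addr]


def check_outbound(raw_message, limit=MAX_VISIBLE_RECIPIENTS):
    """Mail-flow rule: 'hold' when too many recipients are visible, else 'send'."""
    visible = visible_recipients(raw_message)
    verdict = {"visible_count": len(visible), "visible": visible}
    if len(visible) > limit:
        verdict["action"] = "hold"
        verdict["reason"] = (f"{len(visible)} addresses visible in To/Cc "
                             f"(limit {limit}); use Bcc or a bulk-mail tool")
    else:
        verdict["action"] = "send"
    return verdict


if __name__ == "__main__":
    print(check_outbound(LEAKY_MESSAGE))
    print(check_outbound(SAFE_MESSAGE))
```

In a real deployment the same logic lives in the mail gateway's outbound policy rather than in a script, and a held message goes to a reviewer rather than being silently dropped, so that a legitimate group mailing is not lost.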


For any question on breaches of healthcare data, how to prevent them and what to do if one takes place, feel free to contact one of our expert healthcare consultants at contact(at)pharmarketing.net


France launches a revision of its local Methodologies of Reference (MR)

As we already explained in past Newsletters, France is the only country in EU/EEA/UK* to oblige organisations to demonstrate compliance with local French guidelines called 'Methodologies of References' ('MR'). This applies to sponsors and their sub-contractors, whether they are based in France or outside France.


There are 8 MRs for medical research, one for vigilance activities, one for healthcare data warehouses, one for compassionate use, one for access to the French Health Data Hub, and some others. This approach runs counter to the GDPR's accountability principle.


Organisations which don't comply with such MRs must request a specific authorisation from the French Data Protection Authority, the CNIL, before they launch their medical research or start collecting adverse events. This process for special authorisation takes several months.


The first MR was published in 2016; now, with new practices like remote monitoring of sites or home trial visits, these MRs need some updates: for example, home trial visits are not compliant with MR-001 at this time and need additional work. Hence the CNIL announced revision work back in November 2023.


This is why the CNIL launched a public consultation on May 16, which can be accessed here (French only): 

Participez à la concertation sur les référentiels santé et faites connaître vos priorités | CNIL


The deadline for submitting comments is 12 July 2024.


( * ) To be exhaustive, Ireland has also a similar MR, but it is for a very specific situation in clinical studies: when a patient is unconscious and is included in a clinical study: it describes how the consent of the patient should be obtained when he/she becomes conscious again.


For any question on French Methodologies of Reference and how to comply with them, contact our French Senior consultants Caroline at c.x.josse ( at ) pharmarketing.net or Karine at k.i.renault ( at ) pharmarketing.net. We have checklists in French and English which will make it easy for you to demonstrate your compliance with these MR.


EMA Public Consultation on Non-Interventional Studies using RWD

The European Medicines Agency (EMA) launched a public consultation on Non-Interventional Studies using RWD. The consultation will end on 31st August 2024.


Download the draft paper for comments: 

https://www.ema.europa.eu/en/documents/scientific-guideline/reflection-paper-use-real-world-data-non-interventional-studies-generate-real-world-evidence_en.pdf


For any question on Non-Interventional Studies using RWD, contact one of our Senior Consultants at contact(at)pharmarketing.net



EMA - Revised CTIS transparency rules will become applicable on 18 June 2024

For all clinical trial applications submitted on or after 18 June 2024:


  • it will no longer be possible to defer the publication of data and documents
  • data and documents will be published according to established timelines for the trial category, population age and trial phase
  • publication of documents will be focused on key documents of interest.


Read more here: Launch of revised CTIS transparency rules - European Union (europa.eu)



  1. We are a small pharma company with fewer than 250 employees, so we don't need to draft a Record of Processing Activities (ROPA):


NO: Article 30(5) of the GDPR says: "The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10."


So, as the processing is not occasional, it is mandatory to draft a ROPA. In addition, most life sciences organisations will also tick the two other criteria: 1) they will likely process patient data, which are 'special categories of data' (and, as we explained in a previous Newsletter, redacted patient data fall under the GDPR); 2) some of their personal data processing is likely to result in a risk to the rights and freedoms of data subjects, for example medical research, medical information requests or vigilance activities.


2. Ok, so we agree that we have to draft a ROPA, BUT do we have to put one line for each different personal data processing, for example for each direct marketing campaign and for each clinical study?


Of course NO! The Data Protection Authorities in Europe are flexible: if all your direct marketing campaigns work the same way in terms of the risks to people's private lives, then you can have ONLY ONE GENERIC line in the ROPA for your direct marketing campaigns.

Same applies for your clinical studies.


A question on these items? Contact Bertrand at b.p.lebourgeois ( at ) pharmarketing.net

 

