Legislative and Regulatory Update
Diane Bowers, CASRO President
CASRO Data Collection Conference
November 19, 2009

2009
- Pharma market research state and Federal
  - Massachusetts
  - Vermont
  - Minnesota
  - Proposed Federal Sunshine Act incorporated into Health Care reform bills
- HITECH Act (revision of privacy and security requirements under HIPAA)
  - HHS Rule (effective 9/23/09; enforced 2/22/10)
    - Applies to HIPAA-covered entities and their Business Associates
  - FTC Rule (effective 9/17/09; enforced 2/16/10)
    - Applies to those vendors of Personal Health Records and third parties that are not covered by HIPAA

HHS Rule 2009
- Expands requirements re disclosure and reporting of security breaches of protected health information
- Applicable to both covered entities and Business Associates
- Recommendation: Business Associate agreements must be modified (CASRO 3P)
FTC Rule
- Establishes requirements re disclosure and reporting of security breaches of personal health records (PHR) by nonprofit organizations and their third parties that collect, sell, or use PHR
- Recommendation: Non-profit PHR vendors and third parties must establish policies/procedures to ensure compliance

FTC Sears Settlement 2009
- Inadequate disclosure of software program that tracked and collected information on consumers' online browsing and transactions
Digital Fingerprinting Technology
- DF deploys an algorithm that analyzes a large number of technical characteristics and settings to generate a unique identifier that can identify a specific computer (a Machine ID or Device ID)
- Has emerged as an effective solution to address duplication and fraud, and to improve quality control
- Algorithm components not PII (exception may be IP address in Europe)
- Canada working to ensure that research use of DF does not violate Canadian privacy law

Digital Fingerprinting CASRO Position and Guideline
- DF is an effective quality control that maintains the integrity of web-based research.
- Like any other computing technology, DF must be employed responsibly and transparently, consistent with personal and data privacy laws and in accordance with ethical and professional standards.
- The use of DF pursuant to standards and guidelines that appropriately protect respondent privacy rights is an ethical practice
- Such use of DF is consistent with US privacy and data protection laws
- Gather more data, research, etc. to determine whether the use of DF complies with the privacy regulations in other jurisdictions

Digital Fingerprinting
Establish practices that protect respondents, practitioners, clients, and the industry
- Conspicuously address in privacy policy (also consider notification at survey start or other points where Machine ID is generated)
- Include privacy framework requirements in research agreements, MSAs, subcontractor agreements, etc.
- Store only essential information for only as long as necessary
- Privacy training for staff, including how data can be used, shared and who can access.
- Revise Code of Standards as appropriate

2010 Legislative/Regulatory Issues
- Health Care and pharma
- Computing technologies
- Data and personal privacy
- Mobile communications
- US Safe Harbor re EU data protection

Challenges Maintaining Self-Regulation
- Questions about research quality
  - Declining response rates; Online and panel research
- Research use of new technology
  - Internet, mobile communications, networking
- Differences in national and international privacy laws
- Differences in research practices and protocols
  - Across research sectors: academic, government, businesses
  - Across national boundaries: US, EU, rest of globe
- More demand for proof of professionalism and quality

Maintaining Self-Regulation Solutions
- Establishment of quality measures and credentials
  - Online panel research guidelines and metrics
  - ISO process standard for market, opinion, and social research (20252) certification
  - ISO process standard for access panels (26362) certification
- Enforcement of mandatory Codes
- Assurance of US Safe Harbor compliance with EU data and personal privacy directive
- Focus on research integrity
  - Review, reassess research principles
  - Differentiation from marketing, sales, advertising
- More collaboration among research associations and research sectors