
OTHER MEDICAL RECORDS PRIVACY ISSUES:
· EU Privacy
· Privacy Litigation
· State Laws

June 10, 2001
The Second Annual Pharmaceutical Industry Regulatory & Compliance Summit
Arlington, Virginia

Kerry A. Kearney, 412.288.3046, [email protected]
Gary L. Kaplan, 412.288.4268, [email protected]
Reed Smith LLP
435 Sixth Avenue
Pittsburgh, PA 15219

PGHLIB-0767808.04-KAKEARNE September 12, 2001 3:40 PM

TABLE OF CONTENTS (page)

European Union Privacy
  I. The EU Privacy Directive ... 1
  II. The EU Safe Harbor for U.S. Companies Who Import Personal Data from EEC ... 3
  III. EU Standard Clauses ... 5
  IV. Application of EU Privacy Directive to U.S. Drug Companies ... 6
States' Privacy Enforcement Activities Against Pharmaceutical Company Promotions
  I. State Enforcement Action Related to Patient Confidentiality ... 8
Privacy Lawsuits
  I. Suits Relating to Medical Privacy ... 10
  II. Court Actions Based On Alleged Violations Of Online Privacy ... 12
Privacy State Laws and Preemption ... 15
Appendix A: U.S. Safe Harbor for European Union Privacy: Department of Commerce Website
  Welcome to the Safe Harbor ... A-1
  Safe Harbor Workbook ... A-2
  Checklist for Joining ... A-16
  Safe Harbor List (companies who have joined) ... A-17
  Information Required for Safe Harbor Certification ... A-19
  Certifying an Organization's Adherence to the Safe Harbor Form ... A-21
  Safe Harbor Overview ... A-24
  Safe Harbor Documents ... A-28
  July 21, 2000 Cover Letter from Acting Under Secretary Robert S. LaRussa to U.S. Organizations ... A-30
  Safe Harbor Privacy Principles ... A-32
  Frequently Asked Questions (FAQs) ... A-35
  July 17, 2000 Letter from U.S. Department of Commerce to Commission Services transmitting the Safe Harbor Privacy Principles and FAQs, etc. ... A-57
Appendix B: Draft European Union Standard Clauses for Inclusion in Agreements Between EEC Data Exporters and Non-EEC Data Importers
  Introduction ... B-1
  Clauses ... B-5
  Annex ... B-7
  Annex to Contract ... B-15

European Union Privacy

I. The EU Privacy Directive

A. Why do U.S. pharmaceutical companies care about EU privacy?
Pharmaceutical companies that import data from overseas must be aware of the privacy requirements of the country that exports the data. Although many countries have now adopted privacy regulations governing the handling and export of personal data (e.g. Canada and Australia), the EEC rules are the most complex and onerous. They apply to pharmaceutical companies' collection of information from employees who work overseas, as well as to personal data from adverse event reports, clinical trials and websites.

B. The European Community Directive on Data Protection ("EU Privacy Directive", Directive 95/46/EC) was adopted by the fifteen member countries of the European economic community ("EEC") on October 24, 1995. Member states were required to bring it into force by October 25, 1998.

C. The EU Privacy Directive establishes principles for privacy protection and for the free flow of personal data within the fifteen-country EEC.

D. The Directive prohibits transfers of personally identifiable information to non-EEC countries unless an "adequate" level of privacy protection is ensured. The Directive has been read to reach personal data about individuals in the EU collected over the Internet by companies regardless of where those companies are located, and so may apply to e-commerce companies and website operators in the United States. The Directive defines personal data and the processing of personal data as follows:
1. Personal data is any information relating to an identified or identifiable natural person (the "data subject"). An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity. Note that indirect identification counts: a clinical trial subject number or adverse event case number that the company can link back to a patient still makes the record personal data.
2. Processing of personal data is any operation or set of operations performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction. Merely storing or looking at data is therefore "processing".

E. The EU Privacy Directive provides that:
1. Personal data must be processed fairly and lawfully.
2. Personal data must be accurate and, where necessary, kept up to date.
3. Data may be collected only for specified, explicit and legitimate purposes and may not be further processed in a way incompatible with those purposes.
4. Personal data must be kept in a form that permits identification of the data subject for no longer than is necessary for the purposes for which the data was collected.
5. The data subject's unambiguous consent to the collection and processing of personal data is the primary ground on which processing is permitted.
6. Absent consent, personal data may be processed only on another ground recognized by the Directive (Article 7), such as performance of a contract with the data subject, compliance with a legal obligation, protection of the data subject's vital interests, or the controller's legitimate interests where these are not overridden by the data subject's fundamental rights.
7. Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, and data concerning health or sex life, are "special categories" of data whose processing is prohibited (Article 8) except under narrow exceptions, notably the data subject's explicit consent and processing for medical purposes by a health professional bound by professional secrecy. Clinical trial and adverse event data are health data and fall within this category.
8. The data subject has the right to object, on request and free of charge, to processing of personal data for direct marketing.
9. The controller of the data (the party that determines the purposes and means of the processing) must provide to the data subject: (a) the identity of the controller; (b) the purposes of the processing; (c) the recipients or categories of recipients of the data; (d) the existence of the right of access to and the right to rectify the data; and (e) on an access request, the data undergoing processing and any available information as to its source.

F. Chapter IV of the EU Privacy Directive (Article 25) permits the transfer of personal data to third countries only if the third country ensures an adequate level of protection:
"[T]he member states shall provide that the transfer to a third country of personal data which are undergoing processing or intended for processing after transfer may take place, only if, without prejudice to compliance with the national provisions adopted pursuant to the other provisions of this directive, the third country in question ensures an adequate level of protection. The adequacy of the level of protection afforded by a third country shall be assessed in the light of all the circumstances surrounding a data transfer operation or set of data transfer operations; particular consideration shall be given to the nature of the data, the purpose and duration of the proposed processing operation or operations, the country of origin and country of final destination, the rules of law, both general and sectoral, in force in the third country in question and the professional rules and security measures which are complied with in that country." (emphasis added)

II. The EU Safe Harbor for U.S. Companies Who Import Personal Data from EEC
(See information about the Safe Harbor attached as Appendix A.)

A. July 26, 2000: the European Commission approved the U.S. Department of Commerce "safe harbor" as providing adequate protection for personal data transferred from the EU to the U.S.
1. Under the "safe harbor," U.S. companies can voluntarily adhere to a set of data protection principles recognized by the EU Commission as providing "adequate protection".
2. Participation in the "safe harbor" is optional, but its rules are binding on those U.S. companies that decide to join.
3. Compliance with the "safe harbor" rules is backed by the enforcement powers of the Federal Trade Commission, which can treat a company's failure to honor its published privacy commitments as a deceptive practice. The EU Commission's adequacy finding on the "safe harbor" principles is binding on all fifteen member states.
4. The seven "safe harbor" principles are:
1. Notice: Notice must be provided to the subject of the personal data before the organization may use the personal data for a purpose different from the reason for which it was collected and before it is released to a third party. An organization must inform individuals:
· About the purposes for which it collects and uses information about them.
· How to contact the organization with any inquiries or complaints.
· The types of third parties to which it discloses the information.
· The choices and means the organization offers individuals for limiting its use and disclosure.
2. Choice: Individuals must be provided with clear and conspicuous, readily available, and affordable mechanisms to exercise choice. An organization must offer individuals the opportunity to choose (opt out) whether:
· Their personal information is to be disclosed to a third party.
· Their personal information is to be used for a purpose that is incompatible with a purpose for which it was originally collected.
· If the personal data is sensitive information (information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or the sex life of the individual), the subject of the information must be given an affirmative or explicit (opt in) choice before the information is disclosed to a third party or used for a purpose other than that for which it was originally collected.
3. Onward Transfer: To disclose information to a third party, an organization must apply the Notice and Choice principles and must ascertain that the third party subscribes to the safe harbor principles, is subject to the EU Privacy Directive or another adequacy finding, or enters into a written agreement requiring it to provide at least the same level of privacy protection as the principles require.
4. Security: Organizations must take reasonable precautions to protect personal data from loss, misuse and unauthorized access, disclosure, alteration and destruction.
5. Data Integrity: Personal information must be relevant for the purposes for which it is to be used, and an organization should take reasonable steps to ensure that the data is reliable for its intended use, accurate, complete and current.
6. Access: Individuals must have access to their personal data and be able to correct, amend, or delete that information where it is inaccurate, except where the burden or expense of providing access would be disproportionate to the risks to the individual's privacy or where the rights of persons other than the individual would be violated.
7. Enforcement: Effective privacy protection must include:
· Readily available and affordable independent recourse mechanisms by which each individual's complaints and disputes are investigated and resolved.
· Follow-up procedures for verifying that the organization's statements about its privacy practices are true and that those practices have been implemented as presented.
· Sanctions that are sufficiently rigorous to ensure compliance.
5. Data transfers to U.S. companies that choose to remain outside of the "safe harbor" are possible under other allowed exceptions (e.g.