Privacy Compliance Training - GZ Obrycki
Privacy Overview - ver. Mar. 2010
MODULE D: Privacy Overview
Basic Principles of Privacy by Gail Obrycki, MSMT, ASCP, CIPP
Objectives
• provide you with an overview of the basic principles of data privacy
• explain how US and global privacy legislation and law enforcement actions impact business
• Impact on Clinical Research
• provide an overview of “Security”
• provide you with information about Regulators’ inspection activity
• provide an overview of Data Transfer requirements, e.g. Safe Harbor
• provide resource information
What do we mean by Privacy
• has different meanings to different people based on culture and region
• core to an individual’s identity, autonomy and freedom
• generally involves control over one’s personal information: collection, use, storage, disclosure, access for amending and/or deleting personal information held
Why are companies focusing on “Privacy”:
• Comply with Laws
• Concerned with ever increasing data threats (identity theft, phishing, botnet attacks), and enforcement activities (e.g. monetary fines, civil penalties)
• Build trust and be transparent with its customers, clients and employees (Company Image/Competitive Advantage)
Identity Theft Has Become a Major Concern
• Number one complaint to US FTC
• $50+ billion in global annual losses
• 50+% conducted by employees and contractors
• Part-time and temporary workers three times more likely to commit
• Medical Identity theft on the rise
  • results in erroneous entries being put into existing medical records, and can involve the creation of fictitious medical records in the victim’s name
  • is a crime that can cause great harm to its victims
  • leaves a trail of falsified information in medical records that can plague victims’ medical and financial lives for years
  • most difficult to fix after the fact
  Source: http://www.worldprivacyforum.org/medicalidentitytheft.html
Sources: (Javelin/BBB 1/06; Gartner 7/03; Experian-Gallup 8/05; FDIC 2/06; FTC 1/06; SMU 8/04)
Common Vulnerabilities
Key Vulnerabilities and Risk
• Third-party vendor data handling and transfers
• Lost laptops, portable media and back-up tapes
• Over collecting or unlawfully using SSNs
• Improper access or broad access controls
• Paper handling and dumpster diving
• Unauthorized software or use of peer-to-peer networks (iPods and file sharing)
• Phishing, web/email vulnerabilities (if SSNs)
• Mobile and home-based workforce
• Call centers and in-branch social engineering
• Use of such information in authentication processes with customers (online, phone, fax)
Hot Privacy Topics
Issues
• E-Medical records
• Personal Health Records
• Pharmacogenomics (use of genetic markers to develop personalized drugs)
• Social Networking, e.g. Facebook
• Behavioral targeting
• Portable device security
Social Origins of Privacy
• Rooted in the oldest texts and cultures known to man: the concept of privacy is noted in the Qur’an, the Bible, the laws of classical Greece, Jewish law and the ancient culture of China
• In the context of Human rights, evolved after WWII:
  • 1948 as part of the Universal Declaration of Human Rights
  • 1950 in the European Convention for the Protection of Human Rights and Fundamental Freedom
  • 1970 in the German state of Hesse, the first known modern data protection law
• 2 models: Comprehensive law (e.g. EU Data Protection Directive) vs Sectoral law (e.g. HIPAA)
Privacy Concepts
• Notice: the clear and conspicuous disclosure to individuals indicating what personal information is collected, and how it is used and shared.
• Choice/Consent: giving individuals the opportunity to determine what information can be collected, how it is used, and with whom it is shared (e.g. opt-out to receive marketing materials).
• Access: making the personal information about individuals available to them to review, modify, or delete.
• Minimization: collecting only the information needed for the intended purpose.
• Disclosure to third parties/Onward Transfer: the information that is disclosed is what has been described in the notice, wherever the information goes.
• Data Quality or Integrity: the information is accurate, complete and relevant to the purposes for which it was collected.
• Security: taking reasonable steps to protect personal information from unauthorized access, use, or sharing. The level of protection must be commensurate with the type of personal information being processed.
• Dispute Resolution: a process individuals can follow to inquire into and resolve their concerns about how their information has been processed.
• Enforcement: having a mechanism for assuring compliance with the principles, recourse for individuals to whom the data relate affected by non-compliance, and consequences when the principles are not followed.
Note: These principles are common to most Privacy laws, Privacy rights built into countries’ constitutions, and the US Dept. of Commerce Safe Harbor.
Privacy Definitions
• Personal Information (PI): may also be known as Personal Data or Personally Identifiable Information; means any information or set of information that identifies or that can be used to identify, locate or contact an individual.
  • Under discussion: Personal Information that has been encoded, or anonymized
  • Protected Health Information (PHI) under HIPAA is a subset of PI
• Processing: any operation or set of operations that is performed upon Personal Information, whether or not by automatic means, including, but not limited to, collection, recording, organization, storage, access, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, making available, alignment, combination, blocking, deleting, erasure, or destruction.
What are we protecting?
• Personal information (PI) is data that can identify an individual, such as: Name, Initials; Address; SSN; Phone number; E-mail address; Photographs, fingerprints
• Data tied to any of the above; also includes consumer and employee e-mail, internal reports, expressions of interest on particular topics, IT logs of originating IP addresses, other Internet transmission data, particular web pages viewed (Behavioral advertising)
• Sensitive information
  • Health data: disease history, biometric identifiers such as retinal scans, DNA?
  • Financial data: PIN codes, account numbers
  • As defined by the EU Data Protection Directive: race, ethnicity, sex/orientation, religious belief, political opinion, trade union membership, physical/mental health or conditions, criminal record
Privacy Rights
Whenever an organization:
• Collects Personal Information about an individual
• Uses (including secondary use) and discloses Personal Information
• Processes it (Maintains, stores, transfers)
Regulator Expectations:
• Provide notice of uses and disclosures
• Provide choice to opt in or opt out
• Provide access to stored data for correction
• Use reasonable security measures to protect the information, commensurate with the type of Personal Information being processed.
Global Laws Increasing
EEA, Argentina, Armenia, Australia, Austria, Bahrain, Belgium, Botswana, Brazil, Bulgaria, Cameroon, Canada, Canada - Northwest Territories and Nunavut, Chile, Cote d'Ivoire, Croatia, Cyprus, Czech Republic, Denmark, Dubai, Egypt, Ethiopia, Finland, France, Germany, Ghana, Greece, Hong Kong, Hungary, Iceland, Ireland, Israel, Italy, Japan, Jordan, Kazakhstan, Kenya, Kuwait, Lebanon, Lithuania, Mauritius, Mexico, Morocco, Netherlands, New Zealand, Nigeria, Norway, Peru, Poland, Portugal, Qatar, Romania, Russia, Saudi Arabia, Singapore, South Africa, South Korea, Spain, Sweden, Switzerland, Taiwan, Tanzania, Thailand, Tunisia, Turkey, Uganda, Ukraine, United Arab Emirates, United Kingdom, United States, Uzbekistan, Zambia
Privacy Laws that Impact Business
US Sectoral Laws
• HIPAA - Health Insurance Portability and Accountability Act
• HITECH - Health Information Technology for Economic and Clinical Health Act
• FCRA - Fair Credit Reporting Act: impacts employment re credit checks
• COPPA - Children’s Online Privacy Protection Act: impacts marketing to children
• CAN-SPAM - Controlling the Assault of Non-Solicited Pornography and Marketing Act
• TSR - Telemarketing Sales Rule; DNC - Do Not Call; DNF - Do Not Fax
• GLBA - Gramm-Leach-Bliley: impacts Financial information
• FTC Act (unfair and deceptive practices)
• GINA - Genetic Information Nondiscrimination Act
Ex-US
• Countries with Comprehensive Privacy laws (e.g. EEA, Japan, Argentina, Canada, Australia). Some are only recognized as having ”adequate” protections by the EU: Canada and Argentina yes, Australia and Japan no
• Countries with sectoral laws, or privacy as part of their constitution: privacy as part of Medical practice, laws around “communications”, e.g. US HIPAA, Taiwan Computer-Processed Personal Data Protection Law, and Taiwan Medical Care Act; privacy as part of country constitutions (Colombia, Paraguay, Venezuela, Ecuador, Uruguay)
• EU Data Protection Directive; Safe Harbor as it relates to the EU Directive
Health Insurance Portability and Accountability Act (aka HIPAA)
• US law that requires health care organizations or covered entities, and providers, to meet certain privacy and security standards with respect to protected health information (PHI).
• HIPAA sets the floor for privacy protections of PHI. HIPAA requirements are the common national standards to which covered entities must adhere for the protection of patients’ privacy.
• There may be state laws that provide additional, stronger privacy protections with which a covered entity would need to comply.
• Where the covered entity is located will dictate the privacy requirements for that entity.
• Other companies that may not be considered a covered entity may still be indirectly affected by privacy regulations if covered entities supply the data, e.g. a company’s sponsored Healthcare plan.
Privacy Rule and Security Rule
Privacy Rule
• Regulation went into effect on April 14, 2003.
• Requires patients be provided with: notice, access to their medical records, control over how their health information is used and disclosed, avenues for recourse if their medical privacy is compromised, e.g. Hospital Privacy Office
• Covered entities must have in place various processes to support and administer those rights, e.g. written procedures, training, Privacy office/officer
Security Rule
• Covered entities must have in place policies and procedures to comply with standards for safeguards to protect the confidentiality, integrity and availability of electronic protected health information.
Health Information Technology for Economic and Clinical Health Act (aka HITECH)
• Most significant change for Covered Entities for privacy and security since HIPAA’s enactment (under ARRA - American Recovery and Reinvestment Act)
• Subjects Business Associates of Covered Entities to federal regulation for the first time, requiring compliance with the privacy and data security requirements of HIPAA
• Fundamentally different enforcement environment under the new Administration
• New guidance and significant regulatory activity required
• Under the watchful eye of US Dept. of HHS-OCR: will be notified of breaches
Impact on Business Associates
What is a Business Associate?
A service provider or vendor, such as a technology company, that has access through its clients to individually identifiable health information covered by HIPAA (“PHI”)
Business Associates participate in, perform for, or assist CEs (health care providers, health insurers or health care clearinghouses) with certain functions or activities
Activities can include claims processing or administration, data analysis, utilization review, quality assurance, billing, benefit management, practice management
HITECH Breach Notification Requirements
• First federal data breach notification requirement
  • Approx. 45 individual states have their own Breach Notification law
• Very broad definition of breach: unauthorized acquisition, access, use or disclosure of PHI which compromises the security or privacy of such PHI
• Very broad notice requirement
• Fundamental change to healthcare industry
• Covered entities (CEs) must notify individuals
• Business Associates must notify CEs
• Very specific in terms of content of notice, method of notice and timing of notice
The Role of State Law
• HITECH Act and HIPAA preempt conflicting state laws, but leave intact state laws with more stringent requirements on the handling of health information
• Most States have a Breach Notification law with specific notification requirements, some of which include medical information, such as:
  • California: Effective January 1, 2009, AB 211 and SB 541:
    • require providers of health care to establish and implement appropriate administrative, technical and physical safeguards to protect privacy of a patient’s medical information
    • establish new oversight mechanisms and penalties to enforce privacy standards
    • SB 541 contains breach notification requirements
• Note: New Jersey has a Breach notification law re SSN, PIN, credit cards, driver’s lic. # but it does not include medical information; HIPAA still applies
• Companies must meet a new common denominator of minimum standards by monitoring and complying with the patchwork of laws in every state in which they operate
FTC Breach Notification
• Effective September 2009, breach notification requirements apply to vendors (e.g. Google) of personal health records (PHRs)
• A PHR is defined as “an electronic record of individually identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or for the individual.”
Example of where this might apply in clinical research
• Use of e-PRO (eDiaries): the patient enters information on signs and symptoms, quality of life, etc. into an e-diary during the course of a trial. The data is under the control of / entered by the subject. Diaries may be supplied by, and the data processed by, a vendor who then provides the data back to the Sponsor, who then provides the data back to the trial site. The data becomes part of the subject’s medical record.
• The vendor may provide help desk support for the trial subjects.
Expanded HIPAA Enforcement
• New tiered civil penalty structure
  • Penalties will be based upon “intent” behind the violation
  • Fines of up to $1.5 million are possible
• Explicit authority for state AGs to enforce HIPAA rules
  • The extent to which AGs will need to follow the enforcement rule is not yet clear
  • May result in different or inconsistent interpretations of HIPAA
• Mandatory audits by HHS
Enforcement
• Congress provided civil and criminal penalties for covered entities that misuse PHI.
• OCR may impose monetary penalties up to $100 per violation, up to $25,000 per year, for each requirement or prohibition violated. Criminal penalties apply for certain actions such as knowingly obtaining PHI in violation of the law.
• Criminal penalties can range up to $50,000 and one year in prison for certain offenses; up to $100,000 and up to five years in prison if the offenses are committed under “false pretenses”; and up to $250,000 and up to 10 years in prison if the offenses are committed with the intent to sell, transfer or use the PHI for commercial advantage, personal gain or malicious harm.
• Office of Civil Rights can investigate; civil monetary penalties imposed by OCR
• Dept. of Justice can prosecute; criminal penalties imposed by DOJ
• Local State AGs can investigate and prosecute as well
Link to OCR enforcement activity: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/index.html
Noted FTC Enforcement Cases
• Petco Case (2005): failure to encrypt data, which was thus accessible to persons other than the consumer
• Gateway Learning Case (2004): change in privacy policy with failure to notify and receive consumer consent
• Microsoft Case (2002): security misrepresentation and lack of data minimization
• DSW Case (2006): unauthorized access to PI and failure to employ reasonable and appropriate security measures
• ChoicePoint Case (2006): disclosure of sensitive information; violated Fair Credit Reporting Act; failed to have reasonable procedures to screen subscribers; $10 M in penalties plus additional $5 M for consumer redress
• Eli Lilly Settles FTC Charges Concerning Security Breach: unauthorized and unintentional disclosure of sensitive personal information collected from consumers through its Web sites; Lilly to implement an information security program to protect consumers' privacy; Fines and 20 year FTC Order
Privacy in Clinical Research
• Global Privacy laws and regulations apply: Site Personnel and subject Personal Information; Enforcement by Health Regulators and local DPAs
• ICH/GCP/CFR requirements for notice and consent, patient confidentiality
• IRB/EC responsible for protecting subjects’ rights
• In US, HIPAA authorization required in addition to subject informed consent
• HIPAA has a section on Clinical Research and has potential impacts
Impact of HIPAA on Clinical Research
• Vendors working on behalf of a sponsor may contact investigators to confirm or clarify reported information.
• Laboratories send test results back to the covered entity.
• Recruitment vendors identify patients potentially meeting study eligibility criteria who are interested in participating in the study and provide this information to investigators. These activities may involve the disclosure of PHI for purposes of determining the number of, or identifying, patients meeting study eligibility criteria.
• Electronic data capture vendors may allow investigators to access previous information entries.
• Communications to potential subjects
Impact: Communications to potential trial subjects funded by Pharma Companies
• Written communications made on or after February 2010 about a product or service that encourage recipients to purchase that product or service will be classified as “marketing” if a covered entity receives direct or indirect remuneration (payment) for making the communication. Exception: communications that describe a drug or biologic that is currently being prescribed for the recipient of the communication, where any payment received by the covered entity is reasonable in amount.
• Concern has been expressed that this could prohibit a pharmaceutical company from paying a healthcare provider or health plan to send communications to patients encouraging enrollment in a clinical trial. Can a communication about a clinical trial be construed as encouraging the purchase or use of a product or service? What if the communication highlights the potential benefits of participation?
Impact: Minimum Necessary
Previously
• CEs required to limit use and disclosure of PHI to the “minimum necessary” to accomplish the intended purpose. Does not apply to disclosures for treatment. Does not apply to uses or disclosures pursuant to an authorization.
• “Minimum necessary” not defined.
HITECH Act
• No later than August 2010, HHS must issue guidance on what constitutes “minimum necessary.”
• Until guidance is issued, CEs must “to the extent practicable” limit disclosures to a limited data set. A limited data set requires removal of direct identifiers such as name, contact info, SSN, account numbers, etc.
• A CE disclosing PHI must determine what constitutes the “minimum necessary” to accomplish the intended purpose of the disclosure.
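The limited data set step above, as an added example that is not part of the original training material: a Python filter that removes the direct identifiers the slide names (name, contact info, SSN, account numbers) from a subject record before it leaves the covered entity, keeps the dates and city/state/ZIP a limited data set may retain, scrubs identifiers that leak into free-text visit notes, and reports what was removed so the disclosure can be documented. The record layout, field names and sample values are constructed for illustration and are assumptions, not any real system's schema.

```python
"""Limited data set filter (added example; record layout is constructed)."""
import json
import re

# Keys treated as direct identifiers in the constructed record layout.
# Matching is on the lower-cased key, at any nesting depth.
DIRECT_IDENTIFIER_KEYS = {
    "name", "first_name", "last_name", "initials",
    "street", "address_line1", "address_line2", "phone", "fax", "email",
    "ssn", "mrn", "account_number", "health_plan_id", "device_serial",
    "ip_address", "url", "photo",
}

# Identifier shapes that tend to leak into free text (clinic notes, comments).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
PHONE_RE = re.compile(r"(?<!\d)\(?\d{3}\)?[-.\s]\d{3}[-.\s]\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")


def scrub_text(text):
    """Replace identifier-shaped substrings in free text with a marker."""
    text = SSN_RE.sub("[SSN REMOVED]", text)
    text = PHONE_RE.sub("[PHONE REMOVED]", text)
    text = EMAIL_RE.sub("[EMAIL REMOVED]", text)
    return text


def limited_data_set(record):
    """Return (filtered_copy, removed_paths).

    Dicts and lists are walked recursively; keys in DIRECT_IDENTIFIER_KEYS
    are dropped, surviving strings are scrubbed, and every dropped key path
    is recorded so the CE can document what the disclosure excluded.
    Dates, city, state and ZIP are deliberately left in place.
    """
    removed = []

    def walk(node, path):
        if isinstance(node, dict):
            out = {}
            for key, value in node.items():
                if key.lower() in DIRECT_IDENTIFIER_KEYS:
                    removed.append(".".join(path + [key]))
                    continue
                out[key] = walk(value, path + [key])
            return out
        if isinstance(node, list):
            return [walk(item, path + ["[]"]) for item in node]
        if isinstance(node, str):
            return scrub_text(node)
        return node  # numbers, booleans, None pass through unchanged

    return walk(record, []), removed


def residual_identifiers(record):
    """Audit step before transmission: paths whose strings still look like
    an SSN, phone number or e-mail address. Expected to be empty after
    limited_data_set() has run."""
    hits = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                walk(value, path + [key])
        elif isinstance(node, list):
            for item in node:
                walk(item, path + ["[]"])
        elif isinstance(node, str):
            if SSN_RE.search(node) or PHONE_RE.search(node) or EMAIL_RE.search(node):
                hits.append(".".join(path))

    walk(record, [])
    return hits


# Constructed sample subject record (not real data).
SAMPLE_RECORD = {
    "subject_id": "S-0042",          # study pseudonym, retained
    "name": "Jane Q. Public",
    "dob": "1961-04-12",             # dates may remain in a limited data set
    "address": {"street": "12 Elm St", "city": "Trenton", "state": "NJ", "zip": "08608"},
    "ssn": "123-45-6789",
    "phone": "(609) 555-0123",
    "visits": [
        {"date": "2010-02-03", "notes": "Pt called from 609-555-0123; SSN on file 123-45-6789."},
        {"date": "2010-03-01", "notes": "Reports mild headache; no AE."},
    ],
    "adverse_events": [{"date": "2010-03-02", "term": "Headache", "serious": False}],
}

if __name__ == "__main__":
    filtered, removed = limited_data_set(SAMPLE_RECORD)
    print(json.dumps(filtered, indent=2))
    print("removed:", removed)
    print("residual identifiers:", residual_identifiers(filtered))
```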
Impact: Source Document Verification and Adverse Event Reporting
• Concern that new rules around the “minimum necessary” standard, in combination with increased enforcement penalties, could affect the ability to source document verify subjects’ records and adverse event reporting.
• Could possibly lead some healthcare providers and health plans to be less willing to provide all the information relevant to the trial or to an adverse event.
Impact: Psychotherapy Notes
Previously
• A CE was required to obtain an authorization for any use or disclosure of psychotherapy notes, other than for treatment.
• An authorization for use or disclosure of psychotherapy notes could not be combined with any other authorization.
• “Psychotherapy notes” defined as notes recorded by a mental health professional documenting or analyzing the contents of conversation during a counseling session.
HITECH Act
• HHS is required to study the definition of “psychotherapy notes” with regard to including in such definition “test data that is related to direct responses, scores, items, forms, protocols, manuals, or other materials that are part of a mental health evaluation” and to revise the definition based on this study.
• Broadening of the “psychotherapy notes” definition could impact disclosure of such information as part of a limited data set, pursuant to an IRB waiver, as preparatory to research, or for public health activities (e.g., reporting adverse events).
Best Privacy Practices for Trial Sites
• Have a designated privacy officer/privacy office to manage incidents and report to agency or IRB as required
• Have an understanding of local privacy laws’ impact on what they do
• If using a vendor, have appropriate contractual protections and ensure the vendor understands breach reporting requirements
• Have an understanding of local IRB requirements regarding PHI breaches to Sponsor, and policy around review of the site’s medical records for potential trial subjects
• Have documented processes re the Informed consent process (and HIPAA authorization), access to medical records, secure transmission of subject information to Sponsor, de-identification process, and secure storage and destruction of subjects’ files
• Have training records for site personnel re local privacy requirements and the site’s policies and procedures
• Have security safeguards in place with regard to subjects’ study files and medical records
• Have an escalation process in place for Breaches and for handling Regulatory Inspection activities
EU Commission - EU Data Protection Directive
• 5 institutions involved: Council, Commission, Parliament, Court of Justice and Court of Auditors
• EU Directive 95/46/EC: multiple Articles within the Directive reference DP; Article 29 most important for privacy
• Commission (Internal Market Directorate) most important for DP: ”Working Party” (DPA)
• Directive focuses on protection of individuals with regard to the processing of personal data and on the free movement of such data
• Directive outlines minimum privacy requirements and requirements for cross-border transfers to countries without recognized privacy practices, e.g. US, Australia
• Enforcement by Data Protection Agencies in each Country
EU Data Protection Directive
• Sets the floor for privacy; local countries may have stricter interpretation
• Principles of Notice, Choice, Legitimate purpose, Access/Rectification, Data Quality, Confidentiality/Security
• Specific rules for Sensitive data: legitimate purpose, explicit consent, contract requirements, security controls, e.g. encryption
• Enforcement mechanism: Data Protection Authorities
• Data Transfer Mechanisms: model contracts, BCRs, Safe Harbor
• Local Privacy requirements for Data processing: consents, Notifications to DPA, works councils, inter-company agreements
International Enforcement trends
General trends
• Convergence of medicines regulatory/DPA enforcement and regional collaboration among authorities
• Increasing awareness of industry practices among regulators
• Proliferation of National & Regional Data Privacy Laws: over 70 countries worldwide & growing
• Greater Enforcement by Regulators: more DPA activity generally
• Health-sector specific audits: Denmark, Sweden
Risks increasing for Pharmaceutical companies conducting clinical research
• medical health data; vulnerable data subjects; data transfers and disclosures; use of multiple vendors and consultants
• Sanctions include monetary fines, criminal liability, imprisonment, invalidation of study data, halting of data flows
Medicines Regulators Inspection Activity
• Post 2004: focus on privacy aspects of clinical trials in light of Directive 2001/20
• Review of consent documentation, transfer of patient data, security measures, etc.
• Inspection activity reported in: France, UK, Denmark, Netherlands
• Expect similar trends in non-EU jurisdictions based on ICH GCP
DPA Inspections
• Most common triggers: National notifications; Individual complaints; Targeted sector reviews; DPA to DPA referrals
• Pharma-specific investigations in CR, Poland, Portugal and Spain
• DPA inspections on the rise
• Dawn raids reported in Italy, France
Pharma-specific developments
• Outsourcing to vendors of trial activities
• Pharmacogenomics to create designer drugs
• The struggle to define “personal data” relating to bio-samples, and concerns with genetic data
• Medicines regulators/ECs focusing on privacy: appropriateness of consent, secondary uses, breaches
Data Transfers
• Mechanisms to transfer Personal Information out of a country: Safe Harbor (EEA region and Switzerland); Binding Corporate Rules; Model Contracts; Consent
• Many companies are going the Safe Harbor route, or a combination of the above depending on the type of data
Safe Harbor
Background
• October 1998: EU Data Protection Directive goes into effect, prohibiting the transfer of personal data to non-EU countries that do not provide “adequate” privacy protection
• US and the EU committed to bridging the privacy gap and maintaining high levels of privacy protection, thus enabling trans-border data flows
• FTC Act permitted both sides to maintain their positions: US companies made voluntary commitments; the EU was satisfied that those commitments were legally binding
The Safe Harbor Framework Includes:
• 7 Privacy Principles: Notice, Choice, Onward Transfer, Access, Data Integrity, Security, Enforcement
• 15 FAQs
• EU’s “adequacy” determination
• Series of letters between the European Commission, Department of Commerce, Federal Trade Commission, and Department of Transportation
Why is this Important
• Allows for the transfer of data out of the EU or Switzerland to the US for processing; HOWEVER local privacy requirements must still be met, such as providing notice and choice
• Allows companies to contract with vendors to process data on their behalf
Sample list of Pharmaceutical companies with Safe Harbor certifications
• Amersham Health
• Baxter International
• Eli Lilly & Co
• Ethicon Endo Surgery
• LifeScan
• Merck & Co.
• Pharmacia Corporation
• Pfizer
• Procter & Gamble
• Wyeth Pharmaceuticals
• Novartis
Basic Security Requirements
• Administrative controls (e.g. privacy oversight, written policies, training)
• Physical controls (e.g. secure access to records)
• Logical/Technical controls (e.g. disaster recovery, password protections, encryption, access/authentication controls)
Privacy and Security Tips at Home
• If asked for personal data, find out how it will be used and how it will be protected.
• If you shop online, do not provide personal data to a website until you have checked for indicators that the site is secure, like a padlock icon on the browser’s status bar or a website URL that begins with “https”.
• Read the privacy policies of the Web sites you visit to discover how your data is used and with whom it will be shared.
• Beware of “phishing.” If you receive an email from an address that you do not recognize, do not open it. It may be an email from what appears to be a legitimate company asking for your personal data. Never reply to, or click on links or pop-ups in, email that asks for personal data unless you are sure it is the business that is supposed to receive it. Do some checking first before you provide your personal data.
• Protect passwords. Never share them. Change them often. Ensure they have at least 8 characters and include numbers and symbols. Do not use common words.
Privacy and Security Tips at Home (continued)
• Know what personal data you have in your home files and on your computer.
• Lock it away. Secure your laptop at home and in your car. Secure your important personal paper records at home in a locked desk drawer when you are away from home. Secure mail and your portable storage devices. Secure your laptop in the trunk, not the back seat, of your car.
• Be mindful of your cash withdrawal machine transactions and where the machines are located.
• Use a credit card from a reputable company. The credit card company monitors activities and will notify you if something appears wrong. They will also cover certain expenses in the event of a theft. A bank debit card may not do this.
• Encrypt electronic files and folders containing personal data.
Resource Information Links
• In the US, contact the Federal Trade Commission at 1-877-382-4357 or visit ftc.gov to file a complaint or get additional information on consumer issues
• Consumer information on children’s privacy, identity theft, and privacy and security is available on the FTC’s Web site at:
  http://www.ftc.gov/bcp/menus/consumer/data/child.shtm
  http://www.ftc.gov/bcp/menus/consumer/data/idt.shtm
  http://www.ftc.gov/bcp/menus/consumer/data/privacy.shtm
• HIPAA Privacy Rule: http://privacyruleandresearch.nih.gov/
• Data Privacy Day: http://dataprivacyday2010.org/
• IAPP - International Association of Privacy Professionals: https://www.privacyassociation.org/
• AICPA.org
• HHS: http://www.hhs.gov/ocr/privacy/