Life Science Compliance Update

« Previous article | Home| Next article »

February 26, 2014

Be Careful What You “Like”: Healthcare Industry Should Consider Privacy, Adverse Events, and Promotional Issues in Social Media Interactions

Social media offers the healthcare industry an opportunity to engage with patients, care givers, and physicians on health care topics in real-time. While Jennifer Chillas, Senior Counsel at Bristol-Myers Squibb, believes social media is an attractive frontier, she offered many thought-provoking considerations regarding company comment sections and real-time interactions via Facebook and Twitter at the recent Pharmaceutical Compliance Congress. In her presentation "Compliant Social Interactions and Engagements," Chillas spoke specifically about patient privacy, adverse event reporting, and promotional issues related to user-generated content (UGC).

Chillas began her presentation with survey statistics about online consumer behavior related to healthcare. In 2012, 72 percent more people reported that they looked online for health information over the previous year. One-third of the respondents used the online information to figure out what health condition they had, 53 percent talked to their physician about the information, and 41 percent stated that they had their online condition confirmed by a clinician.

These statistics show the internet is a powerful tool for the healthcare industry.

The survey also revealed that 77 percent of the online health seekers began their search at a search engine; 13 percent stated that they started at a medical information website, such as WebMD. Chillas noted that this research only reveals where searchers start. It is likely that many users follow up their initial research with social media sites, including Facebook, Twitter, and interactive comment sections on third party webpages.

Chillas believes social media offers pharmaceutical companies the important opportunity to engage with patients, caregivers, and healthcare professionals on topics for which the company has unique and valuable insights. If pharma does not engage, she argues, consumers could get confused about where information is coming from on various websites. Consumers may believe a pharmaceutical company sponsors a particular Facebook page for a disease or product when that is not the case.

Companies have been wary to engage in social media promotion so far—to much risk, too little guidance. Now that the Food and Drug Administration (FDA) has issued some direction, companies may be tempted to move too quickly into a still uncertain environment. Chillas offered three specific considerations for the social media realm.

(1)    Patient Privacy:

Social media offers companies the unique opportunity to monitor what is being said about a company or brand. Companies are familiar with examining a controlled environment when they sift through market data.But controls do not exist when companies track social media.

Anyone who has spent time sifting through the comments section of a website knows that attempting to quantify such qualitative data would be challenging, but potentially profitable. Chillas calls this "social listening," and believes it provides useful company insights.

Social listening, however, raises privacy concerns. Chillas believes that companies should first take a careful look at their privacy policy on social media interactions. Specifically, companies need to follow their policy requirements, and update their policy when their practice changes.

This seems obvious, but the Federal Trade Commission (FTC) has been active in measuring companies' conduct up to their privacy policies. The FTC has settled with Google, MySpace, and Epic over discrepancies between what a company states in its privacy policy and how it acts. The issue that has made the most news involves companies that turn over "cookies" to advertisers, who then put on specific ads to address what people search for. "History sniffing" is still legal, and we all know it still happens, but companies now disclose it in their privacy policy.

To make privacy matters more complicated, Chillas notes that the European Union has a different privacy regime than the FTC. The FTC generally enforces under Unfair and Deceptive Trade Practices; the EU has their own set of laws. The EU prohibits identifiable data transfer outside of the EU into the United States. This makes it challenging for a company that operates globally and collects personal information in some of its locations. There is a US-EU safe harbor that allows companies to transfer information if they have certified that they are compliant (available here).

State consumer protection and privacy laws pose additional requirements. For example, California requires companies to post privacy policies on their websites. California recently sued Delta Airlines over a mobile app that allowed users to figure out the location of their flight. Delta did not have a privacy policy, and had to comply with California law within 30 days of the action. In light of state privacy laws, companies need to disclose in their policies whether their web activities will follow a user online despite the fact that a user's browser tells them not to track.

Finally, company-wide conversations about online privacy should include physician-patient privacy under the Federal Health Insurance Portability and Accountability Act (HIPAA). HIPAA covers the use and disclosure of patient health information by healthcare providers. Conversation between pharmaceutical companies and patients is normally not covered by HIPAA. But, Chillas asks, how should a company prevent the healthcare provider, who is chatting on a company controlled social media site, from disclosing a patient's information and getting in trouble because the physician information is public?

Chillas listed out practical implications with regards to privacy in the social media context.

  1. Is the source of listening data public or private? If companies are pooling data from private sites, where users have to log in and subscribe, companies must disclose that they will turn over information if that is the company practice.
  2. Where does the listening occur and is there data transfer across countries? Companies need to certify their data with the EU if they do not hold their social listening to specific geographic areas.
  3. Vendor selection, contracting, training: Chillas believes this is an important issue. Most pharmaceutical companies will use third-party vendors to do their social-listening research; however, vendors—the ones who actually use consumer data—are often not up-to-date on privacy considerations. Thus, the onus is often on the company to appreciate the legal framework and choose their vendors accordingly.
  4. Third party sites versus Pharma-controlled sites: Companies need to consider whose privacy policy controls when internet users invariably move from one site to the next. Chillas recommends that companies think now about whether they will work with third parties whose privacy policies are inconsistent, and how to make it work.
  5. Pharma-controlled websites: How is data collected? How is it used? Who is disclosing the information?

Chillas recommends that companies work through the issues in advance. Above all, companies should have a privacy policy that properly addresses how the company will use the information they gather from social listening.

(2)    Adverse Event Reporting

The FDA approves drugs with the understanding that adverse reactions may become apparent only after a drug is used more widely, under more diverse conditions (such as combined with other drugs), or prescribed for uses for which the drug was not approved ("off-label" uses).

Pharmaceutical companies must report information pertinent to the safety and effectiveness of the drug from any source within 15 days of the initial discovery of any unexpected side effects or injuries associated with the drug, not provided for on the label. The FDA requires companies to report if they have (1) an identifiable patient, (2) an identifiable reporter, (3) an adverse event, and (4) a specific product.

Within the social media context, discussion of potential adverse effects can be very informal, such as "it didn't work for me." But even that statement could indicate a lack of efficacy, worthy of reporting. Chillas realizes there is a need to train social-monitoring vendors to search for these statements, but understands that finding a reportable adverse event is anything but cut-and-dry.

Some companies take the position that social media posts rarely satisfy the FDA's four adverse event reporting requirements (specific medication, adverse experience, identifiable patient, and identifiable reporter). Social media posts arguably will often fail to provide the first two required data elements of a reportable event due to the anonymity of membership to most social media sites. Without a patient's real name and other identifying facts, the poster might no be "an identifiable person reporting the event."

Chillas is hesitant to agree with pharmaceutical companies who have taken this position. "There is a view out there that if you don't have a patient's first and last name and a reporter's first and last name that that is not reportable," Chillas says. She believes the issue, then, is whether companies "should at least turn this info into the Pharmacovigilance department and let them decide, because some follow-up might take place." She notes that this can also raise privacy concerns if the venue does not allow for private messaging. Chillas suggests  companies should consider a "prepared response to encourage that person talking online to call in the adverse events."

Vendor and employee training is going to be a large aspect in the social listening sphere because of the informality of what they are going to be seeing. Adverse event reporting necessitates that companies spend money and invest personnel into monitoring user-generated content, especially on pharma controlled site. That seems to be the new reality if companies want to take advantage of real time communication.

Finally, Chillas notes that social media users who discuss arguably adverse events are doing so on an open site. The FDA can see it. Thus, "underreporting issues can be easily challenged by regulatory authorities on public sites."

(3)    Promotional Issues

Chillas notes that disease awareness and help-seeking materials are not regulated by the FDA as product promotion. Many websites educate people on disease issues. But, of course, there are numerous FDA regulations for product promotion: substantial evidence, consistency with labeling, fair and balanced promotion, fair prescribing information, etc. Attempting to satisfy the FDA with social media space constraints is a tough task.

The FDA Draft Guidance on Interactive Media Promotional states: "A firm generally is not responsible for UGC that is truly independent of the firm (i.e., is not produced by, or on behalf of, or prompted by the firm in any particular). FDA will not ordinarily view UGC on firm owned or firm controlled venues such as blogs, message boards, and chat rooms as promotional content on behalf of the firm as long as the user has no affiliation with the firm and the firm had no influence on the UGC."

Chillas wonders if this allowance actually frees companies up as much as some industry-stakeholders believe.

Chillas thinks that at the very least, the FDA Draft guidance obliges company's to monitor their employees' social media interactions. In complying with the FDA, companies also have to worry about state employee laws: when drafting policies about employee postings, the company cannot legally prevent an employee from ever talking about the company. However, the company has to balance being overly proscriptive with educating employees about proper social media conduct. 

To illustrate, imagine the likely scenario where an employee "likes" a company webpage, or even "likes" a user-generated comment. If an employee endorses an off-label use even through social media "thumbs-up" approval, this could raise tough issues for a company. Companies have to make sure that employee interactions do not constitute overstatements of product efficacy and minimization of risks.

Chillas believes that the FDA Draft Guidance on Unsolicited Requests provides a glimpse at how "loose" the new standard is:

"Example 8: A firm asks or otherwise encourages users to post videos about their own uses of its product on third party video-sharing sites (e.g., YouTube), which may result in video postings about an off-label use of its product. If the firm's initial request for posting of videos results in any questions about off-label uses, or if any off-label video posting made in response to the firm's encouragement of video postings results in questions about the product's off label use, these questions would be considered solicited requests."

This guidance raises the issue of prompting. More specifically, Chillas notes that there is a very fine line between an express invitations to post versus technology that permits posting. Chillas posits that "even if user-generated content is not the company's responsibility," the company is responsibility for what it does or doesn't do next.

Can a company simply just step away when users pose questions about off-label topics or post potential adverse events? Likely not. Furthermore, if the comment section on a company site is moderated, the company has to be careful about any intervention in the comment section. If the website moderator takes away all the negative comments, and leaves the positives, that is not exactly demonstrative of "UGC that is truly independent from the firm," as the FDA guidance requires.

Chillas notes that it might be best for companies to have prepared answers to address potential problem areas.

The FDA is not the only one who will be interested in social media information. The Department of Justice, State Attorney Generals, Consumer Protection agencies, and, of course, patient attorneys and products liability attorneys.

"The internet is not always a friendly place," Chillas warns.

Hopefully the FDA brings additional guidance so that companies can at least know the regulatory framework and deal with the customers in turn.

« Previous article | Home| Next article »


TrackBack URL for this entry:

Listed below are links to weblogs that reference Be Careful What You “Like”: Healthcare Industry Should Consider Privacy, Adverse Events, and Promotional Issues in Social Media Interactions:


Feed You can follow this conversation by subscribing to the comment feed for this post.

The comments to this entry are closed.


Preview | Powered by FeedBlitz


April 2018
Sun Mon Tue Wed Thu Fri Sat
1 2 3 4 5 6 7
8 9 10 11 12 13 14
15 16 17 18 19 20 21
22 23 24 25 26 27 28
29 30