How coronavirus has impacted privacy in clinical trials and might (or might not) narrow the increasingly polarizing divergence in the U.S. between viewing privacy as a consumer right versus a human right
Biogen, a biotechnology company known for discovering and manufacturing treatments for neurodegenerative diseases and ranking 235 in the Fortune 500 with revenue of $14.4 billion, has made deliberate moves in recent weeks to help combat the spread of COVID-19 and aid in the search for potential treatments and vaccines after experiencing firsthand the realities of how quickly the disease can spread within their own organization. In addition to donating $10 million through its Biogen Foundation to “help expand testing options, ease the strain on medical systems, provide training for frontline health workers, and support access to necessities like food,” Biogen has helped build a COVID-19 biobank, a new consortium in partnership with The Broad Institute of MIT and Harvard and Partners HealthCare. The biobank, comprised of blood samples and other medical and biological data, will help researchers better understand the biology and behavior of the coronavirus. While Biogen does not typically do research in this area of infectious disease, it has offered support of research into the use of interferons (core to some of their products) for treatment of the disease. The organization’s contribution in recent weeks to prevent, treat, and support research efforts on the coronavirus is certainly reflected in the company’s post-outbreak policies, public posture, and reinforced commitment to maintaining privacy-by-design throughout.
Managing privacy around the world for Biogen is Chief Privacy Officer Susan Wise. One of the biggest impacts the current COVID crisis has created involves the execution of clinical trials. When asked how the coronavirus most immediately impacted clinical trials that Biogen is executing, Wise was quick to answer, “Having to do things remotely.” The company has set taskforces to address each area impacted.
For example, in most clinical trials, patients and clinicians are interacting in-person in a secure and controlled environment. Now, with stay-at-home orders in place, there is a drive to do more communication virtually through technology to help ensure the safety of all involved. “There has been a tendency by regulators, not for leniency, but for accommodations for these interactions, in many cases allowing them to happen over Facetime or WhatsApp, in a sort of ‘Safe Harbor’ waiver of the HIPAA requirements for some of these platforms.” Thus, the privacy team must make sure they know the parameters in which data is being collected in these telehealth conversations. “Sometimes, you don’t want those interactions being recorded,” says Wise, “and it is the privacy team’s responsibility to make people understand what the appropriate [overarching] guidelines are,” which are then tailored by the requirements of local regulators. Wise conveyed that the need to keep attuned to guidance across the involved regulatory bodies (both in terms of data privacy, national health agencies, and governing regulators like FDA and EMA) is very important.
From an operational perspective, delivering medicine to patients’ homes may not be as simple as it seems. Third parties are engaged by Biogen to facilitate the delivery of medicine globally to patient homes, and in some cases, Biogen engages home healthcare providers who send nurses to help administer the medicine. “When you are delivering medicine [to a patient’s house], you need to have appropriate contracts in place with vendors and suppliers and to ensure we have the patient’s consent to share [their] data.” Biogen needs to be transparent about the data is shared and how it will be used. “This is often just point-to-point between hospital and patient [a process that Biogen is not directly involved in executing, but that Biogen has responsibility for ensuring is done compliantly],” says Wise, since patients are no longer being given medicine on site. “Under the auspices of the trial,” Wise continues, “we are also interested in making sure there are appropriate controls in place. Depending on the aspect of the trial, who has the responsibility to oversee those controls can vary and is driven by whether the vendor [or third party] is viewed as a controller or processor.”
Any change to the normal execution of a clinical trial is logged as a “protocol deviation” – this gives visibility to things that have been handled differently, in this case, because of COVID-19. “If a patient withdraws from trial for COVID, it is logged, and, just like other information or ailments, it is protected personal data,” says Wise. Like all companies, Biogen is monitoring the impact of COVID on trials closely and taking proactive steps to minimize it.
These subtle adjustments in privacy posture reflect the importance of nimble and highly educated privacy professionals within an organization. “COVID has created a whole new set of initiatives to help support this pivot for the business,” says Wise, with commercial engagement, employee safety, and going back to work being other big areas of focus in addition to clinical trials impact. However, she does not see these projects as overburdensome in terms of human capital effort. Rather, Wise sees these projects and COVID-related privacy policy and program changes as part of a new normal that the entire privacy team must integrate with the business. “The COVID initiatives may potentially change the way we do business overall, so those projects are likely morphing into existing projects instead of creating a whole new incremental set of projects” going forward, says Wise. She added, “Given the scarcity of resources in privacy, and the urgency to address these new considerations, we’re not seeking incremental headcount to support this initiative.”
Increasing the availability of talent for the privacy profession at large may be an indirect, positive, and unintended effect of the coronavirus outbreak. Wise believes there’s the potential for privacy as a human right to garner greater social interest and attention as the debate between public health and individual rights intensifies, especially in the United States. “There are so many instances in which privacy is highlighted by this crisis: the impact it has on employees, the business, and understanding both how the pandemic is progressing and the intersection of privacy, safety, and health information,” adds Wise. In the United States, “COVID has given a more specific contextual visibility into what data privacy is about than GDPR did. It touches people more directly,” says Wise, adding that regardless of the current state of affairs, “There is certainly a need for more privacy professionals.”
The key to inspiring the next generation of privacy professionals to enter the space fully could be directly connected to shifts in U.S. culture that may (or may not) occur as privacy rights continue to draw attention from COVID combative solutions. The impact COVID has on people involved in clinical trials is meaningful, but other broader efforts to deflect the coronavirus spread, namely contact tracing applications, could bring privacy into a new public spotlight. As a person’s individual COVID status becomes a potential area for inquisition from societal stakeholders beyond a physician, participation in sharing that information will become a point of contention with individual rights activists. As healthcare organizations and mainstream technology companies collaborate on this effort, a much more protected and sensitive source of data, an individual’s medical data, becomes at risk for exposure of exploitation. In this case, unlike the Cambridge Analytica scandal or the Equifax breach where identity theft or unlawful, targeted advertising was the infringement and where the recovery for consumer victims whose data was exposed was relatively mild, the societal impacts for an individual whose healthcare data is revealed publicly could cause irreparable personal, financial, or reputational damage.
Wise observes that in the United States, “Our laws are oriented on consumer protection – that aspect – and less on privacy as a fundamental human right.” Wise points out that even the most comprehensive U.S. privacy law, the CCPA, still stands for the California Consumer Privacy Act and is more broadly oriented. While Wise would “love to see the U.S. achieve adequacy with the EU” and adopt a similar approach to privacy as the GDPR, she is “not optimistic we are at a line of sight to achieve that.” In terms of global consistency to data privacy, Wise is even less optimistic, adding that for global harmonization, “We are actually pretty far off, in part because of the divergence in the GDPR model, which gives you breadth in terms of legal bases for processing data, and others [like the APAC, LATAM] that are very consent-based. In the EU, consent is almost a last resort approach.” These sovereign differences in foundational privacy approach ripple and reflect the cultures of the countries they represent.
Wise asserts that the AdTech industry is where real change may first be needed to perpetuate cultural changes that ultimately affect the laws used to govern privacy domestically. But what happens when AdTech companies collaborate with healthcare companies or hospitals to share data and use technology to contact trace COVID-19? “U.S. laws are sectoral,” says Wise, pointing to the importance of HIPAA and how, when it comes to healthcare data, the U.S. does have strong privacy regulation but one that should extend to a broader application than covered entities. “Respecting and protecting healthcare data is important. Once you uncover that information, you can’t recover from that. It is known – you can’t unknow that. How you protect it and ensure it’s not misused is so important, and it is interesting that some of the same players that have been accused of misusing data are now focused on this [contact tracing],” says Wise.
According to Wise, as of early May, some initiatives in Europe have not been as successful in garnering regulatory buy-in for their contact tracing applications. “I’ve seen cases where countries in the EU have come forward with apps that, when they do the data protection impact analysis, the way those were designed failed.” In the U.S., companies like Apple and Google are developing tech that is “privacy-preserving contact tracing” using Bluetooth technology and other security encryption techniques. This will require sharing data related to COVID positive/negative status. This will require participation from people, all of which will require attention to privacy rights. “The risk of the impact of this health data being misused could really change the way people think about personal data and how it’s used,” observes Wise. But Wise sees that there needs to be “trust, not distrust and skepticism” around these companies working to solve this problem and handle this data. “The design they put into randomization and ensuring people can never fully know whose data is whose is really interesting. We will see if they can convince people that is the case and [they] can protect it,” she adds.
A shift in the cultural conception of privacy from consumer to human rights in the U.S., which was already well underway in Europe, could be sped up by the myriad privacy considerations raised as a result of COVID-19 issues related to remote clinical trials, telemedicine, and now, contact tracing. Will this awareness elevate the desirability of developing a career in privacy? Join us for future installments of COVID with Privacy Pros to continue exploring the impacts COVID has on privacy law, the privacy community, and privacy as a profession.
