Privacy: Protecting Personal Information

Introduction ... 3

Key Points to Ensure Compliance ... 5

The Legal Landscape ... 7

Health Insurance Portability and Accountability Act of 1996 (HIPAA) ... 7

Pfizer is Not a Covered Entity under HIPAA ... 7

Pfizer Is Not a Business Associate under HIPAA ... 8

HIPAA Still Relevant for Pfizer ... 8

State Medical Information Privacy Laws ... 9

Federal and State Information Security Laws... 9

Federal and State Breach Notification Laws ... 9

Laws Protecting the Personal Information of Children ... 10

Requirements for Transparency, Notice and Consent ... 10

Pfizer’s Policies Relating to Privacy and Personal Information ... 11

Notice and Consent ... 11

Aggregated or De-Identified Data ... 12

Avoiding Exposure to Protected Health Information ... 12

Vendor Obligations ... 13

Activities That May Result in the Use and Disclosure of Protected Health Information ... 13

Marketing Initiatives and Other Communications ... 13

Pfizer-Sponsored Third Party Communications ... 13

Digital Marketing Initiatives ... 14

Pfizer’s Patient Programs ... 15

Working with HCPs ... 15

Mentorships and Preceptorships ... 17

Consumer Health Fairs or Screenings ... 18

Patient Information and Clinical Trials ... 19

Other Privacy Issues ... 20

Healthcare Professional Prescriber Data ... 20

Handling Healthcare Professionals’ and Other Customers’ Personal Information ... 21

Pfizer Policy on Your Responsibility for Safeguarding Personal Information ... 21

FOR MORE INFORMATION ... 22

Chapter 11: PRIVACY: PROTECTING PERSONAL INFORMATION

Introduction

Privacy is often described as the universal desire of an individual to keep his/her personal information confidential and by extension, to determine for himself/herself when, how, and to what extent his/her personal information is communicated to others.

Personal information or PI includes any information that alone or in combination with other data can be used to identify a person such as name, address, phone number, or e-mail address. Sensitive Personal Information is a subset of Personal Information and includes information relating to a person’s physical or mental health (e.g., a person’s medical history, physical or mental condition, diagnosis or treatment, including Protected Health Information of a Covered Entity), geolocation data, financial information, and national identifiers such as social security numbers.

There are many U.S. federal and state laws applicable to Pfizer’s use of Personal Information and Sensitive Personal Information. Moreover, other countries impose even more stringent limitations on the use, access, or transfer of Personal Information. The European Union is widely regarded as having among the most stringent privacy protections for individuals in the world. Other countries with comprehensive, rigorous privacy regimes include Argentina, Australia, Canada, Colombia, Israel, Japan, Mexico, Peru, South Korea and Uruguay.

Although this Chapter is focused largely on certain U.S. privacy topics, it is important to consider whether any sales and marketing activities conducted in the U.S. can have privacy implications for complying with the laws of other countries. Consult your team attorney or the Global Privacy Office (GPO) if a proposed activity presents potential privacy implications for individuals outside of the U.S. or involves the transmission of PI collected outside the U.S. to the U.S.

Regardless of the circumstances under which Personal Information is disclosed, when an individual chooses to share such information with a person they trust, they generally expect that person to hold that information in confidence and to keep it secure. Pfizer respects this expectation and is committed to appropriately protecting all Personal Information in its care in compliance with applicable privacy laws and regulations and Pfizer’s corporate policies and procedures. Pfizer’s policy is to safeguard all Personal Information it receives and maintains, regardless of the form, format, location, or use. For additional information, see Corporate Policy #404: Protecting the Privacy of Personal Information.

Rev. 01/15

This Chapter highlights certain key Pfizer policies regarding the protection of Personal Information. Non-compliance with these policies puts the Company at risk and can subject Pfizer colleagues to disciplinary action up to and including termination.

Key Points to Ensure Compliance

• Do not sign a document that is called a “Business Associate Agreement” or otherwise relates to “Business Associate” status without receiving explicit written approval to do so by your team attorney or the Global Privacy Office (GPO).

• Pfizer’s Corporate Policy 404: Protecting the Privacy of Personal Information, requires all Pfizer colleagues and contractors to protect Personal Information collected by or on behalf of Pfizer. Before your team collects Personal Information (directly or via any third party service providers), your team attorney must be consulted and approve the collection and use of the data.

• Access to Personal Information should be minimized and access to Sensitive Personal Information should be limited to individuals who “need to know” the information.

• Sensitive Personal Information should only be received where it is necessary for an authorized business purpose. If Pfizer or its business partner or service provider will be receiving Sensitive Personal Information, consult with your team attorney. Pfizer colleagues and contractors must ensure that such information may be received in compliance with applicable law and, if applicable, that a proper patient authorization has been obtained by the entity that is disclosing the information.

• If Pfizer, a business partner, or service provider receives Sensitive Personal Information or more extensive Personal Information than intended, expected or necessary for the business purpose, immediately notify your team attorney.

• All Pfizer-sponsored third-party communications to patients, healthcare professionals (HCPs) and other customers must be approved by the appropriate Pfizer Review Committee (RC), which will consider issues of privacy and consent as part of its review process.

• When using Personal Information to identify and communicate with current and potential Pfizer customers (HCPs or consumers) it is important to work with Enterprise Multi-Channel Marketing (eMCM) to ensure compliance with applicable legal requirements and Pfizer policies and procedures.

• When setting up a mentorship or preceptorship, Pfizer colleagues must ensure that physicians serving as mentors or preceptors know they are required to obtain their patients’ written authorization before Pfizer colleagues may be allowed to observe any consultation, examination, and/or treatment of any patient.

• Avoid situations likely to lead to the inadvertent disclosure of Personal Information, such as being present at or near private conversations between HCPs and patients.

• Pfizer colleagues should not engage health fair attendees in specific discussions regarding a patient’s health. These discussions should occur between the patient and appropriate HCP.

• Always disclose that you are a Pfizer employee or representative when interacting with patients, such as at a consumer health fair or during a mentorship or preceptorship. Wear your Pfizer name tag at all times.

• Safeguard the confidentiality of prescriber data as you would any other Personal Information. As a general rule, it should be used only for internal business purposes and not in dealings with Pfizer’s customers such as the HCPs themselves.

• Do not share an HCP’s prescriber data with anyone outside of Pfizer other than properly on-boarded vendors, with appropriate contracts in place, who may be assisting with your initiative. Check with your team attorney before sharing HCP prescriber data with anyone outside of Pfizer.

• Any suspected breach of security of Personal Information or Sensitive Personal Information should be immediately reported. Lost or stolen computers or other devices containing Pfizer data should be reported to the user’s local Service Desk / Help Desk. Any other incidents of potential unauthorized access to Pfizer data should be reported to the Global Security Operations Center at 212-733-7900 or [email protected].