On World Patient Safety Day, Torrey Cope in Washington, D.C., Chen Yang in Beijing, and Olivier Goarnisson in Geneva consider one big pharmacovigilance question raised by the increasingly patient-centric way in which life science companies are doing business today: How to treat the data collected by the apps provided with drugs and devices.
Patient-centric initiatives are on the rise, including apps associated with the use of drugs and devices. Some of the most significant regulatory and legal questions around these initiatives relate to the necessity and feasibility of evaluating patient safety via such apps. The law has not quite caught up with our increasingly digitised world, and lapses in pharmacovigilance could occur in the resulting gap.
Should companies who provide apps with their drugs and devices monitor the patient data collected by the app for signs of any adverse reactions to the product? Do data protection laws even allow companies to access such information? Does maintaining good pharmacovigilance practices mean companies have an obligation to monitor for adverse reactions and report them?
The answers are unclear at the moment because this is a new situation and no explicit regulations or guidance have yet been issued. In Europe, which has traditionally led the way on global pharmacovigilance, neither the European Commission nor the European Medicines Agency have issued any specific guidance on this issue. In the U.S., FDA has taken steps to clarify general regulatory obligations with respect to apps, but has not issued guidance regarding the specific pharmacovigilance considerations at issue here.
In May, China introduced new regulatory guidance on Good Vigilance Practice which brings the country into line with the U.S. and Europe. And in July a new personal information protection law is also coming into effect. But with more apps and wearables coming onto the market in China, the emerging regulatory system has still not addressed all the questions around the privacy and security issues on patient data collected through those apps.
Indeed, globally there is still a lack of clear rules. This means that pharma and medtech companies must largely forge their own paths in this area. A good initial step is to adopt general policies and principles that recognise the need for pharmacovigilance questions to be addressed “early and often” during app development and deployment, bearing in mind the general purposes of pharmacovigilance. These should take into account the specific types of safety-related data that might be collected, given the company’s own unique mix of products and the digital app solutions likely to be of interest.
Overall, pharma and medtech companies should address the question of how to reconcile their pharmacovigilance and privacy-related obligations, including by determining the extent to which any data will be collected, accessed, and/or de-identified, and the extent of the safety-related monitoring, review and reporting that is warranted.
When doing so, the most important factor is to limit the collection of personal data to the data that is strictly necessary to achieve the objectives of pharmacovigilance. Therefore if you can satisfy your pharmacovigilance requirements by recording only the patients age, then you should avoid recording any other patient identifiers to avoid breaching the data minimization requirements under data protection law.
This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.