Tag Archives: hcp

Processing of personal and health data through apps and online platforms aimed at connecting HCPs and patients: the new digest of the Italian DPA

Legal news, , , , , , , , , , , , , , , , , , , , , ,

On March 2024, the Italian Data Protection Authority (“Italian DPA”) has issued a new digest (“Digest”) relating to the processing of personal data, whether or not concerning health data pursuant to section 9 of the GDPR, carried out through the utilization of platforms, accessible through apps or web pages (“Platforms”), that aim to facilitate connection between healthcare professionals (“HCPs”) and patients.

The use of such Platforms poses high risks to the protection and security of patients’ personal data, and in particular health-related data, given that the latter are subject to an enhanced protection regime set forth by section 9 of the GDPR. 

The Digest seeks to summarize the applicable data protection rules that may be followed, and defines the roles of the parties, as well as the legal bases, applicable to (i) the processing of personal data of the users by Platform’s owners; (ii) the processing of HCP’s personal data by Platform’s owners; and (iii) the processing of health data of the patients by the Platform’s owner and by the HCPs.

Additional guidance is provided as to:

  • The necessity for the Platform’s owner to carry out (and periodically update) a data protection impact assessment (DPIA) pursuant to section 35 GDPR, since the use of Platforms determine a “high risk” processing of personal data, as such kind of treatment automatically meets the criteria issued by the European Data Protection Board for the identification of the list of data processing that may be deemed subject to the duty to perform a DPIA;
  • Which information notices should be provided, by who and to whom, as well as the contents that such information notices should have in each case, according to sections 13 and 14 GDPR;
  • The specific rules applicable to cross-border data transfers and data transfer to third countries.

Lastly, the Digest includes a list of the most common measures that are taken by the data controllers to ensure an appropriate level of technical and organizational measures to meet the GDPR requirements, such as encryption, verification of the qualification of the HCPs that seek to enroll within the Platform; strengthened authentication systems, monitoring systems aimed at preventing unauthorized access or loss of data.

The Digest should be very welcomed by the Platform’s owners, as it now gives a reliable and complete legal frame that may be followed in order to set up a Platform in a way which is compliant with the GDPR principles.

Implementation of the “231” Compliance Model in the Pharma Industry: New Guidelines issued by the Italian Association of Pharmaceutical Companies

Legal news, , , , , , , , , , , , , , , ,

On September 5, 2023, the Italian Association of Pharmaceutical Companies (“Farmindustria” – https://www.farmindustria.it/) has issued guidelines to design an organizational model pursuant to the Legislative Decree 231/2001 in the pharmaceutical sector (“Guidelines”).

In particular, the Guidelines, by taking into account the main peculiarities of the pharma industry, seek to identify the typical activities that are most at risk for the commission of criminal offences, and provide detailed guidance about the main policies and preventive actions that should be carried out by companies in order to prevent their commission.

As expected, the highest risks concern relationships with public officials, which may lead to crimes such as corruption or fraud against the State, with significant advantages for pharma companies.

The Guidelines seek to drive the attention of companies involved in the pharma sector on the risks that are latent in the following areas:

  • Relationships with healthcare professionals (“HCP”) and healthcare organizations (“HCO”): compliance programs should regulate activities of the key account managers and their bonuses, sponsorship of congresses, grants and donations to HCOs, gifts to HCPs, as well as other sponsorship or advertisement activities;
  • Relationships with Public Authorities: many interactions with public officials may entail corruptions risks, such as, e.g., obtainment of Market Authorizations, price reimbursement negotiations with the Italian drug regulatory agency (AIFA – https://www.aifa.gov.it/), management of site visits and inspections, participation and execution of public tenders for the supply of drugs to HCOs;
  • Relationships with private entities: relationships with suppliers providing services in the context of clinical studies, pharmacies, patient advocacy organizations, patients and “expert patients”, or management of patient support programs also need to be regulated.

The Guidelines also offer a complete set of policies and other preventive remedies that may be sufficient to prevent the envisaged criminal risks.

The Guidelines are a useful tool for pharma companies and no similar initiatives have been taken by other associations with regard to different industries and sectors. The Guidelines also constitute a benchmark for best practices that will be difficult to ignore.

Do you need help in designing or updating your company’s “231” compliance model? Do not hesitate to reach out!

EU Commission Factsheet on MDR and IVDR

Legal news, , , , , ,

Still confused about the regulatory changes affecting medical devices and in vitro devices? The EU Commission has published a useful factsheet, which you can find here.

Through the factsheet, the Commission warns health institutions and healthcare professionals that the upcoming changes may have consequences on the availability of medical devices because manufacturers may decide to stop their production or because products may not get their certificates on time.

Some notified bodies have also decided to drop off and only two notified bodies have been MDR designated so far, so this will create additional bottlenecks. A short grace period until 2025 is granted, but it does not apply to class I devices.

The path to an enhanced regulatory framework will be complicated and manufacturers, healthcare institutions and healthcare professionals need to know what to expect.

New Rules on Continuing Medical Education

Legal news, , , , , , ,

The rules on continuing medical education (“CME”) have changed since a new agreement between the Italian government, the Italian Regions and the autonomous provinces of Trento and Bolzano has come into force on February 2, 2018. You may find the new agreement here or here (only in Italian, sorry).

The agreement is an “upgraded version” of the previous principles, which remain largely unchanged, but are now better defined, stricter and hopefully more effective.

  • THE RIGHT TO CME. Health care professionals (“HCPs”) have the right to obtaining CME and regulators will need to remove impediments in order to allow the exercise of such right.
  • ACCREDITATION OF PROVIDERS. As before, providers of CME need to be accredited, but accreditation will be subject to stricter rules, which particularly focus on avoiding any conflicts of interest. Providers will also need to adopt an internal regulation setting forth how to prevent and exclude (even potential) conflicts of interest.
  • SPONSORSHIP OF EVENTS. Sponsorship of CME events will be possible by private companies, provided that the principles of transparency, objectivity, impartiality and independence are complied with. No advertisement of medicinal products or medical devices can be carried out during the CME event, but only before, after and outside the event. No direct payments or reimbursements are allowed to speakers or moderators of the CME events.
  • NO ACCESS TO PERSONAL DATA OF HCPs. On the data protection front, note that sponsors of CME cannot have access to lists and addresses of participants, speakers or moderators.
  • SPONSORSHIP OF HCPs. Lastly, HCPs may be sponsored by commercial firms operating in the health industry, but cannot fulfil more than one third of their CME requirement through such sponsorship. This is bound to change how CME has been handled before, forcing HCPs to bear the cost of at least two thirds of their CME requirements.

Have a great weekend!