Health 2.0 Challenge: Managing UGC in the regulated environment

Update: I originally posted this on May 3, 2009. I updated this post on July 26, 2009 to add advice in response to calls to action for Health 2.0 — the use of Web 2.0, Gov 2.0 and Enterprise 2.0 technologies to help improve medicine and health care. Its focus now outlines the major HHS and FDA regulations any Health 2.0 service provider will have to navigate to deliver a regulatory-compliant solution.

Why this focuses on the management of UGC

Open collaboration intrinsically involves the collection, moderation and management of user-generated content (UGC). In general, moderating UGC is not a simple prospect. Moderating UGC in a regulated space is even tougher – especially in the very highly regulated biotech, pharmaceutical and health care industries, where UGC can now include disclosure of personal health history or inadvertent reporting of adverse events. Given the sensitivity of any discussion of regulatory compliance, it is worth diverting a little of your attention to some disclaimers and background information:

  • I am not currently affiliated with any biotech, pharmaceutical or health care company. Nor am I affiliated with any PAC or PR firm supporting those industries. I am a Chief Information Officer for an enterprise social networking company, Neighborhood America.
  • Prior to this, I worked at Amgen (the world’s largest biotech). Most of my tenure there was in their Regulatory Affairs & Safety Operations organization, leading a program to scale closeout of clinical trial data and submission of Biologic and Drug Licensing Applications to the FDA (and its global counterparts)–a highly-regulated process–through combined use of process re-design and Enterprise 2.0 technologies.
  • Before this, I worked at AOL, where I owned many systems subject to compliance with numerous financial regulations (especially Regulations E and FD, and Section 404 of the Sarbanes-Oxley Act).
  • Prior to AOL, I spent nearly seven years at Booz Allen Hamilton, Lockheed Martin and the US National Laboratory System, where I learned strict adherence to control of information of various classification levels.

I state this so you will understand that, while I am someone deeply experienced in managing compliance of information management, I am not a doctor, an FDA or EMEA official, or a similar certified compliance professional.

What regulations do I need to consider?

The range and depth of biotech, pharma and health care regulations are vast. They cover a wide range of areas, from how you manage clinical trials to manufacturing, sales, and control of patient information. For this reason, it is absolutely critical to ensure you separate the social networking components of your Health 2.0 infrastructure from your other enterprise systems. This directly contradicts what some analysts are calling for in the evolution of enterprise social networking. However, if you do not do this, you will subject your social networking infrastructure to so many regulations that it will be impossible to manage it as an effective network AND maintain regulatory compliance. (My preferred method for this separation is the publish/subscribe model—however, that is a subject for another blog post.)

With this understanding in mind, I am assuming—

  • You are using your social network to manage outreach to bring interested parties into the fold to inform them of where to get information, gather their ideas, priorities and interests, and connect them with other professionals with related interests and expertise and…
  • You are not using your social network to manage clinical trial subject data; drug, biologic or medical device manufacturing data; or safety data

If these are true you have two bodies of regulation to watch in particular:

  1. Title 21 CFR Part 11
  2. HIPAA Title II

In addition, you will need to ensure your social networking infrastructure enables mining and export of UGC to support your organization’s pharmacovigilance practices.

Another Disclaimer: Of course, you may have many other regulations to consider based on your unique company and its pipeline and products. I do not need to point out the need to engage your Compliance and Regulated Information Technology teams for a full and complete assessment of your risks and needs.

The impact of Title 21 CFR Part 11 on your social network

Title 21, Part 11 of the Code of Federal Regulations (CFR) deals with the FDA guidelines on electronic records and electronic signatures. In the social networking area this means you must do three things:

  1. Never delete: In general, it is bad practice to delete data. It is much better practice to change the status of data to “Inactive” or “Archived” so you can find it later (if needed as part of a legal or similar investigation). To assure Part 11 compliance, you will need to ensure your system does not delete data (and that your back-office systems administration processes ensure data are archived prior to any removal as part of hardware tuning or decommissioning).
  2. Use secure, electronic signatures: Here is where user attribution of UGC is so very important. You cannot let unauthenticated users provide content; you must register and authenticate them first. When you register them, you must confirm their identity (e.g., confirm provided email addresses) and authenticate them with strong passwords stored in encrypted form. You must then attribute all UGC to each authenticated user. (It would also not hurt to have SAFE review your registration and authentication approach.)
  3. Document that you do this: You will need to demonstrate that you have designed, built and tested a system that does the above. This includes documenting requirements, design, test cases and successful completion of those test cases. It also includes demonstrating that your configuration management processes ensure the code you have in production has completed full documentation of the above before going to production. (For software, this is known as Validation; for infrastructure, this is known as Qualification.)
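As an added example (not code from the original post), here is a minimal UGC store that embodies the first two points: no delete operation at all, only status changes; every record attributed to a user who has confirmed an email address and authenticated; and every action written to an append-only audit trail that the documentation in point three can reference. The class, field names and the salted PBKDF2 password storage are this example's own choices.

```python
import hashlib, hmac, os
from datetime import datetime, timezone


def pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class UGCStore:
    """Part 11 style store: attributed, never deleted, fully audited."""

    def __init__(self):
        self.users = {}    # username -> {email, salt, hash, verified}
        self.records = {}  # record id -> {author, text, status}
        self.audit = []    # append-only trail: never rewritten or truncated

    def _log(self, actor, action, rid=None):
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(),
                           "actor": actor, "action": action, "record": rid})

    def register(self, username, email, password):
        salt = os.urandom(16)
        self.users[username] = {"email": email, "salt": salt,
                                "hash": pw_hash(password, salt), "verified": False}
        self._log(username, "register")

    def confirm_email(self, username):  # stands in for the e-mail click-through
        self.users[username]["verified"] = True
        self._log(username, "email_confirmed")

    def authenticate(self, username, password):
        u = self.users.get(username)
        return bool(u and u["verified"] and
                    hmac.compare_digest(pw_hash(password, u["salt"]), u["hash"]))

    def post(self, username, password, text):
        # Every record carries the identity of its authenticated author.
        if not self.authenticate(username, password):
            raise PermissionError("only verified, authenticated users may post")
        rid = len(self.records) + 1
        self.records[rid] = {"author": username, "text": text, "status": "active"}
        self._log(username, "post", rid)
        return rid

    def set_status(self, username, password, rid, status):
        # Deliberately no delete(): content is inactivated or archived instead.
        if not self.authenticate(username, password):
            raise PermissionError("only verified, authenticated users may do this")
        if status not in ("active", "inactive", "archived"):
            raise ValueError("unknown status; records are never deleted")
        self.records[rid]["status"] = status
        self._log(username, "status:" + status, rid)
```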

The impact of HIPAA Title II on your social network

In general, the Health Insurance Portability and Accountability Act (HIPAA) protects the ability of workers and their families to gain access to health care when they switch employers or jurisdictions (i.e., when they move). Title II of HIPAA contains something called the Privacy Rule, which governs the use and disclosure of Protected Health Information (PHI). This is where social networks—even when they are not used to manage medical information—cross into HIPAA regulation.

Imagine you have a social networking site where patients are discussing places to go for cancer recovery support. On this site, a person starts to discuss their medical history. They list enough of their identity that anyone accessing the site can see that they (or a family member) have certain health conditions. This leads to an insurance company declining coverage to them or a family member when they move jobs due to “pre-existing conditions.” Now you potentially have Privacy Rule compliance risk.

However, you can easily guard against this if you build the following elements into your enterprise social network:

  1. Make it a closed network. Your network needs to be more like Facebook (where you need to be a member to see UGC) than Twitter (where everything is open). In addition, you need to apply White List / Black List rules to enforce who can join the network (e.g., a pre-filtered list of doctors or patients and/or blocking of users from specific domains such as insurance companies).
  2. Strictly manage profile information. You need to help your members protect themselves by limiting profile information. Do not capture any PHI data fields. Strongly encourage Display Names that do not include names or other identifiers (this includes either prohibiting Avatars or only allowing members to pick from a list of generic Avatar icons). Finally, encrypt all profile information (and – to assure Part 11 compliance – never delete past profile information).
  3. Moderate all UGC prior to publication. Yes, this slows down the dynamics of your network. However, it protects you and your patients. By moderating all UGC before publishing it, you can protect members from disclosing information that would make it difficult or impossible to maintain their privacy from anyone reading their content.

Additional support for pharmacovigilance

The WHO defines pharmacovigilance as “the pharmacological science relating to the detection, assessment, understanding and prevention of adverse effects, particularly long term and short term side effects of medicines.”

From a social networking perspective, this means you need to make provisions to handle situations where someone (inadvertently) reports an adverse effect (AE) via UGC. This could be a real-life AE or a fake AE provided by a malicious member. (Adhering to the six 21 CFR Part 11 and Title II HIPAA recommendations above significantly reduces the risk of malicious AE reporting.)

You should implement the following two items to ensure your social networking supports strong pharmacovigilance:

  1. Moderate all UGC prior to publication. If you are following the HIPAA recommendation above, you are already doing this. However, not only are you protecting patient privacy, you are also monitoring for reported AEs. This lets you both prevent inadvertent publication of malicious reports and detect and direct AE data to your Safety Reporting Systems.
  2. House all UGC in a true enterprise data warehouse. Pharmacovigilance does not simply span the processing of AE reports; it also includes the mining of information sources to detect safety signals. By pulling social networking UGC into an enterprise data warehouse and providing your safety monitoring team access to it, you are providing them a new channel to mine and monitor safety information.

While these two recommendations can “sound scary,” following them will let you exploit the social networking medium to create a stronger, timelier pharmacovigilance function and capability.
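The closed-network join rule, the profile restrictions and the pre-publication moderation queue from the HIPAA list above, together with the AE hand-off from the pharmacovigilance list, as one added example (not code from the original post). The domain lists, PHI field names and AE trigger terms are constructed placeholders; the real lists belong to your compliance and safety teams, and the approve() callback stands in for the human moderator.

```python
import re
from collections import deque

# Constructed policy values; the real lists come from your compliance team.
ALLOWED_DOMAINS = {"example-clinic.org", "example-hospital.edu"}  # pre-filtered members
BLOCKED_DOMAINS = {"example-insurer.com"}                           # e.g. insurers
PHI_FIELDS = {"date_of_birth", "ssn", "diagnosis", "medical_record_number"}
# Crude trigger terms for a possible adverse event; a real list comes from Safety.
AE_TERMS = re.compile(r"\b(side effects?|adverse|reaction|hospitali[sz]ed|rash|nausea)\b", re.I)


def may_join(email, allowed=ALLOWED_DOMAINS, blocked=BLOCKED_DOMAINS):
    """Closed network: a block list always wins; an allow list, if set, is exclusive."""
    domain = email.rsplit("@", 1)[-1].lower()
    if domain in blocked:
        return False
    return not allowed or domain in allowed


def clean_profile(profile):
    """Drop PHI fields and refuse display names that look like real names."""
    kept = {k: v for k, v in profile.items() if k not in PHI_FIELDS}
    if re.fullmatch(r"[A-Z][a-z]+(\s[A-Z][a-z]+)+", kept.get("display_name", "")):
        raise ValueError("display name must not look like a real name")
    return kept


class ModerationQueue:
    """Every post waits here; nothing reaches members unreviewed."""

    def __init__(self):
        self.pending = deque()
        self.published, self.held = [], []
        self.safety_inbox = []  # hand-off point to the Safety Reporting System

    def submit(self, author, text):
        self.pending.append({"author": author, "text": text,
                             "possible_ae": bool(AE_TERMS.search(text))})

    def review(self, approve):
        """approve(post) -> bool is the human moderator's decision."""
        item = self.pending.popleft()
        if item["possible_ae"]:
            self.safety_inbox.append(item)  # routed to Safety even if not published
        (self.published if approve(item) else self.held).append(item)
        return item
```

A held post still reaches the safety inbox, so a suspected AE is never lost just because the moderator declined to publish it.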

Should I take the dive into social networking?

I can only imagine how many people are saying, “Social Networking in Biotech, Pharma and Health Care = Unwarranted Risks.” This is a natural reaction to the many challenges imposed by this new and dynamically expanding medium of interaction.

However, social networking is here to stay – not as the “next great technology” but as an expected medium to interact with others. When taking these recommendations in mind, companies, associations, and research organizations can tap this new medium to:

  • Foster greater collaboration on new products
  • Improve internal processes
  • Increase the effectiveness and efficiency of managing regulatory compliance
  • Enable doctors and patients to more easily access needed information
  • Increase the efficiency of health care delivery through innovation and collaboration
  • Strengthen post-marketing pharmacovigilance of their products

Of course, given the push for Health 2.0 and the agenda of the Obama Administration, you have heard all these arguments. You only need to search “#Health20” on Twitter to find the latest.