Tag Archives: UGC

Health 2.0 Challenge: Managing UGC in the regulated environment

Update: I originally posted this in May 3, 2009. I updated this post on July 26, 2009 to add advice in response to calls to action for Health 2.0 — the use of Web 2.0, Gov 2.0 and Enterprise 2.0 technologies to help improve medicine and health care. Its focus now outlines the major HHS and FDA regulations any Health 2.0 service provider will have to navigate to deliver a regulatory-compliant solution

Why this focuses on the management of UGC

Open Collaboration intrinsically involves the collection, moderation and management user generated content (UGC). In general, moderation of UGC is not a simple prospect. Moderation of UGC in a regulated space is even tougher – especially in the very highly regulated biotech, pharmaceutical and health care industries where UGC can now include disclosure of personal health history or inadvertent reporting of adverse events. Based on the sensitivity of any discussion of regulatory compliance, it is worth diverting a little of your attention to some disclaimers and background information:

  • I am not currently affiliated with any biotech, pharmaceutical or health care company. Nor am I affiliated with and PAC or PR firm supporting those industries. I am a Chief Information Officer for an enterprise social networking company, Neighborhood America.
  • Prior to this, I worked at Amgen (the world’s largest biotech.) Most of my tenure here was in their Regulatory Affairs & Safety Operations organization leading a program to scale closeout of clinical trial data and submission of Biologic and Drug Licensing Applications to the FDA (and its global counterparts)–a highly-regulated process–through combined use of process re-design and Enterprise 2.0 technologies
  • Before this, I worked at AOL where I owned many systems subject to compliance with numerous financial regulations (especially Regulations E and FD, and Section 404 of the Sarbanes-Oxley Act)
  • Prior to AOL, I spent nearly seven years Booz Allen Hamilton, Lockheed Martin and the US National Laboratory System where I learned strict adherence to control of information of various classification levels.

I state this so you will understand that, while I am someone deeply experienced in managing compliance of information management, I am not a doctor, FDA or EMEA official or similar certified compliance professional.

What regulations do I need to consider?

The range and depth of biotech, pharma and health care regulations are vast. They cover a wide range of areas spanning how you manage clinical trials to manufacturing to sales and control of patient information. For this reason, it is absolutely critical to ensure you separate the social networking components of your Health 2.0 infrastructure from your other enterprise systems. This directly contradicts what some analysts are calling for in the evolution of enterprise social networking. However, it your do not do this, you will subject your social networking infrastructure to so many regulations that it will be impossible to manage it as an effective network AND maintain regulatory compliance. (My preferred method of this separation is the publish/subscribe model—however, that is a subject of another blog post.)

With this understanding in mind, I am assuming—

  • You are using your social network to manage outreach to bring interested parties into the fold to inform them of where to get information, gather their ideas, priorities and interests, and connect them with other professionals with related interests and expertise and…
  • You are not using your social network to manage clinical trial subject data; drug, biologic or medical device manufacturing data; or safety data

If these are true you have two bodies of regulation to watch in particular:

  1. Title 21 CFR Part 11
  2. HIPAA Title II

In addition, you will need to ensure your social networking infrastructure enables mining and export of UGC to support of your organizations’ pharmacovigilance practices.

Another Disclaimer: Of course, you may have many other regulations to consider based on your unique company and its pipeline and products. I do not need to point out the need to engage your Compliance and Regulated Information Technology teams for a full and complete assessment of your risks and needs.

The impact of Title 21 CFR Part 11 on your social network

Title 21, Part 11 of the Code of Federal Regulations (CFR) deals with the FDA guidelines on electronic records and electronic signatures. In the social networking area this means you must do three things:

  1. Never delete: In general it is bad practice, to delete data. It is much better practice to turn the status of data to “Inactive” or “Archived” so you can find it later (if needed a part of a legal or similar investigation.) To assure Part 11 compliance, you will need to ensure your system does not delete data (and your back office systems administration processes ensure data are archived prior any removal as part of hardware tuning or decommissioning)
  2. Use secure, electronic signatures: Here is where user attribution of UGC is so very important. You cannot let unauthenticated users provide content. You must register and authenticate them first. They you register them, you must confirm their identity (e.g., confirm provided email addresses) and authenticate them with encrypted, strong passwords. You then must attribute all UGC to each authenticated user. (It would also not hurt to get SAFE to review your registration and authentication approach.)
  3. Document that you do this: You will need to demonstrate that you have designed, built and tested a system that does the above. This includes documenting requirements, design, test cases and successful completion of those test cases. It also includes demonstration that your configuration management processes ensure that the code you have in production has completed full documentation of the above before going to production. (For software, this is known as Validation; for infrastructure, this is known as Qualification.)

The impact of HIPAA Title II on your social network

In general, the Health Insurance Portability and Accountability Act (HIPAA) protects the ability for workers and their families to gain access to health care when the switch employers or jurisdictions (i.e., when they move). Title II of HIPPA contains something called The Privacy Rule that governs the use and disclosure of Protected Health Information (PHI). This is where social network—even when they are not used to manage medical information—cross into HIPPA regulation.

Imagine you have a social networking site where patients are discussing places to go for cancer recovery support. On this site, a person starts to discuss their medical history. They list enough of their identity that anyone accessing the site can see that they (or a family member) has certain health conditions. This leads to an insurance company declining coverage to them or a family member when they move jobs due to “pre-existing conditions.” Now you potentially have Privacy Rule compliance risk.

However, you can easily guard against this, if you build the following elements into your enterprise social network:

  1. Make it a closed network. Your network needs to be more like facebook (where you need to be member to see UGC) then Twitter (where everything is open). In addition, you need to apply White List / Black List Rules to enforce who can join the network (e.g., pre-filtered list of doctors or patients and/or blocking of users from specific domains such as insurance companies).
  2. Strictly manage profile information. You need to help your members protect themselves by limiting profiling information. Do not capture any PHI data fields. Strongly encourage Display Names to not include names or other identifiers (this includes either prohibiting Avatars or only allowing members to pick from a list generic Avatar icons). Finally, encrypt all profile information (and – to assure Part 11 compliance – never delete past profile information.)
  3. Moderate all UGC prior to publication. Yes, this slows down the dynamics of your network. However, it protects you and your patients. By moderating all UGC before publishing it, you can protect members from disclosing information that would make maintaining their privacy difficult or impossible to anyone reading their content.

Additional support for pharmacovigilance

The WHO defines pharmacovigilance as “the pharmacological science relating to the detection, assessment, understanding and prevention of adverse effects, particularly long term and short term side effects of medicines.”

From a social networking perspective, this means you need to make provisions to handle situations where someone (inadvertantly) reports an adverse effect (AE) via UGC. This could be real-life AE or a fake AE provided by a malicious member. (Adhering to the six 21 CFR Part 11 and Title II HIPAA recommendations above significantly reduces the risk of malicious AE reporting.)

You should implement the following two items to ensure your social networking supports strong pharmacovigilance:

  1. Moderate all UGC prior to publication. If you are following the HIPAA recommendation above, you are already doing this. However, not only are you protecting patient privacy, you are also monitoring for reported AEs. This lets you both prevent inadvertent publication of malicious reports and detect and direct AE data to you Safety Reporting Systems
  2. House all UGC in a true enterprise data warehouse. Pharmacovigilance does not simply span the processing of AE reports; it also includes the mining of information sources to detect safety signals. By pulling social networking UGC into a enterprise data warehouse and providing your safety monitoring team access to this, you are providing them a new channel to mine and monitor safety information.
While these to recommendations can “sound scary,” following them will let you exploit the social networking medium to create a stronger, timelier pharmacovigilance function and capability.

Should I take the dive into social networking?

I can only imagine how many people are saying, “Social Networking in Biotech, Pharma and Health Care = Unwarranted Risks.” This is a natural reaction to the many challenges imposed by this new and dynamically expanding medium of interaction.

However, social networking is here to stay – not as the “next great technology” but as an expected medium to interact with others. When taking these recommendations in mind, companies, associations, and research organizations can tap this new medium to:

  • Foster greater collaboration on new products
  • Improve internal processes
  • Increase the effectiveness and efficiency managing regulatory compliance
  • Enable doctors and patients to more easily access needed information
  • Increasing the efficiency in the delivery of health care through innovation and collaboration
  • Strengthen post-marketing pharmacovigilance their products

Of course, given the push for Health 2.0 and the agenda of the Obama Administration, you have heard all these arguments. You only need to search “#Health20” on Twitter to find the latest.

 

Big Web 2.0 Technology Challenges: Cross-platform media management

We live in a multimedia world

Once we escaped the tyranny of 56-kbps dial-up rates, we entered a fully multimedia online world. Small pictures and hypertext were no longer good enough. We demanded high-definition pictures, streaming audio and video and rich interactive experiences (such as those provided by Adobe Flash and AIR). This created whole new challenges for capacity management across data centers, bandwidth, servers and storage. However, all of these challenges were solvable by application of basic systems engineering principles. Then Web 2.0 came along…

Web 2.0 literally “exploded” multimedia challenges

In the Web 2.0 world any community member can upload multimedia user-generated content (UGC) from any platform (browser and operating system combination) using a multitude of file formats: MPEG, AVI, SWF, WMF, FLV, and many, many others. To further complicate this, any other member will need to download and view this content locally (again, from a multitude of browser and operating system combinations).

Anyone who has ever worked with CODECs can appreciate how difficult it is to create a sight that lets you play multimedia on any operating system and browser combination. This becomes a much more complex engineering problem when you have to manage CODECs when you have no control regarding the size, type, source or frequency of uploaded content. (I did not fully appreciate this problem until I began to build multimedia-based social networks at Neighborhood America).

You cannot run from this challenge

Some have argued that social networks should limit what type of content they allow users to upload, pointing to low-bandwidth networks such as Twitter as an example. Nevertheless, you cannot run from this challenge for the following reasons:

  1. Social networking is about collaboration
  2. Go into any room where people are collaborating and you will see that they do this through picture, hand motions, speech, etc. People collaborate in multimedia
  3. Multimedia is not just pictures: a picture may be worth a thousand words, but a video contains thousands of pictures (frames). In addition, audio files let people transcribe words to media faster and more easily than any other format

If you do not support multimedia collaboration and ideation in your social network, some else will. Once they do this, they will steal your market.

What it takes to manage this

You still need to apply all of the basic systems engineering principles that you used to manage your Web 1.0 multimedia network. Now, however, you have to add the following:

  • Basic file upload functionality
  • File screening functionality (to block dangerous files like executables and to detect and block files with viruses and malware)
  • File upload preview and annotation functionality (to enable your members to tag and describe files with data that makes them searchable and matchable)
  • Tracking of Terms of Service acceptance and indication of Rights for Publication
  • Universal File Conversion functionality (this is a “biggie,” see below for more)
  • File Linking Services (so you can associate one piece of media with many albums, blog posts etc–without needing to re-upload it).
  • Universal File Playback functionality

In addition, you will likely want to enhance this functionality like multimedia RSS and content sharing.

Universal File Conversion is not a trivial function. It needs to do the following:

  1. Support 95% of the CODECs in use today
  2. Quickly convert media files by type into a universally playable format (the usual is FLV)
  3. Compress files into a small enough footprint to prevent 14-year-olds from filling your data center with HD videos of skateboarding tricks
  4. Create multiple-sized thumbnails of each media to use for each type of preview mode your network supports
  5. Link all of these thumbnails to the original file
  6. Add any watermarks you want to maintain the branding of your community

By the way, you need to do this quickly, with low error rates, and at very high scale–and without breaking the bank!

This is why YouTube is a huge technical achievement

YouTube pioneered solving this problem at the highest scale yet seen in history. As much as I love Hulu for its elegance and utility (I would pay a subscription fee to watch more than the token five episodes for each show they feature), I have to give greater credit to YouTube’s technical achievement. I am amazed not only by the scale of this accomplishment but also how quickly and reliably YouTube converts videos.

However, technical achievements are not everything

YouTube is a huge technical achievement. However it will lose Google some $500m this year. The trick is applying this type of technology in ways that earns money (or advances your enterprise’s mission). I believe this will happen in two places:

  1. Internal Networks: Letting your staff share information and ideas with each other in multimedia to increase knowledge sharing and reduce training costs
  2. Ideation Networks: Letting your customers and constituents share ideas as to how you can serve them better in multimedia. This will reduce product research and focus group costs and increase customer loyalty. It can also be used in the media business to get ideas for new screenplays, videos, news stories, etc.

The next time we upload multimedia content to YouTube, Facebook, or a multimedia-driven social network, we should all give greater appreciation to the technical accomplishment. However, we should also ask ourselves how we can leverage this content to create enterprise value.