Within the U.S., patient support programs (“PSPs”) have drawn increased regulator scrutiny, consistent with their growing importance in the healthcare sector, where it is increasingly being said, and quite appropriately so, that “the patient is the new healthcare provider.” As such, many companies have begun developing compliance programs for PSPs structured entirely on practices, regulations, and enforcement in the U.S. Yet as global healthcare spend continues to increase, multi-national companies throughout the industry are likewise increasing investment in PSPs and other patient support, such as interactions with or funding of patient assistance organizations or other charitable organizations helping patients (together, “Patient Support”) outside of the U.S. All too often, however, this increased global investment has not been met with a corresponding globalization of patient support compliance efforts—leaving many companies ill-prepared to mitigate risk or face global regulatory scrutiny as they go global with Patient Support. This two-part series considers the growth of patient support, and the global patient support compliance framework required to mitigate the corresponding compliance risks. In Part I, we examined the growth of global patient support efforts and the corresponding need to understand and integrate applicable laws and industry codes when developing a tailored, global compliance framework to effectively mitigate compliance risks. In Part II, we take up the remaining three core compliance considerations when going global with patient support.
Growing Global Patient Support Programs Counsel Development of a Global Patient Support Compliance Framework
Investment in Patient Support outside the U.S. has grown substantially in recent years, driven, in part, by increasing use of complex therapies such as specialty drugs. As detailed in Part I of this series, when considering the diversity of access, reimbursement, and logistical challenges with variant legal, regulatory, and industry standards, and the threat of multi-regulator anti-corruption and other exposures, it quickly becomes clear that compliance structures built to manage U.S. Patient Support under U.S. legal regimes fall far short. While a global Patient Support compliance framework must certainly be flexible in order to accommodate a diversity of Patient Support efforts and legal and industry requirements, the task of creating such a framework is not impossible. Its most basic component, the global framework—documented in policies, procedures, work instructions, FAQs and other guidance consistent with the company’s governance structure for guiding documents—should clearly outline the initiation, review, and approval process for any potential Patient Support effort, mandating the necessary documentation, any relevant approval flows / value thresholds, and core considerations in creating and/or approving Patient Support. And of course, the framework should outline, or by reference to other company policies address, core compliance risks and related requirements for items such as interactions with patients, engaging HCPs and government officials, and managing personal data.
In constructing this global framework, companies should consider and address four core components. In Part I of this series, we examined the first consideration: the framework must account for the variant legal regimes and industry codes applicable to the company’s Patient Support. Here we take up the remainder, starting with the second consideration: the company’s proper purpose for engaging in Patient Support should be clearly stated, while improper purposes should be articulated and forbidden. Third, the framework should mandate controls relating to the collection, storage and use of patient data, and should include appropriate consideration of and mechanisms for adverse event reporting. Fourth, the framework should anticipate the circumstances under which it may be appropriate (or mandated) that a third party be utilized to execute a Patient Support effort, and any particular requirements for the selection, diligence, contracting, training, and/or monitoring of those third parties. Finally, and relatedly, the framework should delineate both the efforts and persons or functions responsible for ongoing oversight and monitoring of the Patient Support.
I. See Part I [here] for a discussion of understanding and integrating legal regimes and industry codes
II. Provide Guidance on and Mandate a Proper Purpose
In line with potentially applicable law and industry codes, the global framework should clearly delineate and mandate a proper purpose for all Patient Support efforts, namely, that they exist solely to serve patients and not to drive therapeutic decisions or sales or otherwise provide an improper inducement to patients or HCPs. The global framework should thus guard proper purpose by identifying proper versus improper purposes (giving appropriate definitions and/or examples). It should both mandate a proper purpose and expressly prohibit patient support for any improper purpose. Additionally, the review and approval process should be designed to vet the proposed purpose, while the required documentation should set out both the appropriate purpose and the assessment thereof.
Because “proper” purpose may vary from country to country based on the applicable mandates and/or restrictions, this is an area underscoring the import of understanding local law and industry code. For example, the IMC Code of Ethical Practice contains numerous restrictions directed towards ensuring that PSPs are not used to achieve any improper purposes (such as to access a medical practice), improperly influence a HCP’s clinical judgment, or cover a HCP’s operational expenses. The Medicines Australia Code of Conduct and its supplemental piece also help to protect against improper HCP and patient influence by requiring that PSPs are well-defined, appropriately communicated to patients, HCPs, and HCOs, and do not interfere with HCP and patient integrity. Additionally, the U.K.’s ABPI Code of Practice provides restrictions on the provision of free PSP items to HCPs and their patients. Here again, companies should both survey applicable law to ensure it thematically informs the development of global guidance, and ensure that the review and approval process in the ultimate framework sets a moment in time to identify any restrictions on purpose imposed by local law or code, and consider the potential Patient Support efforts in view of those constraints.
III. Carefully Guard the Use, Protection, and Reporting of Patient Data
Companies collect significant amounts of data through PSPs for many permissible objectives, such as enhancing and expanding PSP offerings to better meet patient needs. With this access, however, comes onerous data privacy and pharmacovigilance obligations and risks. Health regulators in the U.S., the E.U., and other countries are increasingly focusing on whether manufacturers have proper controls to ensure that they use the data for proper purposes, respect patient privacy rights, and, as necessary, report adverse events collected through PSPs. Adding to the complexity are the stringent restrictions on the access, use, storage, and transfer of personal data in countries like the E.U., Latin America, and certain parts of Asia.
To address these requirements, the global framework—leveraging existing policies and guidance on data privacy and the use of patient data—should include considerations of and requirements relating to the appropriate collection and use of data amassed through the PSP, here again, ensuring consideration of applicable local law and industry codes. Additionally, the anticipated collection, storage, transfer, use, and controls around access should all be documented, and use of data should be considered in designing and approving each potential PSP. Critically, the framework should prohibit, and the program-specific controls should guard against, the commercial access or use of the collected data. Federal prosecutors in the U.S. are aggressively pursuing violations of its patient data privacy law, the Health Insurance Portability and Accountability Act (“HIPPA”), in this context. For example, in 2018, several prescribers were indicted for criminal violations of HIPAA where they allowed sales representatives to impermissibly access protected patient data in connection with the company’s prior authorization services. In a likely related matter, the pharmaceutical manufacturer involved in the case recently announced that it settled investigations with federal authorities relating to possible violations of, among other things, HIPAA.
The U.S. is not alone in its focus on proper use of patient and personal data. Perhaps the most poignant example, the E.U.’s General Data Protection Regulation (GDPR), carries the potential for hefty sanctions—20,000,000 EUR or 5% of total annual worldwide revenues, whichever is greater—for the improper processing of personal data occurring both within and/or outside of the EU. In the context of patient support, these “improper processing” concerns can arise in a myriad of ways, including, as examples, data collection incompatible with “specific, explicit, and legitimate purposes” or executed without necessary safeguards. The GDPR, and similar laws in countries such as Canada and Japan appear to warn that U.S. enforcement relating to data merely foreshadows potential regulator focus around the world.
In addition to privacy and patient data concerns, the global framework should also address pharmacovigilance. Most notably, the review and approval process should assess the proposed PSP to ensure the existence of mechanisms to appropriately facilitate collection, recording, and reporting of adverse events (here again, in view of regulation and industry codes applicable to the particular support) and adequate training of those involved in pharmacovigilance efforts. Indeed, guidance and industry enforcement from the E.U. and U.K. demonstrate both the considerable regulator focus on this issue, and, as in the U.S., the potential for significant consequences (including fines, remedial action, and reputational damage) where these mechanisms are not in place.
As but one example, in 2012 the European Medicines Agency (“EMA”) initiated a five-year infringement procedure against a global pharmaceutical company for PSP-related violations identified during a routine government pharmacovigilance inspection, which resulted in a finding of “serious shortcomings.” In particular, the inspection identified pharmacovigilance information from market research and patient support programs within and outside the E.U. that possibly violated Commission Regulation (EC) No 658/2007 (the so-called Penalties Regulation). This included a failure to report up to 80,000 reports of possible adverse reactions from its drugs, including 15,161 deaths, collected through a U.S. patient support program. As part of the procedure, the EMA conducted two investigations into the company’s pharmacovigilance practices, exposing the company to a potential fine of up to 5% its annual revenue. After (and based on) the company’s remediation and commitment to further enhancements and a finding that the reporting failures did not impact the risk profile of the company’s drugs, the EMA closed the procedure without penalty in 2017.
As another example, in July 2017, the ABPI suspended, and nearly terminated, Astellas U.K.’s membership after finding “serious breaches” of the Code of Conduct arising in the context of two Atellas PSPs, which breaches carried significant implications for adequate detection and collection of adverse events. Specifically, in announcing the suspension, the ABPI cited both Astellas U.K. and Astellas Pharma Europe for “wholly inadequate oversight” and a “lamentable lack of concern for patient safety” in connection with the training and information provided to third-party nurses who delivered PSPs for the company. In one such case, Astellas self-reported to the U.K.’s Prescription Medicines Code of Practice Authority Appeal Board that “[a]lthough [it] had monitored the number of patients enrolled into each patient support programme monthly and had continued to pay the [third party] agency [employing the nurses] the monthly fixed fee, it had not provided similar ongoing oversight and support for the nurse helpline in relation to product training.” Once a year, Astellas completed adverse event training via an Astellas pharmacovigilance training slide deck, but the company had not done any further training on the two products at issue in the PSPs despite multiple changes in the summaries of product characteristics, including changes related to undesirable effects. The other cases similarly involved failure to update and provide complete prescribing information for a number of medicines. Due to improvements by both companies, Astellas U.K. regained full ABPI membership in June 2018.
IV. Third Party Management & General Program Monitoring
As underscored by the Astellas matter, the import of and risks arising from third parties in the Patient Support context is particularly significant. Third parties are often the direct contact between a PSP provider and healthcare providers and/or patients—serving as both the administrator of the PSP as well as a key buffer between patients and the provider. Not surprisingly given this critical role in PSPs, many industry codes specifically outline requirements and/or guidance for the selection, diligence, and/or management of third parties involved in PSPs. For example, guidance from the ABPI encourages manufacturers to perform due diligence on PSP third parties, including assessments to ensure that potential third parties are properly equipped to carry out the services in terms of capabilities, process, and compliance. Additionally, the ABPI guidance and the European Pharmaceutical Market Research Association Code of Conduct (“EphMRA Code of Conduct”) provide that manufacturers should clearly communicate PSP expectations, requirements, and purpose through continuous third-party training and communication, and, in the contracting phase, clearly delineate purpose, structure, compensation, role, responsibilities, and operating procedures. Of course, each of these specific codes comes against the backdrop of long-standing general regulator compliance guidance calling for risk-based diligence, appropriate communications and contractual terms, and ongoing oversight of third-party relationships. Together, these resources counsel a number of key third-party considerations when framing global compliance governance relating to Patient Support.
First, companies should consider their existing third-party diligence programs as well as applicable local law and industry codes and assess what, if any, additional diligence steps should be considered (or mandated) in vetting third parties in the Patient Support context. Specifically, they should consider whether the existing diligence (often designed to mitigate financial, quality, and/or corruption risks) will appropriately cover off Patent Support specific issues such as the potential vendor’s qualifications to administer the specific Patient Support effort, its ability to maintain appropriate controls around patient data, or its experience in managing any regulatory or disclosure obligations the third party will undertake. The framework should then outline any additional corresponding diligence activities related to vetting potential third parties. Second, companies should assess their existing contractual practices and approvals, as well as standard terms and templates, and consider whether additional approvals (or approval considerations) and/or Patient Support-specific terms should be included in the global framework. Even companies with robust “standard” contractual terms may find they fall short in the Patient Support context. For example, is the standard audit clause sufficient to support the review and monitoring activities needed? Is the template “we agree to abide by the law and report concerns” term sufficient to satisfy any local law / code requirements such as transparency or pharmacovigilance reporting obligations the third party will be expected to execute? Are the standard exit provisions appropriate to cover the unique circumstances under which the company may choose to terminate the third party in the Patient Support arena? Do the payment terms mandate sufficient invoice description and supporting documentation to appropriately monitor and reconcile program spend and/or facilitate any reporting or transparency obligations the company may have? Without these considerations companies may find themselves without the contractual basis needed to appropriately manage (or exit!) Patient Support-related third-party relationships.
Finally, including but beyond third parties, the global framework for Patient Support should address monitoring, clearly defining responsibility for oversight, and outlining the types of efforts to be taken or requiring that a program-specific plan be created and approved for each Patient Support effort. Additionally, many companies have developed effective PSP monitoring tools in the U.S., which can be leveraged to deploy effective global resources. These tools include dashboards of PSP utilization by region, service, and HCP, live reviews of third parties performing services on the company’s behalf, and proactive market or regional assessments of program design and functionality. Consistent with regulator guidance, these efforts should seek to identify both potential concerns with the particular PSP, as well as areas for potential enhancement in the global compliance framework used to manage them.
In the realm of patient support, a “one-size-fits-all” approach—particularly where applying a U.S.-centric focus—is unlikely to result in tailored, effective risk mitigation of Patient Support efforts, and may leave companies exposed to, among other things, local law and industry code violations from the inception of an ex-U.S. Patient Support effort. As Patient Support continues to be an area of both global investment across the industry and increasing regulator focus, companies should develop a global compliance framework tailored to their Patient Support strategy and global footprint, and sufficiently flexible to cover the variant programs and related efforts in their ex-U.S. Patient Support portfolio.
 Medicines Australia, supra, note 9; Medicines Australia, Code of Conduct Guidelines, Version 2 (Oct., 2016).
 ABPI, Code of Practice for the Pharmaceutical Industry (2019).
 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
 Personal Information Protection and Electronic Documents Act, (2000).
 Amended Act on the Protection of Personal Information, (2017).
 See, e.g., European Medicines Agency, Guideline on good pharmacovigilance practices (GVP), (Jul. 2017); European Pharmaceutical Market Research Association Code of Conduct (EphMRA) Code of Conduct (Aug. 2018); ABPI, supra, note 2.
 See, ABPI supra, note 2.
 See, id.; EphMRA supra, note 19; IMC, supra, note 3.
 U.S. Sentencing Guidelines Manual (Nov., 2018); U.S. Dep’t of Justice, Evaluation of Corporate Compliance Programs (Feb. 2017), Bribery Act, 2010, s7-9 (U.K.).