The role of medical affairs teams continues to evolve as companies identify new ways to connect with healthcare providers. The COVID-19 pandemic provided multiple opportunities for medical science liaisons to prove their value and connect with HCPs and key opinion leaders (KOLs) virtually. However, the growth of MA teams and their use of digital communication also creates risk. There are increased opportunities for data breaches or compliance issues to crop up — especially because of the relative newness of this field.
Here are a few common issues facing medical affairs teams related to cybersecurity, privacy and compliance.
One of the most important factors related to medical affairs and pharmaceutical development as a whole is data integrity. In the short run, poor data integrity can cause the FDA to reject a study and prevent a treatment from going to market. In the long run, data integrity issues can affect the reputation of a company and create extra work for medical affairs teams.
“The FDA expects that all data submitted to the agency to obtain market approval is both reliable and accurate,” writes the team at professional services provider Astrix. “The FDA considers the integrity of data, from the moment it is generated, and extending through to the end of its life cycle, to be a critical component of ensuring that only high-quality and safe drugs are manufactured.”
Medical affairs teams aren’t just on the hook for the data integrity of their own companies. They also need to be aware of any unintended data mismanagement threats from outside organizations that they work with — and particularly contract research organizations (CROs).
“For a contract laboratory, reliability and trust in the data delivered to the sponsor are paramount,” writes pharmaceutical professional Tim Rhines at Contract Pharma. “A contract laboratory cannot afford to be implicated in a breach of data integrity, no matter how small. A breach in data integrity not only impacts the data and standing with regulatory agencies, but also compromises relationships with sponsors, and in turn, the health of the business.”
Once a company has a reputation for submitting bad data (or trying to hide data from the FDA), healthcare providers won’t be willing to trust the medical affairs teams that represent them.
While data integrity is certainly a technology and cybersecurity issue, there are also human elements that lead to data breaches or intentionally manipulated data sets.
“Over the past few years, the news has been full of reports about data integrity breaches in the bio/pharmaceutical industry,” write consultants James Agalloco and Allen Welsher in an article at PharmTech. “How often do such breaches stem from personal integrity issues, when a professional who knows better decides to take a shortcut and fails to see the potential ramifications of an action (or failure to act)? When people act with integrity, the data they generate will usually follow suit.”
Companies that create a culture of integrity and support for researchers will be less likely to experience data issues. While there is no guarantee that data problems won’t arise, many cybersecurity experts are quick to highlight how data integrity is often broken by desperate employees placed under pressure to perform.
“In Pharma, intentional data integrity breaches often revolve around testing and manufacturing data,” writes Julie Maurhoff, VP GxP compliance and inspection management at Ultragenyx Pharmaceutical. “The decision to be deceptive may not always be driven by a malicious intent, but can be so intensely personal, based on fear or an internal sense of shame, to an extent that the individual is able to rationalize their deceptive practice.”
In many cases, it’s better to be transparent with the FDA if your organization suspects a breach in data integrity.
“When sponsors are still uncertain as to whether a data integrity issue will ultimately impact FDA’s determination as to the reliability of data, sponsors often will find that it is advantageous to report data integrity issues to FDA soon after discovery rather than waiting for FDA to discover the data integrity issue during an inspection,” write Greenleaf Health’s Cynthia Schnedar and Kalah Auchincloss.
One thing that medical science liaisons need to keep in mind is that HIPAA isn’t all-encompassing when it comes to data management and patient privacy. There are many gaps in these guidelines which create gray areas for pharmaceutical companies and their medical affairs teams.
“HIPAA only applies to healthcare providers, health plans, healthcare clearinghouses (covered entities) and business associates of those entities,” according to HIPAA Journal. “When the same healthcare data is shared with an entity that is not covered by HIPAA, those protections do not need to be in place. HIPAA also gives patients rights over their health data, but those rights do not apply to health data sent to a non-HIPAA-covered entity.”
After noticing these gaps, the American Medical Association has stepped up. They created their own set of best practices to help companies protect patient data and provide extra security for patients.
“The AMA’s Principles provide a helpful springboard for considering ways to improve privacy protections and whether such protections should apply consistently across the digital health ecosystem,” says Deven McGraw et al. for Health Affairs. “They address needs that have become more apparent as the nation transforms to a digital health infrastructure and electronic information exchange.”
It is better for your company to go above what is required, rather than limiting your data protections to HIPAA guidelines.
Another reason to invest in data privacy and integrity guidelines beyond HIPAA is the increasingly global footprint that pharmaceutical brands have. Even after the COVID-19 pandemic closed borders, teams continue to work with international companies to promote their therapies and treatments.
“Several companies have expanded their medical affairs team footprint beyond the United States and the need to ensure greater consistency and uniformity in the processes, training, and quality of their medical affairs organization cannot be understated,” says William Soliman, CEO at the Accreditation Council for Medical Affairs.
Each country (or collection of countries) comes with its own guidelines. Pharmaceutical companies will have an easier time navigating data privacy rules if they go beyond the minimum requirements in the United States and consider both the needs of their patients and the expectations of other governments.
“International regulatory collaboration on good clinical practice (GCP) has become critical for adequate oversight and the assessment of data integrity because of the increasing numbers of clinical trial sites per study, their locations outside the regulatory agencies’ regions, the limited resources of such regulatory agencies and the accelerated timelines by which regulators have to review marketing applications,” writes journalist Zachary Brennan, in an article covering regulatory policy and the FDA.
The challenge that comes with keeping up with data integrity and privacy is the day-to-day work of medical affairs teams. This field is still relatively new, with companies working to balance the commercial and medical skills of team members like medical science liaisons (MSLs).
“One of the primary drivers for the creation of the medical affairs role was to establish a line of separation between medical and commercial departments and prioritize education rather than commercialization,” write Darren Jones, et al. at CPA firm Baker Tilly. “By having MSLs share clinical data with KOLs as it becomes available, there is a greater opportunity for active engagement while avoiding any solicited requests or off-label information.”
However, many companies continue to move tasks onto the medical affairs teams that would otherwise be regulated in the commercial marketing front. This may create conflict in the future if regulators decide to evaluate how medical affairs departments operate.
“Continued regulatory pressure has shifted many ‘commercial’ responsibilities to medical affairs,” writes Thomas Sullivan, president and CEO at medical education company Rockpointe. “Due to the importance of delivering credible medical information and the increased scrutiny on medical affairs, companies must continually update their policies and ensure cross-training between medical and commercial departments.”
Staying on top of compliance and privacy issues doesn’t just help medical affairs staff present a more reputable firm to HCPs. It allows these MSLs to feel confident in their roles within the company and avoid potential compliance issues.
Medical affairs teams are significantly affected by the data integrity, privacy and cybersecurity practices in their companies. Digital weaknesses limit the national and international footprints these firms can have. If a company only does the bare minimum to follow compliance guidelines, then it risks hurting its reputation and creating barriers for MA teams to connect with healthcare professionals.