How Life Sciences Organizations are Re-Examining their Compliance Operations and Technology

Rena Verma

Senior Managing Director, FTI Consulting

9/22/2020

Rena, in terms of compliance monitoring, what major challenges are the pharmaceutical and healthcare industries reckoning with today?

The new environment driven by COVID-19 has created unexpected and increased risks for compliance departments within pharmaceutical and healthcare organizations. Many of these center around managing evolving regulations and an increasing data footprint. Specifically, three common challenges are:

1. Data privacy compliance with the California Consumer Privacy Act. Even organizations that are covered under HIPAA for electronic protected health information (ePHI), or already privacy compliant under Europe’s GDPR or regulations in other jurisdictions, must assess their obligations under CCPA if they serve California residents.
2. Compliance monitoring for sales and promotional activity. Nearly all major pharmaceutical companies and med-tech organizations are involved in provisioning solutions to address the COVID-19 pandemic, not to mention continuing market outreach for existing products or non-COVID related products. With that, sales and business development teams are switching to virtual sales calls. . This is creating a lot of legwork for compliance departments to monitor activity that is taking place over video conferencing, call recordings, texting apps and messaging platforms, identify behaviors that require corrective action and make enhancements to existing compliance training.
3. Data explosion on new digital platforms. While there are tremendous benefits of virtual communication tools such as Microsoft Teams, Zoom, Skype, Slack and new telehealth apps, these technologies are creating an explosion of records that may need to be mined in the event of an internal HR investigation or external investigation from a federal or state authority.

These are issues that FTI sees with clients in many industries and contexts. What are some things healthcare and pharmaceutical organizations can do to address the challenges mentioned above?

Let’s break this into two categories: data privacy compliance and compliance monitoring.

1. For data privacy compliance with CCPA, organizations should conduct an assessment of potential gaps for information that may be subject to CCPA but not covered under HIPAA, HITECH or California’s Confidentiality of Medical Information Act. Medical information used for research and development without explicit authorization from the subject is one example. Depending upon the results of the assessment, an organization may need to update its training and education for CCPA, create a data map, update privacy notices and implement a data subject access request process.
2. Compliance monitoring is a more complicated and high stakes issue as it involves rigorous workforce training and monitoring for actions, behaviors and sentiments in communications. We’ve all heard the statistics that underscore just how much collaboration tool usage has skyrocketed this year. Depending on the sophistication of an organization’s records retention policy for these applications, recorded virtual meetings and collaboration platforms can add a significant burden to compliance monitoring. With ongoing remote work, communications between employees over new(ish) digital platforms, as well as external communications between a patient and doctor, sales rep/HCP, employee/supplier/government representative etc., will continue to grow and complicate the landscape of channels that must be monitored for compliance.

To address these challenges, legal, compliance and IT departments can take the following steps:

• Quickly turn their attention to enhancing information governance, records retention and digital media usage policies.
• Enhance compliance training programs.
• Engage experts for collecting data from disparate applications and creating smart workflows using a combination of AI and review teams.
• Use advanced technology that can provide sentiment analysis, which can detect changes in behavior before it becomes a problem.

Can you expand on that last point about how advanced technology detects risky behavior before it becomes a problem?

AI and analytics can augment existing data with insights to reveal abnormal behavioral patterns (such as emails being sent during off-hours) that warrant further exploration. The idea is to recognize patterns that emerge from all of the organization’s data (chat messages, email, voice recordings, structured databases, public records, etc.) and not depend on reactive alerts. Another benefit of this technology is to identify patterns and signals within datasets too large for human review. Some tools can also identify industry-specific high-risk behavior, but these are more advanced and typically require guidance from experts to effectively deploy.

Technology adoption and innovation are going to keep growing and evolving to keep up with the driving forces associated with today’s environment. One of the best things compliance teams can do is stay abreast of the changes on both the regulatory and technical fronts, and be ready to shift when needed.