Public Comments: June 2007 – FDA/AHRQ Public Workshop, Implementation of Risk Minimization Action Plans to Support Quality Use of Pharmaceuticals: Opportunities and Challenges



World Privacy Forum executive director Pam Dixon testified at an FDA/AHRQ joint public workshop about the need for the FDA to set robust privacy standards for drug risk minimization programs, which are put in place for drugs the FDA has determined to be high risk in some way. Drug risk minimization programs (like the iPledge program for the acne drug Accutane) are not typically covered by HIPAA, and some programs have a privacy policy that allows marketing use of patient information collected as part of the risk program. This kind of marketing activity would not be allowable if the programs fell under HIPAA, and Dixon’s testimony stated that patients in these programs should have the same kinds of privacy protections as HIPAA covered programs, and that marketing activities involving patient information should not be allowable in these programs.


Statement of Pam Dixon, Executive Director, World Privacy Forum


The Food and Drug Administration and the Agency for Healthcare Research and Quality

FDA/AHRQ Public Workshop, Implementation of Risk Minimization Action Plans to Support Quality Use of Pharmaceuticals: Opportunities and Challenges

June 26, 2007

Rockville Maryland


The Lack of FDA Attention to Privacy Standards in RiskMAPS has Resulted in the Unethical and Inappropriate Marketing of Patient Information Collected for Treatment Purposes

Thank you for the opportunity to testify on issues of privacy and confidentiality as they apply to RiskMAPs, or Risk Minimization Action Plans. My name is Pam Dixon and I am the executive director of the World Privacy Forum. The World Privacy Forum is a non-profit, non-partisan public interest research group. Our work focuses on in-depth research and analysis of privacy issues, with health care being one of our key focus areas.

The FDA has not paid attention to privacy standards that should be applied to RiskMAP programs. Unfortunately, this lack of FDA attention has resulted in inappropriate and unethical marketing to patients using patient information gathered for treatment purposes. If these marketing activities were being conducted by HIPAA-covered entities, the activities would be illegal. These activities may well be illegal in California, which has a strong state-level medical privacy law that goes beyond HIPAA.

The FDA needs to set privacy standards for RiskMAPs that resolve this problem. The marketing use of patient information collected for safety, public health, and research purposes is an unsupportable practice that should be expressly prohibited by the FDA, if not by statute.

Privacy protections for patients from marketing uses of their sensitive data do not need to interfere with public safety. In fact, privacy protections would advance the safety of patients because with strong privacy protections, patients would find fewer reasons to seek RiskMAP-protected drugs through the Internet or other means.


Example: iPledge’s marketing to patients would not be legal if conducted by a HIPAA-covered entity, and it may not be legal for California patients under the CMIA

To cite one example, the World Privacy Forum’s analysis of the iPledge RiskMAP [1] program found systemic privacy concerns. The most significant and troubling problem our analysis found is the marketing of sensitive patient information gathered for treatment purposes.

All patients who are prescribed the drug isotretinoin (Accutane or its generics) must register in a mandatory, computer-based drug registry and patient tracking program called iPledge. The iPledge program was approved by the FDA as a risk minimization program (RiskMAP) August 12, 2005, and the program became mandatory March 1, 2006. The program is operated by the four drug manufacturers who make Accutane or isotretinoin generics, and is administered by Covance. The iPledge program does not fall under HIPAA, a fact stated in the FDA’s iPledge FAQ:

Pharmaceutical manufacturers are not included in any of these groups [covered entities under HIPAA], therefore the manufacturers of isotretinoin are not covered entities under HIPAA and HIPAA does not apply to the iPledge program. (FDA iPledge FAQ at 13) [2]

If the iPledge program did fall under HIPAA, its current use of patient information for marketing would be illegal. Under the California Confidentiality of Medical Information Act, which goes further than HIPAA, the program may be currently illegal.


The FDA knew marketing could be an issue in iPledge

The FDA knew that marketing using patient information provided to a RiskMAP program could happen. In a February 10, 2006 hearing at which the iPledge program was discussed, a member of the FDA Drug Safety and Risk Management Advisory Committee asked:

My question is, will these data by the manufacturers be used for any purposes other than pregnancy prevention or detection efforts, because in the past, we asked would they be used for marketing or any other use? (Stephanie Y. Crawford, Ph.D, Drug Safety and Risk Management Advisory Committee member).

To which the reply was:

….To your last question, absolutely not. The data is only for risk management purposes. (Susan Ackermann, Hoffman-La Roche).

(Drug Safety and Risk Management Advisory Committee, Volume II, Friday, Feb. 10, 2006, at 182-183.)

The iPledge privacy policy directly contravenes this statement.


The iPledge privacy policy specifically allows marketing and information combining

The iPledge privacy policy states that patient information can be used for marketing purposes. Current as of June 26, 2007, the iPledge privacy policy states:

Information Sharing and Disclosure

0.iPLEDGE does not rent, sell, or share personal information about you with other people or nonaffiliated companies except to provide products or services you’ve requested, when we have your permission, or under the following circumstances:

We provide the information to trusted partners who work on behalf of or with iPLEDGE under confidentiality agreements. These companies may use your personal information to help iPLEDGE communicate with you about offers from iPLEDGE and our marketing partners. However, these companies do not have any independent right to share this information.

The iPledge privacy policy is filled with other troubling statements and loopholes. For example, the policy states:

iPLEDGE may combine information about you that we have with information we obtain from business partners or other companies.


This policy does not apply to the practices of companies that iPLEDGE does not own or control, or to people that iPLEDGE does not employ or manage.

(Privacy policy available at

This policy is troubling because the iPledge registry is not anonymous, and it collects highly sensitive information. It collects each patient’s full name, date of birth, gender, address, last four digits of their SSN, phone number, email, and an assigned iPledge ID card number. Women who can get pregnant must disclose the two methods of contraception they are using to prevent pregnancy, and the results of pregnancy tests.

Because the FDA has determined that iPledge does not fall under HIPAA, [3] the primary privacy protection patients must rely on is the privacy policy. In this case, the privacy policy expressly allows marketing using patient data. It should be noted that medical information about consumers is generally a valuable commodity in the marketing world. [4]


The FDA has not done enough to set privacy standards for RiskMAPs

The World Privacy Forum appreciates the FDA’s efforts to make drugs available and make them safe. But the FDA has not done enough to set standards for privacy practices in RiskMAPs. IPledge is but one example of a RiskMAP; other RiskMAPs have even more opacity regarding privacy practices than iPledge. Patients should never be forced to either use a drug and have no option but be marketed to, or not have access to the drug at all.

The lack of privacy restrictions on RiskMAP programs violates the spirit of HIPAA as well as the privacy rights of patients. The FDA has, intentionally or not, assigned a required part of these RiskMAP programs to entities that the FDA has determined are not covered by HIPAA. RiskMap programs could be structured differently so that they would fall under HIPAA. In the alternative, the FDA could impose privacy restrictions that would protect patients against marketing uses of especially sensitive personal information. So far, the FDA has chosen neither approach.

The FDA should immediately set privacy standards that will apply to all RiskMAPs. Whatever standards the FDA determines, one of them should be to expressly prohibit marketing to patients who have disclosed information for treatment purposes in a RiskMAP setting. To reiterate, all patient safety goals can be met and improved upon while still providing patients privacy protection that is fully appropriate, necessary, and rightfully expected by patients.


Respectfully submitted,

Pam Dixon
Executive Director,
World Privacy Forum






[1] See U.S. Food and Drug Administration, Center for Drug Evaluation and Research, Isotretinoin Capsule Page. <>.

[2] The World Privacy Forum takes no position on the legal conclusion that the iPledge RiskMAP does not fall under HIPAA.

[3] See IPledge Program Frequently Asked Questions As of October 6, 2006, available at the FDA web site, <>.
[4] A search of the DirectMag listfinder service for generally available marketing lists relating to medical

data on consumers as of June, 2007 using the keyword “ailment” returned more than 400 marketing lists of consumers with various kinds of ailments. DirectMag listfinder, <>.