Public Comments: August 2007 – iPledge Program / FDA: World Privacy Forum testifies at FDA advisory committee hearing on the iPledge program; requests attention to privacy issues


The World Privacy Forum testified before the Dermatologic and Ophthalmic Drugs Advisory Committee and the Drug Safety and Risk Management Advisory Committee of the Food and Drug Administration regarding privacy issues related to iPledge, a mandatory program for patients taking the drug Accutane or isotretinoin generics. The FDA has stated that the program, which it requires four drug manufacturers to have in place, does not fall under HIPAA. The program collects substantive amounts of patient information. The Forum urged the FDA to set privacy standards for all RiskMAPs in general, and to resolve privacy issues in the iPledge program specifically. The Forum requested that all marketing provisions of the iPledge program privacy policy be removed, that patients be expressly informed the program does not fall under HIPAA, and that patients be given a printed copy of the iPledge program privacy policy, among other requests.


Written statement of Pam Dixon, executive director, World Privacy Forum
to The FDA Dermatologic and Ophthalmic Drugs Advisory Committee and the Drug Safety and Risk Management Advisory Committee Regarding Privacy and the iPledge Program

Hilton Washington DC North/Gaithersburg,
The Ballrooms
620 Perry Pkwy
Gaithersburg, MD

August 1, 2007


The World Privacy Forum is a non-profit public interest research group. We focus our work on in-depth analysis of privacy issues. We also conduct original research. Health care privacy is a core area for the World Privacy Forum. [1]

Our principal concern with iPledge is that the FDA has failed to set privacy standards for the iPledge program [2] or for similar programs that mandate patient tracking. As a result, the iPledge registry has privacy shortcomings that may potentially impact the individuals who take Accutane or Isotretinoin generics.

The FDA has taken the position that the information in the iPledge registry database is not protected by HIPAA. [3] The World Privacy Forum has some doubt that this view of HIPAA is correct. Nevertheless, in the absence of HIPAA-applicability or a comparable policy mandated by the FDA, the iPledge privacy policy is what patients must rely on for protection. However, since March 2006, the iPledge privacy policy has allowed for marketing uses of the patient data that the registry contains. [4] After I spoke about iPledge privacy policy issues at an FDA/AHRQ joint meeting on RiskMAPs on June 26, 2007, the World Privacy Forum received an email from Covance explaining that the company is planning to change its iPledge privacy policy and that it will submit a new policy to the FDA for approval. This is an important first step, and we applaud Covance for taking this step.

However, without clear, consistent privacy standards set by the FDA, pharmaceutical companies and their subcontractors can establish any privacy standards they choose, including having no privacy policy at all. Further, there is currently no independent privacy policy or oversight mechanism because the FDA has neglected the field.


I. Analysis of privacy issues in the iPledge Program

The World Privacy Forum has analyzed the iPledge program, and has found substantial privacy issues. The specific areas that need to be improved include the following items:

A. iPledge Privacy policy shortcomings

First, the original iPledge marketing clauses allow marketing through an intermediary and give Covance the ability to contact patients on behalf of a marketer or for any marketing purposes whatsoever. Here is what that policy provides:

“We provide the information to trusted partners who work on behalf of or with iPLEDGE under confidentiality agreements. These companies may use your personal information to help iPLEDGE communicate with you about offers from iPLEDGE and our marketing partners. However, these companies do not have any independent right to share this information.” [5]

Any possible use of iPledge information for marketing should be prohibited. There is no reason iPledge information should be treated differently in this regard than any other patient information covered by the HIPAA marketing limitations.

Second, the iPledge privacy policy is only available on the web. The privacy policy needs to be made available in print form and given to every patient prior to registration — in writing as part of the education kit, not in the small print on a web site. No patient should be enrolled in the iPledge program until the patient has received the iPledge privacy policy (not just the physician’s HIPAA privacy policy).

B. Patient information

All patient educational materials should address privacy issues clearly, directly, and consistently. Patients should be told the legal status of the protection of their data, that the data is not protected by HIPAA, and should be told of any state law privacy restrictions that apply. We note that in the 16-page printed patient introductory brochure, there is no mention of privacy or confidentiality.

Currently, the only place a patient can find official information about whether or not HIPAA applies to iPledge is if he or she happened to read the Prescriber section of the iPledge FAQ on the FDA web site. This is insufficient explanation for patients.

C. Physician information

Physician materials do not address privacy in a meaningful or in a complete manner. First, physicians are not given the iPledge privacy policy in the printed iPledge Program kit that is mailed to them. Physicians are not given instructions or information by the FDA as to what to tell patients about the privacy standards they can expect. Physicians do not have clear instructions about how HIPAA applies or how it does not apply to the program for patients. The small discussion in the FAQ on the FDA web site is the only discussion we could find.

D. Pregnancy registry

Women who get pregnant during treatment must register in a separate and additional part of iPledge called the iPledge pregnancy registry. This particular part of iPledge is the subject of apparently conflicting statements that need to be resolved. For example, some iPledge printed materials use the word confidential to describe the pregnancy registry; meanwhile, the current iPledge privacy policy on the iPledge web site states it allows for marketing uses of patient information.

Specifically, in the Patient and in the Prescriber Isotretinoin kits, the word confidential is used a number of times to describe certain aspects of the iPledge pregnancy registry. This occurs in the 23-page patient guide to Isotretinoin on page 9. [6] The use of confidential also occurs in the 32-page guide to best practices for Isotretinoin. [7] Because the FDA has determined that HIPAA does not apply to the program, and because the FDA has not set privacy standards, the term confidential does not have a clear meaning. Patients have no way of knowing exactly what confidential means, and the FDA has not mandated a way for patients to understand precisely how their information can be used and disclosed. Covance’s reservation of the ability to use patient information for marketing is not likely to be consistent with the average patient’s definition of confidentiality for health information.

Given the sensitivity of the pregnancy registry information as well as the potential value of pregnancy status information to marketers, patients deserve clear, consistent and transparent statements about how the pregnancy registry data will be used, stored, and shared.

E. Patient informed consent

The patient informed consent forms do not include any references to the iPledge privacy policy, or to any source for the privacy standards that govern the iPledge program. While it is hard to assess general patient understanding of HIPAA, it is likely that patients will assume that HIPAA applies unless they are told otherwise. Information about the applicability or non-applicability of HIPAA should be a prominent part of the informed consent process.


II. Recommendations for correction

We do not know what changes will be proposed by Covance to the iPledge program at the August 1, 2007 hearing. We hope, however, that the FDA will carefully consider the issues we raise here and correct the lack of standards and oversight in this program, as well as correct the specific issues we discuss briefly here.

The following are our recommendations for correcting the immediate problems in the iPledge program.

  • The FDA needs to set consistent privacy standards for all RiskMAPs, including iPledge. We encourage the FDA to make these standards equal to or better than the HIPAA privacy and security rule. The FDA should recognize that RiskMAP programs place patients at great risk for privacy because the programs collect and share patient data more widely than the average prescription medication. The FDA standards should mandate independent auditing of privacy policy compliance.
  • The FDA needs to make its position on HIPAA and RiskMAPs clear to physicians in its printed best practices for physicians. If prescribers do not have a clear and well-informed idea of privacy protections afforded to patients, then their patients will not be able to obtain accurate information from the best source of information about program consequences. It is unreasonable to ask physicians to go to a web site to search for an FDA statement about the lack of applicability of HIPAA.
  • The iPledge privacy policy must not allow any marketing uses or disclosures of patient information, including marketing through an intermediary or by Covance directly. The patient information in the iPledge registry should not be a profit center for Covance or any of the pharmaceutical manufacturers.
  • The iPledge privacy policy needs to be given in print form to each patient. The privacy policy should be included in print form in all printed patient kits. The policy and the governing privacy standards should be explained to patients before they enter the iPledge program.
  • The privacy standards governing the iPledge pregnancy registry need to be greatly clarified for physicians and for patients. What does the word confidential mean in this context? If the pregnancy registry does not fall under HIPAA, then patients and physicians need to be told this, and very clear explanations of the precise standards that will be applied need to be given to patients and physicians in writing, in print format (not just on the web) prior to patient sign-up in the program.


III. Conclusion

The World Privacy Forum is encouraged by Covance’s willingness to change its privacy policy. We have not seen the new privacy policy yet, but we will be looking closely at it when it is published. However, even if the policy that Covance adopts is perfectly attuned to patient privacy needs, it will be a policy voluntarily adopted and subject to change at any time by Covance. Our broadest concern is that the iPledge drug registry could be used as a model RiskMAP system for many more drugs. Use of the registry model with no standardized privacy protections put in place by the FDA could potentially act to circumvent privacy protections Congress sought to give patients taking medications when it enacted HIPAA.

Thank you for holding this hearing, and thank you for your attention to this matter. We have attached our June 26, 2007 written testimony to this written statement. In the June joint meeting, we articulated our concerns with RiskMAPs and privacy, as well as some specific issues with the language in the iPledge privacy policy.


Respectfully submitted,

Pam Dixon
Executive Director,
World Privacy Forum






[1] See <>.

[2] Patients who go on the medication Accutane or its generics must register in a mandatory, computer-based drug registry and patient tracking program called iPledge. The program began March 1, 2006.

[3] The FDA’s iPledge Program Frequently Asked Questions as of October 6, 2006 states: “Under HIPAA, covered entities are defined as three groups: health plans, health care providers and health care clearinghouses. Pharmaceutical manufacturers are not included in any of these groups, therefore, the manufacturers of isotretinoin are not covered entities under HIPAA and HIPAA does not apply to the iPLEDGE Program.” See <> at 13.

[4] The iPledge privacy policy contains a number of potential loopholes and other issues. Even if the pharmaceutical companies do not receive identifiable patient information, patient information given for treatment purposes could still under this policy be used for marketing purposes, which is inappropriate. The full policy is available at <>.

[5] See iPledge privacy policy at <>.

[6] See Guide to Isotretinoin for Female Patients who can get pregnant, p. 9: “The confidential iPLEDGE Program Pregnancy Registry is a way to collect that information” and “Your doctor will tell you about the confidential iPLEDGE Program Pregnancy Registry.”

[7] See iPLEDGE Program Guide to Best Practices (Prescriber Guide), p. 14: “Female patients of childbearing potential: Inform patient about confidential iPLEDGE Program Pregnancy Registry” (bullet 8); see also footnote on same page: “Refer to page 24 for information about reporting pregnancies to the confidential iPLEDGE Program Pregnancy Registry.” See also p. 24, “Reporting Pregnancy: The iPLEDGE Program Pregnancy Registry / The iPLEDGE Program Pregnancy Registry collects data on pregnancies that occur in female patients who become pregnant while taking isotretinoin or within 1 month of their last dose. Data from the registry are reported to the FDA and are used to assess the effectiveness of the iPLEDGE program. The data are also used to evaluate further ways to reduce fetal exposure. Information gathered in the iPLEDGE Program Pregnancy Registry will be used for statistical purposes only and will be held in the strictest confidence.”