Otsuka’s Digital Drug: A Privacy Poison Pill?

Stay ahead of developments in federal and state health care law, regulation and transactions with timely, expert news and analysis.

By Greg Langlois

A pill with a sensor confirming it’s gone down the hatch could be a breakthrough in patient treatment compliance—if it doesn’t get swallowed up by privacy concerns.

The Food and Drug Administration last month approved Abilify MyCite, the first drug in the U.S. embedded with a sensor that registers whether a patient has taken it. That and other information is transferred to a smartphone application, and patients can then choose to share the data with doctors and caregivers to assess how a treatment regimen is progressing.

The promising digital tool could improve patient adherence to treatment plans—which can be a vexing problem—but also generate anxiety about consent and data security, health and privacy law practitioners told Bloomberg Law.

“You could think of ways this could be enormously positive, and of course you can also think of ways where it could be enormously negative,” said Deven McGraw, former deputy director of health information privacy at the Department of Health and Human Services’ Office for Civil Rights. “And that’s always a challenge with things like this—how do you make sure that the technology is deployed only for good and not for bad?”

Adherence Importance

Abilify, sold by Rockville, Md.-based Otsuka America Pharmaceutical Inc., is used to treat schizophrenia and bipolar disorder and as an adjunct treatment for depression. The added ingestible sensor, the size of a grain of sand, is made by Redwood City, Calif.-based Proteus Digital Health Inc.

Stomach fluids activate the sensor, which transmits the date and time the pill was taken as well as other information the patient may choose to capture—such as activity level and mood at the time—to a patch worn on the side of the body. The patch in turn transmits the data to an app, which allows the patient to decide which information to share with health-care providers and family members.

Problems with treatment compliance “is a big issue for a lot of populations” and has spurred development of “soft tech” solutions, such as daily pill organizers and pill bottles that register they’ve been opened, McGraw said in a Dec. 21 interview. But “this is the first time we’ve seen a technology like this where you have absolute certainty about whether it’s been taken or not,” she said.

“This makes it seamless,” she said. “That’s really in many ways what technology should do, which is help people achieve a goal in a way that takes away all the opportunities for them to fail.”

Increasing compliance improves treatment outcomes for mental health and other conditions and saves money, Pepper Hamilton LLP health sciences partner Sharon Klein said in a Dec. 19 interview.

“For the chronic disease states, making sure that people are actually taking the medications that are prescribed lowers the cost of those individuals’ care,” Klein said. “I think that’s been relatively proven.”

Consent Qualms

Privacy concerns with a data-generating health product such as Abilify MyCite center on consent and data security.

A health-care payer could, for example, require a patient to take the tracking medicine or not pay for it, McGraw suggested—essentially coerced consent to monitoring. The information gathered might be sold and used for marketing purposes, she said, possibly generating unwanted, targeted ads.

Or, a patient’s data could be used for purposes, even useful ones, not yet dreamed up when treatment begins, Squire Patton Boggs LLP health privacy and cybersecurity partner Elliot Golding said in a Dec. 21 interview.

“In order to achieve a lot of the benefits of these new technologies, we need to be able to use the data to get insights,” he said, “but a lot of the time, you don’t really know at the time of collection exactly [what] all the amazing ways you can use that data at some point will be. How do you tell someone about the potential to want to use their data for some technology that doesn’t even exist yet?”

Full disclosure and fully informed consent are key, Klein said. Disclosure and consent requirements under the Federal Trade Commission Act and possibly the Health Insurance Portability and Accountability Act would apply, she said.

Legally compliant disclosures “have to be complete and in plain English,” Klein said. “Say what you do and do what you say.”

Legal requirements provide “an important foundation,” McGraw said, “but I think it’s far more important for the companies who use this technology to recognize that the best way to deploy this is in a way that consumers will trust.”

Data Insecurity

Health data-generating products also naturally raise data security risks. Breaches can reveal very sensitive information about medical conditions and produce other harms, even employment discrimination, Golding said. Identity theft and exploitation of financial information can result, and criminals armed with stolen information might even use it to submit fraudulent health insurance claims, he said.

A product like Abilify MyCite, where data transmissions make several stops along the way to authorized users—from the sensor to the patch to a phone and to a web portal—opens up multiple points of exposure, Klein noted.

“That stream would have to be encrypted and secure,” Klein said.

Similarly, exposure increases as patients authorize more people to view their data, she said.

“The more that you distribute information, the greater the risk of data breach,” Klein said. “What we say in privacy is, ‘Once it’s gone, it’s gone.’”

Mitigation Measures

Ostuka works “purposely and deliberatively to earn and keep the trust” of its customers and patient privacy “was a key factor in the entire effort to develop and obtain regulatory approval” for its digital pill, company spokesperson Kimberly Whitefield said in a Dec. 22 email to Bloomberg Law.

Patients must provide consent to share their information, she said, and the company will explain to them how the data will be used. Phone app data are stored on a secure, HIPAA-compliant cloud-based server and are encrypted, she said, and data also are encrypted while in transit.

Otsuka limits employee access to patient data to authorized users, and it also created a bioethics steering committee to provide independent advice on “respecting individual autonomy, maximizing benefit, minimizing risk, and ensuring fairness,” Whitefield said.

Shared Future

In the tug-of-war between privacy concerns and data sharing, sharing is winning, Klein said. Consumers are comfortable with step- or sleep-tracking devices, for example, and commercial genetic tests, she noted.

This trend is true specifically for treatment compliance, Klein said, noting exceptions to privacy rules to allow for it have grown. HIPAA, for example, originally didn’t allow refill or expiration notices pharmacies often provide, she said, and a carve-out to the law now allows that.

“I think it’s just a balance between being able to get people to take their medications against some level of privacy and security risk, and where I see the law heading frankly is to get people to take their meds,” Klein said. “People are opting for medication adherence so that they hopefully can get some health benefit, and [they] don’t worry as much about the privacy impact.”

To contact the reporter on this story: Greg Langlois in Washington at glanglois@bloomberglaw.com

To contact the editor responsible for this story: Randy Kubetin at rkubetin@bloomberglaw.com

For More Information

The FDA's notice about approval of Abilify MyCite is at https://www.fda.gov/NewsEvents/Newsroom/PressAnnouncements/ucm584933.htm.

An infographic on the medication prepared by Otsuka and Proteus is at http://src.bna.com/vc4.

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Health Care on Bloomberg Law