Pharmaceutical companies are increasingly looking for innovative ways to improve healthcare outcomes for patients. One potential way to do this is for companies to implement a patient support programme (a “PSP”). This article explores some of the key legal risks which need to be considered as companies consider Irish PSPs and also considers potential ways to mitigate those risks.

IPHA Code compliance risk

In Ireland, the majority of originator pharmaceutical companies are members of the Irish Pharmaceutical Healthcare Association (“IPHA”). Where the company is member of IPHA, the provision of a PSP will be subject to the IPHA Code of Practice for the Pharmaceutical Industry. The IPHA Code refers to PSP as a ‘Healthcare Support Service’, being defined there as a ‘process enhancement initiative or medical service support (e.g. patient compliance initiative, sharps bin service, disease identification, screening or genetic marker test, review of patient management/treatment quality review etc.) provided by a pharmaceutical company that ultimately improves patient care and welfare’. The examples given there are clearly not intended to be exhaustive. As well as potentially providing the PSP directly, the company may engage a third party to undertake the PSP (not least as this can provide a useful degree of independence from the activity itself).

Where applicable, the IPHA Code requires there to be a genuine need for the support and a written contract to be in place with the relevant healthcare professional (or presumably, the relevant recipient hospital). Its Annex II on nursing services also sets out further requirements which must be complied with for those services (e.g. the use of trained and licensed nurses). The IPHA Code requires that a PSP must have the objectives of monitoring disease activity, achieving better healthcare outcomes and enhancing patient care.

Further, under the IPHA Code, a PSP must be ‘...non-promotional, must not be designed as an inducement to prescribe and must not be designed or operated in a promotional manner’ and that any support ‘…does not offset the routine business practice costs of the recipient’. It also states that proposals to provide a PSP ‘…must be reviewed, and the details approved in advance, by the appropriate non-promotional function within the company (e.g. Scientific Services, medical, legal etc.)’. When company staff are involved in the provision of the PSP they must report to that function within the company and their compensation must not relate to sales of the company’s products.

Patients involved in the PSP must also be advised of the company’s involvement and the patient’s consent obtained, where required. Accordingly, appropriate forms and notices will need to be designed and implemented.

Data protection risk

Where a PSP involves the processing of personal data of patients and/or healthcare professionals, the company will also need to consider data protection law. This will involve, for example, considering the extent to which it will be a controller of the personal data which is collected and processed as part of the proposed PSP and the need to provide notice of, and have a legal basis for, any processing of personal data.

Where the company does not usually have significant direct interactions with patients or handle such patient data in the course of its day-to-day business operations, a PSP may raise additional data protection law risk to it and to data subjects. Some of the potential risks include the company or a third party not implementing sufficient organisational and technical measures to ensure the security of personal data, the associated potential for data breaches, that too much personal data is collected and processed in the PSP and that data subjects are not made sufficiently aware of the processing of their data.

Where high risks to data subjects are perceived, it is also mandatory to undertake a data protection impact assessment for the PSP. Where a third party will be involved, conducting data protection due diligence on, and contracting with, a reputable and experienced third party provider will also mitigate some of the data protection compliance risk involved. Although not usually likely to be relevant, where applicable, the Irish Health Research Regulations 2018 should also be considered.

Non-compliance by any entity with data protection law could lead to exposure to significant fines (up to the greater of €20,000,000 or 4% of the annual worldwide turnover), regulatory enforcement actions by data protection authorities (e.g. enforcement notices, warnings/reprimands) and/or claims by individual data subjects.

Administration or service failure - liability risk

Where the PSP involves company or third party staff acting on behalf of the pharmaceutical company in providing care or services to patients and this causes physical injury or other harm to any such patient, this could present an additional risk. As such, the pharmaceutical company is potentially exposing itself to being joined in medical negligence or other similar proceedings brought by a patient (or their estate) or by the relevant hospital.

To mitigate this, a reliable, professional and experienced third party provider and/or appropriately trained company employees should be engaged to operate the PSP. Full training should also be provided to any such third party and, in all cases, appropriate records should be kept. As to potential financial liability when engaging a third party, the pharmaceutical company should also seek to include contractual protection in its agreement with that entity. This could include obtaining an indemnity for the pharmaceutical company in respect of all loss, liability and cost arising from the acts or omissions of the third party in providing the PSP services. The pharmaceutical company should also review relevant insurances and the financial standing of any third party.

Pharmacovigilance risk

When implementing PSPs involving medicinal products, marketing authorisation (“MA”) holders must follow the pharmacovigilance requirements laid down in Directive 2001/83/EC and Regulation (EC) No 726/2004 (as amended), including as implemented in Ireland (principally by the Medicinal Products (Control of Placing on the Market) Regulations 2007 (as amended)) and should also follow relevant EU guidance. This requires MA holders to have in place an appropriate system for pharmacovigilance in order to assume responsibility for marketed medicines and to ensure appropriate action may be taken when suspected adverse reactions are observed.

Given the above, it will be important that the company’s pharmacovigilance team is kept fully aware of the nature and extent of the PSP. Additionally, appropriate procedures should put in place within any PSP itself (and reflected in any contract with any third party) such that suspected adverse reactions identified during any PSP are monitored and reported to the Irish Health Products Regulatory Authority (or other authority as required). Relevant training on the pharmacovigilance obligations should also be provided by the pharmaceutical company as necessary.

Non-compliance with advertising/HCP interaction rules risk

Finally, the advertising of medicinal products is regulated by the Medicinal Products (Control of Advertising) Regulations 2007 (the “Advertising Regulations”). With very limited exception, medicines may not be advertised or promoted to the general public if they are prescription-only medicines. The Advertising Regulations apply to ‘persons’ promoting medicinal products, offering hospitality or supplying free samples to ‘persons qualified to prescribe or supply medicinal products’.

In relation to branding, while the IPHA Code provides that materials used in the PSP may be company branded, they may only include the brand name of the medicine, to support the safe use of the medicine, after the prescribing decision has been made. Any materials used in providing the service must be non-promotional.

Given the above, where any PSP relates to a prescription medical product, information supplied to patients or patient organisations should not be of (or be seen to be of) a promotional nature and all information supplied to healthcare professionals should comply with the rules set out in the Advertising Regulations and the IPHA Code. Any interactions with healthcare professionals must also comply with those relevant rules and all materials delivered to healthcare professionals should also be reviewed to comply with the Advertising Regulations and the IPHA Code.

This briefing is for general guidance only and should not be regarded as a substitute for professional advice. Such advice should always be taken before acting on any of the matters discussed.