Pharmacovigilance in the USA

Pharmacovigilance

Monitoring

What post-market monitoring mechanisms are in place to ensure the ongoing safety and efficacy of medicinal products after marketing authorisation has been granted?

Under US regulations, life sciences companies are required to report adverse events involving pharmaceuticals (21 CFR 314.80), biologic products (21 CFR 600.80) and medical devices (21 CFR 803). The Food and Drug Administration(FDA) maintains two post-market monitoring systems: the FDA Adverse Event Report System (FAERS) for pharmaceuticals and biologic products and the Manufacturer and User Facility Device Experience (MAUDE) database for medical devices. A key difference is that FAERS generally includes all reported adverse events, whereas MAUDE generally includes only serious or life-threatening adverse events or device malfunctions that could potentially lead to serious or life-threatening adverse events.

Data protection

What data protection issues should be considered when conducting pharmacovigilance activities?

Under the Health Insurance Portability and Accountability Act (HIPAA), covered entities (which includes most healthcare providers) may disclose protected health information to a person subject to FDA jurisdiction, for public health purposes related to the quality, safety or effectiveness of an FDA-regulated product or activity for which that person has responsibility. Examples of purposes or activities for which such disclosures may be made include, but are not limited to:

collecting or reporting adverse events (including similar reports regarding food and dietary supplements), product defects or problems (including problems regarding use or labelling), or biological product deviations;
tracking FDA-regulated products;
enabling product recalls, repairs, replacement or lookback (which includes locating and notifying individuals who received recalled or withdrawn products or products that are the subject of lookback); and
conducting post-marketing surveillance (45 CFR § 164.512(b)(1)(iii)).

The “person” subject to the jurisdiction of the FDA does not have to be a specific individual, and instead may be an entity, such as a partnership, corporation or association including a pharmaceutical manufacturer of the FDA-regulated product. Based on applicable guidance, covered entities may identify the party or parties responsible for an FDA-regulated product from the product label, from written material that accompanies the product (ie, the product labelling) or from sources of labelling, such as the Physician’s Desk Reference.

The disclosures described above may be made in the absence of patient consent. However, covered entities are required to provide a privacy notice to patients that describes their uses and disclosures of protected health information and make a good-faith effort to obtain an acknowledgement of receipt of the notice from patients.

Importantly, HIPAA does not pre-empt stricter state laws. Some state privacy laws that restrict the processing of medical information may require a healthcare provider to obtain individual consent to disclose such information to a pharmaceutical manufacturer for pharmacovigilance purposes.

Register now for your free, tailored, daily legal newsfeed service.

Pharmacovigilance in the USA

Filed under

Topics

Organisations

Laws

Popular articles from this firm

Gambling Laws of the World *

Arbitration Matters Bulletin: February 2026 *

Clinical trials in the USA *

Project Finance Law: Social Responsibility Risk *

Advertising & marketing to children global report November 2016 *

Professional development

Related practical resources PRO

Related research hubs

Health Insurance Portability and Accountability Act 1996 (USA)

Global

USA

Healthcare & Life Sciences