Any conversation about data privacy in clinical trials requires understanding of key regulations. And with multinational trials commonplace, knowledge of global regulations is essential.
In the U.S., the Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health (HITECH) are the priorities, whereas, European trials look to the EU’s General Data Protection Regulation (GDPR) and the Clinical Trials Regulation, became applicable to trials in early 2022.
We explore what these regulations say about trial data in terms of what sponsors and trial managers need to know — and how they should safeguard trial data privacy.
A Perspective From the U.S.
HIPAA and HITECH are relevant to U.S.-based trial managers. Let’s start with HIPAA.
HIPAA: The North Star for Patient Information
The amendment in 1999 to HIPAA to cover the protection of individual health information (PHI) has been significant for the security of patient data. HIPAA, for data security, has two main thrusts: It governs patients’ rights to their data and organizations’ obligations to protect this data. HIPAA is a floor not a ceiling; it’s the base from which to facilitate the legal and safe exchange of patient data.
But HIPAA is not the only source of regulatory consideration for trial managers; there is the HITECH Act of 2009. The aim of the act was to speed up the use of electronic health records (EHRs) and broaden HIPAA’s data protection requirements and liability for non-compliance.
The Future Strengthening of HIPAA
While HIPAA remains the guiding star, some critics say changes are required to make it more robust by extending its authority over non-covered entities. Failure to make these amendments poses data security risks, writes Jordan Harrod, a Ph.D. in medical engineering at the Harvard-MIT Health Sciences and Technology program.
Harrod says HIPAA only protects “covered entities” such as healthcare providers, healthcare plans and research institutions. This enforcement is only in the U.S. and does not cover data on the internet.
The result is more information online in the possession of internet service providers and third-party data companies and that information is being sold to marketers and advertisers. The solution, then, is changes in legislation. These might include broader categories of HIPAA-regulated entities so that any entity that collects personal health information would be bound by the law, explains Harrod.
HIPAA Changes in 2021
In December 2020, the Office of Civil Rights (OCR) posted a Notice of Proposed Rulemaking for HIPAA which allowed for a comment period on changes to the law. The OCR then extended this period into May 2021. This gives healthcare providers a set period to review the guidelines and prepare to implement them.
Greg Garner, president at HIPAA Exams, broke down what each of these changes are and what they mean. A few specific changes that affect data privacy include:
- Patients have the right to access their information and store their own personal health data.
- Third parties may request patient records, but must have HIPAA documentation signed by the patient.
- Healthcare organizations should only charge “reasonable” fees to send or receive patient information. This allows patients to easily access their records without financial barriers.
Reading through these guidelines, you can understand how the proposed changes are meant to increase accessibility for patients and community organizers (resulting in better treatment) while also protecting patient privacy.
Create a Data Protection Strategy
To be compliant with HIPAA in a highly digital world requires careful planning. So, having a data protection strategy is key, says Juliana De Groot, senior marketing operations specialist at Digital Guardian. Having a clear strategy will maintain trust with patients and other stakeholders, help to maintain compliance with HIPAA and HITECH and offer better control over sensitive data.
And the increased use of EHRs means data security and privacy has become even more challenging, making data security strategies paramount. De Groot notes the protection strategy needs to safeguard all data — structured and unstructured data, emails, documents, and scans — but also allow for easy sharing between healthcare providers.
A Note About California
In 2018, the California Consumer Privacy Act was signed into law. It protects the privacy rights of California residents and dictates how businesses operating in California must treat consumer data. Important for trial managers to know is that the CCPA exempts certain clinical trial data, explain lawyers Kimberly Gold and James Hennessey.
They say the wording is ambiguous, with the CCPA exempting “information collected as part of a clinical trial subject to the Federal Policy for the Protection of Human Subjects, also known as the Common Rule, pursuant to good clinical practice guidelines issued by the International Council for Harmonisation or pursuant to human subject protection requirements of the U.S. Food and Drug Administration.”
The confusion, the pair argues, concerns whether or not clinical trial data is exempt only if conducted under the federal Common Rule. If so, the exemption would not be valid for particular types of privately funded clinical research.
Those responding to the wording have requested exemptions be valid for any clinical trial data from trials conducted under the federal Common Rule, the ICH Good Clinical Practice standards, or FDA human subject protection standards.
This law and others like it continue to evolve and strengthen. The law practice of Hunton Andrews Kurth shared some of the most recent updates to the California Privacy Rights Act of 2020, which will be implemented in spring of 2022. Amendments to this law work to protect the genetic code of residents (particularly when used for genetic testing in popular ancestry kits) while also protecting the medical privacy of Californians. These laws take HIPAA into consideration and build on it for added protections.
Goings-On in Europe
Trial managers and sponsors with trials in Europe will need to be familiar with the GDPR, which covers personal data protection in all aspects of life, and with the CTR — specific to clinical trials.
What the GDPR Demands
Informed consent to participate in a clinical trial is not the same as consenting to having personal data processed. The distinction is important to any sponsor or clinical trial manager. Personal data, according to Article 6 of the GDPR, can be processed only if the data controller is legally entitled to do so, explains Victoria Watts, vice president of privacy and global data protection officer at Premier Research.
The patient must consent first, but there are also legal requirements to meet. These include complying with an EU legal obligation that binds the controller, protecting the data subject’s vital interests and protecting the public interest.
It’s Not Just Patient Data That Matters
Sponsors based in the U.S. with trials that gather personal data from residents of the EU and European Economic Area (EEA) are bound by the GDPR. But this is not limited to patient data. Clinical trial managers will need to protect the privacy of all subjects’ data, including that from investigators and site staff, CRO, vendor and sponsor staff, writes Natasa Spasic at Pharm-Olam.
Transferring this data, as well as patient health data, outside of the EU and EEA requires that certain contractual safeguards are in place. These include binding corporate rules, a code of conduct and data protection clauses stipulated by the European Commission or Privacy Shield certification for transfers to the U.S.
The Relationship Between the GDPR and CTR
The Clinical Trials Regulation (CTR), which was enacted in 2014 but has not as yet been applied, requires certain considerations in terms of how personal data from trials and the GDPR need to be considered. The European Data Protection Board (EDPB) notes that health, genetic, biometric data will require special protections, explains data law and privacy advisor Andre Walter.
The EDPB’s recent opinion highlights key requirements concerning data privacy through the lens of the CTR and GDPR. For instance, informed consent under the CTR “will have a different qualification compared to the legal processing ground of ‘explicit consent’ under the GDPR,” he writes.
But the EDPB also considers, under the GDPR, legitimate interest and public interest as grounds — in addition to explicit consent — for data processing and sharing, according to lawyers Martin Braun, Frédéric Louis and Itsiq Benizri at WilmerHale. Legitimate interest claims require stakeholder organizations to justify the reason for their processing of data, such as by showing their legitimate interests are not incompatible with data subjects’ fundamental rights and freedoms.
Public interest claims must be based on EU law or EU member states’ laws but this would only be applicable to commercial pharma research within the EU.
The CTR places informed consent as the fundamental requirement for both participation in trials and the use of personal data. So, trial sponsors should consider patients’ informed consent to participate in trials as indicative of their consent to their data being processed. But this consent still needs to be separate and explicit, explain lawyers Patrice Navarro and Elisabethann Wright.
CTR Implementation in 2022
Despite the enactment of CTR in 2014, the processes have yet to be implemented almost a decade later. This is about to change.
Kezia Parkins at Clinical Trials Arena writes that the Clinical Trial Information System (CTIS) is ready to be deployed in early 2022. The CTIS is a key part of CTR and the cause of so many delays.
“CTIS will contain the centralised EU portal and database, and when live, will be the single EU entry point for clinical trial applications,” explains Parkins. “It will enable trial sponsors to apply for a clinical trial in all countries of the European Economic Area (EEA) with a single application rather than having to apply separately in every country.”
The CTR guidelines detail which parts of clinical trial oversight will be governed on the EU level and which will belong to member states. The CTIS will have multiple tools for oversights and monitoring, allowing for a higher standard of trial performance.
The Differences Between HIPAA and GDPR
U.S. clinical research companies have tricky terrain to cover when conducting trials outside of the country. When it comes to transferring patient data to and from the U.S., sponsors and trial managers need to seek permission and show further due diligence that the data will be secure, write clinical research professionals Esther Daemen and Tine Wouters. This might include registration with the Privacy Shield framework.
Also important to note is that compliance with HIPAA does not necessarily mean data processing complies with the GDPR. The latter is broader than HIPAA, explain Daemen and Wouters, as it is not limited to health data. More importantly, perhaps, is that these two regulations measure protected health information differently.
Specifically, HIPAA considers PHI any demographic data that allows identification of a patient, while the GDPR includes a person’s race, ethnicity, religion, and biometric, genetic and other health data. Plus, the GDPR applies to all organizations — regardless of where they are based — that handle personal data of EU residents. This is a stark difference from HIPAA, which “only applies to the relationship between covered entities and their business associates,” they write.