Any conversation about data privacy in clinical trials requires understanding of key regulations. And with multinational trials commonplace, knowledge of global regulations is essential.
In the U.S., the Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health (HITECH) are the priorities, whereas, European trials look to the EU’s recent General Data Protection Regulation and the delayed Clinical Trials Regulation, set to become applicable to trials in the middle of 2020.
We explore what these regulations say about trial data in terms of what sponsors and trial managers need to know — and how they should safeguard trial data privacy.
HIPAA and HITECH are relevant to U.S.-based trial managers. Let’s start with HIPAA.
The amendment in 1999 to HIPAA to cover the protection of individual health information (PHI) has been significant for the security of patient data. Indeed, Patsy Bailin at Datavant calls HIPAA “the industry’s ‘north star’ for the collection, use, exchange, and protection of patient information.”
HIPAA, for data security, has two main thrusts: It governs patients’ rights to their data and organizations’ obligations to protect this data. Bailin says to think of HIPAA as a floor not a ceiling. It’s the base from which to facilitate the legal and safe exchange of patient data.
But HIPAA is not the only source of regulatory consideration for trial managers. Bailin mentions the HITECH Act of 2009. The aim of the act was to speed up use of electronic health records (EHRs) and broaden HIPAA’s data protection requirements and liability for non-compliance.
While HIPAA remains the guiding star, some critics say changes are required to make it more robust by extending its authority over non-covered entities. Failure to make these amendments poses data security risks, writes Jordan Harrod, a Ph.D. student in medical engineering at the Harvard-MIT Health Sciences and Technology program.
Harrod says HIPAA only protects “covered entities” such as healthcare providers, healthcare plans and research institutions. This enforcement is only in the U.S. and does not cover data on the internet.
The result is more information online in the possession of internet service providers and third party data companies and that information is being sold to marketers and advertisers. The solution, then, is changes in legislation. These might include broader categories of HIPAA-regulated entities so that any entity that collects personal health information would be bound by the law, explains Harrod.
Other options would be better encryption and anonymization protocols to counteract the advancements in machine learning re-identification capabilities. But, as Harrod says, perhaps the U.S. should look to the GDPR for inspiration. Replicating the GDPR’s binding nature on all companies that handle personal data — and penalties for violation of that data — would be valuable.
To be compliant with HIPAA in a highly digital world requires careful planning. So having a data protection strategy is key, says Juliana De Groot, marketing operations specialist at Digital Guardian. Having a clear strategy will maintain trust with patients and other stakeholders, help to maintain compliance with HIPAA and HITECH and offer better control over sensitive data.
And the increased use of EHRs means data security and privacy has become more challenging, making data security strategies paramount. De Groot notes the protection strategy needs to safeguard all data — structured and unstructured data, emails, documents, and scans — but also allow for easy sharing between healthcare providers.
Last year, the California Consumer Privacy Act was signed into law. It protects the privacy rights of California residents and dictates how businesses operating in California must treat consumer data. Important for trial managers to know is that the CCPA exempts certain clinical trial data, explain lawyers Kim Gold and James Hennessey at Reed Smith.
They say the wording is ambiguous, with the CCPA exempting “information collected as part of a clinical trial subject to the Federal Policy for the Protection of Human Subjects, also known as the Common Rule, pursuant to good clinical practice guidelines issued by the International Council for Harmonisation or pursuant to human subject protection requirements of the U.S. Food and Drug Administration.”
The confusion, the pair argues, concerns whether or not clinical trial data is exempt only if conducted under the federal Common Rule. If so, the exemption would not be valid for particular types of privately funded clinical research.
Those responding to the wording have requested exemptions be valid for any clinical trial data from trials conducted under the federal Common Rule, the ICH Good Clinical Practice standards, or FDA human subject protection standards. Trial managers will need to keep abreast of which interpretation will be decided upon.
Trial managers and sponsors with trials in Europe will need to be familiar with the GDPR, which covers personal data protection in all aspects of life, and with the CTR — specific to clinical trials.
Informed consent to participate in a clinical trial is not the same as consenting to having personal data processed. The distinction is important to any sponsor or clinical trial manager. Personal data, according to Article 6 of the GDPR, can be processed only if the data controller is legally entitled to do so, explains Victoria Watts, global data protection officer at Premier Research.
The patient must consent first, but there are also legal requirements to meet. These include complying with an EU legal obligation that binds the controller, protecting the data subject’s vital interests and protecting the public interest.
Sponsors based in the U.S. with trials that gather personal data from residents of the EU and European Economic Area (EEA) are bound by the GDPR. But this is not limited to patient data. Clinical trial managers will need to protect the privacy of all subjects’ data, including that from investigators and site staff, CRO, vendor and sponsor staff, writes Natasa Spasic at Pharm-Olam.
Transferring this data, as well as patient health data, outside of the EU and EEA requires that certain contractual safeguards are in place. These include binding corporate rules, a code of conduct and data protection clauses stipulated by the European Commission or Privacy Shield certification for transfers to the U.S.
The Clinical Trials Regulation (CTR), which was enacted in 2014 but has not as yet been applied, requires certain considerations in terms of how personal data from trials and the GDPR need to be considered. The European Data Protection Board (EDPB) notes that health, genetic, biometric data will require special protections, explains privacy and cybersecurity advisor Andre Walter.
The EDPB’s recent opinion highlights key requirements concerning data privacy through the lens of the CTR and GDPR. For instance, informed consent under the CTR “will have a different qualification compared to the legal processing ground of 'explicit consent' under the GDPR,” he writes.
But the EDPB also considers, under the GDPR, legitimate interest and public interest as grounds — in addition to explicit consent — for data processing and sharing, according to lawyers Wilmer Hale. Legitimate interest claims require stakeholder organizations to justify the reason for their processing of data, such as by showing their legitimate interests are not incompatible with data subjects’ fundamental rights and freedoms.
Public interest claims must be based on EU law or EU member states’ laws but this would only be applicable to commercial pharma research within the EU.
The CTR places informed consent as the fundamental requirement for both participation in trials and the use of personal data. So trial sponsors should consider patients’ informed consent to participate in trials as indicative of their consent to their data being processed. But this consent still needs to be separate and explicit, explain lawyers Patrice Navarro and Elisabethann Wright.
U.S. clinical research companies have tricky terrain to cover when conducting trials outside of the country. When it comes to transferring patient data to and from the U.S., sponsors and trial managers need to seek permission and show further due diligence that the data will be secure, write Esther Daemen and Tine Wouters at TRIUM Clinical Consulting NV. This might include registration with the Privacy Shield framework.
Also important to note is that compliance with HIPAA does not necessarily mean data processing complies with the GDPR. The latter is broader than HIPAA, explain Daemen and Wouters, as it is not limited to health data. More importantly, perhaps, is that these two regulations measure protected health information differently.
Specifically, HIPAA considers PHI any demographic data that allows identification of a patient, while the GDPR includes a person’s race, ethnicity, religion, and biometric, genetic and other health data. Plus, the GDPR applies to all organizations — regardless of where they are based — that handle personal data of EU residents. This is a stark difference from HIPAA, which “only applies to the relationship between covered entities and their business associates,” they explain.
Images by: milkos/©123RF Stock Photo, everythingpossible/©123RF Stock Photo, asawinklabma/©123RF Stock Photo