The idea that a patient's health information is private is not new; the Hippocratic Oath has carried a duty of confidentiality for more than two thousand years. Regulation, however, lagged far behind: in the United States there was no comprehensive federal standard for protecting patient health information until the Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996.
HIPAA was the first US federal regulation to set standards for medical information and patient privacy in an increasingly digital world, defining the category of sensitive health data it covers as Protected Health Information (PHI). The General Data Protection Regulation (GDPR), adopted by the European Union in 2016 and enforceable since May 2018, has the broader goal of protecting the personal data and privacy of individuals in the EU, regardless of citizenship. GDPR puts an emphasis on transparency, a lawful basis (often consent) for every processing activity, and data minimization when handling personal data.
Although GDPR originated in the European Union, many countries outside the EU have since enacted privacy laws modeled on its concepts. In the United States, individual states are also enacting broader consumer data protection laws, such as the California Consumer Privacy Act (CCPA), enacted in 2018, and the Virginia Consumer Data Protection Act (VCDPA), passed in 2021.
Complying with these evolving regional, national, and global consumer and patient privacy regulations places a significant burden on biopharmaceutical companies running clinical trials, not only across the US but globally. Patient recruitment service providers often conduct outreach on behalf of biopharmaceutical companies, contacting patients, handling their personal information, and managing PHI. Beyond the regulations above, these providers must also comply with laws such as the Children's Online Privacy Protection Act (COPPA), which protects the online privacy of children under the age of 13.
Compliance with privacy regulations involves technological, procedural, legal, data storage, and data transfer considerations. The specific requirements in each of these categories are discussed briefly below.
HIPAA is scoped to PHI held by covered entities and their business associates. It permits PHI to be used and disclosed for treatment, payment, and health-care operations without the patient's authorization, but it requires written patient authorization for marketing and for most research uses (unless an Institutional Review Board or Privacy Board grants a waiver). It also gives patients the right to opt out of certain disclosures, such as fundraising communications.
GDPR has a broader scope than HIPAA: it covers all personal data, not only health data, and requires a lawful basis for any processing. Consent is one such basis, and health data is a "special category" under Article 9 that can be processed only with the data subject's explicit consent or under another narrowly defined condition, such as scientific research with appropriate safeguards. In practice, clinical trial sponsors usually rely on explicit consent.
Because HIPAA and GDPR impose different requirements and take different approaches, organizations subject to both must consider each one carefully to ensure compliance with both.
Clinical trials involve sharing data with multiple parties. Under both HIPAA and GDPR, data sharing requires formal agreements that preserve data security and patient privacy: business associate agreements under HIPAA, and controller-processor contracts under GDPR, plus an approved transfer mechanism (such as standard contractual clauses) whenever personal data leaves the European Economic Area.
Compliance with HIPAA and GDPR requires a comprehensive approach to collecting, storing, handling, and using patient data. Companies handling patient data should pay particular attention to the following.
Data must be safeguarded in a secure and compliant technology infrastructure. Strong access controls are needed so that only authorized users can reach systems that hold patient data, and every access should be logged so that it can be audited. Data should be encrypted in transit and, in practice, at rest as well: HIPAA's Security Rule lists encryption as an "addressable" specification, meaning a covered entity must either implement it or document why an equivalent alternative is reasonable, and GDPR's Article 32 names encryption explicitly as an appropriate security measure.
It is critical to enter into legally sound agreements with partners and business associates and to obtain consent from patients. Companies need to invest the time and resources required to draft the necessary documents and to execute the agreements before any patient data is exchanged.
Rigorous and detailed consent processes are needed to ensure patients agree to how their data will be used in a clinical trial. Consent must be obtained at the time of data collection, and processes must be in place to honor a patient's withdrawal of consent; under GDPR, withdrawing consent must be as easy as giving it, and processing based on that consent must stop once it is withdrawn.
Any patient-facing materials, such as recruitment advertisements, outreach scripts, and consent forms, should be reviewed by the relevant Institutional Review Board (IRB) or ethics committee to ensure they meet ethical and legal requirements before they are used.