The privacy landscape in the United States and much of the world is quickly evolving around the framework of the General Data Protection Regulation (GDPR) within the European Economic Alliance (EEA). Clinical trials involve the collection of Personal Health Information (PHI) as defined under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its accompanying regulations within the US and “Personal Data” as defined by the GDPR within the EEA. In nearly all cases, one or both privacy laws may govern data collection, use, and storage in the setting of clinical research. Additionally, many states within the U.S. are implementing privacy laws at the state level. These laws impose many obligations similar to obligations under GDPR, including notice, consumer/data subject rights, and security measures; however, to date, effective state laws all contain an exception for personal information collected in the context of HIPAA subject data or research activities such as clinical trials.
In this article, we will discuss three areas where evolving data privacy protections and clinical trials intersect, resulting in important considerations to ensure our ability to continue meaningful clinical research while protecting participating data subjects: (1) The importance of defining your role and knowing your responsibilities; (2) Cross-border transfers of Personal Data; and (3) The complicated reality of notice requirements.
(1) The importance of defining your role and knowing your responsibilities
The seminal privacy law within the U.S. at the federal level remains the HIPAA. HIPAA’s application is limited to “covered entities” such as health insurers and healthcare providers and their “business associates.” Accordingly, for clinical studies conducted solely within the U.S., HIPAA compliance is required of most institutions and principal investigators. However, sponsors are not typically classified as a “covered entity” or “business associate.” As such, sponsors generally take great care not to assume compliance with HIPAA through contractual terms. Nonetheless, sponsors of clinical research will normally agree to maintain PHI confidentiality and only use, process, and store such information as allowed by the applicable informed consent form. Within the EEA, GDPR applies to all parties to a clinical trial – not just the institution and principal investigators.
The roles of the parties to clinical research need to be assessed to determine the responsibility of each party under GDPR as either a (joint or independent) data controller, a data processor, or both. Factors to consider in making such a determination include the following: Is that party determining the purposes and means of processing personal data (controller) or is that party simply processing Personal Data at the direction of another party (processor)? While the definitions are fairly simple, interpreting each party’s role in clinical research involves a more complex analysis. GDPR imposes obligations upon a data controller making this party responsible for how it processes data and the operations of data processors who are processing data on its behalf. It is generally the case that Clinical Research Organizations (CROs) act as a processor and Sponsors act as a controller, jointly or alone; however, it is less clear which role Clinical Trial Sites and other parties play and often depends on the circumstances involved. In many instances, the different parties wear different hats for different data cohorts, which may lead to tension between the parties regarding respective roles. For instance, an institution may be a data processor for clinical trial data but a data controller for the study subject’s medical records and health data. Identifying and defining roles at the outset of your trial is critical to ensure protection of data subjects with regards to obligations throughout the trial and thus all parties should consider these obligations and be aware of their respective positions prior to executing a CTA.
(2) Cross-border transfers of Personal Data
Transfer of Personal Data covered by GDPR to a location outside of the EEA is generally prohibited unless: (1) The jurisdiction in which the recipient is located is deemed to provide an adequate level of data protection; (2) The data exporter puts in place appropriate safeguards, most commonly the European Commission standard contractual clauses (SCCs); or (3) A derogation or exemption applies. For clinical trials, these requirements are complicated. First, while the European Commission published in December 2022 its draft adequacy decision recognizing the essential equivalence of U.S. data protection standards, paving the way for finalization of a Data Protection Framework between the EEA and United States, the framework may only legitimize transfers of Personal Data to U.S. entities who self-certify and may not be available to nonprofit organizations. Second, Article 1 of Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council technically did not apply to data importers based outside of the EEA if the relevant processing activity by the importer is subject to GDPR. In other words, if a party based in the U.S. is subject to GDPR based on marketing of goods and services or monitoring of data subjects in the EEA, the party must use another safeguard to legitimize transfers. While the European Commission has stated that it intends to release sometime in 2023 a new set of SCCs for data importers in this situation, parties falling under this exception now may be struggling with decisions regarding appropriate safeguards. Finally, the use of derogations for clinical trials is often ambiguous as Article 49(1) specifically states that they should not be relied upon for “repetitive” transfers, which is common for clinical trials. Additionally, the required “explicit consent” may be complicated when dealing with secondary uses or parties who do not have direct access to the data subject.
(3) The complicated reality of notice requirements
The heart of most privacy laws boils down to providing data subjects with information to understand how their data is used and giving them a means to control it. Therefore, the obligation to provide notice, contained in GDPR’s requirement for Fair Processing Information, is central to data protections. However, in the context of clinical trials, this can be difficult. Many argue that meaningful medical research may benefit from secondary uses of the collected data. However, parties often do not directly collect personal data from data subjects or data may be provided in a pseudonymized form, inhibiting true notice and (re)consent. This prevention or complication of access to data for secondary uses has been seen in the industry as imposing handcuffs on the medical research industry, and many call for an updated solution to both protect Personal Data and facilitate necessary medical research.
Data is the most valuable asset generated from clinical research. The myriad laws governing the collection, use and storage of data are among the countless regulations that sponsors, clinical trial sites and CROs, among others, must navigate. It is imperative that parties to clinical research understanding what law applies and how each party’s role to the research impact who is responsible for securing the data and how and where the data may be used.
