The U.N. recognizes privacy as a fundamental human right, and nowhere is this more important than in medical data. That’s why both the US and the EU have regulations in place that govern the collection, storage, and use of patient data in healthcare.
In the US, there is the Health Insurance Portability and Accountability Act of 1996 (HIPAA). And in the EU, the broader General Data Protection Regulation (GDPR) also covers patient health information.
When medical device companies begin clinical trials for their devices, they invariably come into possession of subjects’ personal data, which means they may be required to comply with either (or both) of these regulations, depending on where the studies take place and who participates.
The penalties for failing to comply with these regulations can be steep, so it’s essential that you have an understanding of what’s required of your company while handling patient health data.
Let’s start in the US, with HIPAA.
The Health Insurance Portability and Accountability Act of 1996 was passed to create national standards for the protection of sensitive patient health information from being disclosed without a patient’s consent or knowledge.
Covered entities, meaning those that must comply with HIPAA rules, include:
HIPAA compliance is also required of business associates of a covered entity. That means if a covered entity engages with another business to help it fulfill its activities and functions, that associated business must also comply with HIPAA rules.
The three main HIPAA rules regarding Protected Health Information (PHI) in the US are:
As its name implies, the General Data Protection Regulation (GDPR) is a broad regulation that encompasses more than just personal medical data. The GDPR went into force on May 25th, 2018, with the goal of protecting the rights of EU citizens by enhancing privacy and minimizing the risk of data breaches.
GDPR applies to any information that could be used to identify someone in the EU, either directly or indirectly—also known as personally identifiable information (PII). That could include personal data such as telephone numbers or credit card numbers, but it also includes “sensitive personal data” such as patient health data.
Any organization that processes PII must abide by seven data protection principles laid out in Article 5.1-2 of the regulation:
GDPR also requires data protection “by design and by default”, which means that every organization that deals with personal data must consider these data protection principles while designing any new product or service.
HIPAA and GDPR share some common goals and principles, but they do have many differences, and compliance with one does not necessarily mean you’ll be in compliance with the other.
HIPAA and GDPR are both concerned with protecting the personal health information of individuals and both regulations give people rights over the use of their data and their access to that data.
They both also require organizations that process personal health data to create specific safeguards for that data. Additionally, HIPAA and EU GDPR require organizations processing personal health information to notify anyone who is affected in the event of a data breach.
The biggest difference between HIPAA and GDPR is their scope.
The General Data Protection Act covers any organization processing personal data that could be used to identify someone in the EU. HIPAA is limited to the covered entities that process the Protected Health Information (PHI) we mentioned earlier.
But there are still a handful of other differences to note:
Medical device companies conducting clinical studies will end up collecting personal health data from subjects. They are, therefore, subject to HIPAA and/or GDPR regulations depending on the location of the clinical trial and who is participating in it.
In the US, sponsors of a medical device clinical trial will need to abide by all three of the HIPAA rules (Privacy, Security, Breach Notification), but the Privacy Rule has the most immediate impact on research.
The Privacy Rule defines research as “a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.” When it comes to research, the Privacy Rule is meant to protect health information that could identify individuals while also making sure that researchers can access the data they need.
In practice, this means there are instances where a covered entity may use or disclose PHI without authorization by the individual.
For instance, this can occur when the covered entity receives approval from an Institutional Review Board (IRB) or Privacy Board. The Department of Health and Human Services provides a full list of the specific situations in which the covered entity may use or disclose PHI without authorization.
Just remember that in the US, regulations around personal data in clinical trials are not limited to HIPAA. The HHS and FDA’s Protection of Human Subjects Regulations have provisions that are separate from those of the Privacy Rule, but must still be followed when carrying out research with human subjects.
According to the GDPR, clinical trial sponsors can be categorized as both a processor and a data controller. This is because a clinical trial operation includes data not only from subjects, but also personnel, sales, and sub-contractors.
This means there are a number of different obligations that MedTech companies must fulfill when conducting clinical trials in the EU, including:
Similarly to HIPAA, GDPR does provide some exemptions regarding provisions like the right to be forgotten in certain cases. For instance, clinical trial data is considered “special data”, because processing of such data is necessary for research-specific purposes.
This is due to the fact that clinical data cannot just be removed or transferred from a dataset, without affecting the audit trail or the statistical outcome. Subjects can, however, choose to withdraw their consent to prevent any additional data collection.
With such a strong regulatory focus on patient health data on both sides of the Atlantic, you can’t afford to use clinical data capture tools that aren’t actively helping you comply with these regulations.
That’s why SMART-TRIAL by Greenlight Guru is designed to simplify regulatory compliance with GDPR and HIPAA, as well as ISO 14155 (GCP) and FDA’s 21 CFR Part 11. With ready-to-use QA templates, system modules, and guidance documents, you can rest easy knowing your clinical data capture software is built to help ensure the privacy and security of sensitive patient data.
Ready to get a powerful and compliant electronic data capture (EDC) solution for your next study or survey? Contact us today for your free demo of SMART-TRIAL by Greenlight Guru!