Impact of HIPAA and GDPR on Patient Recruitment for Clinical Trials

September 25, 2023

While the concept of patient health and information privacy is not new (the Hippocratic Oath has been around for thousands of years), there were no regulations protecting patient health information until 1996, when the Health Insurance Portability and Accountability Act (HIPAA) was enacted in the United States.

HIPAA was the first regulation to protect medical information and patient privacy in an increasingly digital world, establishing standards for patients' sensitive health information, known as Protected Health Information (PHI). The General Data Protection Regulation (GDPR), enacted in 2016 by the European Union, had the broader goal of protecting the personal data and privacy of EU citizens. GDPR puts an emphasis on transparency, consent, and data minimization when handling personal data.

Although GDPR originated in the European Union, its concepts have been adopted worldwide by many countries outside the EU that have enacted regulations based on them. Additionally, US state governments are enacting broader consumer data protection laws, such as the California Consumer Privacy Act (CCPA), enacted in 2018, and the Virginia Consumer Data Protection Act (VCDPA), passed in 2021.

Complying with these evolving regional, national, and global consumer and patient privacy regulations creates a significant burden on biopharmaceutical companies running clinical trials, not only across the US but globally as well. Patient recruitment service providers often conduct outreach on behalf of biopharmaceutical companies by contacting patients, handling patient information, and managing protected health information. These providers must comply not only with the regulations above, but also with laws such as the Children's Online Privacy Protection Act (COPPA), designed to protect the online privacy of children under the age of 13.

Compliance Requirements

Compliance with privacy regulations requires technological, procedural, legal, data storage, and data transfer considerations. Below is a brief discussion of specific requirements within these categories.

1. Informed Consent and Transparency

HIPAA is focused on PHI and does not require a patient's informed consent for treatment purposes. However, HIPAA does require patient consent for activities that involve marketing and sharing data for research. HIPAA also requires that patients be given the opportunity to opt out of sharing their data.

GDPR has a broader scope than HIPAA and requires consent from any user before their personal data, including health-related information, can be processed.

  • Explicit Consent Requirement
    Data collectors must collect explicit consent from data subjects before processing their personal data, especially sensitive data such as personal health information.
  • Purpose and Transparency
    Data collectors must provide clear, concise, and easily accessible information to data subjects about the purposes of data processing, the types of data being collected, how it will be used, and how long it will be retained.
  • Withdrawal of Consent
    GDPR allows data subjects to withdraw their consent at any time, meaning data processing that previously relied on that consent must cease.

2. Data Collection, Storage and Usage

Both HIPAA and GDPR have specific requirements and different approaches, thereby requiring careful consideration to ensure compliance with both.

HIPAA
  1. Minimum Necessary Standard
    Requires limiting the use, disclosure, and request for PHI to the minimum amount necessary to achieve the intended purpose.
  2. Patient Consent and Authorization
    While consent is not required for treatment, payment, or healthcare operations, it is required for marketing and sharing data for research purposes and must include the ability to opt out.
  3. Security Safeguards
    The HIPAA Security Rule mandates the implementation of administrative, physical, and technical safeguards to protect PHI against unauthorized access, use, and disclosure.
  4. Business Associate Agreements
    Covered entities must enter into Business Associate Agreement contracts with any third parties that handle PHI on their behalf.

GDPR
  1. Lawful Basis for Processing
    Data collectors must establish a lawful basis for processing personal data, explicit consent being one of the lawful bases. Explicit consent is required for processing sensitive data, including health data.
  2. Purpose Limitation and Data Minimization
    Data collectors must clearly define the purposes for which data will be processed and ensure that the data collected is relevant and limited to what is necessary for those purposes.
  3. Data Subject Rights
    GDPR grants data subjects various rights, including the right to access their personal information, to rectify inaccuracies, to request deletion, and to restrict or object to processing.
  4. Data Protection Impact Assessments (DPIAs)
    Organizations must conduct DPIAs for high-risk data processing activities, including those involving health data. A DPIA assesses the potential impact on a data subject's privacy and includes measures to mitigate risks.
  5. Cross-border Data Transfers
    GDPR sets requirements for transferring personal data outside the EU, including provisions for ensuring an adequate level of protection in the receiving country.

3. Data Sharing

Clinical trials involve sharing data with multiple parties. Under both HIPAA and GDPR, data sharing requires stringent agreements to maintain data security and patient privacy.

Steps Necessary to Ensure Compliance

Compliance with HIPAA and GDPR requires a comprehensive approach to collecting, storing, handling, and using patient data. Companies handling patient data should pay particular attention to the following.

Use Secure Technology Infrastructure

Patient data must be safeguarded in secure and compliant technology infrastructure. Strong access controls are necessary to ensure that only authorized users can access the system. Additionally, encryption is required when transferring data.

Achieve Legal Compliance

It is critical to enter into legally sound agreements with partners and business associates and to obtain consent from patients. Companies need to invest an appropriate amount of time and resources to create the necessary documents and to execute agreements.

Implement Rigorous Consent Management

Rigorous and detailed consent processes are needed to ensure patients agree to how their data will be used in clinical trials. Consent must be received at the time of data collection, and appropriate processes must be in place to stop processing if a patient withdraws consent.
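The consent-management and data-minimization requirements above can be enforced in code rather than only on paper. The following is an added illustration, not code from the original article: a small consent ledger that records purpose-specific consent with timestamps, stops processing once consent is withdrawn, and projects each record down to a hypothetical minimum-necessary field set per purpose. The purposes, field sets, and sample record are constructed assumptions.

```python
"""Purpose-scoped consent ledger with withdrawal and minimum-necessary projection."""
from dataclasses import dataclass, field

# Hypothetical minimum-necessary field sets (constructed): a purpose may only
# ever see these keys, regardless of what the stored record contains.
MINIMUM_FIELDS = {
    "research": {"subject_id", "diagnosis", "age_band"},
    "marketing": {"subject_id", "email"},
}


@dataclass
class ConsentLedger:
    # subject_id -> purpose -> list of [granted_at, withdrawn_at or None]
    # Timestamps are integers (e.g. epoch seconds) so the ledger is easy to test.
    _events: dict = field(default_factory=dict)

    def grant(self, subject_id, purpose, at):
        """Record explicit consent for one purpose at time `at`."""
        self._events.setdefault(subject_id, {}).setdefault(purpose, []).append([at, None])

    def withdraw(self, subject_id, purpose, at):
        """Close every open consent window for this purpose; history is kept for audit."""
        for window in self._events.get(subject_id, {}).get(purpose, []):
            if window[1] is None:
                window[1] = at

    def has_consent(self, subject_id, purpose, at):
        """True only if some consent window for this purpose covers time `at`."""
        for granted_at, withdrawn_at in self._events.get(subject_id, {}).get(purpose, []):
            if granted_at <= at and (withdrawn_at is None or at < withdrawn_at):
                return True
        return False

    def process(self, record, purpose, at):
        """Return the minimum-necessary projection of `record`, or None if consent is absent.

        Callers that receive None must not touch the record: processing that relied
        on consent has to cease once that consent is withdrawn.
        """
        if purpose not in MINIMUM_FIELDS:
            raise ValueError(f"unknown purpose: {purpose}")
        if not self.has_consent(record["subject_id"], purpose, at):
            return None
        return {k: v for k, v in record.items() if k in MINIMUM_FIELDS[purpose]}
```

Because `withdraw` closes the window rather than deleting it, the ledger still shows that earlier processing was lawful at the time, while any later call returns None.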

Obtain Ethics Committee (EC) and Institutional Review Board (IRB) Approvals

Any patient-facing materials should be reviewed by these governing bodies to evaluate and ensure compliance with ethical and legal requirements.
