Patient data protection is far from a new topic of discussion; however, digital platforms and the use of the internet have opened up several high-risk gaps that regulatory agencies are only beginning to cover.

These agencies have yet to align as a fully unified and standardized set of practices that will allow researchers effortless compliance and maintain a streamlined process throughout clinical trials. In this article, we’re going to discuss why this is, what it means for the future of research, and how best you can work towards a safer environment for your patients’ personal data.

First, let’s have a look at how modern data privacy came about and how it functions to protect patient data.

The Need for and Role of Data Privacy in Clinical Trials

The concept of a legal right to privacy has been discussed in print since at least 1890. With the invention and widespread use of the internet, however, specific legislation has had to evolve. In the 1990s, the US Congress set specific privacy standards for health information that are still in force. Europe, too, devised its own, and in 2016 a modernized version of these protections was adopted as the General Data Protection Regulation (GDPR), which has applied since May 2018.

The 1996 Health Insurance Portability and Accountability Act (HIPAA) was extended by its Privacy Rule, first proposed in 1999 and finalized in 2000, to cover the protection of individually identifiable health information. The Privacy Rule gives HIPAA authority over both the rights of patients to their data and the obligations of the organizations involved to protect it on their behalf.

The GDPR applies to any clinical trial that collects personal data from individuals in the European Economic Area (EEA), whether they are trial participants, investigators, or CRO employees. It is the person's location in the EEA, not their citizenship, that brings the regulation into play.

The rapidly increasing rate of technological adoption in clinical trials promises to drive a far more accurate and complex range of outcomes for patients and sponsors, but these improvements come directly from the increased volume and use of the data gathered in trials. With increased data capacity comes an increased need for protections surrounding how they’re collected, stored, shared, and used.

The technological shift looks set on its trajectory, with the vast majority of monitoring expected to be remote in the near future. Hence, there is a pressing need for data management to keep pace with the digitalization of clinical trials.

The basics of data privacy follow some fundamental principles, and both HIPAA and the GDPR are based on them. These fundamentals are:

  • Personal data is anything that identifies a person on its own, or that contributes to identifying them when combined with other data
  • Individuals must be given notice of how and when their data will be used
  • Processing must rest on a valid basis: the individual's consent, a contract, a legal obligation, or another recognized ground
  • Individuals must be given a practical means to exercise their rights over that data

There are many more specifics of the regulations in play that are mostly based on these principles. Let’s take a slightly deeper look.

GDPR and HIPAA Clinical Trials Compliance and Patient Data Protection

To understand the current state of play, it helps to look at the two major regimes: GDPR and HIPAA in clinical trials. These represent Europe and the US, respectively, and cover a lot of ground, but they are far from the only players in the game, and this comes with both benefits and drawbacks.

Let’s start with the GDPR.

The GDPR is considered one of the most robust data privacy and security laws on the planet. This has both benefits and drawbacks, as in some cases, these stringent safeguards push clinical trials toward other countries with less protection as a way of saving costs and time.

The regulation applies to any organization that processes the personal data of people in the EEA, regardless of where the organization is based or where the data will be used. It requires every such organization to take documented steps to limit access to personal data (the GDPR's term for what US practice calls personally identifiable information, or PII).

These steps need to include:

  • Consent – the GDPR prohibits convoluted or confusing conditions; informed consent can only be obtained using clear language, and withdrawing it must be as easy as giving it.
  • Breach notification – organizations must notify their supervisory authority within 72 hours of becoming aware of a breach, and must inform affected individuals without undue delay when the breach is likely to put them at high risk.
  • Right of access – individuals can obtain a copy of their personal data and an explanation of how it is being used.
  • Right to erasure (the “right to be forgotten”) – individuals can request deletion of their personal data and a halt to its further dissemination. The right is not absolute: the GDPR allows exceptions, including where erasure would seriously impair scientific research, so trial sponsors should document which basis they rely on.
  • Privacy by design and data minimization – protection must be built into processing from the outset, and the personal data collected must be limited to what is relevant and necessary for the trial's objectives.
  • Data protection officer (DPO) – organizations must appoint a DPO under specific conditions, such as large-scale processing of health data.

Failure to comply can result in fines of up to €20 million or 4% of worldwide annual turnover for the preceding financial year, whichever is higher.

In the US, HIPAA is the best-known source of regulatory requirements for clinical trials, though it is not the only one. Its reach has weak points: it applies only to covered entities (such as providers, health plans, and clearinghouses) and their business associates, so health-related data held by other parties, such as consumer apps and data brokers, falls outside it and can be shared or sold to advertisers and third-party data companies.

Calls for updated legislation propose widening the range of HIPAA-regulated entities to create blanket protections for identifiable health data. At the end of 2020, the Department of Health and Human Services published proposed changes to the Privacy Rule for public comment. These changes include:

  • A strengthened right of access for patients
  • Disclosure to third parties only with the patient's signed permission
  • Low financial barriers for patients seeking access to their own records

HIPAA is supposed to represent the low end of regulations; meaning that it acts as a base for patient data protection and not the upper bounds of it. Currently, it has multiple applications in clinical research.

GDPR and HIPAA in clinical trials help ensure that almost all safety requirements are met, but they aren’t alone. As we’ll see, other regulatory bodies have their own requirements, and this can alter the efficiency of running a trial to the point where many sponsors consider going elsewhere.

As expected, the number of phase 1 and 2 trials that failed compliance rose significantly in the time following the introduction of the new rules. There is now a rise in trials in countries with more relaxed privacy laws, showing that the increase in regulations creates a demand for a more streamlined approach elsewhere.

Clinical Trial Data and Patient Protection: Impacts

When sponsors review medical records before a study begins, they commonly ask for summary information about a physician’s patients to assess the practice. This information can be released as long as it contains no protected health information (PHI) and is relevant to the nature of the review. As these steps need to be documented, a physician might ask the sponsor to provide the request in writing.

During enrollment, a physician needs to obtain HIPAA research authorization from each patient. The sponsor's consent template typically has to be supplemented with a research-specific HIPAA authorization form, which may require the patient’s signature and an explanation of how and why they can revoke it at any time. Revocation does not, however, reach PHI that was already collected and used under the authorization before the moment of revocation.

At publication, physicians usually need written HIPAA authorization for anything they plan to publish that contains protected health information (PHI). This is where it can get tricky. It is the physician’s responsibility to ensure that identifiers have been removed and that the patient-level information published cannot be combined with other publicly available data to identify an individual.
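The check described above, as an added example that is not part of the original article: records are stripped of direct identifiers and their remaining fields generalized, then a k-anonymity check confirms that no combination of the remaining quasi-identifiers singles out one person. The transformation is a simplified approximation of the HIPAA Safe Harbor method (drop direct identifiers, keep only the year of dates, band ages of 90 and over, truncate ZIP codes to three digits); the field names, the sample records and the fixed reference date are constructed for illustration.

```python
"""De-identify patient-level records and check that what remains cannot be
singled out by combining fields.

Added example, not code from the original article. The transformation is a
simplified approximation of the HIPAA Safe Harbor method; the k-anonymity
check asks how many records share each combination of quasi-identifiers.
Field names and records are constructed for illustration.
"""
from collections import Counter
from datetime import date

# Constructed sample records, not real patients.
SAMPLE_RECORDS = [
    {"name": "A. Example", "mrn": "MRN-0001", "email": "a@example.org",
     "dob": "1961-03-04", "zip": "02139", "sex": "F", "diagnosis": "T2DM"},
    {"name": "B. Example", "mrn": "MRN-0002", "email": "b@example.org",
     "dob": "1961-11-20", "zip": "02141", "sex": "F", "diagnosis": "T2DM"},
    {"name": "C. Example", "mrn": "MRN-0003", "email": "c@example.org",
     "dob": "1975-06-30", "zip": "90210", "sex": "M", "diagnosis": "HTN"},
    {"name": "D. Example", "mrn": "MRN-0004", "email": "d@example.org",
     "dob": "1975-02-11", "zip": "90212", "sex": "M", "diagnosis": "HTN"},
    {"name": "E. Example", "mrn": "MRN-0005", "email": "e@example.org",
     "dob": "1929-01-15", "zip": "02139", "sex": "F", "diagnosis": "T2DM"},
    {"name": "F. Example", "mrn": "MRN-0006", "email": "f@example.org",
     "dob": "1931-08-09", "zip": "02134", "sex": "F", "diagnosis": "HTN"},
]

DIRECT_IDENTIFIERS = {"name", "mrn", "email"}      # removed outright
QUASI_IDENTIFIERS = ("birth_year", "zip3", "sex")  # kept, but generalised


def deidentify(record, today=date(2024, 1, 1)):
    """Return a copy of `record` with direct identifiers removed and the
    quasi-identifiers generalised. `today` fixes the age calculation so
    the example is reproducible."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    birth_year = int(out.pop("dob")[:4])
    # Age from year alone; rounding up is the conservative direction here.
    age = today.year - birth_year
    # Safe Harbor allows the year of birth, except that ages of 90 or more
    # (and any year that implies one) collapse into a single "90+" band.
    out["birth_year"] = "90+" if age >= 90 else str(birth_year)
    # Safe Harbor keeps the first three ZIP digits. The further rule that
    # a three-digit area with 20,000 or fewer people becomes "000" is
    # omitted in this simplified version.
    out["zip3"] = out.pop("zip")[:3]
    return out


def k_anonymity(records, quasi=QUASI_IDENTIFIERS):
    """Smallest number of records sharing one combination of
    quasi-identifier values. k == 1 means some record is unique on those
    fields and could be re-identified by joining with another dataset
    that carries them."""
    classes = Counter(tuple(r[q] for q in quasi) for r in records)
    return min(classes.values())


def deidentify_release(records, k_required=2):
    """De-identify every record and return (released, k, ok)."""
    released = [deidentify(r) for r in records]
    k = k_anonymity(released)
    return released, k, k >= k_required


if __name__ == "__main__":
    print("raw k:", k_anonymity(SAMPLE_RECORDS, ("dob", "zip", "sex")))
    released, k, ok = deidentify_release(SAMPLE_RECORDS)
    for r in released:
        print(r)
    print("released k:", k, "ok" if ok else "NOT ok")
```

On the raw records every row is unique on date of birth, ZIP and sex, so k is 1; after generalization each combination is shared by two records. Note that the two oldest participants only reach k = 2 because of the 90+ band: releasing their birth years would have left each of them unique, which is exactly the combination-based re-identification the paragraph warns about.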

As we noted, GDPR applies to any trial that collects data from citizens of the European Economic Area (EEA), whether they’re patients or staff. GDPR works in conjunction with the Clinical Trials Regulation (CTR) that governs other details of how data collected is analyzed and stored.

Between them, EU law considers clinical trial data to have two uses:

  • Primary Use – This is the initial use of the data for the trial for which it was collected, following the span of its entire lifecycle from collection to archiving.
  • Secondary Use – This is the re-use of old data for research purposes.

Where data are re-used, consent needs to be revisited, and the GDPR covers its protection in this case too. This means that sponsors and investigators need to inform the individual of the intended re-use of their data.

It is possible for the participant to agree to re-use in the original consent form, as long as nothing in that form could hinder informed consent being given. The GDPR also emphasizes that consent should be ‘granular’, meaning that there are levels of consent that must be obtained. This allows the subject to have a say not only over whether their data can be used, but to what ends.

In these cases, it’s useful to be prepared to ask for consent multiple times and at multiple levels. What this means for future trials is that the depth and resolution of informed consent may lead to more automated and technological systems for collecting and managing consent.

These rules are getting more complex, and this does inspire a certain hesitancy in researchers when it comes to embracing the idea of decentralized trials. Data protection and regulatory acceptance are being stated as significant roadblocks to the running of trials as a whole, and this means that more standardization and a better understanding of the importance and methodologies of data protection might be needed.

The importance of data privacy needs to be balanced against cheaper and more efficient ways to implement it, otherwise, highly-regulated regions will lose clinical trials to those with fewer roadblocks to research, and this can only lead to worse outcomes for all stakeholders, as patient protections are ignored and studies aren’t as stringently performed.

Ultimately, researchers still need to take care to learn the details of regulations when they’re running trials that involve data protection laws from multiple countries. This, of course, is easier said than done.

How Best to Ensure Data Privacy in Clinical Trials

There are some data privacy best practices that can help keep researchers on the road to compliance. The details might vary, depending on the study at hand and the nations and stakeholders involved, but in general, it’s possible to follow five basic steps to improve regulatory adherence.

Tip 1. Audit your data

While audits are usually focused on internal policies and supplier quality, it’s easy to overlook data itself without specifically designing an audit for it. Data audits should cover what kinds of data you’ll be receiving and which fields in it are identifying, either directly or in combination with others. The same questions need to be asked of all external vendors, too.

Identify which software will touch the data: email providers, analysis software, storage repositories, and so on. All of these need to be identified and secured. Consider the sources of the data and the software they might be using. Finally, audit the people involved in the data lifecycle and who will be handling potentially sensitive information.

Tip 2. Design your SOPs

SOPs are a great way to standardize processes that are important and this applies to the management of data too. They can be drawn up as a team effort with input from informed contributors as a way of creating a pathway for data management that complies with all up-to-date regulations. If a Data Protection Officer is present, this makes the job a lot simpler.

Ensure there is a good collaboration between key stakeholders and contributors such as QA, IT, and Data Protection departments and brainstorm all the possible risks so that they can be mitigated in the SOP. These documents should be a mandatory component of the regulated activities they cover. They can also contribute to remediation policy and simplify processes at the same time.

Tip 3. Keep data centralized

Centralized data is lower-risk, because the more systems involved, the more opportunities there are for data to leak or be lost. A single repository is easier to defend and control, and while it represents an initial, potentially resource-intensive transition, it should lead to more streamlined processes once adopted.

To start this, identify the right platform for the data you’ll be storing and make sure it is easy to use. Ensure that the platform is GxP compliant and that its implementation can be effected quickly. Ensure that all relevant parties are involved in its adoption and are on board with how to use it, and that it has appropriate safeguards built in, such as access control, audit trails, and protection against malicious software.

Tip 4. Lean on your available tech

It’s now possible for machine learning tools to take a load off you when it comes to identifying critical pieces of data that need to be flagged for protection. Don’t be afraid to allow these tools to work for you. It’s important when making use of them, however, that they integrate well with your storage repositories.

These tools can flag high-risk data and alert you to activity that suggests a breach is under way. Your automation should make full use of the machine learning and AI systems available to you, and their rules and models must be kept current with the data protection requirements you are subject to.
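A rule-based version of the audit in Tip 1 and the automated flagging Tip 4 describes, as an added example that is not from the original article: it reads a data export column by column and classifies each column as a direct identifier, a quasi-identifier, a study pseudonym, or unflagged, using both the column name and the shape of its values. The sample CSV, the column names, the patterns, and the severity tiers are constructed for illustration; a real audit would extend the pattern and header tables from the sponsor's own data dictionary.

```python
"""Column-level audit of a data export for identifying information.

Added example, not from the original article. Column names, patterns and
the sample CSV are constructed for illustration.
"""
import csv
import io
import re

# Constructed sample export, not real data. One email cell is left empty
# on purpose to show that a sparse column is still flagged.
SAMPLE_CSV = """subject_id,email,phone,visit_date,postal_code,hba1c
S-001,a.example@example.org,+1-617-555-0101,2023-04-12,02139,7.1
S-002,b.example@example.org,+1-617-555-0102,2023-04-13,02141,6.8
S-003,,+1-310-555-0103,2023-04-15,90210,8.4
"""

# Value-shape patterns. Each is anchored so that a date is not mistaken
# for a phone number and a ZIP code is not mistaken for an ID.
PATTERNS = {
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"),
    "phone": re.compile(r"^(\+\d{1,3}[-\s]?)?\(?\d{3}\)?[-\s]?\d{3}[-\s]?\d{4}$"),
    "ssn": re.compile(r"^\d{3}-\d{2}-\d{4}$"),
    "date": re.compile(r"^\d{4}-\d{2}-\d{2}$"),
    "ipv4": re.compile(r"^(\d{1,3}\.){3}\d{1,3}$"),
    "postal_code_us": re.compile(r"^\d{5}(-\d{4})?$"),
}

# Column-name hints for fields whose values have no recognisable shape.
HEADER_HINTS = {
    "name": "name", "first_name": "name", "last_name": "name",
    "mrn": "medical_record_number", "ssn": "ssn", "dob": "date",
    "address": "address", "subject_id": "study_code",
}

# Direct identifiers identify on their own; quasi-identifiers do so in
# combination; a study code is a pseudonym whose key must be held apart.
SEVERITY = {
    "email": "direct", "phone": "direct", "ssn": "direct", "ipv4": "direct",
    "name": "direct", "medical_record_number": "direct", "address": "direct",
    "date": "quasi", "postal_code_us": "quasi",
    "study_code": "pseudonym",
}
RANK = {"direct": 3, "quasi": 2, "pseudonym": 1, "none": 0}


def classify_values(values, min_fraction=0.8):
    """Labels whose pattern matches at least `min_fraction` of the
    non-empty values. Empty cells are ignored so sparse columns still
    get flagged."""
    non_empty = [v.strip() for v in values if v and v.strip()]
    if not non_empty:
        return set()
    labels = set()
    for label, rx in PATTERNS.items():
        hits = sum(1 for v in non_empty if rx.match(v))
        if hits / len(non_empty) >= min_fraction:
            labels.add(label)
    return labels


def audit_csv(csv_text, min_fraction=0.8):
    """Map each column name to its labels and the highest severity found."""
    reader = csv.DictReader(io.StringIO(csv_text))
    columns = {name: [] for name in reader.fieldnames}
    for row in reader:
        for name in columns:
            columns[name].append(row.get(name) or "")
    report = {}
    for name, values in columns.items():
        labels = classify_values(values, min_fraction)
        hint = HEADER_HINTS.get(name.strip().lower())
        if hint:
            labels.add(hint)
        severity = max((SEVERITY[lab] for lab in labels),
                       key=RANK.__getitem__, default="none")
        report[name] = {"labels": sorted(labels), "severity": severity}
    return report


def high_risk_columns(report):
    """Columns that must be removed or re-coded before any sharing."""
    return [c for c, info in report.items() if info["severity"] == "direct"]


if __name__ == "__main__":
    for col, info in audit_csv(SAMPLE_CSV).items():
        print(f"{col:12} {info['severity']:10} {', '.join(info['labels'])}")
```

The two tiers matter for what happens next: direct-identifier columns are removed or re-coded before the data leaves the trial system, while quasi-identifier columns (dates, postal codes) are the ones that need generalization and a combination check before publication.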

Tip 5. Invest in training

As usual, the weakest point in any of your most sensitive systems will be the people. This makes training one of the highest priorities when it comes to ensuring data privacy in clinical trials. Not only does training have to occur regularly, but it also needs to cover more than just the practical bases; it needs to delve into data privacy theory and the importance of building a culture of conscientious practices.

Train your staff on different types of data, what constitutes identifiable data, your SOPs, and how to handle exceptions and waivers. It’s important to schedule training frequently, but it’s equally important to promote engagement and expert input. Attendees should be able to ask questions to qualified people.

Following on from the previous tip, everyone involved needs to be able to use the technological tools that have been put in place, including how to automate them. Training itself can also be automated with scheduled online courses and refresher questionnaires.


The safeguards in place for data privacy in clinical trials are continuously expanding. This expansion brings with it the capacity for more data to be collected, stored, shared, and archived safely. However, with multiple agencies covering multiple data protection requirements, the path to a clear and efficient clinical trial does involve some unappealing hurdles.

Further, certain regulations set as a floor, rather than a ceiling, leave a lot of openings for the misuse of data in certain contexts, particularly online. If locations are to maintain an appealing environment for researchers of clinical trials without sacrificing data privacy for their patients, regulators need to unify and standardize practices, making use of education, automation, and transparency to develop a culture that benefits both researchers and their patients.