In 2019 there were 318,901 clinical studies registered globally and the number is steadily growing. Clinical trials are essential for public health, innovation in healthcare, and access to new medicine to the market.
Considering that clinical trials consist of several phases, researchers encounter many difficulties. One of the main challenges is ensuring correspondence to all numerous privacy policies introduced by different countries. Researchers and sponsors have to take care not only of the trial itself but consider law, regulations, participants’ anonymity, and so many other aspects of the administrative part of it. Otherwise, you may be sued by participants or be fined by the state. And in order to avoid this, profound knowledge of all the data privacy regulations is needed.
What type of information should be protected? What are the main points of data protection regulations in healthcare? How to ensure data security in clinical trials with modern technology? Get answers to these and many other important questions in our article!
What Is Clinical Trial Data Protection?
Considering that clinical trials are based on data that belongs to Protected Health Information (PHI), ensuring its security becomes a priority. The HIPAA Privacy Rule defines PHI as any information that can lead to identifying a physical person. It includes name, address, emails, medical records, health condition, social security numbers, photos, etc.
You should prevent this exact data from breach, loss, or providing access to it to the parties that should not be involved. So, let’s learn what are the regulations that safeguard data privacy in different countries and what you should know about them.
Laws for Data Protection Regulation in Clinical Trials
There are regulations on clinical trial data privacy that researchers, sponsors, and vendors should know. Regulations help you to understand how to work around participant data and what requirements you should meet to not get fined.
There is no regulation that is mandatory worldwide. However, there are two regulations that are discussed more than the others: GDPR and HIPAA. Let’s take a closer look at both.
General Data Protection Regulation was developed in 2018 by the European Union and is applied to all the EU member countries. The regulation is extraterritorial, so even companies located outside of the European Union countries need to comply with it in order to process the data of EU citizens. GDPR includes several points focusing on safeguarding trial data privacy:
Before obtaining data about a participant, site staff, vendor, sponsor, or anyone else involved, an organization should give them a form to sign. It is a confirmation that they give you permission to process their data and they know which data will be processed, where, and for which purposes. Therefore, you should not only give a paper but inform a data subject about the data that you will need.
At any time, a data subject can demand to erase their data and not use it in further research. If you already shared the data with the third party, you should bring them to delete it as well.
It should be easy for a data subject to transfer their data from one data controller to another.
An organization should ask only the information that is absolutely necessary for the research. Only those who absolutely need the data may have access to it.
An organization should provide data encryption and use HTTPS protocols on every step of research.
What is particularly interesting about GDPR is that it works not only within the EU. Every time when the data of an EU citizen is involved, GDPR is applicable. When the US-based company conducts a trial in the EU, GDPR is applicable. Therefore, if it involves an EU citizen or the EU territory, trial managers will have to comply with the regulation.
The Health Insurance Portability and Accountability Act was developed in 1996 in the US and applies to the entities within the United States, even with respect to non-US citizens. HIPAA has the following requirements:
Before an organization collects any protected health information, a data subject has to give them a written authorization. A participant should also sign an informed consent document that signals that they know the details of the trial’s methodology, timeline, risks, etc. Only PHI is protected. It includes health history, health records, lab results, etc.
Revoke the Authorization
A participant has a right to revoke the authorization at any time. However, the information that was previously obtained should not be deleted, unlike GDPR.
“Need to Know” Basis
An organization should only use the information that is needed and give access to those who absolutely need it.
De-identification is a process of either a formal determination by a statistician or removing the identifiers.
Publication and Presentation of Results
In order to present or publish the results of a clinical trial containing PHI, researchers are required to receive the HIPAA authorization.
HIPAA applies to covered entities and business associates only.
How to Safeguard Trial Data Privacy
We have already discussed what data you must protect. In this section, we will elaborate more on how to secure data in clinical trials that we have mentioned before and learn a new protection point that is good to consider.
Mind Clinical Trial Patient Data Privacy
So, you know that sharing information that may lead to individual identification is not allowed. Yet, such information includes mental and physical health that is essential to clinical trials. So how do you publish a result that is relevant and ensure confidentiality and security in clinical trials?
You can provide results as general statistical information. You can try anonymization or pseudonymization for confidentiality and security in clinical trials as well. Pseudonymization is about giving a code name to a person. They can still be identified but much more time is needed for that. Anonymization makes it impossible to identify a person. You can learn more about the data anonymization process in clinical trials here.
Ensure Clinical Trial Results Integrity
The person’s participation in numerous trials at the same time negatively influences the quality of results, because it increases the placebo rate and chances of adverse events.
Modern software that is based on biometric technology can solve this problem. Using facial recognition and fingerprint authentication, a system can detect if a person is already enrolled in a clinical trial and prevent multiple enrollments thus ensuring the integrity of results.
Develop Database Access Protection Strategy
It is essential that access to all the structured and unstructured data is limited. Limits can be applied not only to the third parties that should have no access at all. They are also about different access to different trial roles, such as, participants, sponsors, and researchers will have different access levels.
You can control that by creating profiles for each member with a certain role.
How to Protect Data in Clinical Trials with Modern Software
Since all the data from clinical trials is usually operated with software, it is essential that the software has the right mechanisms for data protection. Here are the features that are important for a clinical trial software:
Since regulations include the point about access to data on the basis of absolute need, it is essential that the GDPR and HIPAA compliance software for clinical trials provides access to a very limited number of people. At the same time, it should give a different amount of information to different roles, as discussed previously.
So your software should be able to create profiles with strong passwords and assign different roles, resulting in different access levels.
Make sure that the trial data (usually kept for a long time) is stored properly. Securely stored data is not likely to face the breach. Usually, stored data is kept secure by multiple levels of defense such as logical protection, firewalls, virus-detection programs, etc.
Researchers and staff usually exchange data actively. However, it is important to know the basics of secure communication to avoid breaches. For example, researchers use encrypted communication, authentication, anti-malware systems, and physical protection for data carriers.
In order to not enroll participants that are enrolled in other clinical trials, the software uses the ID and fingerprint authentication (facial recognition as a way for remote procedures). It excludes the possibility of money and time waste caused by professional clinical trial participants.
Langate has created a custom solution connected with protecting data in clinical trials. This solution has helped numerous researchers to prevent duplicates and professional subject enrollment and is compliant with GDPR and HIPAA.
Our client needed a tool for remote biometric verification that is compliant with HIPAA and GDPR. So the Langate team has created iOS, Android, and modified Windows applications that allow identification from remote locations with the help of facial recognition.
It was especially relevant in the times of the pandemic. Now our client offers the best and up-to-date solutions to their clients.
Clinical trials are bound to protect participant’s data by GDPR (EU) and HIPAA (USA). It is possible to avoid the identification of participants and share adequate results through statistical approach and anonymization.
Software is a big deal when it comes to ensuring privacy and information security in clinical trials since a big amount of data is operated non-physically. Therefore, software should include authorization, secured ways of storing the data, safe communication, and duplicates prevention.
Langate can offer a custom solution for your business that will fulfill all the requirements. Our professionals have already worked with such solutions and will provide extensive expertise in the field. Contact us for further information right now and we will ensure the safety of your clinical trial data tomorrow.