clinical research privacy
TRANSCRIPT
Clinical Research Privacy: Mutual Challenges and Shared Solutions
Mary Alexander, CHPC, CHRC, CIP, Research Compliance Officer – UC Irvine Health
Nick Weil, JD, LLM, CHC, CHPC, Senior Director – Ankura Consulting
Overview
• Challenges in Clinical Research Privacy
• A Pro-Active Solution: Developing a Compliant Clinical Research Privacy Infrastructure
• Clinical Research Privacy Assessment
• Health Data Governance
• Guide for Investigating and Assessing a Research Privacy Breach
Regulatory Landscape
• Common Rule (45 CFR 46)
• FDA (21 CFR 50 and 56)
• HIPAA Privacy & Security (45 CFR 164)
• The Belmont Report
• State laws (CMIA, NYPA, CCPA)
• International laws (GDPR)
• National Institutes of Health (NIH) Certificates of Confidentiality (CoC)
• 42 CFR Part 2
• National Institutes of Health (NIH) Data Management and Sharing Policy
• National Institute of Justice (NIJ) Privacy Certificate
• Office of the National Coordinator for Health Information Technology (ONC) Interoperability
• Centers for Medicare and Medicaid Services (CMS) Information Blocking
Challenges at a Glance
Intersection of risk and responsibility
• IRBs/Privacy Boards
• Compliance and Privacy Offices of Covered Entities
• Principal Investigators and Physicians
• Executive and Institutional Leadership
Increased Use of Data for Technology
• Public expectation and perception
• Current laws/regulations do not contemplate new challenges
Conflicting Duties
• Safeguarding health data
• Using that data for the public good
• Contributing to societal good
• Protecting patient rights
Exploring Current Challenges
HIPAA Authorization for Research
• IRB or Privacy Office oversight?
• When a central IRB is used?
• When a waiver is issued?
Sharing PHI with third parties
• Should data leave the CE environment?
• Trust and reputational impact
• Sponsors, business associates
De-identification Defined (Common Rule, HIPAA)
• Differing definitions
• Is genetic information PHI?
• De-identification doesn't eliminate privacy risk
• Re-identification
• Group harm
Consent
• Non-HSR that uses PHI
• New NIH Policy advises considering consent for de-identified uses of data
Hybrid entities
• Sharing PHI between covered and non-covered components
How to Develop a Compliant Clinical Research Privacy Infrastructure
• Conduct a Clinical Research Privacy Risk Assessment
• Implement Health Data Governance
• Master a Research Privacy Breach Investigation
Clinical Research Risk Assessment
• Map the clinical research lifecycle
• Identify current practices
• Identify regulatory implications
• Identify responsible parties
• Conduct a gap analysis

Assessment template columns: Clinical Research Process; Industry Standard/Current Practice; Regulatory Implication; Responsible Oversight/Department; Gap Analysis

Development of Protocol
  Current practice: Protocol includes privacy protection measures and confidentiality maintenance
  Regulatory implication: Safeguarding
  Responsible oversight: Principal Investigator; IRB/Privacy Board

Submission and Review
  Current practice: IRB review of privacy protection measures and confidentiality maintenance
  Regulatory implication: Adequate provisions to protect privacy and maintain confidentiality; risks minimized; risks reasonable in relation to benefit
  Responsible oversight: IRB/Privacy Board

  Current practice: IRB Informed Consent review
  Regulatory implication: Description of privacy protection and confidentiality maintenance
  Responsible oversight: IRB/Privacy Board

  Current practice: HIPAA Authorization/Waiver requirements (Privacy Board)
  Regulatory implication: Permission to Use and/or Disclose
  Responsible oversight: IRB/Privacy Board

  Current practice: Review Preparatory to Research and Decedent Research
  Regulatory implication: Permission to Use and/or Disclose

Activation
  Current practice: Data Transfer and Use Agreements (DTUAs)
  Regulatory implication: Safeguarding; Breach and Reporting
  Responsible oversight: Research Contracting

  Current practice: Clinical Trial Agreements (CTAs)
  Regulatory implication: Safeguarding; Breach and Reporting
  Responsible oversight: Research Contracting

  Current practice: Materials Transfer Agreements (MTAs)
  Regulatory implication: Safeguarding; Breach and Reporting

Conduct
  Current practice: Recruitment of Research Subjects
  Regulatory implication: Permission to Use and/or Disclose
  Responsible oversight: Principal Investigator

  Current practice: Obtaining consent and HIPAA Authorization
  Regulatory implication: Permission to Use and/or Disclose

  Current practice: E-Consent
  Regulatory implication: Permission to Use and/or Disclose; Safeguarding

  Current practice: Electronic health record access provisioning for researchers and monitors
  Regulatory implication: Safeguarding

  Current practice: Accessing/Requesting PHI datasets, De-identification
  Regulatory implication: Permission to Use and/or Disclose

  Current practice: Accounting of Disclosures of PHI
  Regulatory implication: Safeguarding

  Current practice: Storing and managing PHI (electronic systems such as CTMS, REDCap, computing environment, etc.)
  Regulatory implication: Safeguarding

  Current practice: Disclosing PHI to sponsors (Case Report Forms) or collaborators (transmitting)
  Regulatory implication: Permission to Use and/or Disclose; Safeguarding
Clinical Research Risk Assessment (continued)
Assessment template columns: Clinical Research Process; Industry Standard/Current Practice; Regulatory Implication; Responsible Oversight/Department; Gap Analysis

Oversight
  Current practice: Breach investigation and reporting; auditing, monitoring, and enforcement; review of unanticipated problems and/or serious/continuing noncompliance
  Regulatory implication: Breach and reporting to participants, OHRP, FDA, OCR, CDPH

Closeout and Record Retention
  Current practice: Electronic health record access termination
  Regulatory implication: Safeguarding

  Current practice: Record retention
  Regulatory implication: Covered Entity Organizational Requirements; IRB Records

Future Research
  Current practice: Registries/Repositories/Stored data; consent, authorization, waiver
  Regulatory implication: Compound authorizations; Future Research consent requirements; Common Rule Broad Consent
Implement Health Data Governance
Why do we need *another* committee?
• Public trust
• Standards (data stewards, security)
• Oversight for Non-HSR use of PHI
• Address risks in use of de-identified data
Who should be on it?
• Stakeholders (ethics, legal, privacy compliance, information security, research leadership, analytics and computer science experts, information officers)
How should it operate?
• Establish governing principles and criteria
• Routine vs. Escalated Review (risk matrix)
• Policies and Procedures
Anatomy of a Privacy Investigation
• What to Do and When – Step by Step
• The Breach Assessment (template provided)
• Patient Notification and Related Steps
• Correctly Using Corrective Action
• Common Scenarios
Investigation Fundamentals
Step 1: Stop. The. Breach.
Step 2: Gather Experts and Facts
• Who was the *breached* patient?
• What data was compromised?
• How did it happen?
• What was done in response?
Step 3: Conduct a Breach Assessment
Step 4: Notification
Step 5: Corrective Action
To Notify or Not to Notify
• Follow the HIPAA breach assessment conclusion
• Consider state law requirements, which usually depend on the type of information released (SSN, license number, and credit card number are common reporting requirements)
• When (and how) should you offer credit?
• When in doubt, send a patient letter: HIPAA requires notification within 60 days; California requires 15 days
• Notification to authorities may also be needed; notify the covered entity
• HIPAA requires reporting breaches to HHS: <500 patients, annually; >500 patients, within 60 days (and to the media)
• State Attorneys General have individual rules
Correctly Using Corrective Action
• When do you educate, coach, discipline, and terminate? Equity and consistency
• Consider harm and intention
• Always implement a people fix or a process fix (or both): training and technology; policy and preventatives; compliance program solutions
• Document corrective action in the Breach Assessment and maintain records