Posted on 07-Apr-2022

TRANSCRIPT


Clinical Research Privacy: Mutual Challenges and Shared Solutions

Mary Alexander, CHPC, CHRC, CIP Research Compliance Officer – UC Irvine Health

Nick Weil, JD, LLM, CHC, CHPC, Senior Director – Ankura Consulting

Overview

• Challenges in Clinical Research Privacy
• A Pro-Active Solution: Developing a Compliant Clinical Research Privacy Infrastructure
• Clinical Research Privacy Assessment
• Health Data Governance
• Guide for Investigating and Assessing a Research Privacy Breach

Regulatory Landscape

• Common Rule (45 CFR 46)
• FDA (21 CFR 50 and 56)
• HIPAA Privacy & Security Rules (45 CFR 164)
• The Belmont Report
• State laws (CMIA, NYPA, CCPA)
• International laws (GDPR)
• National Institutes of Health (NIH) Certificates of Confidentiality (CoC)
• 42 CFR Part 2
• National Institutes of Health (NIH) Data Management and Sharing Policy
• National Institute of Justice (NIJ) Privacy Certificate
• Office of the National Coordinator for Health Information Technology (ONC) Interoperability
• Centers for Medicare and Medicaid Services (CMS) Information Blocking

Challenges at a Glance

Intersection of risk and responsibility
• IRBs/Privacy Boards
• Compliance and Privacy Offices of Covered Entities
• Principal Investigators and Physicians
• Executive and Institutional Leadership

Increased use of data for technology
• Public expectation and perception
• Current laws/regulations do not contemplate new challenges

Conflicting duties
• Safeguarding health data vs. using that data for the public good
• Contributing to societal good vs. protecting patient rights

Exploring Current Challenges

HIPAA Authorization for Research
• IRB or Privacy Office oversight?
• What happens when a central IRB is used?
• What happens when a waiver is issued?

Sharing PHI with third parties
• Should data leave the covered entity (CE) environment?
• Trust and reputational impact
• Sponsors, business associates

De-identification defined (Common Rule, HIPAA)
• Differing definitions
• Is genetic information PHI?
• De-identification doesn't eliminate privacy risk: reidentification, group harm

Consent
• Non-HSR (non-human-subjects research) that uses PHI
• The new NIH policy advises considering consent for de-identified uses of data

Hybrid entities
• Sharing PHI between covered and non-covered components
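The point that de-identification does not eliminate re-identification risk is easy to demonstrate on data. The example below is added here and is not part of the presentation: it applies the HIPAA Safe Harbor generalizations the slides allude to (ages over 89 collapsed, ZIP codes cut to three digits, sparsely populated ZIP3 areas reported as "000", direct identifiers dropped) to a constructed set of fictional records, then measures k-anonymity over the remaining quasi-identifiers. Any record that is unique on age, ZIP3 and sex (k == 1) can still be linked to an outside dataset such as a voter roll. The small-ZIP3 set, the record fields and the quasi-identifier choice are assumptions for this example.

```python
"""Added example, not from the presentation: why HIPAA Safe Harbor
de-identification does not eliminate re-identification risk.

Constructed (fictional) research records are generalized following Safe
Harbor rules, then checked for k-anonymity over the remaining
quasi-identifiers. Records with k == 1 are still linkable.
"""
from collections import Counter
from datetime import date
from typing import Dict, List, Tuple

# Constructed sample of identifiable records (fictional people and values).
RAW_RECORDS: List[Dict] = [
    {"name": "A. Lopez",  "dob": date(1951, 3, 2),   "zip": "92697", "sex": "F", "dx": "T2DM"},
    {"name": "B. Nguyen", "dob": date(1951, 1, 20),  "zip": "92612", "sex": "F", "dx": "HTN"},
    {"name": "C. Okafor", "dob": date(1985, 11, 30), "zip": "92868", "sex": "M", "dx": "Asthma"},
    {"name": "D. Park",   "dob": date(1985, 6, 5),   "zip": "92868", "sex": "M", "dx": "T2DM"},
    {"name": "E. Rossi",  "dob": date(1930, 2, 14),  "zip": "92697", "sex": "M", "dx": "CHF"},
    {"name": "F. Haddad", "dob": date(1999, 12, 1),  "zip": "03601", "sex": "F", "dx": "Asthma"},
]

# Safe Harbor: a ZIP3 area containing 20,000 or fewer people is reported as "000".
# Constructed subset for this example; derive the real list from Census data.
SMALL_ZIP3 = {"036", "059", "102"}

# Fields an outside dataset could plausibly be joined on (assumption).
QUASI_IDENTIFIERS = ("age", "zip3", "sex")


def safe_harbor(rec: Dict, as_of: date = date(2022, 4, 7)) -> Dict:
    """Apply the Safe Harbor generalizations relevant to these fields."""
    had_birthday = (as_of.month, as_of.day) >= (rec["dob"].month, rec["dob"].day)
    age = as_of.year - rec["dob"].year - (0 if had_birthday else 1)
    age_value = "90+" if age >= 90 else str(age)  # ages over 89 are aggregated
    zip3 = rec["zip"][:3]
    if zip3 in SMALL_ZIP3:
        zip3 = "000"
    # Name, full date of birth and 5-digit ZIP are dropped; the diagnosis is
    # kept as the sensitive attribute the study actually needs.
    return {"age": age_value, "zip3": zip3, "sex": rec["sex"], "dx": rec["dx"]}


def k_anonymity(records: List[Dict],
                qi: Tuple[str, ...] = QUASI_IDENTIFIERS) -> Tuple[int, List[Dict]]:
    """Return (k, singletons): k is the size of the smallest equivalence class
    over the quasi-identifiers; singletons are the records unique on them."""
    keys = [tuple(r[q] for q in qi) for r in records]
    counts = Counter(keys)
    singletons = [r for r, key in zip(records, keys) if counts[key] == 1]
    return min(counts.values()), singletons


def deidentify_and_assess(records: List[Dict] = RAW_RECORDS) -> Tuple[int, List[Dict]]:
    """De-identify under Safe Harbor, then measure how anonymous the result is."""
    return k_anonymity([safe_harbor(r) for r in records])


if __name__ == "__main__":
    k, singletons = deidentify_and_assess()
    print(f"k-anonymity of the Safe Harbor dataset: k={k}")
    for r in singletons:
        print("unique on quasi-identifiers, linkable:", r)
```

The dataset is Safe Harbor compliant (every identifier on the list is gone), yet two of the six records are unique on age, ZIP3 and sex and so remain linkable; that gap between "de-identified" and "anonymous" is what drives the group-harm and consent questions on the slide, and why a release of a de-identified dataset still deserves a risk review rather than an automatic pass.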

How to Develop a Compliant Clinical Research Privacy Infrastructure

• Conduct a Clinical Research Privacy Risk Assessment
• Implement Health Data Governance
• Master a Research Privacy Breach Investigation

Clinical Research Risk Assessment

Map the clinical research lifecycle; identify current practices; identify regulatory implications; identify responsible parties; conduct a gap analysis.

The assessment worksheet below follows the lifecycle. The Gap Analysis column is left blank on the slides for each institution to complete.

| Clinical Research Process | Industry Standard/Current Practice | Regulatory Implication | Responsible Oversight/Department |
|---|---|---|---|
| Development of Protocol | Protocol includes privacy protection measures and confidentiality maintenance | Safeguarding | Principal Investigator; IRB/Privacy Board |
| Submission and Review | IRB review of privacy protection measures and confidentiality maintenance | Adequate provisions to protect privacy and maintain confidentiality; risks minimized; risks reasonable in relation to benefit | IRB/Privacy Board |
| | IRB informed consent review | Description of privacy protection and confidentiality maintenance | IRB/Privacy Board |
| | HIPAA Authorization/Waiver requirements (Privacy Board) | Permission to Use and/or Disclose | IRB/Privacy Board |
| | Review Preparatory to Research and Decedent Research | Permission to Use and/or Disclose | |
| Activation | Data Transfer and Use Agreements (DTUAs) | Safeguarding; Breach and Reporting | Research Contracting |
| | Clinical Trial Agreements (CTAs) | Safeguarding; Breach and Reporting | Research Contracting |
| | Materials Transfer Agreements (MTAs) | Safeguarding; Breach and Reporting | |
| Conduct | Recruitment of Research Subjects | Permission to Use and/or Disclose | Principal Investigator |
| | Obtaining consent and HIPAA Authorization | Permission to Use and/or Disclose | |
| | E-Consent | Permission to Use and/or Disclose; Safeguarding | |
| | Electronic health record access provisioning for researchers and monitors | Safeguarding | |
| | Accessing/Requesting PHI datasets, De-identification | Permission to Use and/or Disclose; Accounting of Disclosures of PHI; Safeguarding | |
| | Storing and managing PHI (electronic systems such as CTMS, REDCap, computing environment, etc.) | Safeguarding | |
| | Disclosing PHI to sponsors (Case Report Forms) or collaborators (transmitting) | Permission to Use and/or Disclose; Safeguarding | |
| Oversight | Breach investigation and reporting; Auditing, monitoring, and enforcement | Review of unanticipated problems and/or serious/continuing noncompliance; Breach reporting to participants, OHRP, FDA, OCR, CDPH | |
| Closeout and Record Retention | Electronic health record access termination | Safeguarding | |
| | Record retention | Covered Entity organizational requirements; IRB records | |
| Future Research | Registries/Repositories/Stored data; Consent, authorization, waiver | Compound authorizations; Future Research consent requirements; Common Rule Broad Consent | |
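Two rows of the worksheet, EHR access provisioning for researchers and monitors during conduct and EHR access termination at closeout, are controls that can be checked mechanically rather than by attestation. The script below is an added example, not code from the presentation or from any EHR vendor: it reconciles a constructed export of study-scoped EHR access against study status and the IRB-approved personnel list, and returns the grants that should be revoked with the reason. The field names, roles, study statuses and the rule that monitor access must carry an expiry are assumptions for the example; a real EHR or CTMS export would have to be mapped onto them.

```python
"""Added example, not from the presentation: reconciling research EHR access
against study status and the IRB-approved roster.

Grants that should be revoked are returned with a reason so the access team
can act and the compliance office can record the finding.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AccessGrant:
    user: str
    study: str
    role: str                 # "investigator", "coordinator" or "monitor" (assumed roles)
    expires: Optional[date]   # monitors get time-boxed access; None means no expiry


# Constructed study registry, shaped like an IRB/CTMS export (assumption).
STUDIES: Dict[str, Dict] = {
    "IRB-2021-0456": {"status": "open", "personnel": {"jsmith", "rchen"}},
    "IRB-2019-0112": {"status": "closed", "closed_on": date(2022, 1, 31),
                      "personnel": {"apatel"}},
}

# Constructed export of study-scoped EHR access as of the run date.
GRANTS: List[AccessGrant] = [
    AccessGrant("jsmith", "IRB-2021-0456", "investigator", None),
    AccessGrant("rchen", "IRB-2021-0456", "coordinator", None),
    AccessGrant("tlee", "IRB-2021-0456", "coordinator", None),        # not on the roster
    AccessGrant("cro_monitor1", "IRB-2021-0456", "monitor", date(2022, 3, 15)),  # expired
    AccessGrant("cro_monitor2", "IRB-2021-0456", "monitor", date(2022, 6, 30)),
    AccessGrant("apatel", "IRB-2019-0112", "investigator", None),     # study closed
    AccessGrant("ghost", "IRB-2018-9999", "coordinator", None),       # no such study
]


def reconcile(grants: List[AccessGrant], studies: Dict[str, Dict],
              today: date) -> List[Tuple[AccessGrant, str]]:
    """Return (grant, reason) for every grant that should be revoked."""
    findings = []
    for g in grants:
        study = studies.get(g.study)
        if study is None:
            findings.append((g, "no matching study record"))
        elif study["status"] != "open":
            # Closeout control: access must end when the study does.
            overdue = (today - study["closed_on"]).days
            findings.append((g, f"study {study['status']} {overdue} days ago; access not terminated"))
        elif g.role == "monitor":
            # Monitors are sponsor/CRO staff: access must be time-boxed and current.
            if g.expires is None:
                findings.append((g, "monitor access has no expiry"))
            elif g.expires < today:
                findings.append((g, f"monitor access expired {g.expires.isoformat()}"))
        elif g.user not in study["personnel"]:
            findings.append((g, "user not on IRB-approved personnel list"))
    return findings


def revocation_list(today: date = date(2022, 4, 7)) -> List[Tuple[str, str, str]]:
    """Flatten findings into (user, study, reason) rows for the access team."""
    return [(g.user, g.study, reason) for g, reason in reconcile(GRANTS, STUDIES, today)]


if __name__ == "__main__":
    for user, study, reason in revocation_list():
        print(f"REVOKE {user:<14} {study:<14} {reason}")
```

Run on a schedule, the output doubles as the audit evidence for the Oversight row (auditing, monitoring, and enforcement): each revocation carries the rule it violated, and a grant on a closed study shows how long termination has been overdue.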

Implement Health Data Governance

Why do we need *another* committee?
• Public trust
• Standards (data stewards, security)
• Oversight for non-HSR use of PHI
• Address risks in the use of de-identified data

Who should be on it?
• Stakeholders: ethics, legal, privacy compliance, information security, research leadership, analytics and computer science experts, information officers

How should it operate?
• Establish governing principles and criteria
• Routine vs. escalated review (risk matrix)
• Policies and procedures

Anatomy of a Privacy Investigation

• What to do and when, step by step
• The Breach Assessment (template provided)
• Patient notification and related steps
• Correctly using corrective action
• Common scenarios

Investigation Fundamentals

Step 1: Stop. The. Breach.

Step 2: Gather experts and facts
• Who was the *breached* patient?
• What data was compromised?
• How did it happen?
• What was done in response?

Step 3: Conduct a Breach Assessment

Step 4: Notification

Step 5: Corrective Action

Breach Assessment Tool

[Slide image: the breach assessment template referenced above is not reproduced in the transcript.]

Breach Assessment Tool – Probability of Compromise Determination

[Slide image: the probability of compromise worksheet is not reproduced in the transcript.] Under 45 CFR 164.402, an impermissible use or disclosure of PHI is presumed to be a breach unless the risk assessment shows a low probability that the PHI has been compromised, considering at least the nature and extent of the PHI, the unauthorized person who used or received it, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated.

To Notify or Not to Notify

Follow the HIPAA breach assessment conclusion. Consider state law requirements, which usually depend on the type of information released (SSN, driver's license number, and credit card number are common reporting triggers). Decide when (and how) to offer credit monitoring. When in doubt, send a patient letter.

Deadlines for notifying affected individuals:
• HIPAA: without unreasonable delay, and no later than 60 calendar days after discovery of the breach
• California: 15 business days after detection for licensed clinics and health facilities (Health & Safety Code 1280.15), with a report to CDPH in the same window

Notification to authorities may also be needed:
• A business associate must notify the covered entity
• HIPAA requires reporting breaches to HHS: fewer than 500 individuals, annually (within 60 days after the end of the calendar year in which the breach was discovered); 500 or more individuals, within 60 days of discovery, plus notice to prominent media outlets when more than 500 residents of a state or jurisdiction are affected
• State Attorneys General have individual rules

Correctly Using Corrective Action

• When do you educate, coach, discipline, and terminate? Apply equity and consistency; consider harm and intention
• Always implement a people fix or a process fix (or both): training and technology; policy and preventatives; compliance program solutions
• Document corrective action in the Breach Assessment and maintain records

Common Scenarios

• Example 1 – Authorizations not signed
• Example 2 – Identifiable data sent to sponsor
• Example 3 – Results given to the wrong patient
• Example 4 – Lost investigator laptop

Questions and Discussion