How to Comply with HIPAA and EU GDPR in Medical Device Studies

August 17, 2023


The U.N. recognizes privacy as a fundamental human right, and nowhere is this more important than in medical data. That’s why both the US and the EU have regulations in place that govern the collection, storage, and use of patient data in healthcare. 

In the US, there is the Health Insurance Portability and Accountability Act of 1996 (HIPAA). And in the EU, the broader General Data Protection Regulation (GDPR) also covers patient health information. 

When medical device companies begin clinical trials for their devices, they invariably come into possession of subjects’ personal data, which means they may be required to comply with either (or both) of these regulations, depending on where the studies take place and who participates. 

The penalties for failing to comply with these regulations can be steep, so it’s essential that you have an understanding of what’s required of your company while handling patient health data.  

Let’s start in the US, with HIPAA.

FREE DEMO: Click here to see how you can streamline the collection and management of your clinical data in compliance with HIPAA and EU GDPR.

What is HIPAA?

The Health Insurance Portability and Accountability Act of 1996, together with the rules the Department of Health and Human Services (HHS) issued under its Administrative Simplification provisions, created national standards for protecting sensitive patient health information from being disclosed without a patient's consent or knowledge.

Covered entities, meaning those that must comply with HIPAA rules, include:

  • Healthcare providers
  • Health insurance plans
  • Healthcare clearinghouses (companies that process nonstandard health information received from another entity into a standard format)

HIPAA compliance is also required of business associates of a covered entity. That means if a covered entity engages another business to help it fulfill its activities and functions (for example, an EDC vendor or a contract research organization that handles PHI on its behalf), that associated business must also comply with HIPAA rules. Since the HITECH Act of 2009, business associates are directly liable for compliance with the Security Rule and the applicable parts of the Privacy Rule, and the relationship must be documented in a business associate agreement.

The three main HIPAA rules regarding Protected Health Information (PHI) in the US are:

  • The Privacy Rule (45 CFR Part 164 Subpart E): This rule safeguards the privacy of an individual's health information and gives patients control over how their protected health information is used and disclosed, including the right to obtain a copy of their records.
  • The Security Rule (45 CFR Part 164 Subpart C): This rule establishes national standards for the administrative, physical, and technical safeguards that covered entities and business associates must implement to protect electronic protected health information (ePHI) they create, receive, maintain, or transmit.
  • The Breach Notification Rule (45 CFR Part 164 Subpart D): This rule requires covered entities and their business associates to notify affected individuals and HHS (and, for breaches affecting more than 500 residents of a state, the media) if there is a breach of unsecured protected health information. "Unsecured" means PHI that has not been rendered unusable, unreadable, or indecipherable under HHS guidance, in practice by encryption or destruction; a lost encrypted device whose key was not compromised is generally not a reportable breach, which is a strong practical argument for encrypting ePHI at rest and in transit.


What is GDPR?

As its name implies, the General Data Protection Regulation (GDPR) is a broad regulation that encompasses more than just personal medical data. The GDPR has applied since May 25th, 2018, with the goal of protecting the rights of individuals in the EU (regardless of citizenship) by strengthening privacy and reducing the risk and impact of data breaches.

GDPR applies to "personal data", meaning any information relating to an identified or identifiable natural person in the EU, whether the identification is direct or indirect. That includes ordinary personal data such as telephone numbers or credit card numbers, but it also singles out "special categories" of personal data under Article 9, which include data concerning health. Note that the GDPR never uses the US term PII; its definition of personal data is broader than most PII definitions, since it also covers identifiers such as device IDs, pseudonymous study codes, and IP addresses where someone can link them back to a person.

Any organization that processes personal data must abide by the seven data protection principles laid out in Article 5(1) and 5(2) of the regulation:

  1. Lawfulness, fairness and transparency — Processing must be lawful, fair, and transparent to the data subject.
  2. Purpose limitation — You must process data for the legitimate purposes specified explicitly to the data subject when you collected it.
  3. Data minimization — You should collect and process only data that is adequate, relevant, and limited to what is necessary for the purposes specified.
  4. Accuracy — You must keep personal data accurate and up to date.
  5. Storage limitation — You may only store personally identifying data for as long as necessary for the specified purpose.
  6. Integrity and confidentiality — Processing must be done in such a way as to ensure appropriate security, integrity, and confidentiality (e.g. by using encryption).
  7. Accountability — The data controller is responsible for being able to demonstrate GDPR compliance with all of these principles.

GDPR also requires data protection "by design and by default" (Article 25), which means that every organization that deals with personal data must build these principles into the design of any new product, service, or process, and must default to the most privacy-protective settings (for example, collecting only the fields the protocol needs rather than everything the form could capture).


Comparing HIPAA and GDPR

HIPAA and GDPR share some common goals and principles, but they do have many differences, and compliance with one does not necessarily mean you’ll be in compliance with the other.

Similarities between HIPAA and GDPR

HIPAA and GDPR are both concerned with protecting the personal health information of individuals and both regulations give people rights over the use of their data and their access to that data. 

They both also require organizations that process personal health data to put specific safeguards in place for that data. Both regulations also impose breach notification duties, though the triggers differ: HIPAA requires notification of affected individuals (and HHS) for any breach of unsecured PHI, whereas the GDPR requires notification of the supervisory authority within 72 hours unless the breach is unlikely to result in a risk to individuals (Article 33), and notification of the affected individuals only where the breach is likely to result in a high risk to them (Article 34).

Differences between HIPAA and GDPR

The biggest difference between HIPAA and GDPR is their scope. 

The General Data Protection Regulation covers any organization processing personal data of people in the EU, whatever the sector. HIPAA is limited to the covered entities and business associates that handle the Protected Health Information (PHI) we mentioned earlier; health data held by an organization that is neither (for example, a consumer wearable vendor) is outside HIPAA, even though it would be health data under the GDPR.

But there are still a handful of other differences to note:

  • One of the biggest differences between the two regulations is GDPR's "right to be forgotten", formally the right to erasure (Article 17). Essentially, this means that individuals have the right to have their data erased by the organization controlling it, except under a limited number of specific circumstances, one of which is scientific research.
  • HIPAA deals solely with Protected Health Information, while GDPR applies to any data that could be used to identify someone, directly or indirectly.
  • The penalties for failure to comply with HIPAA are tiered by level of culpability, with an annual cap per violated provision that was set at $1.5 million and is adjusted for inflation each year (plus possible criminal penalties), while GDPR administrative fines can reach €20 million or 4% of worldwide annual turnover, whichever is higher.


How do HIPAA and GDPR impact medical device clinical trials and their subjects?

Medical device companies conducting clinical studies will end up collecting personal health data from subjects. They are, therefore, subject to HIPAA and/or GDPR regulations depending on the location of the clinical trial and who is participating in it.

HIPAA compliance in clinical trials

In the US, a sponsor that is itself a covered entity or a business associate must abide by all three HIPAA rules (Privacy, Security, Breach Notification). Many device sponsors are neither: the investigator sites are typically the covered entities, and the sites' Privacy Rule obligations determine how PHI may flow to the sponsor. Either way, the Privacy Rule has the most immediate impact on research.

The Privacy Rule defines research as “a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.” When it comes to research, the Privacy Rule is meant to protect health information that could identify individuals while also making sure that researchers can access the data they need.

In practice, this means there are defined circumstances in which a covered entity may use or disclose PHI for research without an authorization from the individual.

The most common is a waiver or alteration of authorization approved by an Institutional Review Board (IRB) or Privacy Board (45 CFR 164.512(i)). Other routes include disclosing a limited data set under a data use agreement, disclosing de-identified data (which is no longer PHI at all), and reviews preparatory to research. The Department of Health and Human Services publishes the full list of situations in which a covered entity may use or disclose PHI for research, with or without authorization.

Just remember that in the US, regulations around personal data in clinical trials are not limited to HIPAA. The HHS Protection of Human Subjects regulations (45 CFR Part 46, the Common Rule) and the FDA's regulations on informed consent and IRBs (21 CFR Parts 50 and 56) have provisions that are separate from those of the Privacy Rule, but must still be followed when carrying out research with human subjects.


GDPR compliance in clinical trials

Under the GDPR, a clinical trial sponsor is usually a data controller for the trial data, because it determines the purposes and means of the processing, and it may at the same time be a processor or joint controller for other processing in the same operation (personnel, sales, and sub-contractor data, or data handled on behalf of an investigator site). The roles of sponsor, sites, and vendors such as CROs and EDC providers have to be determined for each processing activity and written into the contracts between them.

This means there are a number of different obligations that MedTech companies must fulfill when conducting clinical trials in the EU, including:

  • Every processing activity needs a lawful basis under Article 6, and processing health data additionally needs one of the Article 9 conditions. The informed consent that a trial subject signs before any data collection is an ethical and good-clinical-practice requirement and is not automatically the GDPR lawful basis: the European Data Protection Board (Opinion 3/2019) has pointed out that GDPR consent must be freely given, which is hard to establish between a subject and a sponsor, and that other bases such as legal obligation or scientific research in the public interest are often more appropriate for the trial data itself. Whichever basis is relied on must be identified and documented before collection starts.
  • Medical device companies, or clinical trial sponsors, must identify the data to be processed, where it will be transferred (in particular whether it will leave the EU/EEA, which requires a transfer mechanism under Chapter V), who is processing it, what it will be used for, and which risks are involved. This information must be given to subjects under the transparency requirements of Articles 13 and 14, typically in a dedicated data protection section of the informed consent documents or in a separate privacy notice, rather than buried in the protocol-specific consent text.
  • Organizations that process and manage clinical trial data must conduct a Data Protection Impact Assessment (DPIA, Article 35) where the processing is likely to result in a high risk to individuals; large-scale processing of health data normally meets that threshold. The DPIA covers both electronic and hard-copy data: what the data is used for, how it is managed, the risks to subjects, and what measures are needed to mitigate those risks.
  • Organizations whose core activities involve large-scale processing of health data must appoint a Data Protection Officer (DPO, Article 37), which in practice covers most sponsors running clinical trials. The DPO advises on and monitors the activities that surround data processing, acts as the contact point for the supervisory authority and for data subjects, and is involved in handling any data breaches or inbound inquiries. The DPO can either be an external appointment or a current employee who you train for the role, provided there is no conflict of interest with their other duties.

As with HIPAA, the GDPR provides some exemptions for research. Health data is a special category of personal data under Article 9, and the right to erasure does not apply where erasure is likely to render impossible or seriously impair scientific research carried out on that data (Article 17(3)(d)).

This matters because clinical data cannot simply be removed or transferred out of a dataset without affecting the audit trail or the statistical outcome. Subjects can, however, withdraw their consent to participate at any time, which stops any additional data collection; the data already collected is normally retained under the research exemption, and the consent documents should say so plainly.
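The tension between a withdrawal and an intact audit trail is easier to reason about with a concrete data layout. The Python below is an added example written for this page, not code from the original article or from Greenlight Guru Clinical, and it is one possible design rather than a statement of what either regulation requires: direct identifiers live only in a separate identity table, study records and audit events carry a keyed-hash pseudonym, withdrawal erases the identifiers and refuses further collection, and the audit trail is hash-chained so that an edited, removed, or reordered entry is detectable. The key, site name, subject number, and measurements are constructed for the demo.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # previous-hash value for the first audit entry


def _digest(entry: dict) -> str:
    """Hash of an audit entry's content (everything except its own hash)."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class TrialDataStore:
    """Toy pseudonymised trial store (constructed for this example).

    identity_table : subject_id -> direct identifiers, the only place they live
    records        : pseudonymous study data, one dict per visit
    audit          : append-only, hash-chained event log
    """

    def __init__(self, pseudonym_key: bytes):
        self._key = pseudonym_key  # held by the controller, never shipped with data
        self.identity_table = {}
        self.records = []
        self.audit = []
        self.withdrawn = set()

    def subject_id(self, site: str, site_subject_no: str) -> str:
        # Keyed hash: stable per subject, but anyone who receives the records
        # without the key can neither reverse it nor recompute it from site data.
        msg = f"{site}:{site_subject_no}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:16]

    def _log(self, event: str, sid: str) -> None:
        prev = self.audit[-1]["hash"] if self.audit else GENESIS
        entry = {"ts": datetime.now(timezone.utc).isoformat(),
                 "event": event, "subject": sid, "prev": prev}
        entry["hash"] = _digest(entry)
        self.audit.append(entry)

    def enrol(self, site: str, site_subject_no: str, identifiers: dict) -> str:
        sid = self.subject_id(site, site_subject_no)
        self.identity_table[sid] = dict(identifiers)
        self._log("enrolled", sid)
        return sid

    def record_visit(self, sid: str, visit: int, measurements: dict) -> bool:
        """Store a visit; returns False (and logs the refusal) after withdrawal."""
        if sid in self.withdrawn:
            self._log(f"visit {visit} refused: consent withdrawn", sid)
            return False
        self.records.append({"subject": sid, "visit": visit, **measurements})
        self._log(f"visit {visit} recorded", sid)
        return True

    def withdraw(self, sid: str) -> None:
        # Stop collection and erase direct identifiers; keep the pseudonymous
        # records and every audit event so the dataset stays reproducible.
        self.withdrawn.add(sid)
        self.identity_table.pop(sid, None)
        self._log("consent withdrawn; direct identifiers erased", sid)

    def reidentify(self, sid: str):
        return self.identity_table.get(sid)

    def analysis_dataset(self) -> list:
        return list(self.records)

    def audit_intact(self) -> bool:
        """Recompute the chain; any edited, removed or reordered entry breaks it."""
        prev = GENESIS
        for entry in self.audit:
            if entry["prev"] != prev or _digest(entry) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


if __name__ == "__main__":
    store = TrialDataStore(b"constructed-demo-key-not-for-production")
    sid = store.enrol("SITE01", "007", {"name": "A. Example", "dob": "1970-01-01"})
    store.record_visit(sid, 1, {"sbp_mmhg": 128})
    store.withdraw(sid)
    print("visit 2 accepted:", store.record_visit(sid, 2, {"sbp_mmhg": 130}))
    print("identifiers:", store.reidentify(sid))
    print("records kept:", len(store.analysis_dataset()))
    print("audit intact:", store.audit_intact())
```

Whether the retained records count as anonymous or merely pseudonymous depends on who still holds the pseudonym key and the site's own enrolment log, so the erasure decision remains a controller determination to make with legal counsel; the store only makes the two outcomes (identity gone, evidence kept) mechanically separable.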

Get a clinical data solution that ensures regulatory compliance

With such a strong regulatory focus on patient health data on both sides of the Atlantic, you can’t afford to use clinical data capture tools that aren’t actively helping you comply with these regulations. 

That’s why Greenlight Guru Clinical is designed to simplify regulatory compliance with GDPR and HIPAA, as well as ISO 14155 (GCP) and FDA’s 21 CFR Part 11. With ready-to-use QA templates, system modules, and guidance documents, you can rest easy knowing your clinical data capture software is built to help ensure the privacy and security of sensitive patient data.

Ready to get a powerful and compliant EDC software solution for your next study or survey? Contact us today for your free demo of Greenlight Guru Clinical!

Chris is a biomedical engineer and has been in the medical device space for about 13 years. He spent a number of years managing clinical studies for Class III devices in Pivotal studies, PMA studies, and post-market registries. He is currently working as a Solutions Engineer at Greenlight Guru where he showcases the...
