Data Privacy Laws and Clinical Trials: The Complicated Intersection of Protecting Patient Data and Clinical Research

Led by the framework of the General Data Protection Regulation (GDPR) within the European Economic Alliance (EEA), the privacy landscape in the United States and much of the world is quickly evolving. Clinical trials involve the collection of Personal Health Information (PHI) as defined under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its accompanying regulations within the US and “Personal Data” as defined by the GDPR within the EEA. In nearly all cases, one or both privacy laws may govern data collection, use, and storage in the setting of clinical research. Additionally, many states within the U.S. are implementing privacy laws at the state level. These laws impose many obligations similar to obligations under GDPR, including notice, consumer/data subject rights, and security measures; however, to date, effective state laws all contain an exception for personal information collected in the context of HIPAA subject data or research activities such as clinical trials. In this article, we will discuss three areas where evolving data privacy protections and clinical trials intersect, resulting in important considerations to ensure our ability to continue meaningful clinical research while protecting participating data subjects: (1) The importance of defining your role and knowing your responsibilities; (2) Cross-border transfers of Personal Data; and (3) The complicated reality of notice requirements.

(1) The importance of defining your role and knowing your responsibilities…
