In December 2023, the HIPAA Journal (Health Insurance Portability and Accountability Act Journal) reported that 2023 had seen the largest number of health data breaches and privacy violations ever recorded in the history of modern health and clinical trial data technology. Source: The HIPAA Journal
Clinical trials are driven by the need for data that establishes the safety and efficacy of medical interventions, and the search for that data is what justifies investment in the industry. However, because the data is obtained from human subjects, individual countries, international bodies such as the European Union, and even intercontinental bodies have put a regulatory and legal framework in place to govern the handling, transfer, storage, and overall privacy of the data collected in clinical trials.
To complicate matters, the regulations of different countries can contradict one another. For studies running in several countries, CROs therefore need to be thoroughly familiar with the regulatory framework of every country in which the study will take place.
Regulatory violations and legal breaches have severe consequences for the companies involved. For example, in 2024, Montefiore Medical Center in the United States of America paid a fine of $4,705,000 for a series of breaches that included a failure to conduct a proper risk analysis, a failure to set up structures for regularly reviewing data, and a failure to maintain and review an audit trail.
In 2023, Banner Health paid a settlement of $1,250,000 for the absence of proper safeguards for verifying user access to health records and the absence of a risk analysis framework. In 2022, Oklahoma State University – Center for Health Sciences paid a settlement of $875,000 for a host of breaches that included an inadequate risk analysis framework, the absence of a security incident response and reporting framework, a lack of audit controls and breach notifications, and the impermissible disclosure of the PHI of 279,865 individuals.
What Steps Can CROs Take to Strengthen Data Security Processes and Compliance?
Although this will be discussed in more detail in the next article, a few guidelines include:
- Develop and maintain a company culture that emphasises respect for subject, patient, and client data and privacy.
- Provide periodic refresher training to staff on data security and privacy.
- Keep staff training on data security and privacy up to date.
- Run tests before study go-live that simulate data transfer between sites, sponsors, regulatory bodies, and other study team personnel, so that privacy risks are caught and addressed.
- Promote internal and external accountability.
- Create a default policy that denies access to PHI unless access has been requested and the request has been properly evaluated.
- Create a Data Security Team whose primary responsibility is ensuring company-wide compliance with data security and privacy regulations.
- Maintain up-to-date electronic and physical security measures, and keep the relevant staff trained in the use of those measures.
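The default-deny policy in the list above and the audit-trail failures cited in the enforcement examples are two sides of the same control: nobody reads a PHI record without a reviewed approval, and every decision, allowed or denied, is written down for later review. The following is an added example, not code from the original article or any named CRO. It assumes a hypothetical in-memory approval register, a fixed clock, and constructed user and record identifiers; a real deployment would draw approvals from the organisation's identity and workflow systems and write the audit trail to tamper-evident storage.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AccessApproval:
    """A reviewed and approved request for one user to read one PHI record."""
    user: str
    record_id: str
    purpose: str
    approved_by: str
    expires_at: datetime


@dataclass(frozen=True)
class AuditEntry:
    """One line of the audit trail; every decision is recorded, not just denials."""
    when: datetime
    user: str
    record_id: str
    decision: str  # "ALLOW" or "DENY"
    reason: str


class PhiAccessGate:
    """Default-deny gate in front of PHI records (hypothetical, for illustration).

    A read is allowed only if an unexpired approval naming this user and this
    record exists. Anything else is denied, and the decision is appended to
    the audit trail either way.
    """

    def __init__(self, clock: Optional[Callable[[], datetime]] = None) -> None:
        self._approvals: Dict[Tuple[str, str], AccessApproval] = {}
        self.audit_trail: List[AuditEntry] = []
        self._clock = clock or (lambda: datetime.now(timezone.utc))

    def approve(self, approval: AccessApproval) -> None:
        """Register an evaluated request. The reviewer may not be the requester."""
        if approval.approved_by == approval.user:
            raise ValueError("a requester cannot approve their own access")
        if not approval.purpose.strip():
            raise ValueError("an approval must state the purpose of access")
        self._approvals[(approval.user, approval.record_id)] = approval

    def revoke(self, user: str, record_id: str) -> None:
        """Withdraw an approval; subsequent checks fall back to the default deny."""
        self._approvals.pop((user, record_id), None)

    def check(self, user: str, record_id: str) -> bool:
        """Return True only if a current approval exists; log the decision."""
        now = self._clock()
        approval = self._approvals.get((user, record_id))
        if approval is None:
            self._log(now, user, record_id, "DENY", "no approved request on file")
            return False
        if approval.expires_at <= now:
            self._log(now, user, record_id, "DENY", "approval expired")
            return False
        self._log(now, user, record_id, "ALLOW",
                  f"purpose={approval.purpose}; approved_by={approval.approved_by}")
        return True

    def denials_since(self, since: datetime) -> List[AuditEntry]:
        """The view a periodic audit review would start from."""
        return [e for e in self.audit_trail if e.decision == "DENY" and e.when >= since]

    def _log(self, when: datetime, user: str, record_id: str, decision: str, reason: str) -> None:
        self.audit_trail.append(AuditEntry(when, user, record_id, decision, reason))


def demo() -> Tuple[bool, bool, bool, int]:
    """Constructed walk-through with a fixed clock so the outcome is repeatable."""
    t0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    ticks = iter(t0 + timedelta(minutes=i) for i in range(10))
    gate = PhiAccessGate(clock=lambda: next(ticks))  # each call advances one minute

    first = gate.check("analyst_a", "subject-0001")   # t0: no request yet -> DENY
    gate.approve(AccessApproval("analyst_a", "subject-0001", "SAE reconciliation",
                                "dpo_b", expires_at=t0 + timedelta(minutes=2)))
    second = gate.check("analyst_a", "subject-0001")  # t0+1: approved -> ALLOW
    third = gate.check("analyst_a", "subject-0001")   # t0+2: expired -> DENY
    gate.check("analyst_c", "subject-0001")           # t0+3: never approved -> DENY
    return first, second, third, len(gate.denials_since(t0))


if __name__ == "__main__":
    print(demo())  # (False, True, False, 3)
```

The point of the fixed clock is that approvals expire; an access decision that was correct on the day a request was evaluated should not stay correct indefinitely. The separation-of-duties check in `approve` and the unconditional logging in `check` are the two properties an auditor would look for first.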