02/08/2022
Photo by NordWood Themes on Unsplash
Recently, many guidance documents and draft guidance documents regarding digital health information have been released. This is in response to the increase in numbers of devices used in the course of a clinical trial, including wearable devices, ePRO, eCOA, software such as apps, home monitors, etc. These devices collect health information and store or transmit it outside of the collection site. Such vendors need to be aware of how they are classified to ensure compliance with applicable regulations. If they are not directly considered a medical device, the device manufacturers and app developers may be considered vendors of personal health records (PHR) and would then need to comply with the Federal Trade Commission’s (FTC) Breach Notification Rule. The FTC released a Policy Statement to clarify the scope of this Rule.
The Rule applies to entities who are not covered under the Health Insurance Portability and Accountability Act (HIPAA). We have blogged before that under HIPAA, not all clinical research sites meet the definition of covered entities, and sponsors are usually not business associates. A third group, technology providers for sponsors of clinical trials that offer platforms that sites use, is a category that has many gray areas and a wide range of management and interpretation, that could risk the security of trial participants’ data. But this Rule is intended to ensure that health data is secure from data breaches or unauthorized access and requires the vendors to notify those whose personal health records are disclosed or acquired, as well as the FTC, and if large enough scope, also the media. Violations accrue civil money penalties.
The Rule applies to vendors of PHR that have individually identifiable health information that is created or received by health care providers. The Policy Statement clarifies that the developer of a health app or connected device is a “health care provider” because it “furnish[es] health care services or supplies.” Apps are covered by the Rule if “they are capable of drawing information from multiple sources”, such as blood pressure from a cuff and date/time from a phone app.
A distinction should be made if the vendor is supplying services to a covered entity (CE), because they would need to be considered a Business Associate (BA) and HIPAA would apply. They would not be doing Treatment, Payment, Health Care Operations (TPO) to be classified as a CE themselves, but they are providing a service. Sites who are CEs should look at what data are being collected and determine if it falls under the HIPAA jurisdiction. If it does, the site who is a CE needs to work with their legal team and the vendor to get a Business Associate Agreement (BAA) in place. Sponsors are not CEs and therefore are not required to get a BA with the app vendor.
You may also enjoy the following blogs:
Not sure if your site is a CE? Does your vendor need a BAA? Clinical Pathways offers an interactive eLearning course with comprehensive case scenarios: HIPAA Training for Clinical Trial Professionals
Description:
HIPAA's requirements for the use and disclosure of Protected Health Information (PHI) during the conduct of a clinical trial is not simple and depends on the situation. But there is a way to use a core set of principles and questions that provide an ability to manage and facilitate the needs of all stakeholders. The regulatory authority of HIPAA, the OCR and FDA agree that the two sets of regulations do not conflict and work well together. HIPAA does not restrict the GCP requirements of a site. Learn the answer to these questions and more in the eLearning course available HERE.
Did you know that not all clinical trial sites are covered entities?
How do you know if a clinical research site is a covered entity?
If a site is, do you know what they must do to follow HIPAA requirements to safeguard PHI?
- The Clinical Pathways Team
Enjoy this blog? Please like, comment, and share with your contacts.