HIPAA

The Health Insurance Portability and Accountability Act of 1996 was passed to create
national standards for the protection of sensitive patient health information from being
disclosed without a patient’s consent or knowledge.

Covered entities, meaning those that must comply with HIPAA rules, include:

Healthcare providers
Health insurance plans
Healthcare clearinghouses (companies that process nonstandard health information received
from another entity into a standard format)

HIPAA compliance is also required of business associates of a covered entity. That means if a covered entity engages
with another business to help it fulfill its activities and functions, that associated business
must also comply with HIPAA rules.

Type 1 attests an organization’s use of compliant systems and processes at a specific point in
time. Conversely, Type 2 is an attestation of compliance over a period (usually 12 months).

A Type 1 report describes the controls in use by an organization, and confirms that the controls
are properly designed and enforced. A Type 2 report includes everything that’s part of a Type 1
report, along with the attestation that the controls are operationally effective.

The three main HIPAA rules regarding Protected Health Information (PHI) in the US are:

The Privacy Rule (Part 164 Subpart E): This rule safeguards the privacy of an individual's
health information and gives patients control over how their personal health information is
used and disclosed, including the right to acquire a copy of their records.

The Security Rule (Part 164 Subpart C): This rule establishes national standards for the
security measures covered entities must take to protect electronic health information they
create, receive, use, or maintain.

The Breach Notification Rule (Part 164 Subpart D): This rule requires covered entities and
their business associates to provide notification if there is a breach of unsecured protected
health information.

HIPAA and GDPR share some common goals and principles, but they do have many
differences, and compliance with one does not necessarily mean you’ll be in compliance with
the other.
HIPAA and GDPR are both concerned with protecting the personal health information of
individuals and both regulations give people rights over the use of their data and their access
to that data.

They both also require organizations that process personal health data to create specific
safeguards for that data. Additionally, HIPAA and EU GDPR require organizations
processing personal health information to notify anyone who is affected in the event of a data
breach.

The biggest difference between HIPAA and GDPR is their scope.

The General Data Protection Regulation covers any organization processing personal data that could
be used to identify someone in the EU. HIPAA is limited to the covered entities that process
the Protected Health Information (PHI) mentioned earlier.

But there are still a handful of other differences to note:

One of the biggest differences between the two regulations is GDPR’s inclusion of a “right to
be forgotten”. Essentially, this means that individuals have the right to have their data erased
by the organization controlling it, except under a limited number of specific circumstances.
HIPAA deals solely with Protected Health Information, while GDPR applies to any data that
could be used to identify someone, directly or indirectly.
The penalties for failure to comply with HIPAA can run up to $1.5 million per year, while
GDPR’s fines can reach 4% of global revenue or up to €20 million.

In the US, sponsors of a medical device clinical trial will need to abide by all three of the
HIPAA rules (Privacy, Security, Breach Notification), but the Privacy Rule has the most
immediate impact on research.

The Privacy Rule defines research as “a systematic investigation, including research
development, testing, and evaluation, designed to develop or contribute to generalizable
knowledge.” When it comes to research, the Privacy Rule is meant to protect health
information that could identify individuals while also making sure that researchers can access
the data they need.

In practice, this means there are instances where a covered entity may use or disclose PHI
without authorization by the individual.

For instance, this can occur when the covered entity receives approval from an Institutional
Review Board (IRB) or Privacy Board. The Department of Health and Human Services
provides a full list of the specific situations in which the covered entity may use or disclose
PHI without authorization.

Just remember that in the US, regulations around personal data in clinical trials are not
limited to HIPAA. The HHS and FDA’s Protection of Human Subjects Regulations have
provisions that are separate from those of the Privacy Rule, but must still be followed when
carrying out research with human subjects.
According to the GDPR, clinical trial sponsors can be categorized as both a processor and a
data controller. This is because a clinical trial operation includes data not only from subjects,
but also personnel, sales, and sub-contractors.

This means there are a number of different obligations that MedTech companies must fulfill
when conducting clinical trials in the EU, including:

GDPR states that a clear and documented consent must be acquired from all data subjects in
order to process their information. Such consent is not new to the industry, and in most cases,
a trial subject is asked to sign an informed consent before initiating any data collection.
Medical device companies, or clinical trial sponsors, must now identify the data to be
processed, where it will be transferred to, who is processing it, what it will be used for, and
which risks are involved. All of which must now be included in a separate informed consent
(not the protocol-specific consent).
Organizations that process and manage clinical trial data must now conduct data impact
assessments (DIA) on both electronic and hard copy data. A data impact assessment should
cover what the data is used for, how it’s managed, and what action is needed to mitigate any
risks.
Sponsors are also required to appoint a Data Protection Officer (DPO), who takes part
in managing and documenting many of the activities that surround data and information
processing. In addition, the DPO acts as the main interface to the company if there
are any data breaches or inbound inquiries. The DPO can either be an external hire or a
current employee who you train for the role.
Like HIPAA, GDPR provides some exemptions regarding provisions such as the right
to be forgotten in certain cases. For instance, clinical trial data is considered “special data”,
because processing of such data is necessary for research-specific purposes.

This is because clinical data cannot simply be removed or transferred from a dataset
without affecting the audit trail or the statistical outcome. Subjects can, however, choose to
withdraw their consent to prevent any additional data collection.
