In the selection of a Clinical Research Organization (CRO), the Sponsor must ensure that the CRO has careful policies and procedures in place to safeguard protected patient information. Sponsors should also evaluate their own privacy protection policies and SOPs for handling and storing clinical trial participant data. CROs and Sponsors must be cognizant of the applicable state and federal laws, and their respective policies and procedures should mirror one another. Having these SOPs and policies in place, and articulating them in the Master Services Agreement and Work Order(s), is critical.

Both the Sponsor and the CRO should conduct a comprehensive review and analysis of the pertinent federal and state privacy statutes. The starting point is the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its rules governing protected health information. Moreover, the privacy laws of each state (especially California) are complex and carry considerable technical compliance requirements. Finally, both the Sponsor and the CRO should analyze any international privacy implications, for instance the EU’s General Data Protection Regulation (GDPR).

With respect to patient recruitment efforts for clinical trials, if physician records are being utilized, the best practice is to seek a partial waiver of HIPAA authorization from the study’s IRB1 (see 45 C.F.R. Section 164.512, et seq.). Consent forms should be reviewed for compliance and must contain all the elements necessary to be valid. Moreover, all the proper parties should execute the consent forms: the clinical participant, the CRO, the Sponsor and any ancillary participant(s) in the study (for example, the clinical participant’s physicians, among others). CROs and Sponsors should also be cognizant of the scope of the HIPAA waiver and of any revocation by a clinical participant at any stage.

While HIPAA compliance is a baseline and mandatory requirement, it is not enough. Depending on the geographical location of a trial (many trials are multi-jurisdictional), state laws must also be considered. California’s privacy law is particularly instructive. California has enacted the California Consumer Privacy Act of 2018 (CCPA), which protects personal information such as names, social security numbers, email addresses and biometric data (fingerprints, etc.), among others2. The CCPA requirements are strict and apply to “for profit” businesses that “do business in California” and meet any of the following thresholds:

  1. Have gross revenues of over $25,000,000;
  2. Buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices; or
  3. Derive 50% or more of their annual revenue from selling California residents’ personal information.3

These requirements may not apply to many Sponsors but may apply to CROs and therefore implicate Sponsors.

Both Sponsors and CROs should plan for how clinical participant data will be stored securely, maintained, and ultimately utilized for further studies. Formulating a data security breach notification plan and adopting a data retention policy, with appropriate customer consent provisions, is also critical.

1 Kulynych J. HIPAA Compliance in Clinical Trials. J Oncol Pract. 2008 Jan;4(1):9-10. doi: 10.1200/JOP.0812505. PMID: 29443602; PMCID: PMC2793939.

2 California Consumer Privacy Act of 2018 [Cal. Civ. Code Sections 1798.100-1798.199, et seq.].

3 State of California Department of Justice: California Consumer Privacy Act (CCPA) – (August 15, 2022)