Part 1: Navigating Patient Privacy During Remote Monitoring in the Age of COVID-19

April 8, 2020

By Felicia Ford-Rice, Director, Strategic Compliance

Patient Privacy

Patient Privacy is a mainstay of clinical trials and is incorporated into the International Council on Harmonization (ICH) E6 (R2) Good Clinical Practices (GCP) guideline1.  The role of clinical monitors is essential to ensuring compliance with clinical protocols and timely communications between the sponsor and clinical trial sites.  Due to safety concerns related to the COVID-19 pandemic and governmental authority restrictions (e.g.,  Shelter-in-Place, availability of personal protective equipment), clinical monitors may not be able conduct on-site monitoring activities, including but not limited to Source Data Verification (SDV) and Source Documentation Review (SDR).  Under these circumstances, sponsors can follow Health Authorities and ICH E6 (R2) requirements to maintain GCP oversight through the conduct of remote (centralized) monitoring activities including maintaining data privacy provisions.  

Requirements for health information privacy is described in the US Health Insurance Portability and Accountability Act of 1996 (HIPAA) (see Table 1).

Table 1. HIPAA Data Privacy Requirements Data Privacy Requirement

Data Privacy Requirement

Data from a clinical trial during its entire life-cycle, from its collection by the sites as source data to its reporting, archival and destruction including:

❖ Demographic Information that can be used to identify a patient

❖ Physical Health

❖ Mental Health

❖ Biometric data

❖ Genetic data  

 

Additionally, the ICH E6 (R2) Good Clinical Practices1 requires “The confidentiality of records that could identify subjects should be protected, respecting the privacy and confidentiality rules in accordance with the applicable regulatory requirement(s).”  On 15 March 2020, the US Secretary of the Department of Health and Human Services took the extraordinary step of issuing a COVID-19 and HIPAA Bulletin2 waiving sanctions and penalties against a covered hospital that does not comply with the multiple provisions of the HIPAA Privacy Rule, necessary for purposes of public health.  Of the five (5) provisions of the HIPAA Privacy Rule, included in the waiver, the following two have the potential to impact remote (central) monitoring: (1) Right to request privacy restrictions (45 CFR 164.522(a)) and (2) Right to request confidential communications (45 CFR 164.522(b)).  

Clinical Research Associates or Clinical Study Monitors responsible for conducting monitoring of clinical trial data may have access to personal health information (PHI), which is acceptable based upon the inclusion of one or more of the following controls: (1) IRB / EC approved Informed Consent document signed by the patient or their legal representative includes the authorization for access to PHI; (2) HIPAA Authorization signed by the patient or their legal representative grants access to their PHI; (3) Waiver of HIPAA Authorization by the IRB/EC or (4) Use of de-identified patient information. Patient data privacy requirements are also codified within Health Authority GCP regulations and corresponding guidelines.  Therefore, the change in privacy considerations with respect to the two HIPAA provisions listed within the HHS COVID-19 & HIPAA Bulletin2 will not significantly change the conduct of monitoring.  Whether or not monitoring is conducted on-site or remotely (centralized), sponsor activities related to clinical trials are also subject to the above listed GCP data privacy controls to protect patient rights and confidentiality.

 

References

1 E6(R2) Good Clinical Practice: Integrated Addendum to ICH E6(R1) Guidance for Industry, March 2018

2 COVID-19 & HIPAA Bulletin Limited Waiver of HIPAA Sanctions and Penalties During a Nationwide Public Health Emergency, March 20201

 

Previous Article
Part 2: Navigating Patient Privacy During Remote Monitoring in the Age of COVID-19
Part 2: Navigating Patient Privacy During Remote Monitoring in the Age of COVID-19

Following on from part 1,  I addressed how to maintain patient privacy in the COVID-19 pandemic. In this bl...

Next Article
Perspective on the FDA enforcement policy for ventilators, accessories and other respiratory devices during COVID-19
Perspective on the FDA enforcement policy for ventilators, accessories and other respiratory devices during COVID-19

Background  There is an insufficient supply of ventilators to treat patients around the globe desperatel...