Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
SPEAKER_00 (00:00):
This episode of AHLA
Speaking of Health Law is
sponsored by Clearwater.
For more information, visit clearwatersecurity.com.
SPEAKER_02 (00:17):
Welcome to this
episode of the AHLA Speaking of
Health Law series.
I'm Hal Porter, Director of Consulting Services for
Clearwater's Digital Health Team, and today's episode is
titled Beyond Privacy Implications, Understanding Data
Breaches in Clinical Trials.
As clinical research becomes increasingly digital, the legal
and compliance landscape is shifting under our feet.
(00:38):
It's no longer just about safeguarding patient privacy.
Data breaches now carry implications for regulatory
compliance, trial integrity, sponsor liability, and even the
admissibility of trial results.
(01:17):
industry clients on a broad range of regulatory issues,
including data acquisition and use in AI algorithm training,
research, product development, and digital health applications.
Diane, welcome.
SPEAKER_01 (01:30):
Thanks, Hal.
It's great to be here, and I'm looking forward to this
discussion.
As you mentioned, I'm a partner in the Boston office of Holland &
Knight, and I have been dealing with both HIPAA and clinical
research for the entirety of my career.
So I love talking about both of those topics and I'm even more
excited to talk about them at the same time.
SPEAKER_02 (01:54):
Excellent.
Well, it's great speaking with you today, Diane.
On today's episode, we will be unpacking real-world risks,
discussing emerging regulatory trends, and offering practical
strategies for reducing organizational exposure in an
increasingly interconnected trial environment.
So, Diane, with regard to regulatory landscape and
obligations, what are the primary regulatory frameworks
(02:16):
that govern data protection in U.S.
clinical trials, and how do they intersect with
multi-jurisdictional studies?
SPEAKER_01 (02:24):
Yeah, it's a great
question.
So anybody who's dealt with privacy and data security in the
United States knows that we always have multiple overlapping
frameworks that we have to deal with.
And that is absolutely the case in clinical research.
So at the federal level, of course, you have to think about
HIPAA.
(02:45):
And the reason is that clinical trial data is primarily
collected by healthcare providers or other covered
entities, entities that are governed by HIPAA.
And so HIPAA governs a lot of different aspects of clinical
trials.
For example, accessing records to facilitate recruitment, even
to develop a protocol, accessing source documentation to get
(03:08):
underlying history for study participants and collecting
their data.
It's involved in the consent process because you have to not
only obtain a study consent, but you need an authorization for
the use and disclosure of PHI for those studies.
So HIPAA has all kinds of relevance for clinical research.
(03:31):
At the federal level, you also have to think about human
subject protection regulations.
So for example, there's the Common Rule, which is like the
NIH human subject protection rule.
And the Common Rule, and it's called that, by the way, because
a number of federal agencies use that to govern human subject
research that they fund.
(03:51):
So they all have that rule incommon.
That's why it's called the Common Rule.
But the common rule requires researchers to implement
protections for the privacy of subjects and the confidentiality
of their data.
So it's built right into what the researchers are obligated to
do.
The common rule also has different privacy provisions
(04:15):
relating to the storage and maintenance of identifiable
study data and identifiable biospecimens when those are
being used for secondary research, and that's a huge
priority of the federal government as a policy matter.
The government wants to encourage secondary use of
existing materials and data because it minimizes the burden
(04:39):
on participants and it expedites research because you already
have these things available, but there are special rules, privacy
rules that apply for that.
Also at the federal level, there are FDA human subject protection
regulations, and those rules require that in the consent
process, participants in an FDA regulated study are advised of
(05:03):
the extent to which their records and their personal
information will be maintained confidentially.
And they also have to be advised that the FDA and others may
inspect those identifiable records.
So again, researchers have to really think about privacy and
data security when they're building out their study and
thinking about how they're presenting it to study
(05:26):
participants.
Okay, so that's all federal considerations.
At the state level, again, there's always multiple
different rules at the state level with respect to privacy
and data security.
Most often, the rules that are of concern are the ones that add
special protections to certain types of information.
(05:47):
So for example, most states have laws protecting genetic test
results.
So if your study involves genetic testing,
you need to think about those rules and what they require.
And you also, when you're thinking about all of these
rules, have to keep in mind that you're dealing with research
(06:07):
information and research, which is not treatment.
A lot of the health information privacy rules at the state level
relate to treatment or they apply to folks who are providing
treatment.
And so you always need to keep in mind research is not
treatment and think carefully about if and how those special
(06:28):
state laws apply.
So that's in the United States now.
Of course, if you're doing a study that has sites overseas,
you have to think about all the rules that apply in the relevant
jurisdiction where the study is being conducted.
For example, if you have study sites in the European Union, you
need to think about the GDPR.
(06:50):
You need to think about the EU clinical trials rate, which
governs the conduct of clinical trials.
It also requires, much like US human subject protection rules
require, the protection of the confidentiality of participant
information.
And again, all of these overlapping frameworks, they
(07:16):
create complexity just in the execution of a trial, but they
also create complexity under time pressure in the event of
Absolutely.
SPEAKER_02 (07:28):
So in the event of a
data breach, what are the
immediate legal obligations for sponsors and CROs?
SPEAKER_01 (07:35):
So that's a great
question.
First of all, the legal obligations, they could land in
a variety of places given the number of folks involved in
conducting a clinical trial.
Ultimately, though, the sponsor is really obligated for what
(07:56):
goes on in a clinical trial.
As a regulatory matter, the sponsor is responsible for the
clinical trial.
So ultimately, the sponsor is on the hook, but they're going to
share, just like in the execution of a trial, they're
going to share the sort of implementation of the response
with other parties that are involved.
So the immediate obligation when there's a data breach in a
(08:19):
clinical trial or involving clinical trial information, as
is the case in any sort of other data breach circumstances, is to
stop the breach and mitigate harm.
And whoever is responsible for that really depends on what the
breach was, where it occurred, whose system was involved, and
(08:41):
whoever is in a position to stop the breach is the one that has
to stop the breach.
That's obligation number one.
These obligations apply all at once.
If you've been involved in a data breach, you know it's a
(09:01):
multifaceted process with so many different moving parts, but
one of the moving parts after you immediately try to stop and
mitigate harm, stop the breach and mitigate harm, is to assess
the regulatory obligations and figure out, first of all, what
happened.
Is it a data breach?
Is it a reportable data breach?
What laws matter?
(09:22):
All those laws that we just talked about, someone has to
look at them, figure out what law is implicated.
It's a very fact-specific determination based on what
happened.
And as you know, as the facts of a breach evolve,
the analysis could completely change.
And so someone really has to have a careful eye on what
(09:44):
underlying laws are implicated by the incident that just
happened.
And then, of course, who deals with what is a factor of those
underlying laws and the nature of the incident.
Because it's a clinical trial and not just a sort of clinical
(10:04):
care, everyday data breach, you also have to assess your human
subject protection obligations in the aftermath of a breach.
And that may be IRB notice, FDA notification, study subject
notification.
So again, looking back at those rules that apply, the common
rule requires the reporting of unanticipated problems involving
(10:27):
risks to participants or others.
And so clearly a data breach could fit within that definition,
and federal guidance makes clear that it does contemplate a
confidentiality issue such as would arise in the aftermath of
(10:49):
a data breach.
So the common rule requires investigators to report these
kinds of incidents to the IRB.
The IRB is going to have to report the incidents to
institutional officials, to potentially the funding agency
if there's federal funding involved in a study,
to the Office of Human Research Protections, the federal agency
(11:11):
involved in implementing the common rule.
Similarly, FDA has reporting requirements for unanticipated
problems involving risks to subjects.
So again, you're dealing with this potentially in the
aftermath of a data breach.
And then the actual reporting requirements like who you talk
to, who's responsible for reporting what, where may vary
(11:35):
depending on the nature of the investigational product.
So like a device study is going to have different reporting
obligations than a drug study.
So that's another sort of aspect to think about when the study
involves FDA regulated products.
Just a pro tip I want to throw out here.
When you do make these reports to regulators, when you make any
(11:57):
sort of incident report to regulators, but especially in
the data breach context, you want to make sure that you are
able, hopefully, to report the measures that you took in
the immediate aftermath that we just talked about, mitigating
the harm, right?
Stopping the breach, mitigating the harm.
Because when you report to the regulators and you're able to
(12:19):
say, you know, this bad thing happened, but here's what we did
and here's why everybody's okay and it's fine now, you're going
to have a much different response than if you report
without having done any of those things and say, oh, something
horrible happened and it's still going on.
You know, again, the focus is on harm to participants.
(12:39):
And if you can convey that the harm has been contained or
minimized or doesn't even exist, you're gonna have a better time
with your regulators.
And just a couple of more points on the aftermath of a data
breach.
You do wanna assess your contractual obligations because
even though the relevant laws are going to dictate who does
(13:00):
what or who's responsible for what, contractually the parties
may alter those
responsibilities or may, in the case of a clinical study, may
delegate those responsibilities.
So your CRO may have a different set of obligations,
notwithstanding what privacy law dictates.
And again, if your study involves jurisdictions outside
(13:22):
of the United States, for example, if you're in a GDPR
regulated study, you may have very, very immediate
notification obligations to data protection authorities.
72 hours upon becoming aware of the breach is a very short
amount of time.
You may have notification to affected individuals'
(13:47):
obligations if the breach poses a risk to individuals' rights
and freedoms under GDPR.
So an additional set of obligations there.
SPEAKER_02 (14:03):
Excellent.
Well, thank you.
That's very good coverage.
Kind of digging into that a little bit, how does HIPAA
applicability complicate things when there's a breach involving
clinical trial data?
SPEAKER_01 (14:13):
Yeah, HIPAA
applicability is always
challenging because it's not as straightforward as you would
think.
HIPAA, as you know, applies to covered entities, to providers,
healthcare providers, certain healthcare providers, actually.
If you find a healthcare provider that only uses paper
records, you don't have a HIPAA issue.
Health plans and healthcare clearinghouses.
(14:35):
So what complicates things in the clinical trial context is
that a provider, a healthcare provider is usually the
investigator, or quite often the investigator, like a physician
investigator.
And they're conducting research procedures, they're recording
data for the clinical trial within a provider institution,
study data is stored within the institution, they're pulling
(15:00):
health information from people's charts, that into case report
forms, also storing it in the institution.
And that all looks like protected health information.
It looks like PHI because of the physician or provider
investigator's involvement.
However, in most interventional clinical trials, so a study
(15:21):
where somebody is given a drug or a device is used on them,
participants have signed a HIPAA authorization that expressly
permits the use of their health information for purposes of the
clinical study.
And health information that has been released pursuant to an
authorization is not PHI.
(15:43):
It's no longer subject to HIPAA.
In fact, if you look at the rules, HIPAA's requirements for
an authorization include a requirement to warn people that
once your data is released pursuant to this authorization,
it may no longer be protected by HIPAA.
So even though it looks a lot like it, if it's been released by
(16:06):
authorization, it's not PHI anymore.
And I like to think of it as research data versus PHI.
So trying to keep that straight in your head sometimes is a good
way to sort through all of this, but everybody gets it wrong.
And I have a great example of this being just not clear.
(16:27):
There was within the recent past, the Office for Civil
Rights, which enforces HIPAA, brought an enforcement action
against MD Anderson in response to a breach.
It impacted a little bit over 30,000 people.
And the underlying breach involved the theft of an
(16:49):
unencrypted laptop and thumb drives that contained research
information.
And they were fined $4.3 million by OCR for this incident.
They appealed the penalty to an administrative law judge.
And in that appeal, the administrative law judge, I'm
going to read the quote from the case.
(17:12):
MD Anderson asserts that HIPAA doesn't apply in this case
because the EPHI contained in the stolen and lost devices was
research information that is outside the statute and
regulations' reach.
This argument rests on what is at best a fanciful
interpretation of governing regulations, and I find it to be
without merit.
(17:34):
That absolutely broke my heart to read that.
But it's a great example of how easy it is to confuse PHI with
research data.
Incidentally, MD Anderson did have that penalty vacated on
appeal to the Circuit Court of Appeals.
Again, also breaking my heart, they did not overturn the
(17:56):
underlying decision because of the research data versus PHI
argument.
They overturned it because the penalty exceeded statutory
maximums under HIPAA.
So I would have loved to have in case law have that point
clarified, but I don't always get everything I want, which is
really a shame.
But it's confusing.
(18:17):
So it's definitely the ball that everybody needs to keep their
eye on when they're dealing with this.
SPEAKER_02 (18:24):
That's an excellent
example.
Thank you very much.
So when considering risk exposure and liability, there
are many key stakeholders in clinical trials who all play
critical roles in the trial's design, conduct, oversight, and
ethical execution.
These stakeholders typically include the sponsor, the CRO,
the investigator site, and third-party vendors, just to
(18:46):
mention a few.
From a legal standpoint, who typically bears the liability in
the clinical trial data breach?
And I think you touched on this a little earlier.
SPEAKER_01 (18:54):
Right.
Yeah.
Again, because the sponsor as a practical and a regulatory
matter is responsible for the overall study.
They're the ones that are ultimately going to bear
responsibility and really end up holding the bag in the aftermath
of a data breach.
(19:16):
So as a practical matter, they're going to probably absorb
the cost.
They definitely are going to absorb the cost of the disrupted
or the discontinued study.
It may disrupt their larger clinical program.
There's reputational damage associated with, as you know,
(19:36):
with a data breach.
There may be harm to affected study participants.
And the sponsor, depending on who it is, may be a more
appealing target than the entity, whether it's a CRO or a
site or some other vendor.
The sponsor may be a more appealing target for a plaintiff
lawyer.
Again, depending on the underlying facts, the actual
(20:01):
responsibility may lie somewhere else.
It could be with the CRO, the PI, the vendor, some other third
party, but ultimately the sponsor is going to suffer the
consequences of the data breach.
SPEAKER_02 (20:17):
How do indemnity
clauses typically address
liability in the event of a breach?
Where do those clauses reside?
And what red flags should compliance officers be looking
for?
SPEAKER_01 (20:31):
Yeah, so it's a
really important thing to think
about.
Beyond having and making sure that everyone has a
comprehensive security infrastructure in connection
with the clinical trial, careful contracting, including
indemnity, as well as cyber liability insurance are really
the best ways to minimize risk.
(20:52):
Indemnity provisions are going to allocate risk and
responsibility as between the parties.
And there's a lot of different agreements where these might
live.
For example, you'll find them in clinical trial agreements, which
are the agreements between the sponsor and the site or the CRO
and the site on behalf of the sponsor.
You may find them in master services agreements between
(21:16):
sponsors and CROs
or with other service providers.
One thing to think about, clinical trial agreements
between the sponsor and the site don't always have an indemnity
flowing from the site to the sponsor.
And the reason is that a lot of times a site like a university
(21:39):
hospital or a community hospital, it may be an arm of
the state.
So there may be statutory prohibitions on indemnities.
A lot of times you can't get an indemnity from a study site.
And I'll throw out another pro tip.
If you are in a situation where there's a statutory prohibition
(22:01):
on indemnity, you can at least insert a responsibility
provision or a provision making expressly clear that the site's
not obligated to indemnify the sponsor, but it is responsible
for whatever damages arise from its own negligence or failure to
comply with clinical trial agreement requirements.
(22:25):
Separate from that, if there's no statutory prohibition, there
should be a fairly broad bilateral indemnity between the
sponsor and others involved in executing the study.
Sponsors need to watch carefully for CROs, which typically offer
a pretty narrow indemnity.
And if you think about it from their perspective, that makes a
(22:47):
lot of sense because they're not the ones who conceived of the
study.
It's not their investigational compound that you're giving to
people.
It's not their device that you're trying out on people.
They're merely executing what the sponsor thought of.
So they shouldn't carry the risk of a compound hurting someone or
a device hurting someone.
(23:08):
But maintaining study data is not outside the scope of their
responsibilities.
And so there should be an indemnity that's broad enough to
capture a data breach.
And another thing to watch out for is indemnity provisions that
are limited to a party's negligence.
(23:28):
And that's because there can be a data breach without
negligence.
You could have the most compliant, flawless security
infrastructure that anyone could imagine, and an employee could
go rogue.
And even if that employee had training, you could do
everything right and still have a breach.
So you want to make sure that it's not limited to negligence
(23:52):
and that someone is actually responsible.
And think about data breaches when you're thinking about the
scope of your indemnity.
And then one other pro tip I'll throw out there, and it kind of
surprises me, but clinical trial agreements, MSAs, the agreements
that you typically see in the clinical research context,
rarely require the reporting, specific reporting of data
(24:14):
breaches.
And in this day and age, that seems a little funny, but, you
know, maybe it's time that we buck the trend and start putting
those express, you know, provisions in those agreements
because you certainly don't want to get blindsided by a data
breach or find out after the fact, right?
After you've committed more money and more effort and time
on a study that suddenly gets, you know, whacked by a breach or
(24:36):
a change in the risk profile of your study because of a breach.
So including those things is not a bad idea.
SPEAKER_02 (24:45):
No, absolutely.
Excellent.
Excellent pro tips.
Um, so Diane, when looking beyond privacy, uh, with regard
to, uh, regard for breach impact, how can a data breach
compromise the integrity or admissibility of trial data in
regulatory submissions, forexample, to FDA?
SPEAKER_01 (25:02):
Yeah, it's a, it's
all part of the sponsor holding
the bag.
I mean, a breach, it, again, it depends on what happened in the
underlying breach.
The facts are so important.
Um, and that's one thing to keep in mind.
But a breach could potentially raise data integrity issues with
(25:23):
FDA or some other regulator.
And that's a very serious thing.
A breach, depending on what happened, it could unblind a
study.
It could involve the destruction or the alteration of data.
Or even if it doesn't actually do that, it could suggest the
possibility that data was destroyed or altered.
(25:46):
And other significant impacts like that that could lead to the
rejection of the study data.
It could lead to the rejection of the entire marketing
application.
And sometimes the regulatory authority will require that the
study be repeated.
And that's going to set back the sponsor's potentially entire
(26:08):
clinical program.
It is going to burn time and money.
Depending on the sponsor, if it's a startup, if it's a
smaller company, they may not have the cash runway to repeat
work that has been invalidated by a data breach.
(26:28):
And ultimately all of these things, all of these setbacks
delay the advancement of science and they delay access to
products that could improve patient care. So there's a whole
lot of tragedy that flows from a clinical trial data breach.
And it's ideal to avoid that.
SPEAKER_02 (26:49):
Absolutely.
So I think you've touched a little bit on it in your
explanation there, but what would be some potential
consequences beyond what you've just spoken of regarding a
breach in terms of trial suspension, IRB ethics boards
interventions, litigation, potential litigation by affected
trial participants?
SPEAKER_01 (27:09):
Right.
Yeah.
And all those things are strong possibilities.
And again, it's really going to depend on the underlying facts.
You can have one of those sort of benign briefings
that technically it's a breach, but you don't have all those,
you don't have a risk of harm to individuals.
You don't have all those potential bad outcomes.
But you could also have a breach that does present a risk of
(27:30):
harm.
You could have a breach resulting from a protocol
deviation.
So say your protocol, your study protocol requires the
implementation of security measures and security
infrastructure.
And that wasn't, those weren't followed.
(27:51):
ultimately your data breach is the result of a protocol
violation or deviation.
And that is a serious thing.
And an IRB or an ethics committee can certainly suspend
the study in response to that.
You also have the risk of litigation.
If there's a large scale data breach, as you all know, those
(28:17):
kinds of breaches are typically followed by a rash of class
action lawsuits. So you can have that in the There's regulatory,
(28:53):
there's practical, there's legal consequences ultimately that
really hurt the sponsor and that hurt patients.
SPEAKER_02 (29:04):
All right.
So, and shifting just a little bit to look at cross-border data
and transfer risks, how should organizations address
conflicting obligations between local laws in the context of a
breach?
So, for example, between federal and state law.
SPEAKER_01 (29:20):
Right.
So, that's what makes, in the United States, data breaches so
enthralling.
And as in the case with clinical care or some other context of a
data breach, in the clinical trial context of You have to
deal with all of the overlapping, potentially
conflicting laws and comply.
(29:40):
And in the context of a data breach, you're doing it under
pressure, time pressure.
And in the context of a clinical trial data breach, you're doing
that with the additional layer of human subject protection
concerns.
So lots going on.
Hopefully you've done all of that analysis upstream that we
(30:01):
talked about, figuring out what laws apply and what you're
dealing with when the incident happens.
And in order to comply with all of the applicable laws, it may
mean that you have to provide some sort of participant notice
under state law, even if notification isn't required
(30:22):
under federal law because HIPAA is not implicated.
You may actually spend a good bit of time fighting about why
HIPAA is not implicated because you could have a faction of
voices yelling, this is a breach of PHI. And you have to go back
to that MD Anderson analysis and defend your position that we are
not talking about PHI, if that's the case.
(30:44):
One of my favorite things is competing notice timing
requirements.
So you have different jurisdictions imposing different
timeframes for providing any required notice.
So you pick the shortest one, that way you can comply with
everybody.
It's always awesome to sort through notice requirements when
they confirm. Always give notice about what happened.
(31:07):
Never say exactly what happened.
Give general notice about what happened.
You've got to sort through all of that.
How do you prepare yourself for that?
How do you anticipate that?
It's hard because, again, breaches are so fact-specific.
You just don't know what you're going to be dealing with.
But in advance, if you can at least appreciate the regulatory
(31:28):
environment that you're operating in and know what
resources are available to you and where you can access them if
you need to start immersing yourself in all these issues.
That's helpful in the time crunch of a data breach.
And that'll help you sort through all of those conflicts,
(31:48):
hopefully.
SPEAKER_02 (31:51):
Absolutely.
And that brings a topic.
One of the things, you know, that we work with our clients
here at Clearwater is business resiliency.
You know, and you kind of touched on being able to
understand and know what different timings are required
and all the different agencies potentially that need
notification.
And so, you know, we actively encourage our organizations to,
(32:13):
or the clients that we work with to really dig in and do incident
response, you know, solid incident response planning, as
well as testing and incident response tabletop exercises.
And historically, we've seen a lot of times where the legal
aspect of it is really more of a, well, they won't necessarily
participate in the exercise, either because it's very
(32:35):
difficult to get the time or it's expensive.
But given the current climate and the way it's going with more
complexity and more requirements, what are your
thoughts on including the legal aspect in that incident response
exercise and testing?
SPEAKER_01 (32:51):
Yeah, so that's a
really important point.
(33:21):
of a breach, nobody wants to say, oh, I'm to blame, it was
me.
Like, it's really hard.
So the more that you can think about this in advance and have
everybody clear on who does what and who they are and how they,
the fact that they work together, you know, whatever you
(33:42):
have to do to prepare that in advance is so, so critical.
And quite frankly, just doing that in the context of clinical
research, that almost never happens.
It's hard enough, as you know, to get your clients to do that
advanced preparation and that advanced work just in the
day-to-day operational context.
I've never seen it in the context of clinical research,
(34:03):
but really the same thought should be brought to bear in the
clinical trial context.
Like who's going to do what?
Who gets a phone call?
What lawyers are involved?
Like where are the lawyers and how do we involve them?
And do they know these people?
Have the lawyers met the CRO?
Like are they going to screen the call when it comes
in?
High likelihood.
(34:24):
So it's a really important thing to do and it's not often done.
SPEAKER_02 (34:31):
Unfortunately,
that's true.
And those are some great thoughts around that.
So thank you.
You know, so far, we've talked a lot about the standard
traditional centralized clinical trial model.
But, you know, now with decentralized clinical trials,
maybe can you explain what that is and how they're increasing
data security risks?
SPEAKER_01 (34:51):
Yeah, it's a really
important evolving model of
clinical trial.
And it's an important thing to think about when you're thinking
about clinical trial related data breaches and avoiding them.
So decentralized clinical trials is a model that has been
evolving for a number of years.
It really took off during the pandemic.
But what it is, it's a model that allows study participants
(35:18):
to participate in a clinical trial from home or from some
remote location through the use of digital technology, digital
health technology, or through the use of visiting nurses,
people going to them rather than making them come into an
academic medical center where sort of conventional clinical
trials have historically been conducted.
(35:42):
Keep in mind that a lot of times, like say an oncology
study, the participants are potentially very, very sick
people.
And so if it's possible to structure a study where you
don't have to have them schlep into the academic medical center
repeatedly for study procedures, that's a good
(36:05):
outcome.
If they can have those procedures and have that
monitoring at home, it can be a lot better for them.
And it's something that we learned works pretty well during
the COVID pandemic.
Decentralized clinical trials also help diversify clinical
trial participation.
So again, as a practical matter, if the study is conducted within
(36:26):
the four walls of an academic medical center in an urban area,
say, only people who can participate are people who can
readily access the academic medical center.
If you have a decentralized trial, you can gather people
from all over the place and that leads to broader participation
and it leads to more broadly applicable outcomes.
(36:48):
You can say with a lot more confidence, this intervention is
going to help everybody as opposed to saying this
intervention is gonna help the population of people who live in
the immediate surrounding area of an academic medical center.
So they're a good thing.
Of course, when every good thing comes to the flip side, this
model of clinical trial can certainly increase privacy and
(37:10):
security risks and opportunities for a data breach.
And that's because data will potentially be residing on
devices and in platforms where it would not reside.
It may not travel around as much outside of an academic medical
center in a conventional clinical trial.
(37:30):
It could be residing in a clinical trial
on laptops.
It could be on tablets.
It's getting transferred back and forth from the institution
to the home of the participant.
So it doesn't mean that it's a bad model.
It just means it requires additional planning and analysis
and thinking, just like a risk analysis does under HIPAA or in
(37:54):
the clinical context.
You need to think about whereyour data is, where that
information is, how it'straveling, what risks it faces
as it's traveling so that youcan address those risks and
hopefully avoid an incident.
FDA recognizes the growingimportance of decentralized
(38:15):
clinical trials.
And in 2023, they publishedguidance on remote data
acquisition for clinical trials,such as through hardware,
software, wearables, mobileapps.
And that guidance addressesprivacy related risks um one
thing that that guidanceaddresses which is an important
(38:37):
consideration that um it's moreof a clinical trial
consideration but it's somethingto think about a lot of the a
lot of the digital healthtechnologies that are involved
in a clinical study are areproducts that have their own end
user license terms and so thoseterms may vary contractual terms
they may vary the liability thatwe talked about earlier they may
(39:01):
they may contain languagedirected at study participants
that is not consistent with whatthe consent has.
So yeah, there's lots to thinkabout in this context, but the
guidance is helpful for, youknow, planning a decentralized
clinical trial and importantly,you know, mitigating the unique
(39:22):
privacy and security riskspresented by the model.
SPEAKER_02 (39:29):
Diane, what final thoughts would you like to leave with our audience regarding proactive legal and contractual measures that organizations can take to mitigate the risk and fallout of data breaches in clinical trials?
SPEAKER_01 (39:41):
Yeah, probably we're ending on the most important point here.
Just like in the clinical context, it's really, really important for the parties in a clinical trial to keep data security at the top of their minds.
We talked about contractual considerations, indemnity, breach notification language, cyber liability coverage.
(40:04):
In fact, insurance becomes even more important if you can't get an indemnity.
So yay insurance.
Another important consideration is diligencing your partners and your collaborators who are working with you in the study.
I think that it's really important to strike a balance when you're doing this.
(40:25):
So you want to confirm that a collaborator or a partner in this work has a mature compliance infrastructure and they are a safe repository for your data, versus actually fully inserting yourself in the compliance effort, going into another party's business and looking
(40:48):
specifically at their security.
You're like, show us where you hide the keys to the front door.
That's a terrible idea in my mind.
First of all, because it presents a security risk in and of itself.
But if you get that involved in somebody's security infrastructure, you potentially are on the hook if it goes wrong, if it fails, right?
(41:10):
So it's really important to strike a balance.
But you do need to make sure that you're working with people that are responsible and that are thoughtful about privacy and security and that they're not going to create risks by virtue of just participating.
And then just the regular things that you do in any sort of
(41:32):
operational situation with respect to privacy and security.
Training is really important.
I'm a big fan of the informal security reminders as a good way to keep security top of mind.
I like when informal reminders have entertainment value because people pay attention to them.
(41:53):
So to the extent that you can make them readable and short and punchy, you have a better chance of everyone taking them to heart.
Again, as you mentioned, testing, incident response plans, tabletop exercises with relevant parties, including counsel, those go a long way toward minimizing confusion,
(42:17):
scrambling, and wasted time in the aftermath of an incident.
So...
You know, if you can't do all of those things, at the very least, get representations from your collaborators that they have done what they need to do with respect to privacy and security.
(42:38):
Because if nothing else, you can fall back on that.
Well, they told us that's what they did. But ultimately, actually fix the problem, address the problem the way we've discussed.
But at the very least, get those representations.
SPEAKER_02 (42:51):
Absolutely.
Well, Diane, I want to thank you very much for your time today and providing your experience, your expertise, all the wonderful pro tips that help me and our audience to better understand looking beyond privacy implications and better understanding data breaches in clinical trials.
Thank you very much.
SPEAKER_01 (43:10):
Sure.
No, it was great.
I'm glad we had the conversation.
UNKNOWN (43:15):
Thank you.
SPEAKER_00 (43:18):
If you enjoyed this episode, be sure to subscribe to AHLA's Speaking of Health Law wherever you get your podcasts.
For more information about AHLA and the educational resources available to the health law community, visit AmericanHealthLaw.org.
And stay updated on breaking healthcare industry news from the major media outlets with AHLA's Health Law Daily Podcast, exclusively for AHLA Comprehensive members.
(43:41):
To subscribe and add this private podcast feed to your podcast app, go to AmericanHealthLaw.org slash Daily Podcast.