Regulatory Open Forum

  • 1.  HIPAA vs. GDPR clinical trial

    This message was posted by a user wishing to remain anonymous
    Posted 10-May-2021 16:46

    Hello,
    We are an EU company and we would like to sponsor a medical device clinical study in the USA. We will access and store (in Europe) only anonymized patient information (patients will be named with their initials + an automatically generated code). The original raw data and medical records will be seen only by the investigators in the trial.

    Which data protection rule applies to this situation, between HIPAA (US patients) and GDPR (data stored in Europe)?
    Would the anonymization release the company from any requirement of compliance with HIPAA and/or GDPR?
    Thanks


  • 2.  RE: HIPAA vs. GDPR clinical trial

    Posted 11-May-2021 06:34
    Good day Anon,

    Your questions are probably a lot more involved than could be answered only on the forum.  There are intricacies with HIPAA and GDPR which depend on the type of Patient Health Information being gathered, stored, maintained, or accessed.  In your case, speaking about a clinical study I think it would be hard to anonymise release of the information depending on how you are using the information for your clinical reporting.  Also it is not just about anonymising the data because someone at some point will be gathering information from the patient.  You may have to apply the requirements of both HIPAA and GDPR and unfortunately the requirements are not the same.  If you are Sponsor of a study, you still need to make sure the sites are storing and maintaining the data properly as well.

    ------------------------------
    Richard Vincins RAC
    Vice President Global Regulatory Affairs
    Oriel STAT A MATRIX - ENTERPRISE
    ------------------------------



  • 3.  RE: HIPAA vs. GDPR clinical trial

    Posted 11-May-2021 06:40
    You would be operating under HIPAA rules, which are agnostic to where the data is stored. They are not nearly as complicated as GDPR and the only consideration from normal GCP actions in conduct of the trial is the specific HIPAA language in the consent form. Essentially the consent language will include a statement of how the data will be used, who will have access to it, and how long it may be kept.

    ------------------------------
    Glen Park PharmD
    Vice President, Regulatory Affairs and Quality Assurance
    Scynexis, Inc.
    New York NY
    United States
    ------------------------------



  • 4.  RE: HIPAA vs. GDPR clinical trial

    This message was posted by a user wishing to remain anonymous
    Posted 11-May-2021 13:29

    Thank you very much. Very helpful.
    Best regards


  • 5.  RE: HIPAA vs. GDPR clinical trial

    This message was posted by a user wishing to remain anonymous
    Posted 12-May-2021 14:46

    Hello all, 
    I have a question related to this topic.
    Does HIPAA apply also to information of healthy volunteers that are enrolled in a research study?
    Thanks


  • 6.  RE: HIPAA vs. GDPR clinical trial

    Posted 13-May-2021 06:12
    Private health information is still being collected from healthy volunteers.

    ------------------------------
    Glen Park PharmD
    Vice President, Regulatory Affairs and Quality Assurance
    Scynexis, Inc.
    New York NY
    United States
    ------------------------------



  • 7.  RE: HIPAA vs. GDPR clinical trial

    Posted 14-May-2021 09:01
    To expand on Glen's point - remember the law deals with information.  It has very little if anything to do with the fact of whether a person has or does not have a disease.  Consider it logically - if your product is meant to be a "cure" (thinking here of something like antibiotics) and the person has the disease but then your product works as you expected and cures the issue then the person no longer has the disease.  That doesn't mean that you can stop caring for the information collected as though the information is no longer protected by the law.

    Any time that information can be used to trace back to a particular individual without need of some sort of coding you have to comply with the regulations under the law.  So initials probably don't fit under this nor would a study specific identification number.  But add a birthdate or some sort of national (or in the US social security number [even partials!]) and you have a potential for someone to trace that information back to someone specific.  Any information stored together with that data will, in my opinion, fall under the requirements of data protection laws.  

    Whatever you and the company decide to do, remember - the information is the key to answering this question.  How you decide to store the information and what data gets stored will invariably determine whether or not you must comply with data protection laws around the world.  I tend to be a little conservative so in the interest of transparency I do tend to treat any close decision or any decision where I am not 100% certain that the data will not be regulated as protected private information and design data retention policies based on data protection laws.  

    I would also urge you to consider the potential of having to comply both with the US and the EU laws.  I know that this is not necessarily a popular opinion based on some of the other responses but I am not an expert in this specific area of how these laws might be handled when overlapping issues might arise (collecting data in the US and then storing/analyzing in the EU).  You might really want to consider the idea of discussing this with legal representation and make sure you have the correct requirements in place for any transfer of the data in systems as well as ensuring that you have a process to limit the information available and limit the number of people who can view the information on both sides of the Atlantic.

    ------------------------------
    Victor Mencarelli
    Global Director Regulatory Affairs
    Melville NY
    United States
    ------------------------------