To expand on Glen's point - remember the law deals with information. It has very little if anything to do with the fact of whether a person has or does not have a disease. Consider it logically - if your product is meant to be a "cure" (thinking here of something like antibiotics) and the person has the disease but then your product works as you expected and cures the issue then the person no longer has the disease. That doesn't mean that you can stop caring for the information collected as though the information is no longer protected by the law.
Any time that information can be used to trace back to a particular individual without need of some sort of coding you have to comply with the regulations under the law. So initials probably don't fit under this nor would a study specific identification number. But add a birthdate or some sort of national (or in the US social security number [even partials!]) and you have a potential for someone to trace that information back to someone specific. Any information stored together with that data will, in my opinion, fall under the requirements of data protection laws.
Whatever you and the company decide to do, remember - the information is the key to answering this question. How you decide to store the information and what data gets stored will invariably determine whether or not you must comply with data protection laws around the world. I tend to be a little conservative so in the interest of transparency I do tend to treat any close decision or any decision where I am not 100% certain that the data will not be regulated as protected private information and design data retention policies based on data protection laws.
I would also urge you to consider the potential of having to comply both with the US and the EU laws. I know that this is not necessarily a popular opinion based on some of the other responses but I am not an expert in this specific area of how these laws might be handled when overlapping issues might arise (collecting data in the US and then storing/analyzing in the EU). You might really want to consider the idea of discussing this with legal representation and make sure you have the correct requirements in place for any transfer of the data in systems as well as ensuring that you have a process to limit the information available and limit the number of people who can view the information on both sides of the Atlantic.
------------------------------
Victor Mencarelli
Global Director Regulatory Affairs
Melville NY
United States
------------------------------
Original Message:
Sent: 13-May-2021 06:12
From: Glen Park
Subject: HIPAA vs. GDPR clinical trial
Private health information is still being collected from healthy volunteers.
------------------------------
Glen Park PharmD
Vice President, Regulatory Affairs and Quality Assurance
Scynexis, Inc.
New York NY
United States
Original Message:
Sent: 12-May-2021 11:16
From: Anonymous Member
Subject: HIPAA vs. GDPR clinical trial
This message was posted by a user wishing to remain anonymous
Hello all,
I have a question related to this topic.
Does HIPAA apply also to information of healthy volunteers that are enrolled in a research study?
Thanks
Original Message:
Sent: 11-May-2021 08:58
From: Anonymous Member
Subject: HIPAA vs. GDPR clinical trial
This message was posted by a user wishing to remain anonymous
Thank you very much. Very helpful.
Best regards
Original Message:
Sent: 11-May-2021 06:40
From: Glen Park
Subject: HIPAA vs. GDPR clinical trial
You would be operating under HIPAA rules, which are agnostic to where the data is stored. They are not nearly as complicated as GDPR and the only consideration from normal GCP actions in conduct of the trial is the specific HIPAA language in the consent form. Essentially the consent language will include a statement of how the data will be used, who will have access to it, and how long it may be kept.
------------------------------
Glen Park PharmD
Vice President, Regulatory Affairs and Quality Assurance
Scynexis, Inc.
New York NY
United States
Original Message:
Sent: 10-May-2021 08:57
From: Anonymous Member
Subject: HIPAA vs. GDPR clinical trial
This message was posted by a user wishing to remain anonymous
Hello,
We are an EU company and we would like to sponsor a medical device clinical study in the USA. We will access and store (in Europe) only anonymized patient information (patients will be named with their initials + an automatically generated code). The original raw data and medical records will be seen only by the investigators in the trial.
Which data protection rule applies to this situation, between HIPAA (US patients) and GDPR (data stored in Europe)?
Would the anonymization release the company from any requirement of compliance with HIPAA and/or GDPR?
Thanks