Hogan Lovells | 2022 Life Sciences and Health Care Horizons
Privacy and Cybersecurity
Complexity of privacy implications for clinical research increases
U.S. data collected and created in research studies can be subject to a
multitude of privacy laws and requirements. These laws can impact the
collection, use and disclosure of identifiable health information (and what
is considered de-identified information), notification requirements in the
event of a data breach, consent/authorization and sharing requirements,
as well as future research uses and activities. Research sponsors, study
sites, and other entities involved in research should be aware of the scope
of these laws to determine whether compliance is required.
The Federal Policy for the Protection of Human Subjects (the “Common
Rule”) imposes requirements on sites that hold a Federalwide Assurance,
and the FDA Protection of Human Subjects Regulations (FDA Regulations)
apply to certain research studies and certain sponsors. In addition, in the absence
of comprehensive U.S. federal privacy legislation, states continue to enact
broad laws governing personal information which could be applicable.
Such laws, including those in California, Colorado, and Virginia,¹ impose
GDPR-like obligations on businesses, but generally include
some exemption for research information, typically provided that
the research is conducted in accordance with the Common Rule
and/or FDA Regulations. Some states (e.g., California) even
have their own laws governing research.
Other state health information privacy and sensitive condition laws
govern health information generally and certain sensitive conditions (e.g.,
genetic information, HIV/AIDS, substance abuse, STDs). Covered entity
sites also are typically subject to privacy, security and breach notification
regulations under the Health Insurance Portability and Accountability
Act of 1996 (HIPAA) as modified by the Health Information Technology
for Economic and Clinical Health (HITECH) Act, which will impact
the requirements governing the use and disclosure of protected health
information for research. State data breach laws could apply to a breach
involving research data, depending on the nature of the data and the
scope of the incident. Finally, Institutional Review Boards (IRBs) may
impose additional privacy requirements on research under their review
and oversight and certain NIH policies (e.g., the NIH Genomic Data
Sharing Policy) also may apply depending on the nature of the research.
Accordingly, entities involved in research should be careful when
navigating the varying federal and state privacy laws, as these could impact
research activities and the ability of sites and sponsors to use and disclose
the health information collected, including for future research.
¹ California Consumer Privacy Act of 2018 (“CCPA”), as codified at Cal. Civ. Code Part 4, Division 3, Title 1.81.5, § 1798.100 et seq., as amended by the California Privacy Rights Act of 2020 (“CPRA”), as codified at Cal. Civ. Code Part 4, Division 3, Title 1.81.5, § 1798.100 et seq.; Colorado Privacy Act, Colo. Rev. Stat. § 6-1-130 et seq. (effective July 1, 2023); and Virginia Consumer Data Protection Act, Va. Code § 59.1-571 et seq.
Scott Loughlin
Partner, Washington, D.C.
Melissa Levine
Counsel, Washington, D.C.
Khaled Mowad
Senior Associate, New York