Data Privacy in Clinical Trials: Standards, Definitions, and Best Practices

Data privacy in clinical research

Patient records and patient data consist of private and confidential information that could reveal certain things about patients or which could be used to identify them. This data could be used maliciously or invasively if it were to be exposed to the wrong parties, and thus patient data privacy is a primary concern in clinical research.

In this article we will take a look at the regulations and standards that govern data privacy in the clinical research industry, and how clinical researchers and sponsors ensure that patient data remains secure and inaccessible to unauthorized parties.

What is the official definition of data privacy?

Data privacy relates to restricting data access and use to the parties and purposes for which the data was explicitly obtained. In the case of clinical trials, this concerns sensitive personal information (see next section for definitions), which must be stored securely so that it cannot be accessed for purposes other than those explicitly stated in the protocol. It also means informing participants about the types of data that will be collected and obtaining their consent.

Patient data from clinical trials includes information relating to their medical condition, medications they are taking or have taken in the past, laboratory values and reports, medical history, and more. Data breaches could expose these individuals to potential discrimination or stigmatization. Data privacy regulations are measures taken to protect patient data from unethical and unauthorized use, viewing, access, and sharing with third parties.[1]

Personally identifiable information (PII) and Personal health information (PHI)

Personally identifiable information (PII) and personal health information (PHI) are two definitions that are important for clinical researchers and sponsors to understand in order to avoid compliance issues.

Personally identifiable information (PII) refers to any information that is - or that can be - directly or indirectly associated with a person’s identity.[2] This includes, but is not limited to, the individual’s name, phone number, address, email address, photos, biometric data, social security number, and other personal information that may be used to track or identify them. A certain piece of information is also considered PII if it could be used to identify someone when combined with another piece of information. Further, the definition of what is and is not PII can change with the context - for example, someone’s first name may not identify them in a city of one million people, whereas in a town of 100 it might allow for their direct identification.

Personal health information, or protected health information (PHI), is one aspect of PII, which refers specifically to health information about that patient.[3] Such information can include the patient’s health status, lab reports, hospital bills, and any information related to the individual’s past, existing, or future physical and/or mental health.

Regulations and standards impacting clinical research in the US

Clinical research is subject to various regulations and standards in relation to the ethical treatment of patients, which includes data privacy and security. These regulations mandate how patient data (PII and PHI) should be collected, stored, and shared securely and responsibly, and establish consequences for breaches (also called non-compliance). Pharmaceutical organizations are responsible for informing patients about how their personal health data will be collected and used, and for notifying of any data breaches. Let’s go over some of the principal regulatory bodies and regulations.

International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use (ICH)

The ICH is an initiative that connects regulatory bodies and the pharmaceutical sector to address scientific and technological aspects of the pharmaceutical industry under international standards and guidelines.[4] The program was established in 1990 and is on a mission to ensure the development, registration, and maintenance of high-quality and safe medicines that comply with international standards. One of the ICH’s main standards is ICH E6 (R2) - GCP (see next).

Good Clinical Practice (GCP)

Good Clinical Practice (GCP) is an international standard for scientific quality and for ensuring the ethical treatment and safety of participants involved in clinical trials.[5] GCP compliance in trial design, tracking, and reporting acts as assurance for the public that trial data is reliable and that participants were treated ethically and in a way that prioritized their safety and well-being.

The Health Insurance Portability and Accountability Act (HIPAA)

The Health Insurance Portability and Accountability Act of 1996, known as HIPAA, is a US federal law that called for the creation of standards to protect health information from being accessed or shared without the patient’s permission or knowledge.[6] The purpose of the law is to protect personal health data, including clinical trial data, by making it mandatory to obtain written authorization from participants for most uses. Patients are able to revoke this authorization at any time. It is effectively enacted through the Privacy Rule (see below), which requires “covered entities” to comply with these regulations.

The Health Information Technology for Economic and Clinical Health Act (HITECH)

The Health Information Technology for Economic and Clinical Health Act of 2009 is part of the American Recovery and Reinvestment Act (ARRA).[7] The act was multi-purpose, but it served as an impetus for the move from paper records to electronic health records (EHRs), and at the same time it strengthened compliance with the HIPAA Privacy Rule and HIPAA Security Rule by ensuring covered entities were following the regulations, adding the requirement to report data breaches. This last point eventually expanded the ability to enforce the regulations and penalize non-compliant organizations.[7]

European Union (EU): GDPR and CTR

In the European Union (EU), the GDPR and CTR are the two major regulations. GDPR - the General Data Protection Regulation - was developed in 2016, and mandates that companies, whether operating from within or outside of the EU, comply with data protection regulations in order to access and process the data of EU citizens. The Clinical Trials Regulation (CTR) specifies how specific types of clinical trial data are to be stored and processed. More information on EU regulations can be found here.

What is the privacy rule in clinical trials?

The Privacy Rule establishes the concept of PHI, and states that such information may only be used or shared with other parties under certain circumstances or conditions. The Privacy Rule applies to PII and PHI that is either created by or held by a ‘covered entity’ - health insurers, healthcare clearinghouses, and healthcare providers that transmit health information electronically in connection with certain transactions defined under HIPAA, such as claims and eligibility inquiries. Researchers are generally not covered entities, unless they are also healthcare providers or engage in any covered electronic transactions. However, researchers who work for a covered entity (e.g., a research hospital or clinic) likely have to comply with that organization’s HIPAA privacy policies and procedures.[8]

Is clinical trial data subject to HIPAA?

The HIPAA Privacy Rule allows covered entities to access and use personal health information; however, in most circumstances, researchers need written authorization and informed consent from patients before any PHI or data can be collected or used.[9] HIPAA also specifies that PHI must be “used in a specific and meaningful manner.”[8]

Patients are informed that their health information will be shared where required by law in order to prevent harm or the spread of disease. In some cases, the patient may not get access to their PHI until the study is completed. A trial sponsor is not allowed to reveal the identity of trial patients in any publication or presentation of the study.

Is clinical trial data confidential?

Clinical trial data is considered confidential information, which means that the security and integrity of trial data are a top priority. Organizations involved in clinical research are required to prevent data breaches as well as the loss, tampering, or unauthorized transmission of or access to trial data.

To that end, trial sponsors are allowed to share results in the form of aggregate statistical information. They can also use pseudonymization or anonymization to protect participant confidentiality, and must implement HIPAA data de-identification, which involves removing the 18 identifiers specified by HIPAA that could be used to identify or trace participants.
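The following is an added example, not code from the article or from any organization it mentions. It shows what the de-identification and pseudonymization just described look like in practice: direct identifiers are dropped, dates are reduced to years, ages over 89 are aggregated, ZIP codes are truncated, free text is scrubbed, and the subject ID is replaced with a keyed pseudonym so that a participant's visits can still be linked without the mapping being reversible by anyone who lacks the key. The field names, the sample records, the regexes and the secret key are all constructed for the example; the restricted-population ZIP rule and any site-specific policy are left out.

```python
"""Added example: HIPAA-style de-identification plus keyed pseudonymization.

Assumptions (not stated in the article): records are flat dicts with the field
names used below, and the sponsor holds a secret key used to derive stable
pseudonyms. All sample data here is fictional and constructed for the example.
"""
import hashlib
import hmac
import re
from datetime import date

# Constructed sample records (fictional participants, fictional contact data).
SAMPLE_RECORDS = [
    {
        "subject_id": "SITE01-0042",
        "name": "Jane Q. Example",
        "dob": "1931-04-17",
        "visit_date": "2023-09-05",
        "zip": "02139",
        "email": "jane@example.org",
        "phone": "+1-555-0100",
        "mrn": "MRN-7781234",
        "hba1c": 7.2,
        "notes": "Patient reports feeling well. Call 555-0100 if needed.",
    },
    {
        "subject_id": "SITE02-0007",
        "name": "John Example",
        "dob": "1985-11-02",
        "visit_date": "2023-09-06",
        "zip": "83414",
        "email": "john@example.org",
        "phone": "+1-555-0199",
        "mrn": "MRN-1120987",
        "hba1c": 5.9,
        "notes": "No adverse events.",
    },
]

# Direct identifiers (names, contact details, medical record numbers) are
# among the identifier categories HIPAA lists; they are dropped outright.
DIRECT_IDENTIFIER_FIELDS = {"name", "email", "phone", "mrn"}

# Constructed patterns for identifiers that commonly leak into free text.
# They are deliberately simple and are not an exhaustive scrub.
PHONE_RE = re.compile(r"\b\d{3}[-.\s]?\d{4}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def pseudonymize(subject_id: str, key: bytes) -> str:
    """Stable, keyed pseudonym. HMAC-SHA256 means the same subject always maps
    to the same token, but the token cannot be reversed or recomputed without
    the sponsor-held key (unlike a plain hash of a guessable ID)."""
    digest = hmac.new(key, subject_id.encode(), hashlib.sha256).hexdigest()
    return "PSN-" + digest[:16]


def generalize_age(dob_iso: str, as_of: date):
    """Full birth dates are dropped; ages of 90 and over are aggregated."""
    dob = date.fromisoformat(dob_iso)
    age = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
    return "90+" if age >= 90 else age


def generalize_zip(zip5: str) -> str:
    """Keep only the first three ZIP digits. (The rule that sparsely populated
    three-digit areas must be reduced to 000 is omitted in this example.)"""
    return zip5[:3] + "XX"


def scrub_text(text: str) -> str:
    """Replace e-mail addresses and phone-like numbers in free text."""
    text = EMAIL_RE.sub("[EMAIL]", text)
    return PHONE_RE.sub("[PHONE]", text)


def deidentify(record: dict, key: bytes, as_of: date = date(2024, 1, 1)) -> dict:
    """Return a de-identified copy of one record; the input is not modified."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue                                   # drop direct identifiers
        if field == "subject_id":
            out[field] = pseudonymize(value, key)      # linkable, not identifying
        elif field == "dob":
            out["age"] = generalize_age(value, as_of)  # no full date of birth
        elif field == "visit_date":
            out["visit_year"] = date.fromisoformat(value).year
        elif field == "zip":
            out[field] = generalize_zip(value)
        elif isinstance(value, str):
            out[field] = scrub_text(value)             # free text may hide PII
        else:
            out[field] = value                         # clinical measurements stay
    return out


def deidentify_all(records, key: bytes):
    return [deidentify(r, key) for r in records]


if __name__ == "__main__":
    # Constructed key for the demonstration only; a real key is a managed secret.
    for row in deidentify_all(SAMPLE_RECORDS, b"constructed-example-key"):
        print(row)
```

The keyed pseudonym is the point to notice: a plain SHA-256 of a short subject ID is trivially reversible by hashing every plausible ID, whereas an HMAC with a key held only by the sponsor is not. The scrubbing of the free-text field is also where most real de-identification pipelines fail, so such fields deserve a manual review step in the SOPs rather than trust in a regex.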

Who is responsible for data security in a clinical trial?

A data protection officer or a clinical data manager may be responsible for data security in a clinical trial. These individuals are familiar with clinical trial regulations, how they are implemented, and data privacy issues specific to clinical trials. The person in charge of data security should remain updated on clinical trial data best practices, including staying compliant with ICH GCP, HIPAA, and other data security standards.

Besides this appointed person, any individual that views, uses, or processes personal health information in any aspect of trial operations needs to be properly trained on maintaining data security and privacy.

How do you ensure data privacy and confidentiality in research?

Now that we understand the importance of data privacy and who is responsible for it, we will take a look at some best practices for ensuring the privacy and proper handling of clinical trial data.[10]

1. Central data and monitoring

Creating a single, unified data server/database rather than relying on separate datasets stored in numerous repositories in different locations can help preserve the accuracy, integrity, and validity of your clinical trial data. Centralized data is easier to organize, maintain, validate, and clean. In addition, a single source of truth facilitates collaboration between various parties. Importantly, it makes it easier to monitor data, find out who is accessing or using it, and ensures that the final database is coherent, accurate, and unaltered.

2. Establish standard operating procedures (SOPs)

Clinical trial sponsors and sites should establish finely tuned standard operating procedures (SOPs) for data processing to ensure data privacy and compliance with regulations. Such SOPs could cover diverse operations such as setting up new devices, use of software on employees’ personal devices, conventions for naming and filing documents, de-identification, data validation, and even guidelines for regularly reviewing and updating the SOPs themselves to keep them relevant.

3. Education and training

In many cases, human error is responsible for compromising the validity or privacy of confidential data. Clinical research organizations and sites should thoroughly train all employees, as well as any collaborators, on how to handle sensitive data and how to identify data security threats should any arise. Training records should be kept to assist with compliance and audits.

4. Audits and automated edit checks

Audits can be a headache, but they can also be helpful as they can identify potential problems before they blow up into bigger issues. Periodic interim audits, which could also take the form of automated edit checks and validity checks, help organizations rectify errors quickly as well as improve their risk management and governance processes overall. This is helpful when it comes to demonstrating compliance with regulatory standards and data privacy laws.
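As an added example (not code from the article), the block below shows what the automated edit checks and validity checks mentioned above can look like: a small set of checks run over constructed trial records, producing findings that an interim audit can act on. The record fields, the plausibility bounds and the sample rows are all constructed for the illustration; the bounds are not clinical reference ranges.

```python
"""Added example: automated edit checks over constructed clinical trial records.

Assumptions (not from the article): flat records with the fields below, with
subject IDs already pseudonymized. Thresholds are illustrative only.
"""
from datetime import date

# Constructed sample rows; the comments mark the defects each one carries.
SAMPLE = [
    {"subject_id": "PSN-0001", "site": "S01", "visit": 1, "visit_date": "2023-03-01",
     "enrol_date": "2023-02-20", "hba1c": 7.1, "consent": True},
    {"subject_id": "PSN-0002", "site": "S01", "visit": 1, "visit_date": "2023-02-10",
     "enrol_date": "2023-02-20", "hba1c": 6.0, "consent": True},    # visit before enrolment
    {"subject_id": "PSN-0003", "site": "S02", "visit": 1, "visit_date": "2023-03-05",
     "enrol_date": "2023-03-01", "hba1c": 41.0, "consent": True},   # implausible value
    {"subject_id": "PSN-0004", "site": "S02", "visit": 1, "visit_date": "2023-03-07",
     "enrol_date": "2023-03-02", "hba1c": 5.5, "consent": False},   # no documented consent
    {"subject_id": "PSN-0001", "site": "S01", "visit": 1, "visit_date": "2023-03-01",
     "enrol_date": "2023-02-20", "hba1c": 7.1, "consent": True},    # duplicate row
]


def check_range(rec):
    """Plausibility bound on a lab value (constructed bounds, not a reference range)."""
    lo, hi = 3.0, 20.0
    value = rec["hba1c"]
    if not (lo <= value <= hi):
        return f"hba1c {value} outside plausible range {lo}-{hi}"
    return None


def check_date_order(rec):
    """A visit cannot be recorded before the participant was enrolled."""
    if date.fromisoformat(rec["visit_date"]) < date.fromisoformat(rec["enrol_date"]):
        return "visit_date precedes enrol_date"
    return None


def check_consent(rec):
    """No data should exist for a participant without documented consent."""
    if not rec["consent"]:
        return "data recorded without documented consent"
    return None


# Per-row checks, keyed by the name that appears in the findings.
ROW_CHECKS = {"range": check_range, "date_order": check_date_order, "consent": check_consent}


def run_edit_checks(records):
    """Run all checks and return one finding dict per problem found."""
    findings = []
    seen = set()
    for idx, rec in enumerate(records):
        for name, check in ROW_CHECKS.items():
            detail = check(rec)
            if detail:
                findings.append({"row": idx, "subject_id": rec["subject_id"],
                                 "check": name, "detail": detail})
        # Cross-row check: the same subject/visit pair must not appear twice.
        key = (rec["subject_id"], rec["visit"])
        if key in seen:
            findings.append({"row": idx, "subject_id": rec["subject_id"],
                             "check": "duplicate", "detail": f"repeated subject/visit {key}"})
        seen.add(key)
    return findings


def summarize_by_site(records, findings):
    """Count findings per site so monitors can see where queries concentrate."""
    counts = {}
    for finding in findings:
        site = records[finding["row"]]["site"]
        counts[site] = counts.get(site, 0) + 1
    return counts


if __name__ == "__main__":
    found = run_edit_checks(SAMPLE)
    for f in found:
        print(f"row {f['row']} {f['subject_id']} [{f['check']}] {f['detail']}")
    print(summarize_by_site(SAMPLE, found))
```

Each finding carries the row index and the check name, which is what a data manager needs to raise a query against the site; the per-site summary is the kind of signal that feeds the risk-based monitoring the article mentions. In a real system the findings themselves would be written to an audit trail rather than printed.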

5. Assign a data privacy manager

Assigning or contracting a dedicated data privacy manager may be useful for streamlining data processing and compliance across trial operations. A data privacy manager may be tasked with collecting and analyzing compliance documents and reports, reviewing the organization’s practices and procedures, establishing risk alerts for compliance issues, ensuring all employees receive relevant data privacy training, reporting to the sponsor, and offering expertise in various aspects of compliance.

A good data privacy manager will have a wealth of experience in the topic and specialized knowledge related to data security. As such, contracting a data privacy manager could save a sponsor/CRO time, money, and resources that may be otherwise spent on these tasks. Another option is to train someone internally to assume this position.

Conclusion

Patient healthcare data is highly personal and confidential. It is the responsibility of clinical research sponsors and organizations to ensure that PHI and patient data are used appropriately and remain secure, so that participants are not discriminated against due to their medical diagnoses or otherwise. To that end, clinical trial data is subject to various regulatory standards in the US, including ICH GCP, the HIPAA Privacy and Security Rules, and the HITECH Act (and in the EU, the GDPR and CTR). These regulatory standards both establish and enforce rules relating to clinical trial data privacy, setting fines/penalties for non-compliance as well as mandating the disclosure of data breaches.

Best practices for organizations dealing with trial data include centralizing clinical trial data storage and monitoring, establishing SOPs for data processing, educating all employees on the subject of data protection, and performing routine audits. For some sponsors and CROs, it could be a good idea to hire a dedicated data privacy manager or clinical data manager with extensive knowledge about data regulations and participant privacy, who can act as an internal expert and help implement optimal data privacy practices and ensure compliance, either at the level of the organization or for individual trials.