Alleviating sponsor and investigator concerns around sharing of remote-assessment data in accordance with GCP and GDPR standards.
We have heard it from local clinical trial regulatory departments, hospitals, and country-level regulatory experts: “participant records cannot be shared by the investigator outside of the site,” with the well-meaning declarant adding, “it violates GDPR.” That phrase has likely burned many protocols’ hopes and dreams of decentralized assessments in the European Union (EU). But is that statement true? This common interpretation of the good clinical practice (GCP) confidentiality principle may deter investigators from sharing study participants’ directly identifiable and health information with third-party home health providers in decentralized clinical trials (DCTs). However, a thorough reading of GCP demonstrates how an investigator may share identifiable participant information with third-party vendors in compliance with applicable GCP confidentiality requirements and the protections offered to data subjects in the EU by the General Data Protection Regulation (GDPR).
It is important to be mindful that prior to determining that it is appropriate to include decentralized aspects in a clinical trial, the sponsor has conducted a risk-benefit analysis of the specific assessments that are proposed to be conducted remotely in the study.
The risk-benefit analysis should:
After these assessments are made and it is determined that, for example, remote assessments by healthcare providers—so-called “home health visits”—are appropriate, the DCT protocol may include home health visits on its schedule of assessments. In a home health visit, a healthcare provider may meet with the study participant at the participant’s home or other off-site location to support the conduct of the clinical trial, including remote assessments (e.g., blood draw by a phlebotomist or nurse-administered medication).
GCP protocol-related activities are to be conducted by the investigator or through delegation and under supervision of the investigator, by a person determined by the investigator to be qualified by skill, education, and training to perform the task. Due to site staffing constraints or logistics, often a third-party vendor is retained to conduct these assessments.
To be able to perform the protocol-related tasks, the vendors must access the directly identifiable information of the participant. This may include the participant’s name, phone number, and email address to communicate with the participant to make appointments, home address for travel and planning, and year of birth to validate identification prior to the assessments.
This access by third-party healthcare providers to participants’ identifiable information is sometimes flagged by ethics committees, investigators, or country-level regulatory experts as a potential participant confidentiality concern under GCP or GDPR. Often, the concern is, in fact, a confusion of an investigator’s regulatory obligation to protect the confidentiality of participant identity and medical records with a misunderstanding that there is a complete prohibition to sharing that information with a person other than the investigator’s staff.
GCP requires that all reasonable precautions should be taken to protect the confidentiality of participants within the applicable regulatory constraints. This means that access to information that identifies the participant should be restricted to authorized parties, as needed, to conduct the trial or to audit the study for the protection of the participants and data quality.
In the case of the home health professional example earlier, the investigator verifies the qualifications of the third-party home health professional. In addition, the investigator reviews study plans for information regarding how the participant’s identifiable information will be handled by the home health professional to ensure that the information will be adequately kept confidential by the third-party vendor. This information may include results of due diligence reviews conducted by the sponsor into the third-party processes or systems that will handle participants’ directly identifiable information.
Once the investigator is satisfied that the third-party home health professional is qualified by training and skills and that appropriate processes and systems will be utilized to conduct the protocol-required activities, the home health professional will be formally delegated certain tasks in support of the study and added to the site delegation log.
Confidentiality is appropriately safeguarded when the investigator has reviewed in the study plan how the third-party nurse, for example, will conduct the visit and is assured that the nurse’s processes will also keep the participant information confidential. This additional review into the “qualification” of third-party vendors as required by GCP would not be required of the investigator but for the sponsor’s requirement of a remote visit in the protocol.
Investigators may seek reasonable reimbursement for their time and resources in making this important determination into qualification of the third-party vendor. Investigators may also seek assurances as to the results of any due diligence of the sponsor into the systems and processing of the third-party vendor and, therefore, may not need to complete their own assessments of complicated technical systems, which may be beyond the expertise of most investigators.
In this example, there is not a total ban on sharing the participants’ identifiable information, but instead a) review of the qualifications of the nurse; b) review of study plans to ensure the nurse will maintain confidentiality of the participant’s information in their processes and/or assurances by the sponsor as to results of the due diligence it performed on the vendor; and c) traceable documentation of the tasks delegated to the nurse, to substantiate the need for the investigator to share participant data (delegation log). In this instance, the investigator has taken reasonable precautions to protect the confidentiality of the participants and acted in accordance with GCP requirements.
GCP was initially adopted in the International Conference on Harmonization (ICH) revision 1 (R1) in the 1996 guideline, when most of the world was first experiencing e-mail. The 2016 revision 2 addendum (R2) improved content on the use of electronic systems but did not alter the language around confidentiality.
In 2022, ICH is preparing for Revision 3 (R3) of the guideline. There is ample indication that, with this revision, the guideline will be brought into the decentralized era of clinical trials. About the principles of GCP, ICH writes: “The principles are intended to support improved and more efficient approaches to trial design and conduct.”
In its working paper for R3, the ICH working party addresses the perceived problem with trial design and conduct by including guidance for emerging technologies, innovations in trial designs, diversity of data sources, service providers, and other emerging complexities of today’s clinical trial designs.
In review of draft R3, for example, the principle around confidentiality has been altered, referring more directly to the privacy and data protection regulations. Draft R3 now reads: “The confidentiality of information that could identify participants should be protected in accordance with applicable privacy and data protection regulations.” The move from “confidentiality of records” in the current R2 to “confidentiality of information” that could identify participants in R3 is not insignificant. The revised language recognizes that participants’ identifiable information is not only hospital records but may be in other forms, possibly electronic systems—thus acknowledging that the confidentiality of information may be maintained outside of hospital records. The revision maintains the term “protected,” includes language around quality management, and takes a risk-based approach to the protection of trial participants. The revision requires identifying the critical processes for participant confidentiality, identifying and evaluating potential risks, and deciding on risk control measures and quality tolerance limits, prior to the beginning of the study. Thus, R3 seems to contemplate a scenario like the third-party nurse example earlier, where after adequate risk assessments by the sponsor and due diligence by the investigator, participant identifying information is accessed by third parties and yet confidentiality is protected in accordance with GCP.
Data protection laws (DPLs), including the GDPR, are a second, independent set of regulatory requirements applicable to clinical trials. While DPLs are fully distinct from GCP, the requirements of DPLs and GCP contain some similar provisions with respect to protecting personal data and maintaining patient confidentiality. However, it is critical that the specific requirements of both GCP and DPLs are independently considered and addressed.
For DPLs, that means providing proper notice and receiving consent to processing study participants’ personal data, utilizing adequate technical and organizational security measures, preventing access by or transfers to unauthorized parties, disclosing processing of the data by third parties, and limiting use of the data to the purpose for which it was collected.
Each of the DPL requirements identified in this article is consistent with the GCP principle for maintaining participant confidentiality. In some cases, such as information security, the same controls can satisfy the requirements of both GCP and DPLs. But care must be taken to avoid assuming that compliance with either GCP or a DPL automatically results in compliance with the other.
This brings us back to the quotation in the first sentence of this article, “participant records cannot be shared by the investigator outside of the site…it violates GDPR.” While it’s a mistake to assume that satisfying one set of requirements means automatic compliance with the other, it’s also erroneous to assume that the GDPR is being violated without checking the statute. A careful review will show that if certain conditions are satisfied, the GDPR is not a barrier to sharing participant records outside of the site.
With the appropriate reviews of the third-party provider’s training and qualifications, confirmation that the third-party providers will protect participants’ confidential identifiable information, and completion of delegation logs, the investigator may, in fact, share participant identifiable data with third-party providers in accordance with GCP and GDPR’s confidentiality requirements. Investigators should document their efforts to “qualify” these third-party vendors and the results of the sponsor’s due diligence reviews of the vendor, in accordance with GCP, and may seek reasonable reimbursement for these efforts from sponsors of clinical trials. Future iterations of GCP are likely to make this approach to confidentiality of participant information clearer, underscoring the pre-trial risk assessments of sponsors and investigators.
The resolution of these issues and adoption of these practices will help relieve sponsor and investigator concerns of how remote assessments in DCT by third-party home health providers will be viewed in audits and inspections.
Owen Corbin, Senior Director, DCT Regulatory and Data Privacy, IQVIA Virtual Trials, IQVIA