HIPAA Compliance and Clinical Trials: All the Information You Need

Clinical trials depend on patient data. The Health Insurance Portability and Accountability Act (HIPAA) was enacted by Congress in 1996. The law required the United States Department of Health and Human Services (HHS) to create national standards that keep sensitive patient information out of unauthorized hands.

To implement those requirements, HHS issued the HIPAA Privacy Rule, which governs how individually identifiable health information may be used and disclosed. HHS later issued the HIPAA Security Rule, which protects a subset of the information covered by the Privacy Rule: the part that is held or transmitted electronically.

When the rules were new, many researchers feared that HIPAA would hinder clinical research. Those concerns proved largely unfounded. The rules do not forbid research; they require that participants' health information be used and disclosed only with appropriate permission and protection.

As a general matter, a patient or health plan member must authorize the use and disclosure of his or her protected health information (PHI) for research.

HIPAA comes into play when a study obtains PHI from a covered entity (such as a hospital or health plan) in order to conduct the research, and when the researcher is itself part of a covered entity and creates PHI during the study, for example by recording clinical findings in a medical record. In either case, the study must be run in compliance with the rules.

HIPAA Privacy Rule

The Privacy Rule sets standards for the use and disclosure of individuals' health information by the organizations subject to it. Those organizations, called covered entities, are health plans, health care clearinghouses, and health care providers that transmit health information electronically. Patients are not covered entities; they are the individuals the rule protects.

The Privacy Rule also establishes patients' rights to know and control how their health information is used. Its main objective is to protect that information while still allowing the flow of health information needed to provide high-quality care and to protect public health.

In short, the Privacy Rule permits the use of important data while protecting the privacy of the people seeking care.

HIPAA Security Rule

While the Privacy Rule covers PHI in any form, the Security Rule protects a subset of that information: individually identifiable health information that a covered entity creates, receives, maintains, or transmits in electronic form. This subset is called electronic protected health information, or ePHI.

The Security Rule does not apply to PHI transmitted orally or on paper; that information remains protected by the Privacy Rule alone. To comply with the Security Rule, covered entities must:

  • Ensure the confidentiality, integrity, and availability of all ePHI they create, receive, maintain, or transmit.
  • Identify and protect against reasonably anticipated threats to the security or integrity of that information.
  • Protect against reasonably anticipated impermissible uses or disclosures, that is, uses or disclosures the Privacy Rule does not permit.
  • Ensure compliance by their workforce.

When considering requests for permitted uses and disclosures, covered entities are expected to rely on professional ethics and best judgment. The HHS Office for Civil Rights (OCR) enforces the Privacy and Security Rules, and complaints about possible violations are filed with OCR. Violations can result in civil monetary penalties or criminal penalties.

HIPAA Violations

Compliance with HIPAA means operating within the requirements of the Privacy and Security Rules. An organization that fails to meet those requirements is in violation of HIPAA. Common violations include:

  • Impermissible disclosure of PHI to unauthorized parties
  • Failure to implement required administrative safeguards or workforce training
  • Failure to update, upgrade, or otherwise address known compliance gaps
  • Failure to notify affected individuals and the required officials about a breach of unsecured PHI
  • Failure to implement the safeguards required by the Security Rule

Violations fall into two groups: civil and criminal.

1. Civil violations are non-compliance incidents without criminal intent. The penalty amount depends on the level of culpability, from unknowing violations up to willful neglect. The base per-violation amounts set by the HITECH Act (before the inflation adjustments applied in later years) are:

  • Did not know, and could not reasonably have known, of the violation: at least $100 per violation.
  • Reasonable cause, not willful neglect: at least $1,000 per violation.
  • Willful neglect, corrected within 30 days: at least $10,000 per violation.
  • Willful neglect, not corrected within 30 days: at least $50,000 per violation.

Each tier is also subject to an annual cap for identical violations, originally set at $1.5 million.

2. Criminal violations involve knowingly obtaining or disclosing individually identifiable health information in violation of HIPAA. The penalties are:

  • Knowingly obtaining or disclosing the information: a fine of up to $50,000 and up to one year in prison.
  • Doing so under false pretenses: a fine of up to $100,000 and up to five years in prison.
  • Doing so with intent to sell, transfer, or use the information for commercial advantage, personal gain, or malicious harm: a fine of up to $250,000 and up to ten years in prison.

The Required Authorization Before Taking Part in Clinical Trials

Contrary to a common belief, the Privacy Rule does not prevent researchers from conditioning participation in a clinical trial on the participant signing an authorization. The rule does not dictate the conditions for enrollment and participation in a trial; it governs the authorization needed to use and disclose individuals' health information.

Before a trial begins, participants must review the relevant documents so that they understand what the trial involves. The use of PHI in the trial is permitted only if the participant has given a valid authorization. Under 45 CFR 164.508, an authorization must contain these core elements:

  • A specific and meaningful description of the information to be used or disclosed.
  • The name or other specific identification of the persons, or classes of persons, authorized to make the use or disclosure, and of those to whom the information may be disclosed.
  • A description of each purpose of the use or disclosure, such as the specific research study.
  • An expiration date or expiration event. For research, "the end of the research study" or "none" is acceptable.
  • The individual's signature and the date.

It must also include required statements, including a statement that the individual may revoke the authorization in writing.

Participants may revoke an authorization at any time. After revocation, the researcher may not collect new PHI under that authorization, but may continue to use and disclose PHI already obtained before the revocation to the extent necessary to preserve the integrity of the study, for example to account for the participant's withdrawal or to report adverse events.

A separate authorization is not needed for every use or disclosure of PHI. A single authorization can cover all the uses and disclosures tied to one specific research study, as long as the authorization describes that study and the disclosures that will result from it.

The Privacy Rule does not say who must draft the authorization form, so a researcher may draft it. The form complies with the rule only if it is written in plain language and contains the core elements and required statements listed in 45 CFR 164.508.


Successful clinical studies depend on patient data. But before that data is collected, study participants must understand what they are signing up for. The U.S. government takes personal health information seriously, and HIPAA exists to safeguard the confidentiality of the health information of everyone who uses the healthcare system.

Published by Medical Device News Magazine (https://infomeddnews.com), a division of PTM Healthcare Marketing, Inc.; managing editor Pauline T. Mayer.
