
AHLA's Speaking of Health Law
The American Health Law Association (AHLA) is the largest nonprofit, nonpartisan educational organization devoted to legal issues in the health care field. AHLA's Speaking of Health Law podcasts offer thoughtful analysis and insightful commentary on the legal and policy issues affecting the American health care system.
Beyond Privacy Implications: Data Breaches in Clinical Trials
As clinical research becomes increasingly digital, the legal and compliance landscape is shifting. Hal Porter, Director of Consulting Services, Clearwater, speaks with Dianne Bourque, Partner, Holland & Knight LLP, about the legal, regulatory, and ethical considerations when clinical trial data is compromised. They discuss issues related to regulatory frameworks and legal obligations, risk exposure and liability, impacts of a breach that go beyond privacy, cross border data and transfer risks, and mitigating the risk and fallout of data breaches in clinical trials. Sponsored by Clearwater.
Watch this episode: https://youtu.be/XwtZXXGmLx4
Learn more about Clearwater: https://clearwatersecurity.com/
Essential Legal Updates, Now in Audio
AHLA's popular Health Law Daily email newsletter is now a daily podcast, exclusively for AHLA Premium members. Get all your health law news from the major media outlets on this podcast! To subscribe and add this private podcast feed to your podcast app, go to americanhealthlaw.org/dailypodcast.
Stay At the Forefront of Health Legal Education
Learn more about AHLA and the educational resources available to the health law community at https://www.americanhealthlaw.org/.
This episode of AHLA Speaking of Health Law is sponsored by Clearwater. For more information, visit clearwatersecurity.com.
SPEAKER_02:Welcome to this episode of the AHLA Speaking of Health Law series. I'm Hal Porter, Director of Consulting Services for Clearwater's Digital Health Team, and today's episode is titled Beyond Privacy Implications, Understanding Data Breaches in Clinical Trials. As clinical research becomes increasingly digital, the legal and compliance landscape is shifting under our feet. It's no longer just about safeguarding patient privacy. Data breaches now carry implications for regulatory compliance, trial integrity, sponsor liability, and even the admissibility of trial results. industry clients on a broad range of regulatory issues, including data acquisition and use in AI algorithm training, research, product development, and digital health applications. Dianne, welcome.
SPEAKER_01:Thanks, Hal. It's great to be here, and I'm looking forward to this discussion. As you mentioned, I'm a partner in the Boston office of Holland & Knight, and I have been dealing with both HIPAA and clinical research for the entirety of my career. So I love talking about both of those topics, and I'm even more excited to talk about them at the same time.
SPEAKER_02:Excellent. Well, it's great speaking with you today, Dianne. On today's episode, we will be unpacking real-world risks, discussing emerging regulatory trends, and offering practical strategies for reducing organizational exposure in an increasingly interconnected trial environment. So, Dianne, with regard to the regulatory landscape and obligations, what are the primary regulatory frameworks that govern data protection in U.S. clinical trials, and how do they intersect with multi-jurisdictional studies?
SPEAKER_01:Yeah, it's a great question. So anybody who's dealt with privacy and data security in the United States knows that we always have multiple overlapping frameworks that we have to deal with. And that is absolutely the case in clinical research. So at the federal level, of course, you have to think about HIPAA. And the reason is that clinical trial data is primarily collected by healthcare providers or other covered entities, entities that are governed by HIPAA. And so HIPAA governs a lot of different aspects of clinical trials. For example, accessing records to facilitate recruitment, even to develop a protocol, accessing source documentation to get underlying history for study participants and collecting their data. It's involved in the consent process because you have to not only obtain a study consent, but you need an authorization for the use and disclosure of PHI for those studies. So HIPAA has all kinds of relevance for clinical research. At the federal level, you also have to think about human subject protection regulations. So for example, there's the Common Rule, which is like the NIH human subject protection rule. And the Common Rule, and it's called that, by the way, because a number of federal agencies use that to govern human subject research that they fund. So they all have that rule in common. That's why it's called the Common Rule. But the Common Rule requires researchers to implement protections for the privacy of subjects and the confidentiality of their data. So it's built right into what the researchers are obligated to do. The Common Rule also has different privacy provisions relating to the storage and maintenance of identifiable study data and identifiable biospecimens when those are being used for secondary research, and that's a huge priority of the federal government as a policy matter.
The government wants to encourage secondary use of existing materials and data because it minimizes the burden on participants and it expedites research because you already have these things available, but there are special rules, privacy rules, that apply for that. Also at the federal level, there are FDA human subject protection regulations, and those rules require that in the consent process, participants in an FDA regulated study are advised of the extent to which their records and their personal information will be maintained confidentially. And they also have to be advised that the FDA and others may inspect those identifiable records. So again, researchers have to really think about privacy and data security when they're building out their study and thinking about how they're presenting it to study participants. Okay, so that's all federal considerations. At the state level, again, there are always multiple different rules at the state level with respect to privacy and data security. Most often, the rules that are of concern are the ones that add special protections to certain types of information. So for example, most states have laws protecting genetic test results. So if your study involves genetic testing, you need to think about those rules and what they require. And you also, when you're thinking about all of these rules, have to keep in mind that you're dealing with research information and research, which is not treatment. A lot of the health information privacy rules at the state level relate to treatment, or they apply to folks who are providing treatment. And so you always need to keep in mind research is not treatment and think carefully about if and how those special state laws apply. So that's in the United States. Now, of course, if you're doing a study that has sites overseas, you have to think about all the rules that apply in the relevant jurisdiction where the study is being conducted.
For example, if you have study sites in the European Union, you need to think about the GDPR. You need to think about the EU Clinical Trials Regulation, which governs the conduct of clinical trials. It also, much like US human subject protection rules, requires the protection of the confidentiality of participant information. And again, all of these overlapping frameworks, they create complexity just in the execution of a trial, but they also create complexity under time pressure in the event of
SPEAKER_02:Absolutely. So in the event of a data breach, what are the immediate legal obligations for sponsors and CROs?
SPEAKER_01:So that's a great question. First of all, the legal obligations could land in a variety of places given the number of folks involved in conducting a clinical trial. Ultimately, though, the sponsor is really obligated for what goes on in a clinical trial. As a regulatory matter, the sponsor is responsible for the clinical trial. So ultimately, the sponsor is on the hook, but they're going to share, just like in the execution of a trial, they're going to share the sort of implementation of the response with other parties that are involved. So the immediate obligation when there's a data breach in a clinical trial or involving clinical trial information, as is the case in any other data breach circumstance, is to stop the breach and mitigate harm. And whoever is responsible for that really depends on what the breach was, where it occurred, whose system was involved, and whoever is in a position to stop the breach is the one that has to stop the breach. That's obligation number one. These obligations apply all at once. If you've been involved in a data breach, you know it's a multifaceted process with so many different moving parts, but one of the moving parts after you immediately try to stop the breach and mitigate harm is to assess the regulatory obligations and figure out, first of all, what happened. Is it a data breach? Is it a reportable data breach? What laws matter? All those laws that we just talked about, someone has to look at them, figure out what law is implicated. It's a very fact-specific determination based on what happened. And as you know, as the facts of a breach evolve, the analysis could completely change. And so someone really has to have a careful eye on what underlying laws are implicated by the incident that just happened. And then, of course, who deals with what is a factor of those underlying laws and the nature of the incident.
Because it's a clinical trial and not just a sort of clinical care, everyday data breach, you also have to assess your human subject protection obligations in the aftermath of a breach. And that may be IRB notice, FDA notification, study subject notification. So again, looking back at those rules that apply, the Common Rule requires the reporting of unanticipated problems involving risks to participants or others. And so clearly a data breach could fit within that definition, and federal guidance makes clear that it does contemplate a confidentiality issue such as would arise in the aftermath of a data breach. So the Common Rule requires investigators to report these kinds of incidents to the IRB. The IRB is going to have to report the incidents to institutional officials, to potentially the funding agency if there's federal funding involved in a study, to the Office for Human Research Protections, the federal agency involved in implementing the Common Rule. Similarly, FDA has reporting requirements for unanticipated problems involving risks to subjects. So again, you're dealing with this potentially in the aftermath of a data breach. And then the actual reporting requirements, like who you talk to, who's responsible for reporting what, where, may vary depending on the nature of the investigational product. So a device study is going to have different reporting obligations than a drug study. So that's another aspect to think about when the study involves FDA regulated products. Just a pro tip I want to throw out here. When you do make these reports to regulators, when you make any sort of incident report to regulators, but especially in the data breach context, you want to make sure that you are able, hopefully, to report the measures that you took in the immediate aftermath that we just talked about, mitigating the harm, right? Stopping the breach, mitigating the harm.
Because when you report to the regulators and you're able to say, you know, this bad thing happened, but here's what we did and here's why everybody's okay and it's fine now, you're going to have a much different response than if you report without having done any of those things and say, oh, something horrible happened and it's still going on. You know, again, the focus is on harm to participants. And if you can convey that the harm has been contained or minimized or doesn't even exist, you're going to have a better time with your regulators. And just a couple more points on the aftermath of a data breach. You do want to assess your contractual obligations because even though the relevant laws are going to dictate who does what or who's responsible for what, contractually the parties may alter those responsibilities or may, in the case of a clinical study, delegate those responsibilities. So your CRO may have a different set of obligations, notwithstanding what privacy law dictates. And again, if your study involves jurisdictions outside of the United States, for example, if you're in a GDPR regulated study, you may have very, very immediate notification obligations to data protection authorities. 72 hours upon becoming aware of the breach is a very short amount of time. You may have obligations to notify affected individuals if the breach poses a risk to individuals' rights and freedoms under GDPR. So an additional set of obligations there.
SPEAKER_02:Excellent. Well, thank you. That's very good coverage. Kind of digging into that a little bit, how does HIPAA applicability complicate things when there's a breach involving clinical trial data?
SPEAKER_01:Yeah, HIPAA applicability is always challenging because it's not as straightforward as you would think. HIPAA, as you know, applies to covered entities: healthcare providers (certain healthcare providers, actually; if you find a healthcare provider that only uses paper records, you don't have a HIPAA issue), health plans, and healthcare clearinghouses. So what complicates things in the clinical trial context is that a healthcare provider is usually the investigator, or quite often the investigator, like a physician investigator. And they're conducting research procedures, they're recording data for the clinical trial within a provider institution, study data is stored within the institution, they're pulling health information from people's charts, putting that into case report forms, also storing it in the institution. And that all looks like protected health information. It looks like PHI because of the physician or provider investigator's involvement. However, in most interventional clinical trials, so a study where somebody is given a drug or a device is used on them, participants have signed a HIPAA authorization that expressly permits the use of their health information for purposes of the clinical study. And health information that has been released pursuant to an authorization is not PHI. It's no longer subject to HIPAA. In fact, if you look at the rules, HIPAA's requirements for an authorization include a requirement to warn people that once your data is released pursuant to this authorization, it may no longer be protected by HIPAA. So even though it looks a lot like PHI, if it's been released by authorization, it's not PHI anymore. And I like to think of it as research data versus PHI. So trying to keep that straight in your head sometimes is a good way to sort through all of this, but everybody gets it wrong. And I have a great example of this being just not clear.
There was, within the recent past, an enforcement action the Office for Civil Rights, which enforces HIPAA, brought against MD Anderson in response to a breach. It impacted a little bit over 30,000 people. And the underlying breach involved the theft of an unencrypted laptop and thumb drives that contained research information. And they were fined $4.3 million by OCR for this incident. They appealed the penalty to an administrative law judge. And in that appeal, the administrative law judge, I'm going to read the quote from the case: "MD Anderson asserts that HIPAA doesn't apply in this case because the EPHI contained in the stolen and lost devices was research information that is outside the statute and regulations' reach. This argument rests on what is at best a fanciful interpretation of governing regulations, and I find it to be without merit." That absolutely broke my heart to read that. But it's a great example of how easy it is to confuse PHI with research data. Incidentally, MD Anderson did have that penalty vacated on appeal to the Circuit Court of Appeals. Again, also breaking my heart, they did not overturn the underlying decision because of the research data versus PHI argument. They overturned it because the penalty exceeded statutory maximums under HIPAA. So I would have loved to have had that point clarified in case law, but I don't always get everything I want, which is really a shame. But it's confusing. So it's definitely the ball that everybody needs to keep their eye on when they're dealing with this.
SPEAKER_02:That's an excellent example. Thank you very much. So when considering risk exposure and liability, there are many key stakeholders in clinical trials who all play critical roles in the trial's design, conduct, oversight, and ethical execution. These stakeholders typically include the sponsor, the CRO, the investigator site, and third-party vendors, just to mention a few. From a legal standpoint, who typically bears the liability in a clinical trial data breach? And I think you touched on this a little earlier.
SPEAKER_01:Right. Yeah. Again, because the sponsor as a practical and a regulatory matter is responsible for the overall study, they're the ones that are ultimately going to bear responsibility and really end up holding the bag in the aftermath of a data breach. So as a practical matter, they're going to probably absorb the cost. They definitely are going to absorb the cost of the disrupted or the discontinued study. It may disrupt their larger clinical program. There's reputational damage associated with, as you know, a data breach. There may be harm to affected study participants. And the sponsor, depending on who it is, may be a more appealing target than the other entity, whether it's a CRO or a site or some other vendor. The sponsor may be a more appealing target for a plaintiff lawyer. Again, depending on the underlying facts, the actual responsibility may lie somewhere else. It could be with the CRO, the PI, the vendor, some other third party, but ultimately the sponsor is going to suffer the consequences of the data breach.
SPEAKER_02:How do indemnity clauses typically address liability in the event of a breach? Where do those clauses reside? And what red flags should compliance officers be looking for?
SPEAKER_01:Yeah, so it's a really important thing to think about. Beyond having and making sure that everyone has a comprehensive security infrastructure in connection with the clinical trial, careful contracting, including indemnity, as well as cyber liability insurance are really the best ways to minimize risk. Indemnity provisions are going to allocate risk and responsibility as between the parties. And there are a lot of different agreements where these might live. For example, you'll find them in clinical trial agreements, which are the agreements between the sponsor and the site or the CRO and the site on behalf of the sponsor. You may find them in master services agreements between sponsors and CROs, or with other service providers. One thing to think about: clinical trial agreements between the sponsor and the site don't always have an indemnity flowing from the site to the sponsor. And the reason is that a lot of times a site like a university hospital or a community hospital may be an arm of the state. So there may be statutory prohibitions on indemnities. A lot of times you can't get an indemnity from a study site. And I'll throw out another pro tip. If you are in a situation where there's a statutory prohibition on indemnity, you can at least insert a responsibility provision, or a provision making expressly clear that the site's not obligated to indemnify the sponsor, but it is responsible for whatever damages arise from its own negligence or failure to comply with clinical trial agreement requirements. Separate from that, if there's no statutory prohibition, there should be a fairly broad bilateral indemnity between the sponsor and others involved in executing the study. Sponsors need to watch carefully for CROs, which typically offer a pretty narrow indemnity. And if you think about it from their perspective, that makes a lot of sense because they're not the ones who conceived of the study.
It's not their investigational compound that you're giving to people. It's not their device that you're trying out on people. They're merely executing what the sponsor thought of. So they shouldn't carry the risk of a compound hurting someone or a device hurting someone. But maintaining study data is not outside the scope of their responsibilities. And so there should be an indemnity that's broad enough to capture a data breach. And another thing to watch out for is indemnity provisions that are limited to a party's negligence. And that's because there can be a data breach without negligence. You could have the most compliant, flawless security infrastructure that anyone could imagine, and an employee could go rogue. And even if that employee had training, you could do everything right and still have a breach. So you want to make sure that it's not limited to negligence and that someone is actually responsible. And think about data breaches when you're thinking about the scope of your indemnity. And then one other pro tip I'll throw out there, and it kind of surprises me, but clinical trial agreements, MSAs, the agreements that you typically see in the clinical research context, rarely require the specific reporting of data breaches. And in this day and age, that seems a little funny, but, you know, maybe it's time that we buck the trend and start putting those express provisions in those agreements, because you certainly don't want to get blindsided by a data breach or find out after the fact, right? After you've committed more money and more effort and time on a study that suddenly gets, you know, whacked by a breach or a change in the risk profile of your study because of a breach. So including those things is not a bad idea.
SPEAKER_02:No, absolutely. Excellent pro tips. So Dianne, when looking beyond privacy, with regard to breach impact, how can a data breach compromise the integrity or admissibility of trial data in regulatory submissions, for example, to FDA?
SPEAKER_01:Yeah, it's all part of the sponsor holding the bag. I mean, a breach, again, it depends on what happened in the underlying breach. The facts are so important. And that's one thing to keep in mind. But a breach could potentially raise data integrity issues with FDA or some other regulator. And that's a very serious thing. A breach, depending on what happened, could unblind a study. It could involve the destruction or the alteration of data. Or even if it doesn't actually do that, it could suggest the possibility that data was destroyed or altered. And other significant impacts like that could lead to the rejection of the study data. It could lead to the rejection of the entire marketing application. And sometimes the regulatory authority will require that the study be repeated. And that's going to set back the sponsor's potentially entire clinical program. It is going to burn time and money. Depending on the sponsor, if it's a startup, if it's a smaller company, they may not have the cash runway to repeat work that has been invalidated by a data breach. And ultimately all of these things, all of these setbacks, delay the advancement of science and they delay access to products that could improve patient care. So there's a whole lot of tragedy that flows from a clinical trial data breach. And it's ideal to avoid that.
SPEAKER_02:Absolutely. So I think you've touched a little bit on it in your explanation there, but what would be some potential consequences beyond what you've just spoken of regarding a breach, in terms of trial suspension, IRB or ethics board interventions, litigation, potential litigation by affected trial participants?
SPEAKER_01:Right. Yeah. And all those things are strong possibilities. And again, it's really going to depend on the underlying facts. You can have one of those sort of benign breaches that technically is a breach, but you don't have a risk of harm to individuals. You don't have all those potential bad outcomes. But you could also have a breach that does present a risk of harm. You could have a breach resulting from a protocol deviation. So say your study protocol requires the implementation of security measures and security infrastructure, and those weren't followed, and ultimately your data breach is the result of a protocol violation or deviation. And that is a serious thing. And an IRB or an ethics committee can certainly suspend the study in response to that. You also have the risk of litigation. If there's a large scale data breach, as you all know, those kinds of breaches are typically followed by a rash of class action lawsuits. So you can have that in the... There are regulatory, there are practical, there are legal consequences that ultimately really hurt the sponsor and that hurt patients.
SPEAKER_02:All right. So, shifting just a little bit to look at cross-border data and transfer risks, how should organizations address conflicting obligations between local laws in the context of a breach? So, for example, between federal and state law.
SPEAKER_01:Right. So, that's what makes, in the United States, data breaches so enthralling. As in the case with clinical care or some other context of a data breach, in the clinical trial context you have to deal with all of the overlapping, potentially conflicting laws and comply. And in the context of a data breach, you're doing it under time pressure. And in the context of a clinical trial data breach, you're doing that with the additional layer of human subject protection concerns. So lots going on. Hopefully you've done all of that analysis upstream that we talked about, figuring out what laws apply and what you're dealing with when the incident happens. And in order to comply with all of the applicable laws, it may mean that you have to provide some sort of participant notice under state law, even if notification isn't required under federal law because HIPAA is not implicated. You may actually spend a good bit of time fighting about why HIPAA is not implicated, because you could have a faction of voices yelling, this is a breach of PHI. And you have to go back to that MD Anderson analysis and defend your position that we are not talking about PHI, if that's the case. One of my favorite things is competing notice timing requirements. So you have different jurisdictions imposing different timeframes for providing any required notice. So you pick the shortest one; that way you can comply with everybody. It's always awesome to sort through notice requirements when they conflict: always give notice about what happened. Never say exactly what happened. Give general notice about what happened. You've got to sort through all of that. How do you prepare yourself for that? How do you anticipate that? It's hard because, again, breaches are so fact-specific. You just don't know what you're going to be dealing with.
But in advance, if you can at least appreciate the regulatory environment that you're operating in and know what resources are available to you and where you can access them if you need to start immersing yourself in all these issues, that's helpful in the time crunch of a data breach. And that'll help you sort through all of those conflicts, hopefully.
SPEAKER_02:Absolutely. And that brings up a topic. One of the things, you know, that we work with our clients on here at Clearwater is business resiliency. You know, and you kind of touched on being able to understand and know what different timings are required and all the different agencies that potentially need notification. And so, you know, we actively encourage the clients that we work with to really dig in and do solid incident response planning, as well as testing and incident response tabletop exercises. And historically, we've seen a lot of times where the legal aspect of it is really more of a, well, they won't necessarily participate in the exercise, either because it's very difficult to get the time or it's expensive. But given the current climate and the way it's going, with more complexity and more requirements, what are your thoughts on including the legal aspect in that incident response exercise and testing?
SPEAKER_01:Yeah, so that's a really important point. of a breach, nobody wants to say, oh, I'm to blame, it was me. Like, it's really hard. So the more that you can think about this in advance and have everybody clear on who does what and who they are and the fact that they work together, you know, whatever you have to do to prepare that in advance is so, so critical. And quite frankly, just doing that in the context of clinical research, that almost never happens. It's hard enough, as you know, to get your clients to do that advance preparation and that advance work just in the day-to-day operational context. I've never seen it in the context of clinical research, but really the same thought should be brought to bear in the clinical trial context. Like, who's going to do what? Who gets a phone call? What lawyers are involved? Like, where are the lawyers and how do we involve them? And do they know these people? Have the lawyers met the CRO? Like, are they going to screen the call when it comes in? High likelihood. So it's a really important thing to do, and it's not often done.
SPEAKER_02:Unfortunately, that's true. And those are some great thoughts around that. So thank you. You know, so far we've talked a lot about the standard traditional centralized clinical trial model. But, you know, now with decentralized clinical trials, maybe can you explain what that is and how they're increasing data security risks?
SPEAKER_01:Yeah, it's a really important evolving model of clinical trial. And it's an important thing to think about when you're thinking about clinical trial related data breaches and avoiding them. So decentralized clinical trials is a model that has been evolving for a number of years. It really took off during the pandemic. But what it is, it's a model that allows study participants to participate in a clinical trial from home or from some remote location through the use of digital technology, digital health technology, or through the use of visiting nurses, people going to them rather than making them come into an academic medical center, where sort of conventional clinical trials have historically been conducted. Keep in mind that a lot of times, like say in an oncology study, the participants are potentially very, very sick people. And so if it's possible to structure a study where you don't have to have them schlep into the academic medical center repeatedly for study procedures, that's a good outcome. If they can have those procedures and have that monitoring at home, it can be a lot better for them. And it's something that we learned works pretty well during the COVID pandemic. Decentralized clinical trials also help diversify clinical trial participation. So again, as a practical matter, if the study is conducted within the four walls of an academic medical center in an urban area, say, the only people who can participate are people who can readily access the academic medical center. If you have a decentralized trial, you can gather people from all over the place, and that leads to broader participation and it leads to more broadly applicable outcomes. You can say with a lot more confidence, this intervention is going to help everybody, as opposed to saying this intervention is going to help the population of people who live in the immediate surrounding area of an academic medical center. So they're a good thing.
Of course, when every good thing comes to the flip side, this model of clinical trial can certainly increase privacy and security risks and opportunities for a data breach. And that's because data will potentially be residing on devices and in platforms where it would not reside. It may not travel around as much outside of an academic medical center in a conventional clinical trial. It could be residing, in a clinical trial, on laptops. It could be on tablets. It's getting transferred back and forth from the institution to the home of the participant. So it doesn't mean that it's a bad model. It just means it requires additional planning and analysis and thinking, just like a risk analysis does under HIPAA or in the clinical context. You need to think about where your data is, where that information is, how it's traveling, what risks it faces as it's traveling so that you can address those risks and hopefully avoid an incident. FDA recognizes the growing importance of decentralized clinical trials. And in 2023, they published guidance on remote data acquisition for clinical trials, such as through hardware, software, wearables, mobile apps. And that guidance addresses privacy related risks. One thing that guidance addresses, which is an important consideration (it's more of a clinical trial consideration, but it's something to think about): a lot of the digital health technologies that are involved in a clinical study are products that have their own end user license terms, and so those terms may vary contractual terms, they may vary the liability that we talked about earlier, they may contain language directed at study participants that is not consistent with what the consent has. So yeah, there's lots to think about in this context, but the guidance is helpful for, you know, planning a decentralized clinical trial and importantly, you know, mitigating the unique privacy and security risks presented by the model.
SPEAKER_02:Dianne, what final thoughts would you like to leave with our audience regarding proactive legal and contractual measures that organizations can take to mitigate the risk and fallout of data breaches in clinical trials?
SPEAKER_01:Yeah, probably we're ending on the most important point here. Just like in the clinical context, it's really, really important for the parties in a clinical trial to keep data security at the top of their minds. We talked about contractual considerations, indemnity, breach notification language, cyber liability coverage. In fact, insurance becomes even more important if you can't get an indemnity. So yay insurance. Another important consideration is diligencing your partners and your collaborators who are working with you in the study. I think that it's really important to strike a balance when you're doing this. So you want to confirm that a collaborator or a partner in this work has a mature compliance infrastructure and they are a safe repository for your data versus actually fully inserting yourself in the compliance effort, going into another party's business and looking specifically at their security. You're like, show us where you hide the keys to the front door. That's a terrible idea in my mind. First of all, because it presents a security risk in and of itself. But if you get that involved in somebody's security infrastructure, you potentially are on the hook if it goes wrong, if it fails, right? So it's really important to strike a balance. But you do need to make sure that you're working with people that are responsible and that are thoughtful about privacy and security and that they're not going to create risks by virtue of just participating. And then just the regular things that you do in any sort of operational situation with respect to privacy and security. Training is really important. I'm a big fan of the informal security reminders as a good way to keep security top of mind. I like when informal reminders have entertainment value because people pay attention to them. So to the extent that you can make them readable and short and punchy, you have a better chance of everyone taking them to heart.
Again, as you mentioned, testing, incident response plans, tabletop exercises with relevant parties, including counsel, those go a long way toward minimizing confusion, scrambling, and wasted time in the aftermath of an incident. So... You know, if you can't do all of those things, at the very least, get representations from your collaborators that they have done what they need to do with respect to privacy and security. Because if nothing else, you can fall back on that. Well, they told us that's what they did, but ultimately actually fix the problem, address the problem the way we've discussed. But at the very least, get those representations.
SPEAKER_02:Absolutely. Well, Dianne, I want to thank you very much for your time today and providing your experience, your expertise, all the wonderful pro tips that help me and our audience to better understand looking beyond privacy implications and better understanding data breaches in clinical trials. Thank you very much.
SPEAKER_01:Sure. No, it was great. I'm glad we had the conversation.
UNKNOWN:Thank you.
SPEAKER_00:If you enjoyed this episode, be sure to subscribe to AHLA's Speaking of Health Law wherever you get your podcasts. For more information about AHLA and the educational resources available to the health law community, visit AmericanHealthLaw.org. And stay updated on breaking healthcare industry news from the major media outlets with AHLA's Health Law Daily Podcast, exclusively for AHLA Comprehensive members. To subscribe and add this private podcast feed to your podcast app, go to AmericanHealthLaw.org slash Daily Podcast.