How to Comply with HIPAA and EU GDPR in Medical Device Studies

Penalties for noncompliance can be steep, so it’s essential to understand what’s required

Published: Thursday, September 7, 2023 – 12:03

The U.N. recognizes privacy as a fundamental human right, and nowhere is this more important than in medical data. That’s why both the U.S. and the EU have regulations in place that govern the collection, storage, and use of patient data in healthcare.

In the U.S., there is the Health Insurance Portability and Accountability Act of 1996 (HIPAA). In the EU, the broader General Data Protection Regulation (GDPR) also covers patient health information.

When medical device companies begin clinical trials for their devices, they invariably come into possession of subjects’ personal data, which means they may be required to comply with either (or both) of these regulations, depending on where the studies take place and who participates.

Let’s start in the U.S. with HIPAA.

What is HIPAA?

The Health Insurance Portability and Accountability Act of 1996 was passed to create national standards for protecting sensitive patient health information from being disclosed without a patient’s consent or knowledge.

“Covered entities,” meaning those that must comply with HIPAA rules, include:
• Healthcare providers
• Health insurance plans
• Healthcare clearinghouses (companies that process nonstandard health information received from another entity into a standard format)

HIPAA compliance is also required of business associates of a covered entity. That means if a covered entity engages another business to help it fulfill its activities and functions, that business associate must also comply with HIPAA rules.

The three main HIPAA rules regarding protected health information (PHI) in the U.S. are:
• The Privacy Rule (Part 164, Subpart E): This rule safeguards the privacy of an individual’s health information and gives patients control over how their personal health information is used and disclosed, including the right to obtain a copy of their records.
• The Security Rule (Part 164, Subpart C): This rule establishes national standards for the security measures that covered entities must take to protect electronic health information they create, receive, use, or maintain.
• The Breach Notification Rule (Part 164, Subpart D): This rule requires covered entities and their business associates to provide notification if there is a breach of unsecured protected health information.

HIPAA compliance in clinical trials

In the U.S., sponsors of a medical device clinical trial must abide by all three of the HIPAA rules (privacy, security, breach notification), but the Privacy Rule has the most immediate impact on research.

The Privacy Rule defines research as “a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.” When it comes to research, the Privacy Rule is meant to protect health information that could identify individuals while also making sure that researchers can access the data they need.

In practice, this means there are instances where a covered entity may use or disclose PHI without authorization by the individual. For instance, this can occur when the covered entity receives approval from an institutional review board (IRB) or privacy board. The U.S. Department of Health and Human Services provides a full list of the specific situations in which a covered entity may use or disclose PHI without authorization.

Just remember that in the U.S., regulations around personal data in clinical trials aren’t limited to HIPAA. The HHS and FDA’s Protection of Human Subjects Regulations have provisions that are separate from those of the Privacy Rule but must still be followed when carrying out research with human subjects.

What is GDPR?

As its name implies, the General Data Protection Regulation (GDPR) is a broad regulation that encompasses more than just personal medical data. The GDPR went into force on May 25, 2018, with the goal of protecting the rights of EU citizens by enhancing privacy and minimizing the risk of data breaches.

GDPR applies to any information that could be used to identify someone in the EU, either directly or indirectly, also known as personally identifiable information (PII). That could include personal data such as telephone numbers or credit card numbers, but it also includes “sensitive personal data” such as patient health data.

Any organization that processes PII must abide by seven data protection principles laid out in Article 5.1–2 of the regulation:
• Lawfulness, fairness, and transparency—Processing must be lawful, fair, and transparent to the data subject.
• Purpose limitation—You must process data only for the legitimate purposes specified explicitly to the data subject when you collected it.
• Data minimization—You should collect and process only as much data as are absolutely necessary for the purposes specified.
• Accuracy—You must keep personal data accurate and up to date.
• Storage limitation—You may only store personally identifying data for as long as necessary for the specified purpose.
• Integrity and confidentiality—Processing must be done in such a way as to ensure appropriate security, integrity, and confidentiality (e.g., by using encryption).
• Accountability—The data controller is responsible for demonstrating GDPR compliance with all of these principles.

GDPR also requires data protection “by design and by default,” which means that every organization that deals with personal data must consider these data protection principles while designing any new product or service.

GDPR compliance in clinical trials

According to the GDPR, clinical trial sponsors can be categorized as both a data processor and a data controller. This is because a clinical trial operation includes data not only from subjects, but also from personnel, sales, and subcontractors.

This means there are a number of different obligations that medtech companies must fulfill when conducting clinical trials in the EU, including:

Medical device companies, or clinical trial sponsors, must now identify the data to be processed, where they will be transferred to, who is processing them, what they will be used for, and which risks are involved. All of that must now be included in a separate informed consent (not the protocol-specific consent).

GDPR states that clear and documented consent must be acquired from all data subjects in order to process their information. Such consent is not new to the industry; in most cases, a trial subject is asked to sign an informed consent before any data collection begins.

Organizations that process and manage clinical trial data must now conduct data impact assessments (DIA) on both electronic and hard-copy data. A data impact assessment should cover what the data are used for, how they’re managed, and what action is needed to mitigate any risks.

Sponsors are also required to appoint a data protection officer (DPO), who takes part in managing and documenting many of the activities that surround data and information processing. In addition, the DPO acts as the company’s main point of contact if there are any data breaches or inbound inquiries. The DPO can either be an external hire or a current employee whom you train for the role.

Comparing HIPAA and GDPR

HIPAA and GDPR share some common goals and principles, but they also have many differences. Compliance with one doesn’t necessarily mean you’ll be in compliance with the other.

Similarities between HIPAA and GDPR

HIPAA and GDPR both focus on protecting the personal health information of individuals, and both regulations give people rights over the use of, and access to, their data.

They both also require organizations that process personal health data to create specific safeguards for those data. Additionally, HIPAA and EU GDPR require organizations processing personal health information to notify anyone who is affected in the event of a data breach.

Differences between HIPAA and GDPR

The biggest difference between HIPAA and GDPR is their scope. The General Data Protection Regulation covers any organization processing personal data that could be used to identify someone in the EU. HIPAA is limited to the covered entities that process the protected health information (PHI) we mentioned earlier.

HIPAA deals solely with protected health information, while GDPR applies to any data that could be used to identify someone, directly or indirectly.

One of the biggest differences between the two regulations is GDPR’s inclusion of a “right to be forgotten.” Essentially, this means that individuals have the right to have their data erased by the organization controlling it, except under a limited number of specific circumstances.

Like HIPAA, GDPR provides exemptions from some of its provisions, such as the right to be forgotten, in certain cases. For instance, clinical trial data are considered “special data” because processing such data is necessary for research-specific purposes.

This is because clinical data can’t simply be removed or transferred from a dataset without affecting the audit trail or the statistical outcome. Subjects can, however, choose to withdraw consent to prevent any additional data collection.

The penalties for failure to comply with HIPAA can run up to $1.5 million per year, while GDPR’s fines can reach 4% of global revenue, or up to 20 million euros.

How do HIPAA and GDPR impact medical device clinical trials and their subjects?

Medical device companies conducting clinical studies will end up collecting personal health data from subjects. They are, therefore, subject to HIPAA and/or GDPR, depending on the location of the clinical trial and who is participating in it.

The penalties for failing to comply with these regulations can be steep, so it’s essential that you understand what’s required of your company while handling patient health data.

Get a clinical data solution that ensures regulatory compliance. With such a strong regulatory focus on patient health data on both sides of the Atlantic, you can’t afford to use clinical data-capture tools that aren’t actively helping you comply with these regulations. With ready-to-use QA templates, system modules, and guidance documents, you can rest easy knowing your clinical data-capture software is built to help ensure the privacy and security of sensitive patient data.

Published Aug. 17, 2023, on the Greenlight Guru blog.