As clinical trials move off-site, legal teams prepare for new challenges

The Covid-19 pandemic forever changed how the life sciences industry operates. Seemingly overnight, doctors, nurses, and researchers had to transition their practices from in-person appointments to virtual engagements, a hybrid model, or even temporarily shut down.

The pandemic also disrupted clinical research around the globe with some studies suspended and others halting patient recruitment as lockdowns became more common. Suddenly, the implementation and adoption of the decentralized clinical trial (DCT) model became paramount to not only rescue trials already in flight but to conduct trials at all. As important, research for the COVID-19 treatments and vaccine started leveraging decentralized trial methods with great success.

It has been a seismic shift to DCTs or a hybrid version of DCTs, and while they offer tremendous benefits for participants, study sponsors, and science, they also introduce a new layer of complexity that merits greater legal and privacy consideration.

The Changing Nature of Clinical Trials
The traditional randomized clinical trial (RCT) model originated in the 1700s. Over the last century, computers and the internet revolutionized the industry, accelerating advancements and reducing turnaround time for new drugs and devices. Most recently, wearables, mobile technology, and real-world data (RWD) transformed and drove this revolution even further.

Although clinical trials provide the evidence that a drug or device is safe and effective for patients, they have long-excluded certain demographics, whether because of intentional or unintentional bias, policy, or logistics. Decentralized trials enable the collection of more robust, diverse data on a potential drug by affording new possibilities for people located in rural areas, for people who couldn’t get childcare to go to the site, or different parts of the world to have access to clinical trials for the first time. By facilitating convenience and encouraging inclusion, DCTs are also motivating more patients to continue with trials for the duration to reap the benefits of ongoing, high-quality care while also improving trial data quality.

Decentralized Trials Pose New Legal Questions
DCTs reduce patient burden by allowing participants to handle all or some of the documentation, measurements, and routine clinician visits at home. By coupling these objective measurements with the subjective electronic patient-reported outcomes (ePROs), the research team benefits with richer, real time information captured in a patient’s natural environment as well as higher participant retention, which saves time and money. Ultimately, this method can yield more complete, higher-quality datasets for a better understanding of how the trial is working throughout the trial (rather than at the end).

However, the convenience of taking measurements at home adds complexity to the process. How will measurements be taken – for instance, what type of device, and can that same device be delivered to all patients? How will patients be trained to use the device? How will they be recorded outside of a clinical setting? How will that data be verified? These questions and more create data-related holes that need to be plugged before a hybrid or decentralized trial starts.

Managing Roles and Responsibilities for Data Capture
In analyzing any proposed decentralized trial structure, the first step is to clearly understand how the data will be processed at every stage, from cradle to grave. Creating a data map of the data flows and understanding the data processing inputs and outputs, provides a picture of the contemplated data processing activities, how the data will be stored, used and/or transferred, the jurisdictions in which the research is taking place, any proposed data transfers, and the identification of the controllers, processors, and if any, joint controllers.

Creating a data map involves several steps and may look quite complicated but is an important tool to help effectively manage data. By mapping all data flows, a picture will emerge of the controller activities, the processor activities, the sub-processors involved and the applicability of regulatory considerations of the jurisdictions in which the research is taking place. This will allow the team to review and confirm that all the necessary data protection and data transfer agreements are in place between and amongst each of the respective entities involved in processing the data.

Devices also need to be addressed, particularly whether deploying consumer-grade, such as a smart watch, or medical-grade device, such as a pulse oximeter that requires a prescription. For example, in one data mapping exercise, Medable discovered that one of the consumer-grade wearables only worked with the company’s software application. In the privacy statement for the app, the manufacturer stated that it was the Controller of that data, which helped inform development of legal contracts.

In another data mapping exercise, information from a medical-grade device was to be uploaded to the manufacturer’s server for use in an algorithm that made the output human-readable. In this unique case, more information was needed about the location of those servers. Once determined, this information helped to align all parties and ensured drafting of the proper data agreements, clearly outlining what data is collected and how it will be used by each party.

Often, DCTs may require several different agreements to accurately reflect all parties’ roles and responsibilities. Typically, the study sponsor acts as the data controller, maintains rights over the data, and provides the data processors with specifications on what data should be captured, for what purposes, and how long that data will be kept. Conversely, the data processor acts on behalf of the data controller to handle the data according to their instructions. If permitted by the data controller, the data processor may utilize “sub-processors” to handle some activities, provided all required privacy and security controls flow down to those sub-processors.

Understanding Local Data Regulations
Now that trials can happen nearly anywhere, privacy teams and lawyers need to understand how data is collected, stored, managed, disseminated, and ultimately, archived or deleted. Data mapping provides a clear picture to depict the network of data flows between devices, trial locations, servers, and patient location. The next layer of complexity is accounting for geographic regulatory differences. Before the data map is completed, DCT teams must investigate the processing requirements of each region by cross-checking each jurisdiction’s regulations.

In the EU, for example, the General Data Protection Regulation (GDPR), a comprehensive set of privacy and security requirements, governs the processing of personal data. The U.S., instead, takes a sectoral-based approach to privacy, such as with the Health Insurance Portability and Accountability Act (HIPAA), for personal health information. These disparate systems can be tricky for research teams to navigate when conducting global clinical trials.

Identifying the different jurisdictions in the data map highlights what regional nuances must be further researched, whether it be data localization, residency, notices, or more. Failure to adhere to a country’s data protection laws can result in needless risk to the individual, reputational damage to the organizations running the trial, significant fines, sanctions on data processing activities, or worse.

Ultimately, the clinical trial involves real humans who care about their health and medical information. By understanding the data being collected, specifically, the inputs and outputs of data, geographic jurisdiction, the technology employed to capture this data, and how this information will be used in the trial, allows DCT sponsors to better inform all patient participants. These patients benefit from having full possession of the facts to make an informed decision about one’s data – and this is just one more way to make clinical research more patient-centric.

Successful Decentralized Trials in an Evolving Industry
The key to success is to be proactive and collaborative. As patients begin to understand how their data is collected, used, and disclosed, it also needs to be protected. It’s vital that researchers, engineers, and device makers have a collaborative relationship with lawyers and privacy specialists on staff and to maintain free and open lines of communications.

DCTs demand a highly collaborative team to ensure seamless data management. While the clinicians and clinical research associates do their important work of caring for the patient, the data processors play a key role in the trial. To keep the process streamlined, each trial should have a privacy committee made up of a team of experts including legal, privacy, security, IT, and vendor management who understand the data law and regional regulatory nuances as well as the technological aspects of data collection. This team should meet regularly.

Technology has opened the door to conduct patient-centric decentralized clinical trials from anywhere in the world. And, as much hope and excitement as these innovations offer, details about data protection and management must be top-of-mind at every step of the process. A solid foundation of understanding data flows coupled with a team of experts in regular communication will ensure organizations successfully navigate the legal challenges that can come with decentralized clinical trials.

Photo: Warchi, Getty Images

Related posts

Leave a Comment