Inside Cybersecurity


HHS advisers urge talks with EU to avoid regulatory clash under upcoming data rules

May 3, 2018

An advisory group to the Department of Health and Human Services is urging Secretary Alex Azar to meet with European counterparts to avoid adverse impacts on U.S.-based medical research from upcoming EU rules for data security and privacy, including protecting the personal information of patients and clinical trial subjects.

The HHS Secretary's Advisory Committee on Human Research and Protections warns the EU data regulations going into effect on May 25 could disrupt U.S.-based research, and says reaching a “workable” arrangement with European regulators “is of critical importance to the mission of the HHS.”

The advisory group -- which includes physicians, researchers and lawyers -- laid out its concerns in an April 11 letter to Azar with an attached set of recommendations approved by the group on March 14.

At issue is the EU's General Data Protection Regulation which goes into effect this month and affects the handling and processing of EU citizens' personal information anywhere, including the United States. The EU rules also set a 72-hour reporting requirement for data breaches and would impose stiff penalties of 20 million euros or more, among other measures.

An HHS official said, “We are reviewing the recommendations.” The Food and Drug Administration's press office did not respond to a request for comment.

“Harmony amongst national bodies of law would ease the regulatory burden on U.S.-based researchers and would facilitate the conduct of multi-national scientific and medical research, which benefits society at large, both in the U.S. and the EU member states,” the committee writes in its recommendations.

The GDPR replaces the EU's decades-old directive on data management by adopting a much broader view of the types of information covered by the regulations and the scope of activities addressed.

“The GDPR will apply extraterritorially in a broader range of circumstances than the Directive,” according to the advisory group. “Unlike the Directive, the GDPR applies to the processing of personal data by a controller or processor not established” in the European Economic Area.

As a result, the EU rule could force a major overhaul of U.S.-based research and conflict with FDA regulations for retaining information about clinical trial subjects.

“This means that the GDPR will apply directly to, and will directly regulate, much of the U.S.-based use and processing of personal data that have been collected in the EEA for clinical and other research purposes,” according to the group. The concerns raised by the advisory group “will soon confront U.S.-based researchers, institutions, research funders (such as the [the National Institutes of Health]), and industry sponsors of research, including private pharmaceutical, biotechnology and medical device companies, as they seek to use personal data collected at research sites based in the EEA and transferred to the U.S.”

HIPAA concerns

The group also warns HHS of the broad impacts of the EU GDPR not specifically addressed in its letter, such as compliance with the Health Insurance Portability and Accountability Act, which governs data security and privacy for the healthcare sector in the United States.

“While this letter focuses on a select jurisdictional issue and on the particular issues of consent that arise for the research community under the GDPR, it is worth noting that there are many additional ways in which the GDPR diverges from HIPAA, including extensive enforcement penalties that exceed those imposed for HIPAA violations,” the advisory group writes.

The group is pressing HHS to seek additional guidance from EU officials on how implementation and enforcement of GDPR will take into account U.S. requirements under HIPAA and by the FDA.

EU officials “should be encouraged to issue guidance clarifying that, if a data subject withdraws his or her consent to processing, another basis may be relied upon for storing and posting personal data to preserve the integrity of the research and to fulfill regulatory obligations,” according to the group's letter.

“These clarifications would align the GDPR more closely with requirements of HIPAA, the Common Rule and FDA, thereby promoting an EU privacy framework that is workable for multi-site, trans-national clinical research while respecting individuals’ privacy rights.”

The EU Article 29 Working Party, which is responsible for GDPR policy and implementation, issued guidance on consent for use of data on April 4. But the guidelines were issued without the revisions recommended by U.S. healthcare groups to address potential conflicts with HIPAA requirements.

“In contrast with HIPAA, the Working Party Draft Guidelines observe that, 'withdrawal of consent could undermine types [of] scientific research that require data that can be linked to individuals, however the GDPR is clear that consent can be withdrawn and controllers must act upon this [because] there is no exemption to this requirement for scientific research,'” according to the HHS advisory group in describing its recommended revisions to a draft version of the recently issued EU guidance.

“Such deletion, however, could seriously imperil the integrity of the research, thereby undermining the investment made by HHS in multi-site, trans-national studies with sites located in the EEA,” the advisory group asserts in its letter. “It could also imperil the ability of U.S.-based research institutions, industry sponsors and researchers to respond to requests from FDA and/or from cognizant [institutional review boards], as they would be hindered from using for their responses the personal data of the individual who has withdrawn consent.”

Yet the EU working group issued the guidelines without those revisions, which has prompted U.S. business leaders to express concern that neither European nor U.S. government officials appear to fully understand what is at stake.

“The U.S. has never adequately weighed in on the effect [of GDPR] on science,” which is a commercial product, said Mark Barnes, who co-chairs the HHS advisory group's subcommittee that developed the recommendations on the EU GDPR.

The U.S. industry's “comments have not been heard” by EU officials, Barnes said in an interview with Inside Cybersecurity.

Barnes detailed those concerns about the EU's lack of responsiveness in an article with several of his colleagues at the law firm Ropes & Gray published in Bloomberg Law's Life Sciences Law & Industry Report on April 30.

“The Final Guidelines contain many of the provisions that made the Draft Guidelines problematic to the research community,” Barnes wrote. He said the unrevised guidance means the regulated industry will remain confused as the EU rules take effect “about how the GDPR can be successfully implemented in a way that does not defy current, long-established research practices and does not undermine any long-established research practices or compliance with other concurrent EU and U.S. regulatory obligations.” -- Rick Weber (rweber@iwpnews.com)