Importance of Regulatory Compliance in the Health Care Industry
Regulatory compliance programs ensure that companies adhere to the laws, guidelines, regulations and specifications relevant to their business processes. Regulatory health compliance includes legal, ethical and professional standards that health care organizations and providers, including clinical research organizations (CROs), must follow in order to assure the safety and privacy of patients.
The need for regulatory compliance in clinical research is clear. Specifically, clinical trials are subject to complex regulatory requirements to ensure that new drugs are safe and effective before they are made available to patients, while also ensuring patients’ protected health information (PHI) is secure.
In addition to the serious potential consequences for patients who could be exposed to unsafe or ineffective drugs, non-compliance could also lead to legal liability for the sponsors of the trials. This could include fines, imprisonment, reputation damage or revenue losses, and potentially the loss of the ability to conduct more trials in the future.
Key components of regulatory compliance
There are several key elements that must be in place to ensure regulatory compliance in clinical trials. These include:
- Clear and concise protocol that outlines the objectives, design and conduct of the trial
- Well-trained and qualified research team
- Thorough informed consent procedures
- Robust data management system
- Comprehensive risk management plan
Protocols
The protocol is the blueprint for the clinical trial. It must be clear, concise and comprehensive. It should include information on the following:
- Background information
- Objectives of the trial
- Design of the trial
- Participant inclusion and exclusion criteria
- Interventions being studied
- Outcome measures
- Data collection procedures for patient and laboratory data
- Safety monitoring plan
Research team
The research team is responsible for conducting the clinical trial in accordance with the protocol, and for monitoring to ensure compliance with regulatory requirements. Team members must be appropriately educated, well trained, and possess the necessary knowledge and skills to collect data, manage risks and ensure the safety of participants.
Informed consent
Before participating in a clinical trial, researchers and volunteers discuss all aspects of the proposed research in a series of conversations known as informed consent. Overseen by independent ethics boards, informed consent is an educational process that ensures all aspects of a trial, including its risks as well as possible benefits, are understood by potential participants. Only after volunteers have demonstrated their understanding of the trial’s procedures, requirements and possible impacts are they allowed to consent to participate.
Data management
Reviewing, managing and analyzing the data collected in a clinical trial is key to ensuring both patient safety and proper trial conduct. This work spans the design and build of the patient database, edit checks, entry and cleaning of data and final delivery of clinical trial data.
The PPD clinical data management group offers global solutions with flexible models including full-service, select services, hybrid brick-and-mortar/mega-site services or functional service provider (FSP) partnerships spanning all time zones, allowing for 24-hour coverage.
Learn how our Preclarus® Patient Data Dashboard is revolutionizing the drug development process.
Risk management
In clinical trials, risk management refers to the process of identifying, assessing, monitoring and mitigating risks that could affect the quality or safety of a study. The International Council for Harmonisation (ICH) emphasizes the need for a robust risk management process by clinical trial sponsors and CROs. To design a reliable risk management plan, it is best to involve the whole study team that includes departments such as clinical operations, data collection, data management, project management, regulatory affairs, quality affairs, pharmacovigilance and patient safety, medical affairs and biostatistics.
Some of the critical processes for a risk-based approach include:
- Reporting adverse events to regulatory authorities in a timely manner
- Using technology to drive risk management processes
- Identifying and evaluating risks that affect data quality, patient safety and achievement of the study goals (also known as risk-based quality management)
- Prioritizing the risks based on the likelihood of their occurrence, the impact and the ability to detect the risk on time
Further, to control risks, sponsors and CROs need to be able to:
- Assess risk indicators appropriately
- Fix thresholds when corrective/mitigation measures need to be initiated during the study
- Assign responsibilities for risk management
Key regulatory requirements in health care compliance
Several key regulations affect the conduct of clinical trials
United States
In the U.S., the Health Insurance Portability and Accountability Act (HIPAA) was created to safeguard the data and interests of people covered through health insurance and governs the storage and privacy of their personal medical information. The act does not apply to medical or clinical research outside the need for patient consent for the use of their existing medical data in the context of a study.
This act granted the U.S. Department of Health and Human Services (HHS) oversight authority to enforce compliance. HIPAA violations can result in a company either paying a fine or agreeing to a settlement.
The HHS offers HIPAA guidance materials outlining the regulations and suggested safeguards to help covered entities implement HIPAA.
In clinical trials, HIPAA covers the authorization of the use of patient data held in a patient’s medical files. Researchers need both written authorization and an informed consent form from patients before commencing the trial. These forms ensure that each patient understands how their personal information will be used.
Recently, several U.S. states have passed comprehensive data privacy laws that are essentially aimed at consumers and medical research is exempted.
The U.S. Food and Drug Administration (FDA) also provides regulatory guidance. For example, the 1938 Food, Drug, and Cosmetic Act (FDCA) tightened controls over drugs and food, included new consumer protection against unlawful cosmetics and medical devices, and enhanced the government’s ability to enforce the law. Today, the FDA enforces the Act through administrative mechanisms, such as pre-market reviews of certain products, examinations and investigations, and dissemination of information to the public.
In 2007, President George W. Bush signed the Food and Drug Administration Amendments Act (FDAAA). Under this act, the FDA requires pharmaceutical companies to conduct post-marketing studies or clinical trials of human drugs, as well as develop Risk Evaluation and Mitigation Strategies (REMS) that help ensure the risk of using a drug does not outweigh its potential benefit.
European Union
In the European Union, the General Data Protection Regulation (GDPR) includes regulations that apply to entities collecting data from EU residents regardless of the location of the organization. Introduced in 2018, the GDPR supersedes previous national data protection rules across the EU, bringing uniformity by introducing just one main data protection law for organizations to comply with.
Since the GDPR is the most comprehensive regulation internationally, others have used it as a guide for their own data protection laws.
Punishment for noncompliance with the GDPR is a tiered system of fines. Severe or flagrant violations can lead to fines of up to 4% of the company’s global annual revenue or €20 million.
The EU Clinical Trial Regulation (CTR) [(EU) No_536/2014)] was implemented in January 2022 and aims to simplify and harmonize procedures for the authorization, assessment and supervision of clinical trials among EU Member States. The CTR allows sponsors to make one clinical trial application for all EU member states selected to participate in a given trial, via a centralized portal, the Clinical Trial Information System.
Compliance in health care operations
Impact of compliance regulations on health care operations: SOPs and GCP
Standard Operating Procedures (SOPs) are put in place to ensure that health care employees completing applicable tasks are doing them uniformly and according to set standards and guidelines, to support research and data integrity, and most importantly, to ensure patient safety.
Good Clinical Practice (GCP) is an international ethical and scientific quality standard for designing, conducting, recording and reporting trials that involve the participation of human subjects. The International Council for Harmonisation Good Clinical Practice (GCP) guidelines set the global framework for the ethical and scientific conduct of clinical trials.
Quality control and documentation
The current version ICH GCP (R2) defines quality control as “the operational techniques and activities undertaken within the [clinical trial] quality assurance system to verify that the requirements for quality of the trial-related activities have been fulfilled.” Further, in clinical research, a quality control process assures internal consistency by conducting periodic operational checks at every stage of the trial and by monitoring data handling to verify the compliance of the trial process and reliability of the data.
ICH GCP also requires essential documentation of each study to be maintained. “Essential documents” individually and collectively permit evaluation of the conduct of a trial and the quality of the data produced. They serve to demonstrate the compliance of the investigator, sponsor and monitor with the standards of GCP and with all applicable regulatory requirements.
Ensuring data compliance
Protecting patient information and data privacy
Data compliance plays a crucial role in the conduct of clinical trials.
HIPAA
In the U.S., HIPAA was passed and enacted in 1996 with the purpose of setting strict standards for how PHI must be protected. For health data to be considered PHI and to be regulated by HIPAA, it must be 1) personally identifiable to the patient and 2) used or disclosed to a covered entity during the course of care. Examples include personal identifiers, medical history and payment information.
HIPAA creates a safe harbor, outlining 18 different information identifiers within PHI that can be removed to bring it outside the scope of HIPAA as “de-identified data.” They are:
- Name
- Address (anything smaller than a state)
- Dates related to individuals, such as birthdate, admission date, etc.
- Phone number
- Fax number
- Email address
- Social Security number
- Medical record number
- Health plan beneficiary number
- Account number
- Certificate or license number
- Vehicle identifiers, such as license plate numbers and serial numbers
- Device identifiers
- Web URL
- Internet Protocol (IP) addresses
- Biometric IDs such as fingerprints or voiceprints
- Full-face photographs and other photos of identifying characteristics
- Any other unique qualifying characteristic
GDPR
In the European Union, the GDPR is the main data protection law, following these seven principles for handling data:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitations
- Integrity and confidentiality
- Accountability
Some of the key privacy and data protection requirements of the GDPR include:
- Typically requiring the consent of subjects for the processing of their data
- Anonymizing collected data to protect privacy, where possible
- Providing data breach notifications to individuals and regulators
- Making provision for the protection of data when it is transferred outside the EU
- Requiring certain companies to appoint a data protection officer to oversee GDPR compliance.
Measures and best practices for data compliance
The unauthorized release of PHI is a serious violation of HIPAA, which is why it is important for covered entities to take steps to secure sensitive patient data. This includes keeping the data confidential and ensuring that only authorized individuals can access it. Covered entities must have security measures in place to protect PHI, such as encryption, physical security and access control systems. Best practices include:
- Employ a defense-in-depth approach
- Leverage technology and automate compliance activities where possible
- Secure PHI without getting in the way of users, storing data in a password-protected and encrypted database
- Use multi-factor authentication to access PHI
- Use encryption for all data in motion and at rest
- Only collect the minimum amount of PHI necessary for business purposes and never share PHI without explicit consent from the individual involved
- Define role-based permissions for internal and external (third party) users
- Apply granular policy controls to protect data privacy
- Apply content risk policies consistently across all communication channels
Data breaches are rising
These measures are necessary because the health care industry is highly subject to cybersecurity attacks. The rate of health care data breaches doubled between 2018 and 2021.
Challenges and strategies for compliance
Common challenges in achieving and maintaining regulatory compliance
Regulatory compliance can be a challenge for clinical trials. Much of this is due to the complexity of the regulatory requirements, which can vary from country to country, province to province or state to state, and can change frequently. Many clinical trials are conducted in multiple countries to improve the generalizability of the results. The study sponsor must ensure that the trial is conducted in accordance with the regulations of all the localities involved.
Because health care organizations that collect, store and manage patient information are a target for cybersecurity threats, it is important to implement updated security systems and infrastructure across all levels.
A tiered approach is recommended in managing cybersecurity so that the appropriate security measures are implemented based on the gravity and size of the threat. It is also best to conduct regular cybersecurity training for personnel tasked with ensuring that patient data are safe.
In 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted in the U.S. as part of the American Recovery and Reinvestment Act. The main goal of HITECH was to stimulate the adoption of health information technology and exchange to improve health care quality and efficiency. One way that it does so is by establishing requirements for the privacy and security of electronic health records. These requirements are designed to protect patients’ PHI from unauthorized access, use or disclosure.
Fostering a culture of compliance
In the health care field, regulatory compliance is everyone’s responsibility. Health care providers working in collaboration with various stakeholders, from regulators to payers to patients, can enable better outcomes and more efficient processes through robust compliance programs.
To foster a culture of compliance in clinical trials, sponsors and CROs should:
- Stay on top of changes in the global regulatory landscape.
- Develop and maintain a compliance code of conduct to create a culture of compliance in the workplace, including:
- The purpose and scope of the compliance policy. What regulations are covered?
- Who must follow the regulations. Are there any exceptions or limitations to the compliance policy?
- List of specific regulations that must be followed and the steps and procedures to maintain compliance.
- Communication protocols in the event of a violation, including authorities to notify.
- Procedures for monitoring and scheduling periodic reviews of compliance efforts.
- Document the compliance processes. This should be done with a clear delineation of the roles and responsibilities of staff involved in compliance management. Such documentation is crucial during regulatory compliance audits, which may be initiated internally or by an external third party.
- Periodically review the regulatory compliance policy to correct weaknesses in the policy and to ensure that compliance is up to date with the latest changes in the regulatory environment.
- Have a process in place to respond to complaints, violations or information breaches and necessary disciplinary actions for employees who violate expectations for conduct.
- Train employees in regulatory compliance by conducting workshops and training sessions and periodically assessing their knowledge of compliance requirements. Make sure employees know how to spot phishing attempts and other cybersecurity threats through rigorous and ongoing security awareness training.
FAQs
What is regulatory compliance in health care and why is it important?
Regulatory health compliance is ensured through a set of legal, ethical and professional standards that health care organizations and providers must follow in order to assure the safety and privacy of patients. Being compliant means your organization is actively striving to meet all regulations, reflecting an effort to ensure the best outcomes for patients. It also minimizes exposure to lawsuits and financial liabilities.
How is pharmacovigilance different from compliance?
Pharmacovigilance is defined as the science and activities related to the detection, assessment, understanding and prevention of adverse effects or any other medicine/vaccine-related problem. It is the systematic gathering of information regarding the overall risk-benefit profile of a drug, biologic, vaccine or medical device, and is a specific legal requirement of regulatory authorities in most countries globally.
What are some examples of regulation?
In the U.S., the Food, Drug, and Cosmetic Act (FDCA) provides consumer protection through administrative mechanisms, such as pre-market reviews of certain products, examinations and investigations, and dissemination of information to the public.
In addition, the Health Insurance Portability and Accountability Act (HIPAA) safeguards the data and interests of people covered through health insurance, and governs the storage and privacy of their personal medical information.
In the European Union, the EU Clinical Trial Regulation (CTR) allows sponsors to make one clinical trial application for all EU member states selected to participate in a given trial, via a centralized portal, the Clinical Trial Information System. The General Data Protection Regulation (GDPR) also includes regulations that apply to entities collecting data from EU citizens regardless of the location of the organization.
What is HIPAA compliance and why is it important to health care security?
All businesses that deal with protected health information (PHI), including clinical trial sponsors and CROs, must follow HIPAA, which was passed and enacted in 1996 with the purpose of setting strict standards for how PHI must be protected. These measures are necessary because the health care industry is highly subject to cybersecurity attacks. HIPAA compliance details different information identifiers for PHI that can be used to identify, contact, or locate the person.
What are the key regulatory agencies for health care worldwide?
The key regulatory agencies that oversee clinical trials vary from country to country. Some examples include:
- U.S. Food and Drug Administration (FDA)
- European Medicines Agency (EMA)
- Japanese Ministry of Health, Labour and Welfare (MHLW)
- World Health Organization (WHO)
- U.K. Medicines and Healthcare products Regulatory Agency (MHRA)
- China’s National Medical Products Administration (NMPA)
These agencies and others are responsible for ensuring that clinical trials are conducted in accordance with their respective regulations.
Regulatory support across the product life cycle
If you are planning to conduct a clinical trial, the PPD clinical research business of Thermo Fisher Scientific can support your compliance with all relevant regulations across the product life cycle. This will help you protect the safety of participants, ensure that the trial is conducted in an ethical and appropriate manner, and ultimately support the goal of achieving regulatory approval and market access.
Our global Regulatory Affairs team of nearly 400 professionals define, drive and lead global strategy around compliance. Their areas of expertise include:
