Conducting Clinical Trials Part 5: Confidentiality Issues

Clinical trials have found their way into the spotlight of the coronavirus pandemic as multiple pharmaceutical and biotechnology companies race to develop and market vaccines and therapies. As breakthrough technologies are on the rise, so are the risks associated with vaccine and drug development. “Conducting Clinical Trials” is a podcast miniseries featuring Choate attorneys covering a number of topics related to clinical trials, including common mistakes companies make along the way and various strategic choices they face.

Clinical trial data can be among the most sensitive data held by a life sciences company. Despite contractual confidentiality provisions, there are many entities and organizations that would like to obtain access to information that would otherwise be confidential related to clinical trials. In the fifth and final episode of Choate’s Conducting Clinical Trials series, Julia Hesse and Danielle Pelot analyze confidentiality issues that can arise with clinical trial information and provide cautionary takeaways for when sponsors (life sciences companies) are planning and working with sites in structuring trials. 



Welcome to Choate’s Life Sciences Insights, a podcast series hosted by our Intellectual Property Litigation and Corporate attorneys covering trending topics at the intersection of science and law. 

Danielle Pelot:  Hi everyone, thanks for tuning in.  This episode is part of a series discussing various considerations when conducting clinical trials.  I am Danielle Pelot, a partner in Choate’s Government Enforcement and Compliance Group and joining me today is Julia Hesse, a partner in our Health Care Group.  Today we are going to talk about confidentiality issues that can arise with clinical trial information.  We’ll focus on an area of the law commonly referred to as FOIA, the abbreviation for the Federal Freedom of Information Act, and the term that is generally used to reference the federal law plus individual state laws that are similar in that they allow just about anyone to request public information.  It’s an area that might easily get overlooked in planning and conducting clinical trials but can have significant downstream impacts.  So Julia, before we dig into that specifically, you have a wealth of experience working with clients in the health care and life sciences space around structuring and conducting clinical trials so to get us started, set the stage a little bit around the types of sensitive information involving clinical trials and how you typically work with clients to protect that information from disclosure.

Julia Hesse:  Thanks Danielle.  For life sciences companies, clinical trial data can be among the most sensitive data held by the company.  In addition to the fact that it often includes or is tied to personal medical information of clinical trial subjects, it involves the company’s most sensitive trade secrets and likely its most valuable intellectual property, the pre-commercial medical device or drug inventions that are being tested for safety and efficacy in humans.  Almost all clinical trials involve some level of public and private partnerships.  Many clinical trials are funded in part by the federal government through the National Institute of Health or National Science Foundation grants.  For trials that are funded by a private industry, the research is often conducted at sites that are partially or wholly funded by state institutions like academic medical centers affiliated with large state universities.  The clinical trial agreements between sponsors -- meaning the life sciences companies -- and clinical trial sites -- the hospitals or academic medical center where research is being conducted -- include extensive confidentiality provisions intended to require the parties to maintain the data associated with the trial as confidential.  Despite those contractual confidentiality provisions, there are many entities and organizations that would like to obtain access to information that would otherwise be confidential related to clinical trials.  For example, competitors are keenly interested in knowing what research is being conducted by their competitors.  Litigants may seek information to support a lawsuit related to a particular product.  
Industry watchdog groups or other nonprofit patient support groups focused on advocating for patients with specific diseases or genetic anomalies seek information about what public universities or sponsor companies are doing in terms of research and how much they are spending on research to see if the prices faced by the ultimate consumers of the outputs of that research are justified.  The motives for seeking information vary but the type of information sought can range from information about scope, type and timeline of trials, number of participants or total budget.  And, of course, people seeking information would be interested in getting access to the underlying data if theoretically possible to do so.  Given the extent of contractual confidentiality obligations in the clinical trial agreements, it is unlikely that detailed information being sought will be publicly available.  And as we have already discussed, the clinical trial agreement would ordinarily include strict confidentiality provisions preventing disclosure of information about the trial absent a legal obligation to disclose the information.  This legal obligation could be a court order, but we’ve also seen a trend where individuals are using state or federal Freedom of Information Acts to seek otherwise confidential information about clinical trials. 

DP:  Thanks Julia.  And I think that’s a really important takeaway that you just mentioned -- just knowing that this tactic is out there to access information potentially that people assume is always going to be kept confidential.  Now many of you listening are familiar with FOIA but let’s give some quick background.  The Federal Freedom of Information Act is a federal law.  It gives the public the right to request federal agency records for information except to the extent that the records are protected from disclosure usually by any of nine specific exemptions contained in the law or any of the three special law enforcement record exclusions.  The entities subject to FOIA requests are generally limited to agencies within the executive branch of the federal government, independent regulatory agencies and some components within the executive office of the president.  Now in addition, most states have public record laws that permit the public to request any documents or information in the possession of a state public agency.  Each state sets its own rules but generally the public records acts of a state apply to all parts of a state, so all state government agencies.  So while the federal law is somewhat limited in terms of which federal government agencies must comply, the state rules are much more likely to cover all state government entities.  Now the state public records laws tend to be invoked almost as frequently as the federal FOIA law.  The wrinkle is that they are not all exactly the same.  So while people often think of FOIA or a public records request as just being about big federal government agencies, they may not be as aware of how this comes up in a health care and life sciences context.  So sponsors really should know when selecting clinical trial sites that if they are picking, for example, a large research institution affiliated with a state university, their clinical trial data could be subject to a state law public information request.  
One of the main complicating factors here for sponsors is that the sponsor does not receive the request directly.  The requestor can send a letter to the public entity that is covered by the law and that public entity then has the obligation to respond.  So as a first matter, the sponsor may have to deal with the challenge of not even knowing of the request.  Now ideally you can imagine you hope that the public entity both quickly notifies the sponsor about the request and then engages with the sponsor to navigate this in a way that both follows the law and protects everyone’s interest.

JH:  So on that point Danielle, in my practice I see clients and sponsors have a range of experiences in dealing with their research sites in terms of the level of resources and awareness that the sites may have about handling data and also the confidentiality issues that might come up in the context of a public records request.  I would imagine that similarly some federal or state institutions are very familiar with the public records request process generally, know their particular state laws well. 

DP:  Yes, we have seen that at some large state universities.  For example, they may have someone designated who knows this area of the law really well, knows the process and routinely handles these types of requests even across the whole university.  So that person can help or that office can help with handling the intake of a standard request letter, they may have template responses prepared that the sponsor can access and review, they may know the state of the current case law very well and what disputes tend to arise, how to interpret the rules of what may be disclosed, what exemptions are available and they can really help facilitate the timeline and the process for everyone involved.  So if you are lucky, you may be working with one of those types of institutions.

JH:  Right, but on the other hand if you are not lucky Danielle, even very sophisticated university systems can be less resourced or substantially less experienced in this area or simply not focused on the issue of providing responses to FOIA requests.  So even though it is the public entity that is obligated as the recipient of the request to respond to it, the responder cannot necessarily rely on the recipient of the request to protect the sponsor’s separate interests.  Danielle, you’ve mentioned an initial challenge presented by these issues even knowing whether a request has been received implicating the company’s documents or information held by the public entity and making sure that the sponsor has a say in the review.  What are some of the other potential risks you’ve seen for sponsors?

DP:  Well in that same vein you can probably tell that the process here is really important.  So, if the sponsor company’s documents are included in the recipient’s collection and they are subject to the requests, then the sponsor does have a right to object to the recipient producing those documents and can request that they be withheld on established grounds.  So the sponsor really needs to be able to (1) know what specific documents are in the recipient’s collection and (2) have an opportunity to review that content for sensitive information that could be protected.  Another complicating factor is that under FOIA, there is no central office in the U.S. government that processes all FOIA requests for all federal agencies that are covered.  Each agency responds to the request for its own records and each agency should actually have its own FOIA reference guide.  So, third parties should definitely consult the relevant agency rules and guides for detailed information and they are typically available on the internet.  There are some general rules for agencies to follow.  Typically under the federal law when it receives a proper federal FOIA request, the agency has to determine within 20 days whether to comply with that request.  So really a tight timeline for reaching out to third parties if they are going to do that and decide whether or not an initial response might say we actually need to extend this time limit.  Now to turn to the state side, the procedures under state laws again are going to vary very significantly.  Some states may have a centralized process for a sponsor company to object to a public records request that they have learned of usually through the Attorney General’s office of that state but in other states there is no such process and again you are going to be looking at going agency by agency or institution to look at their own set procedures for providing notice and an opportunity to object to the extent that they even chose to do that.  
So again each state or state agency should have published its own public records guide but if there isn’t anything available that explains their process, a sponsor may really have to communicate directly with the state agency or the recipient of the request even to work out a procedure for raising any objections to the disclosures.  So, the takeaway here is that depending on the circumstances you may have relatively short timelines to identify documents, go back and forth with the agency and the recipient, formulate objections and really formulate an appropriate response.  You want to give an idea of some of the substantive objections and exemptions that exist.  Generally speaking, common objections include that the information is just simply confidential under existing law.  It could be protected health information, a trade secret, proprietary business information where a sponsor would be put at a competitive disadvantage if others gained access to that work.  Now sometimes these exemptions won’t actually be directly enumerated in the state’s public records law but they could fall under sort of a catchall provision that sometimes comes up in these laws and that basically says that well you can turn to or rely on other existing state or federal law for protection -- things like state or federal regulations or maybe the rules of evidence.  Now interestingly, some states will not explicitly exempt even those things that are commonly protected in the laws such as trade secrets but on the other hand, depending on local environment, they may actually have very specific niche exemptions for something like commercial fishing catch log data.  So as a policy matter, you can see states have taken the position sometimes that they will lean towards liberal disclosure and other states may have really specific and robust grounds to protect based on local environment and industry.

JH:  Yes and interestingly and notably in this issue is it’s rare to see an exemption that is specific to research data.  So a sponsor should not presume that a state public records or state FOIA law includes an exception for research data.  While many state FOIA laws do include an exception for medical information, these exceptions are often further limited to medical information that is individually identifiable.  Most clinical trial data though is coded or even fully de-identified and as a result may not fit neatly into the exception for medical records and therefore it may be subject to disclosure.  The risk I see in the clinical trial context in particular where it is unlikely there is a specific exemption for research data under state law is that if a legitimate and properly crafted request or multiple requests are submitted, it can throw a wrench into the conduct of the research.  Specifically, if a research site that is subject to state FOIA laws were required to disclose clinical trial data, it could run the risk of breaking the line or delegitimizing the research being conducted.  It obviously would damage the relationship between the sponsor and the study site that received the request especially if the study site did not vigorously fight the FOIA request.  Successful FOIA requests will also have a chilling effect on the conduct of research at public institutions. 

DP:  And again, with all these risks at stake, it is important to remember that the federal agency may not have to be involved -- it may -- but it may not have to be and there may not be anyone at the state level in the Attorney General’s office who can be an arbiter either.  So the sponsor needs to expect that they can really end up driving the bus and working with the site director and the site directly and even with the requester to try and navigate all of these factors.

JH:  Exactly, so as a practical matter, sponsors need to be prepared for the fact that depending on where the request comes from and the fact that sometimes you have watchdog groups that issue the same request letter in multiple jurisdictions or may even be selective about which jurisdictions they request in because the watchdog groups already know the ins and outs of which states allow more disclosure than others, it can be common for there to be a bit of uncertainty for a sponsor in a public entity about how this will all be managed and a level of complexity to managing it when the request comes in.  With each request in each state in each entity, it’s not always crystal clear who’s responsible for evaluating and responding to the request, meaning is it the sponsor or is it the institution.  It’s also often not clear who’s willing to do what to manage the response to the requestor.  Who’s actually going to review the materials to see if they are confidential?  Who’s going to decide if it’s responsive to what was actually requested?  Who’s going to produce the materials that are responsive and ensure that any redactions are properly made?  Will all parties get copies?  Who’s going to push back and/or take on litigation if the requesting party is aggressive or if the request is in some way improper or overburdensome?  And finally, what if the research sponsor and the recipient public institution disagree about these questions?  How can the sponsor convince the public institution to align their respective positions on what information is protected given that their incentives are quite different?  The information that needs to be protected is held by the public institution and the public institution is required by law to produce responsive material and may be interested in simply checking the box that the response obligation has been satisfied and the institution may be less concerned with protecting the sponsor’s otherwise confidential information.

DP:  So Julia, in thinking about all of these wrinkles in confidentiality, what have you found are some of the tips and tricks to think about when sponsors are planning and working with sites in structuring trials. 

JH:  So Danielle, the takeaway as I see from our conversation are really, be prepared and think ahead about this issue because it is foreseeable that this could occur.  When you are picking a site, ask questions about do you want to be working with the public institution?  Is the data sensitive enough to warrant restricting the institutions that you are working with?  How strong are the protections from disclosure in the relevant state under state law?  Does the sponsor want to do some research in advance and/or know the public records laws in various jurisdictions that are important to your business and have strategies for handling those that have little or no protection in a permissible disclosure approach?  Do they have a process?  Do they have resources?  How has the institution addressed these in the past?  And finally, in drafting clinical trial agreements, look really carefully about how you define confidentiality in the contract.  It’s really important to define the scope with specificity about what is confidential.  For example, does it include the existence of the study?  What about the budget?  The numbers and types of participants?  What are the research sponsor’s expectations about what the public entity or site will do if a request is received and are you communicating those expectations clearly?  Review the notice provisions in the agreement to ensure that there is something specific to require notification of third-party information requests.  Ensure that there is a provision requiring the site to cooperate with the sponsor in the response, even giving the sponsor the ability to direct the response as the sponsor’s data are being held by the site.  There can be many many moving parts obviously, particularly when the relationship with the institution is governed by the contract and the exemptions for research information under the applicable public records law may be arguable at best.  
Research sponsors therefore think about how the institution could meet its obligations under relevant public records laws while at the same time avoiding any dispute with the company over disclosure of confidential research information before the parties finalize the clinical trial agreement.

DP:  Thank you so much Julia.  I think I would just add having a general sense of how important confidentiality may be to the sponsor given the nature of the project, if it really is “bet-the-company” important to keep everything you possibly can confidential on a particular project, just recognize that down the line you could be investing significant litigation costs to try and fix that on the backend and typically it can be avoided upfront with some simple less costly steps and just general awareness.  Thanks so much for chatting today Julia.  It’s been fun.  I hope we’ve given everyone an introduction to how sponsors can think ahead about confidentiality challenges in the form of public information requests, and if listeners have questions about this space and want to learn more, they can of course visit our website and reach out to us here at Choate. 

For more information, please visit  You can also listen to additional podcast episodes in the newsroom of our website and subscribe to them wherever you listen to podcasts including iTunes, Google podcasts and Spotify.

The information presented in this recording is for educational purposes only.  It does not constitute legal advice for specific situations.  If you wish to obtain legal advice, you should retain an attorney and explain the facts of your particular situation.