Guest Column | May 15, 2026

Contracting For AI In Clinical Trials: Data Rights And Regulatory Compliance (Part 2)

By Katherine Leibowitz, Leibowitz Law


This second installment of a three-part series on AI in clinical trial operations focuses on the contract provisions that address the resulting risks, particularly intellectual property, data rights, and regulatory compliance. Each section lists key contract clauses to review. Even where not listed separately, indemnification and limitation of liability should be considered throughout. For a primer on AI in clinical trial operations and the questions organizations should be asking, start with Part 1.

Many agreements now include AI-specific provisions.  There is no standard form, and their content varies depending on how AI is used and the risks involved.  The issues below span multiple contract provisions and should be considered in that context.

For purposes of this series, “data” refers broadly to data, documents, communications, and other information relating to the clinical trial, including outputs generated by AI systems using such information.

Intellectual Property And Data Ownership

Contract Clauses: Intellectual Property, Data License, Representations and Warranties, and Audit

Organizations should assess who owns:

  • data inputs
  • AI-generated outputs
  • data used to train the AI
  • the trained model or AI tool itself.

It is also important to determine whether the contracting party owns the technology it uses or relies on third-party vendors that embed AI functionality.

Depending on the role of the AI and level of risk involved, it may be appropriate to obtain contractual assurances regarding ownership and licensing rights.

Data Rights And Secondary Use

Contract Clauses: Data License, Intellectual Property, AI, Confidentiality, EHR, HIPAA, Audit, Documentation, Termination Obligations, Storage and Retention, and Indemnification

One of the most consequential issues in AI contracting is how data may be used after it enters an AI system, particularly whether that data can be used to train or improve the AI tool.  The following issues are central to understanding and addressing data rights. They are often introduced at a high level in an AI clause but must be implemented through the data license and related provisions to be effective.

Data Mapping

Each party must identify and map the data that the AI tool accesses, processes, or generates, and track how and for what purpose that data is used.  AI may touch far more than clinical data sets.  Examples include:

  • protocols and informed consent documents
  • trial systems, such as EDC, CTMS, eTMF, and EHR platforms
  • operational records and communications
  • transcripts from ambient listening tools
  • analyses of trial data or operational workflows.

Personnel may inadvertently disclose data by entering trial-related materials into AI tools that retain or transmit that information externally.

AI data mapping should be treated as an ongoing exercise, not a one-time diligence task.
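The ongoing mapping exercise described above can be sketched as a simple data-flow inventory. This is a hypothetical illustration, not a prescribed format; the field names and example entries are assumptions chosen for clarity.

```python
from dataclasses import dataclass

@dataclass
class AIDataFlow:
    source: str            # system or document the AI tool touches (e.g., eTMF, EHR)
    data_category: str     # e.g., "PHI", "operational", "proprietary"
    purpose: str           # contracted service vs. secondary use
    retained_by_vendor: bool  # whether the vendor keeps inputs or outputs

# Hypothetical inventory entries for a single trial.
inventory = [
    AIDataFlow("eTMF", "proprietary", "document summarization", False),
    AIDataFlow("ambient listening tool", "PHI", "visit transcription", True),
]

# Flag flows that warrant contract scrutiny: vendor retention of sensitive data.
flagged = [f for f in inventory if f.retained_by_vendor and f.data_category == "PHI"]
```

Keeping an inventory like this current, as tools and vendors change, is what turns data mapping from a one-time diligence task into an ongoing control.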

Scope Of Data Use

Contracts should clearly define the purposes for which the contracting party or its vendors may touch data, keeping in mind that data includes AI-generated outputs.

Key questions include:

  • Is use of data limited to performing the contracted services?
  • May data be used for internal analytics, product development, or other non-service purposes?
  • May data be used to train, refine, or improve the contracting party’s or vendor’s AI systems beyond the services being provided?
  • Are heightened protections applied to sensitive data?
  • What internal controls govern AI access to and use of data?
  • How does the contracting party control or restrict use of everyday AI tools?
  • Is the use consistent with the parties’ confidentiality obligations?

Where AI training or improvement is permitted, contracts should also clarify who benefits and how broadly data may be used for those purposes.

For example, training or improvement may be subject to:

  • Siloed use:  Restricted to the services provided (i.e., “siloed” for the contracting party)
  • Vendor-, site-, or sponsor-wide use: Used to improve the vendor’s platform for its customers or to support other trials conducted by the institution or sponsor
  • Broader AI use: Used to improve the vendor’s broader AI products

De-Identified Data

To avoid siloing obligations, some vendors seek to use de-identified data for secondary purposes, such as model training, refinement, or analytics.  However, the meaning of de-identification can vary. For example, the HIPAA Safe Harbor method of de-identification requires removal of patient identifiers but not of sponsor names, study products, protocols, or other proprietary information. As a result, de-identified data may still create competitive or intellectual property risks. Contracts should define what “de-identified” means, address removal of proprietary and trial-specific information, and clearly limit permitted downstream use.
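The gap described above can be made concrete with a minimal sketch. The field names and record below are hypothetical, and the identifier list is only a small subset of the HIPAA Safe Harbor categories; the point is simply that scrubbing patient identifiers does not touch proprietary trial information.

```python
# A subset of HIPAA Safe Harbor identifier categories, mapped to
# hypothetical record fields (illustrative only).
PATIENT_IDENTIFIER_FIELDS = {
    "patient_name", "date_of_birth", "medical_record_number",
    "address", "phone", "email",
}

def safe_harbor_scrub(record: dict) -> dict:
    """Drop patient-identifier fields; all other fields pass through."""
    return {k: v for k, v in record.items() if k not in PATIENT_IDENTIFIER_FIELDS}

record = {
    "patient_name": "Jane Doe",
    "medical_record_number": "MRN-0042",
    "lab_value": 7.2,
    "sponsor": "Acme Pharma",    # proprietary, but not a HIPAA identifier
    "protocol_id": "ACME-101",   # still reveals the study
}

scrubbed = safe_harbor_scrub(record)
# The patient identifiers are gone, but the sponsor and protocol fields
# survive -- the competitive-risk gap the contract language must close.
```

This is why the contract, not the de-identification method alone, must address removal of sponsor and trial-specific information.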

Data Retention and Deletion

Contracts should address how data is handled by the AI tool after AI processing, including:

  • whether data inputs or outputs are retained
  • deletion obligations
  • post-termination obligations.

Where AI systems are trained or fine-tuned using data, complete deletion may not always be technically feasible.

Commercial Exploitation Risk

AI tools may enable the contracting party or its vendors to extract insights from data and use those insights to develop or enhance tools, data sets, or services beyond the contracted services. Without clear restrictions, this can result in one party monetizing value derived from data generated at the other party’s expense. For example, AI insights may be used to identify biomarkers, develop predictive algorithms, inform future study design, or generate cross-study performance metrics offered to other customers.

In addition, use of AI systems without appropriate confidentiality, retention, and use restrictions may result in unintended disclosures that could start the clock on the U.S. one-year patent grace period or jeopardize patent rights in jurisdictions that require absolute novelty prior to filing.

Takeaway: The key issue is not whether AI is used but how broadly data is used by the AI tool and who benefits. Contracts should clearly define whether data use is limited to the contracted services or extends more broadly, including to training and product improvement.

Training Data

Contract Clauses: Intellectual Property, Representations and Warranties, Audit, Indemnification, and Limitation of Liability

Organizations should evaluate:

  • what data was used to train the AI system
  • how that training data was obtained — by license, web scraping, or another method
  • whether those acquisition methods were lawful
  • whether the AI is being deployed in accordance with those rights.

Takeaway: Training data provenance is a core risk area. Do not assume AI systems are trained on properly sourced data. Contracts should contain clear representations regarding acquisition and permitted use of training data, along with audit rights and appropriate allocation of liability.

Compliance And Regulatory Risk

Contract Clauses: HIPAA, Informed Consent, Compliance with Applicable Laws, Representations and Warranties, Documentation, Recordkeeping, Audit, and Indemnification

AI use in clinical trials may implicate federal and state laws, including privacy, human subject protection, and FDA regulatory requirements.

Patient Privacy and Human Subject Protection

For patient data, AI use may trigger processing or disclosure obligations under HIPAA and evolving state privacy, wiretapping, and AI laws.  For example:

  • HIPAA: AI tools must comply with HIPAA when creating, receiving, maintaining, or transmitting protected health information (PHI).
  • Wiretapping: State wiretapping laws may require patient consent before the use of ambient listening tools.
  • State Privacy and AI Laws: State privacy or AI laws may require disclosure of AI usage or consent by the patient.
  • Informed Consent: Informed consent regulations, including 45 CFR Part 46 and 21 CFR Part 50, require that subjects (participants) be provided with the information a reasonable person would want to have in order to make an informed decision about participation. While neither regulation explicitly addresses AI, where AI is used in ways that could affect subject privacy, data integrity, or the reliability of study outputs, that use may be material to the subject’s decision to participate, particularly if it introduces risks or uncertainties beyond those of conventional trial conduct.
  • Subject Safety: AI use may also raise human subject protection considerations, including whether use of AI in trial operations could affect subject safety.

Contracting parties should assess whether the AI tool is designed and implemented to comply with these requirements.

FDA Regulatory Obligations

  • FDA Framework: In January 2025, FDA issued draft guidance establishing a risk-based framework for AI used to produce information or data intended to support regulatory decision-making for drugs and biologics.  The guidance applies to sponsors and “other interested parties,” a term that is not defined.  In practice, this may include contracting parties that use AI to generate information supporting regulatory decision-making.  The draft guidance does not specifically address AI embedded in site-level tools, such as EHR systems, leaving uncertainty about how those uses should be evaluated where outputs may affect patient safety or the reliability of study results. For sponsors, this gap carries practical significance: FDA may evaluate how AI is used to generate or influence trial data during inspections or submission review, regardless of whether that AI sits with the sponsor, a CRO, or a site.
  • Digital Health Technologies: FDA’s December 2023 final guidance on digital health technologies (DHTs) used in clinical investigations is addressed to sponsors, investigators, and other stakeholders.  The DHT guidance requires that DHTs used to collect clinical trial data be fit for purpose and appropriately validated for their intended use. AI-enabled tools that function as DHTs, including ambient listening tools and AI-assisted documentation platforms whose outputs become part of the trial record, would be subject to these requirements.  The guidance does not carve out an exception for tools characterized as operational.
  • GCP Oversight: Sponsors retain oversight obligations under GCP. Even when AI tools are used by sites or vendors, sponsors remain responsible for trial conduct, including oversight of any CROs or vendors deploying AI-enabled systems on their behalf.
  • Inspections: AI use may raise inspection readiness challenges.  Sponsors and sites should be prepared to explain how AI tools are used, how outputs are validated, and how data integrity is maintained.  FDA’s BIMO inspectors expect personnel to understand the processes that generate trial records.  If staff cannot explain the role of AI in generating or analyzing trial documentation, regulators may question the reliability of the underlying records.
  • Data Integrity:  The parties should consider whether and how data touched by AI is used in trial records and regulatory submissions, including whether investigators are required to attest to the accuracy of entries generated or modified by AI (e.g., in EDC) and whether sponsors rely on AI-generated (or AI-impacted) outputs in submissions to regulatory authorities. FDA’s ALCOA+ framework requires that records be attributable, legible, contemporaneous, original, and accurate, as well as complete, consistent, enduring, and available; entries generated or modified by AI can create tension with several of these requirements, particularly attribution and originality.
  • Informed Consent: See section above on patient disclosures and consents.

Audit and Cooperation

  • Audit Rights and Change Control: Each party should retain the right to audit the other party’s use of AI tools, including access to validation records, change logs, and model documentation. Contracts should also provide for notice of material model changes, approval rights where AI tools touch regulated data, and flow-down of these obligations to each party’s vendors.
  • Regulatory Cooperation: All parties and their vendors should be contractually obligated to support inspection readiness, including providing validation documentation and cooperating with FDA requests.

Governance

Parties should also consider what oversight exists for AI use and whether the contracting party has an AI governance policy appropriate to the tool and the risks involved.  Where no such policy exists, or where the policy does not specifically address use in regulated clinical trial activities, that gap itself represents a compliance risk.

Takeaway: Regulatory responsibility cannot be contracted away. Sponsors remain accountable for trial conduct regardless of how AI tools are deployed, and all parties should ensure that contracts reflect their compliance obligations, including audit rights, change control, and regulatory cooperation, before AI tools touch regulated data or records.

Risks Abound When Using AI

As AI becomes more deeply embedded across trial operations and supporting technologies, organizations must understand where it is used, how it interacts with data, and where the risks lie.

In Part 3 of this series, we continue examining how contracts address these risks, covering cybersecurity, monitoring and validation, indemnification, and limitation of liability.

A version of this article first appeared on Leibowitz Law's blog. It is republished here with permission.

About The Author:

Katherine Leibowitz has supported the clinical trials enterprise for over 25 years. She cofounded Leibowitz Law in 2013 after spending 17 years at a top global law firm. Her boutique life sciences regulatory and transactional law firm is laser-focused on clinical trials and technology commercialization, serving sponsors/manufacturers, technology service providers, research institutions, CROs, and digital health companies.

Katherine handles the full clinical trial operations contracting process from CTAs and budgets to HIPAA authorizations, informed consent forms, EDC vendor agreements, CRO MSAs, committee membership, physician consulting, and more. In today’s fast-evolving world of electronic databases, decentralized trials, AI, cyber risk, secondary research, and biobanking, she excels at modernizing contract templates and negotiations to align with the shifting landscape and move deals forward efficiently.

A frequent speaker and author, Katherine enjoys synthesizing multiple regulatory, legal, and industry norms to provide integrated, practical guidance to the life sciences community.