Refresh Your CTA Strategy With Cybersecurity And EHRs In Mind, Part One
By Katherine Leibowitz and Catherine London, Leibowitz Law

With AI advancing at lightning speed, cybersecurity threats multiplying, and electronic health records (EHRs) now the norm, it’s time to revisit your clinical trial agreements (CTAs). Emerging technologies are transforming the clinical research landscape, and your contracts need to keep up. A CTA refresh is a strategic move to safeguard sensitive data, manage cybersecurity risks, and ensure regulatory compliance.
This two-part series explores emerging trends in clinical research and technology, highlighting the risks posed by rapid technological advancements. We examine how these developments affect key CTA provisions and provide practical, technology-inspired updates for your CTAs. Part one explores cybersecurity and EHR standards. Part two delves into two emerging drivers of change: secondary use of study data and AI.
Whether you’re drafting new CTAs or revising existing ones, our insights will help you manage risks and keep your contracts aligned with today’s legal and technological landscape. Let’s get started.
Cybersecurity
Cybersecurity awareness exploded during the pandemic and continues to merit very close attention. As cyberattacks grow in sophistication and frequency, the healthcare industry has become one of the primary targets. In a blog post about cybersecurity for CTAs during the COVID-19 pandemic, we addressed cybersecurity issues that contracting parties need to consider when drafting and negotiating CTAs. Here, we focus on what has changed since then.
What’s New
Ransomware attacks on the healthcare sector rose sharply in 2023, nearly doubling from the previous year.1 Despite these trends (and the urging of worried counsel), CTAs still lag in addressing cybersecurity, and many remain silent on the issue. The good news is that study sponsors and study sites are increasingly prioritizing cybersecurity, and more frequently addressing it in CTAs. Often, sites take the initiative in adding cybersecurity language, but sponsors are also starting to proactively integrate it into their CTA templates. In addition, more sites and sponsors maintain cyber liability insurance today than five years ago.
Contracting Party Perspectives
- Sites: As HIPAA-covered entities, sites have historically been more attuned to security risks and often lead the push for cybersecurity provisions in the CTA.
- Sponsors: With the continued escalation of cyber incidents and the proliferation of state privacy and security laws, sponsors have become increasingly concerned about balancing cybersecurity obligations within the CTA.
Options For Addressing Cybersecurity
If addressed in the CTA, cybersecurity obligations typically appear as a stand-alone security clause or embedded within confidentiality provisions.
- Stand-alone Security Clause. The study obligations, HIPAA, monitoring, or recordkeeping sections of the CTA may include an independent cybersecurity provision that imposes one or more of the following obligations in the event of a security incident (or possibly a suspected incident):
  - Notice
  - Cooperation
  - Breach notification to participants
  - Mitigation
  - Remediation
  - Communications to the public
  - Coverage of costs
  - Encryption
  - Endpoint protection
  - Other IT requirements
- Confidentiality Section. Cybersecurity obligations in the confidentiality section can be unintentional and indirect or deliberately structured to address specific cyber risk issues:
  - Coverage by Default. Confidentiality provisions inherently have cybersecurity implications. If a recipient of confidential information under a CTA experiences a cyber event affecting that information, the recipient may be in breach of the confidentiality provision. This will depend on the CTA’s language and the event’s impact. While confidentiality obligations offer some cyber protection, they typically fall short of the safeguards found in a stand-alone security provision.
  - Intentional Coverage. Confidentiality sections can expressly address cybersecurity by adding or refining the notice requirements. Many CTAs do not mandate notice of unauthorized use or disclosure of confidential information, but if they do, then expanding the notice to include unauthorized access to, modification, or destruction of confidential information strengthens cyber protections. Some CTAs go a step further, incorporating system breach into the notice requirement.
  - Sweeping Scope. Whether or not the confidentiality section explicitly covers cyber events, a broad definition of confidential information by its nature increases the recipient’s cyber risk simply because there is more data to protect.
  - Low/No Fault Attacks. Advances in cybercrime technology expose recipients to a higher risk of confidential breaches. Before electronic data capture (EDC) systems, confidential information was largely paper-based, making access easier to control. Today, cyberattacks — such as ransomware targeting vendors or subcontractors — can lead to unauthorized access without negligence by the site or sponsor.
  - One-way or Mutual. Historically, confidentiality provisions in CTAs were one-sided, protecting only the sponsor’s confidential information. Increasingly, they are mutual, requiring both parties to assess the cybersecurity implications.
Key Takeaways
- Inclusion of Mutual Security Obligations. Although cybersecurity language is often one-sided, either party can experience a security incident that impacts the other. At a minimum, both parties need to receive notice of a security incident (or suspected incident) so they can take steps to mitigate the impact on their data and systems. The Stand-alone Security Clause section above outlines elements to include, some of which may prolong negotiations, especially regarding responsibility for costs. Making the provision mutual usually yields a more balanced result for both parties. All security obligations need to be vetted by each party’s IT department.
- Careful Review of Confidentiality Obligations. Each party should thoroughly consider the confidentiality section to avoid unintended consequences. If cybersecurity risks are addressed through the confidentiality language, recognize that this approach is usually an incomplete solution.
- Cyber Insurance. The CTA should require both parties to maintain adequate cyber liability insurance. Maintaining it is a baseline requirement for any credible healthcare business or institution today. If the other party does not have it, that is a red flag. We will explore cyber insurance, including first- and third-party protections, in part two of this series.
- No Standard Language…Yet. The clinical research industry has not yet established standard cybersecurity terms for CTAs. Sponsors and sites should continue refining language to address the issues above and work to establish CTA language that is widely acceptable.
- Key Risk Mitigation Issues. As we covered in this blog post, additional cybersecurity concerns include:
  - Coordinating cybersecurity terms with:
    - Indemnification
    - Limitation of liability
    - Vendor agreements
  - Implementing appropriate controls for remote monitoring and ensuring access is limited to only the data necessary for remote source data verification.
  - Clearly defining key terms and avoiding vague or overly broad language.
- Artificial Intelligence. Any AI usage agreed upon by the parties (see part two) should be vetted for cybersecurity risks. Proactive assessment helps reduce vulnerabilities.
EHR System Standards
Background
- Role of EHRs. EHRs play a significant role in modern clinical studies. Sites manage EHRs, which house a wide range of patient medical information, including medical history, diagnoses, lab results, prescriptions, and treatment plans. Given the wealth of information contained in EHRs, they serve as a key source of data in clinical trials. Investigators often rely heavily on EHR data to recruit patients, analyze patient data, aggregate data, maintain study records, and facilitate post-study follow up.
- FDA Guidance. In July 2018, the FDA issued guidance titled “The Use of Electronic Health Record Data in Clinical Investigations” (EHR guidance) to advise sponsors, investigators, and other stakeholders on the use of EHR data in FDA-regulated clinical investigations. In the EHR guidance, the FDA states that “[s]ponsors and clinical investigators should ensure that policies and processes for the use of EHRs at the clinical investigation site are in place and that there are appropriate security measures employed to protect the confidentiality and integrity of the study data.” FDA then sets forth recommendations for sites and sponsors with respect to such security measures.2
- EHR Growth. EHRs have become even more ubiquitous in the six years since the EHR guidance was released. As of 2021, 96% of non-federal acute care hospitals and 78% of office-based physicians had adopted a certified EHR (up from 28% and 34%, respectively, in 2011).3 Today, except with respect to a limited number of small or rural providers, it is very rare for a site to not have an EHR, making it important for sponsors and sites to understand what safeguards are in place to protect the confidentiality, security, and integrity of data contained in EHR systems.
Contracting Party Perspectives
- Sites:
  - Control of EHR System. The site owns and maintains the EHR system, often contracted through a third-party vendor. Accordingly, the site controls the EHR system and would consider it inappropriate for sponsors to impose extensive obligations on the site’s EHR.
  - Reasonable Representations and Certifications. Due to the complexity of EHR systems, sites often seek to limit overly restrictive CTA language or broad representations or certifications regarding their EHR. Instead, they want to ensure that any representations or certifications they make in a CTA align with applicable legal requirements but do not go beyond what is necessary.
- Sponsors:
  - Integrity of Study Data. The source data contained in an EHR system underpins much of the study data that sponsors use for regulatory submissions. Sponsors need assurance regarding the integrity of that source data.
  - Compliance with EHR Guidance. To help ensure the reliability of source data and delivered study data (particularly if the EHR system communicates directly with the sponsor’s EDC system), sponsors often focus on whether a site’s EHR system complies with the EHR guidance and incorporates appropriate data integrity measures and cybersecurity controls. The sponsor’s CTA template may include a certification by the site and investigator(s) that their EHR systems meet the EHR guidance standards.
Key Takeaways
- EHR Controls. EHRs need to have appropriate controls in place to protect the confidentiality, security, and integrity of study data.
- EHR Guidance Standards. Sponsors should include language in the CTA requiring EHR system compliance with the EHR guidance. This could include requiring sites to confirm that their EHR systems are certified under the Health IT Certification Program of the Office of the National Coordinator for Health Information Technology (ONC)4 or that the EHR system’s controls include data use policies and processes, data security protection measures, and other protections required under the EHR guidance.5
- Careful Review of Representations and Certifications. Sites should understand what security standards their EHR systems meet and make sure that any EHR-related representations or certifications they make are narrowly tailored and in line with industry standards.
Looking Ahead To Secondary Research And AI
Now that we’ve explored the impact of cybersecurity and EHR standards on CTAs, it’s time to address two other factors changing CTA strategy: secondary use of study data and the evolving landscape of AI. In part two, we examine the hidden risks and unexpected opportunities these two factors present. From navigating non-exclusive royalty-free licenses (NERFs) in an AI-driven world to the crucial considerations of EHR access, we’ll equip you with the insights needed to future-proof your contracts.
References/Footnotes:
1. Ransomware Attacks Surge in 2023; Attacks on Healthcare Sector Nearly Double, https://www.dni.gov/files/CTIIC/documents/products/Ransomware_Attacks_Surge_in_2023.pdf (Feb. 28, 2023).
2. In the EHR guidance, FDA makes clear that it does not intend to assess EHR systems for compliance with Part 11. Even though Part 11 does not apply, the EHR guidance does include other important standards.
3. Office of the National Coordinator for Health Information Technology, National Trends in Hospital and Physician Adoption of Electronic Health Records (last visited Jan. 20, 2025).
4. In July, the federal Department of Health and Human Services announced a reorganization of ONC, the federal office that is responsible for establishing and overseeing a national health information technology infrastructure. ONC has been renamed the Assistant Secretary for Technology Policy and Office of the National Coordinator for Health Information Technology (ASTP/ONC). ASTP/ONC oversees technology, data, and AI policy and strategy and has established several new roles within the office, including a chief AI officer.
5. In December 2023, the U.S. Department of Health and Human Services issued a final rule titled “Health Data, Technology, and Interoperability: Certification Program Updates, Algorithm Transparency, and Information Sharing,” which, among other things, establishes transparency requirements for AI and other predictive algorithms that are part of certified health IT. This rule provides additional considerations in connection with EHR systems that incorporate AI tools.
A version of this article first appeared on Leibowitz Law's blog. It is republished here with permission.
About The Experts:
Katherine Leibowitz has supported the clinical trials enterprise for 25 years. She co-founded Leibowitz Law in 2013 after spending 17 years at a top global law firm. Her boutique life sciences regulatory and transactional law firm is laser-focused on clinical trials and technology commercialization, serving sponsors/manufacturers, technology service providers, research institutions, CROs, and digital health companies.
Katherine handles the full clinical trial operations contracting process from CTAs and budgets to HIPAA authorizations, informed consent forms, EDC vendor agreements, CRO MSAs, committee membership, physician consulting, and more. In today’s fast-evolving world of electronic databases, decentralized trials, AI, cyber risk, secondary research, and biobanking, she excels at modernizing contract templates and negotiations to align with the shifting landscape and move deals forward efficiently.
A frequent speaker and author, Katherine enjoys combining the multiple regulatory, legal, and industry norms to provide integrated, practical guidance to the life sciences community.
Catherine London has over a decade of experience representing life sciences companies and health care providers on clinical research contracting and compliance matters, providing comprehensive legal support to sponsors, research institutions, CROs, and other stakeholders involved in sponsored research.
Catherine draws on her deep regulatory expertise to counsel clients nationwide on issues impacting clinical trials, including informed consent, IRB considerations, patient privacy, conflicts of interest, and risk management. She is well-versed in the laws, regulations, and industry standards governing clinical trials, including FDA requirements, the Common Rule, HIPAA, and Good Clinical Practice, as well as fraud and abuse laws, Medicare and Medicaid requirements, and transparency reporting requirements. Catherine employs this expertise to help clients navigate the intricacies of clinical trial agreements, ensuring that they align with regulatory requirements, protect business interests, and foster successful collaborations.