Biopharmaceutical companies have now seen the power of post-market approval and observational registries. Registries typically measure the effectiveness of a product after it is on the market. They evaluate physician dosing and product handling and assess patient compliance and attitudes towards the product. Registries are not clinical trials because they do not involve any experimental intervention. Rather, they rely on observations of patients using approved drugs, assessments of the progression of diseases, evaluations of non-adverse side effects, and other clinical observations made by prescribing physicians.

Planning for Data Protection

Data is the lifeblood of registries, but there are certain components that must be accounted for when planning a registry. Will the data collected be identifiable, de-identified or something in between? Will the data be transferred and, if so, to which countries? Will patient consent be needed and, if so, what should the consent form say? If data is obtained directly from patients or is otherwise identifiable, the registry itself is likely to be considered human subject research and is then dependant on prior ethics committee or institutional review board approvals.

While the planning and operation of a registry is extremely complex, it is even more so when patients or physicians serving as data sources are located in different countries. Although the European Union has attempted to harmonise privacy requirements through the Data Protection Directive (Directive 95/46/EC), each Member State maintains varying and multiple requirements. These difficulties are compounded when different limitations are imposed on US physicians and hospitals under the Health Insurance Portability and Accountability Act (HIPAA).

What Data Will You Collect?

Too often, researchers will seek more data than they actually need to conduct the registry. Even more often, researchers will seek data that clearly identifies a patient when a data set containing only generic identifiers, such as birth dates or postal codes, would suffice. As compared to the collection of de-identified data, the collection of identifiable patient data from a physician, or collection of data directly from a patient, will ultimately require patient consent. As a result, the registry’s structure must anticipate this need and plan accordingly. Patient consent must take into account local country requirements and languages, provide clear statements concerning the purpose and use of the data and indicate any cross-border transfers of the data, particularly to the United States.

Registration Requirements May Be Triggered

While many registries are structured using coded data, certain personnel associated with the registry are likely to have access to the code’s key, making the data identifiable at some level. This direct access, particularly by an employee of a sponsor or a clinical or contract research organisation (CRO), means that these organisations will be considered data processors and must therefore observe applicable privacy principles under EU law. This would not be the case under HIPAA which does not directly regulate biopharmaceutical companies or CROs. Just as important, in these circumstances, CROs are likely to be treated as “data controllers”. Data controllers must notify the appropriate authorities in each of the EU Member States where data is collected. This step is often overlooked by sponsors and their CROs, particularly those based in the United States and operating a registry within the European Union.

EU registration is a relatively straightforward process, yet failure to register can carry with it significant financial penalties. The United States, in contrast, does not impose this registration criteria. Instead, HIPAA and state laws limit physicians, hospitals and health plans from sharing identifiable health information without consent, or de-identifying the data or creating a limited data set.

Planning Can Prevent Implementation Problems

Because there are so many facets to data protection, particularly in a multinational registry, planning and micro-managing each operational aspect of the registry is the key to its success. Key questions to ask and answer are outlined in the table. Building a registry across multiple countries is achievable. Building one across countries that is cost-effective and compliant with local data protection requirements requires detailed planning, time and validation by researchers, participating physicians, patients and counsel.

[see table]