FDA and HIPAA Compliance


The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for protecting sensitive patient data. Anyone who deals with protected health information (PHI) must have physical, network, and process security measures in place and follow them to ensure HIPAA compliance.

It is important to note that there is no certification recognized by the US HHS for HIPAA compliance and that complying with HIPAA is a shared responsibility between eScan Clinical Trials and our research collaborators. Specifically, HIPAA demands compliance with the Security Rule, the Privacy Rule, and the Breach Notification Rule. eScan Clinical Trials supports HIPAA compliance, and our collaborators are responsible for evaluating their own HIPAA compliance. For more information, see how we perform patient de-identification.

eScan Clinical Trials will enter into a Data Processing Agreement with all collaborators as necessary under HIPAA. eScan Clinical Trials is built and maintained with careful attention to security, and details on our approach to security and data protection, including the organizational and technical controls we use to protect data, can be found here.

In addition to documenting our approach to security and privacy design, eScan Clinical Trials welcomes independent third-party audits to provide clients with external verification.

Safe Harbor

The US Safe Harbor Compliance Statement for Data Privacy Framework sets out the privacy principles for the collection, use, and retention of personal information. eScan Clinical Trials complies with the Safe Harbor Framework regarding the collection, use, and retention of personal information relating to our users, and any such information transferred from the EU to the United States, as well as with the U.S.

21 CFR Part 11

eScan Clinical Trials adheres to 21 CFR Part 11 (part 11 of title 21 of the Code of Federal Regulations; Electronic Records; Electronic Signatures). In brief, this document provides guidance to persons and suppliers who, in fulfilment of a requirement in a statute or another part of FDA's regulations, maintain records or submit information to FDA. The document sets out controls for closed systems like eScan Clinical Trials. In particular, it specifies how to protect records, limit system access (each user must have a username and password to gain access), use secure, computer-generated audit trails (sender, study ID, study type, time stamps, etc.), perform authority checks to prevent unauthorized access, and establish and adhere to written policies such as trial protocols.

Part 11 Section 11.10(a) states: “Controls for closed systems are to include the validation of systems to ensure accuracy, reliability, consistent, intended performance, and the ability to conclusively discern invalid or altered records”. Validation in eScan Clinical Trials is based on two principles: data integrity and standards conformance. We protect the integrity of your data through robust data encryption throughout the entire data collection and transfer process. Any change to the encrypted data will be flagged as incomplete and rejected by the trial repository due to the potential safety breach. Standards conformance ensures that eScan Clinical Trials will automatically reject any file that does not meet the DICOM conformity specification outlined in the trial protocol. This ensures that only DICOM files meeting your data requirements and submitted by investigators enrolled in your study are collected and transferred to the central trial repository.

Part 11 Section 11.10(e) states: “Audit trails must be secure, computer-generated and timestamped to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying. Audit trails should say 'who did what to your records and when'.” All operations in eScan Clinical Trials are logged carefully to ensure compliance with section 11.10(e), and the log includes the sending investigator, institution, type and size of study including its unique ID, number of images, number of series, resolution parameters, and timestamps. All transfer logs are securely kept for future audits.
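As an added illustration of the two requirements quoted above (discerning altered records under 11.10(a), and a computer-generated, timestamped audit trail under 11.10(e)), the following Python is example code, not eScan's own implementation; the field names and sample events are constructed assumptions. Each entry is timestamped in UTC at write time and hash-chained to the previous one, so that any later edit or deletion of a record can be detected by a reviewer.

```python
import hashlib
import json
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Constructed sample events carrying the fields this page says are logged
# per transfer. Field names are an assumption, not the product's schema.
SAMPLE_EVENTS = [
    {"action": "create", "investigator": "inv-017", "institution": "Site A",
     "study_type": "CT", "study_id": "STUDY-0001", "num_images": 240,
     "num_series": 3, "resolution": "512x512"},
    {"action": "modify", "investigator": "inv-017", "institution": "Site A",
     "study_type": "CT", "study_id": "STUDY-0001", "num_images": 241,
     "num_series": 3, "resolution": "512x512"},
]

GENESIS = "0" * 64  # chain anchor for the first audit record


def _digest(prev_hash: str, record: dict) -> str:
    # Canonical JSON so an identical record always hashes identically.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


def append_entry(trail: List[dict], event: dict,
                 ts: Optional[datetime] = None) -> dict:
    """Append a computer-generated, timestamped entry chained to the previous one."""
    ts = ts or datetime.now(timezone.utc)  # system clock, not operator-supplied
    record = dict(event, timestamp=ts.isoformat())
    prev_hash = trail[-1]["hash"] if trail else GENESIS
    entry = {"record": record, "prev_hash": prev_hash,
             "hash": _digest(prev_hash, record)}
    trail.append(entry)
    return entry


def verify_trail(trail: List[dict]) -> Tuple[bool, int]:
    """Return (ok, index of first bad entry); index is -1 when the chain is intact."""
    prev_hash = GENESIS
    for i, entry in enumerate(trail):
        if entry["prev_hash"] != prev_hash:
            return False, i  # a record was removed or reordered before here
        if _digest(prev_hash, entry["record"]) != entry["hash"]:
            return False, i  # this record's content was altered after logging
        prev_hash = entry["hash"]
    return True, -1


def build_sample_trail() -> List[dict]:
    trail: List[dict] = []
    for ev in SAMPLE_EVENTS:
        append_entry(trail, ev)
    return trail
```

A hash chain alone cannot detect truncation of the newest entries, so the latest hash should also be recorded somewhere the log writer cannot modify (for example, a write-once store or a periodically signed checkpoint).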