HIPAA for clinical research in the US

HIPAA requirements for US-based studies, Covered Entity vs. Business Associate responsibilities, and how Trialinx integrates.

HIPAA as applicable federal law

In the US, HIPAA applies to Covered Entities (healthcare providers, health plans, clearinghouses) and their Business Associates. Clinical research is in scope when the investigator or institution is a Covered Entity.

HITECH (2009) extended HIPAA so that Business Associates are directly subject to the Security Rule. This means Trialinx, as a BA, has direct legal obligations of its own, not only contractual ones.

Authority: HHS Office for Civil Rights (federal enforcement authority)

Minimum requirements for your study

  • Signed BAA before processing PHI with Trialinx
  • Updated institutional Privacy Rule policy
  • HIPAA training for all personnel with access
  • Documented Security Rule risk assessment (§164.308)
  • Incident response plan

Trialinx technical controls

  • Encryption at rest: AES-256 (§164.312(a)(2)(iv))
  • Encryption in transit: TLS 1.2+ (§164.312(e)(1))
  • Unique user ID + 2FA (§164.312(a)(1))
  • Audit controls (§164.312(b)), with 7 datapoints recorded per event
  • Person/entity authentication (§164.312(d))
  • Automatic logoff (§164.312(a)(2)(iii))
  • Standard BAA, signable on the Institutional plan

FAQ

Is Trialinx directly a Covered Entity?

No. Trialinx acts as a Business Associate when processing PHI for a Covered Entity. The BAA formalizes this relationship.

Can I use the free plan with PHI?

Not recommended. A BAA is only available on the Institutional plan. For small projects with anonymized data, the free plan is fine.

What happens on a breach?

Trialinx notifies the Covered Entity without undue delay. The Covered Entity is responsible for notifying affected individuals and HHS within the HIPAA timelines (60 days).

Need specific documentation?

Contact us and we'll prepare the package for your ethics committee or DPO.