Question: Can we transfer patient data from our CTMS to our parent medical practice?


Our research site is a subsidiary of a medical practice. The financial controller, who works for both the practice and the research site, wants to export data from our clinical trial management system (CTMS) to the computer server housed within the medical practice. The report will be used to monitor for insurance, Medicare/Medicaid fraud and abuse. The proposed report will include subject names, sponsor, and information about subject visits including dates and procedures performed. The financial controller is also requesting full access to the CTMS.


We are assuming that both the research site and the practice are a single covered entity. Many physician practices have in place compliance programs to prevent erroneous or fraudulent insurance and Medicare/Medicaid claims, and this is acceptable. These programs may include monitoring and auditing of medical records as well as research records. In setting up this kind of financial compliance program, it will be important for the medical practice to address the concerns you raise about the protection of your research subjects' data and protected health information.

The HIPAA Privacy Rule governs the use and disclosure of protected health information (PHI). Your medical practice will need to determine the minimum necessary data the controller needs to carry out her compliance program, and limit the export and her CTMS access to that. Your practice should also review the HIPAA authorizations for medical care and for participation in research that your patients routinely sign, to ensure they identify the classes of persons within your medical practice who may use the PHI.

The medical practice will also need to ensure that the program conforms with the HIPAA Security Rule, which lays out a set of security standards for protected health information held in electronic form. The controller will have to follow all the measures that your medical practice already has in place to protect and control access to data and protected health information. For example, the controller will need to follow office policies on using privacy screens, password protection, and logging off workstations. She may also need to consider encryption or password protection of documents containing protected health information, both on the practice's server and in transit from the CTMS.

About the Author

Yvonne Higgins | Quality Assurance Advisor, Compliance

Yvonne has contributed to the cause of ethics and responsibility in human research for more than 20 years. During that time, she has served as Vice President of Quality Management for Copernicus Group IRB, Executive Director of the human research protections program (HRPP) and Institutional Review Boards (IRBs) at the University of Pennsylvania, Co-Chair of the workshop and didactic planning committee for PRIM&R’s Advancing Ethical Research annual conference, and Public Health Analyst within the US Department of Health and Human Services Office for Human Research Protections (OHRP).
