Patient Data Privacy & Research Ethics — Biotech Scenario
A Colleague Wants to Share Trial Participant Data With a Vendor Not Listed in the Consent Documents. “The IRB Will Never Know.” What Do You Do?
A real biotech and pharma compliance scenario — with three decision options and the right answer.
Quick Answer
Can clinical trial participant data be shared with a third-party vendor who is not specified in the patients’ informed consent documentation? No — sharing identifiable patient data with parties not specified in the consent documentation is a HIPAA violation and a research protocol violation regardless of the vendor’s purpose or reputation. This scenario shows why informed consent in clinical research is a foundational ethical and legal requirement — and why “the IRB will never know” is one of the most dangerous phrases in research compliance.
The Situation
You are a research coordinator at a biotech company conducting a Phase 2 clinical trial. A colleague asks you to share the complete list of trial participants — including names, contact information, and diagnosis — with a third-party vendor your company has hired to conduct follow-up patient experience surveys. The surveys are intended to collect quality-of-life data to support the regulatory submission. The vendor is not named in the trial’s informed consent documentation, which was approved by the Institutional Review Board (IRB). Your colleague says the vendor is reputable, the data is for a good purpose, and “the IRB will never know — it’s just a survey.”
What Should You Do?
Choice A: Share the participant list. The surveys serve the patients’ interests by contributing to the regulatory submission, the vendor is reputable, and the IRB process is administrative rather than clinical. The purpose is legitimate and no one is harmed.
Choice B: Refuse to share the participant list and escalate to the IRB and your Privacy Officer. Sharing identifiable patient data with a party not specified in the consent documentation is a HIPAA violation and a research protocol violation regardless of the vendor’s purpose or reputation. The proper pathway is an IRB protocol amendment.
Choice C: Ask the vendor to sign a confidentiality and data protection agreement before sharing the data — this addresses the security concern while allowing the surveys to proceed on the original timeline.
The Right Call
Choice B — Refuse and escalate to the IRB and Privacy Officer.
Informed consent in clinical research is a foundational ethical and legal requirement. Patients agreed to participate in the trial under specific conditions — including the specific parties who would have access to their personal and medical information. Sharing their data with a vendor not named in those consent documents violates that agreement regardless of the vendor’s purpose or reputation. A confidentiality agreement with the vendor (Choice C) addresses data security but does not create the patient consent that is missing — it is a contract between your company and the vendor, not a consent from the patients themselves.
Why This Scenario Is Harder Than It Looks
The purpose is genuinely patient-focused — and that makes the violation feel justified.
The surveys are intended to help the regulatory submission, which ultimately helps patients access the therapy. The colleague isn’t trying to exploit the data for commercial gain. But the consent framework in clinical research is not suspended because the data use is beneficial. Patients provided their data under specific conditions, and those conditions matter regardless of the intended use of the data.
“The IRB will never know” is a compliance red flag, not a risk assessment.
The IRB oversight process exists precisely to review proposed changes to how participant data is used. Framing the decision around whether the IRB will detect the violation is not a compliance analysis — it is a statement that the person asking knows the action would not be approved through the proper process. Any time the conversation shifts from “is this permitted” to “will we be caught,” the answer to the underlying question is already clear.
A confidentiality agreement with the vendor does not substitute for patient consent.
Choice C addresses one legitimate concern — the vendor’s data security practices — but it does not address the actual compliance issue. The HIPAA and consent violations are not about whether the vendor will protect the data. They concern whether the patients agreed to have their data shared with this vendor. A contract between your company and the vendor cannot create rights that the patients did not grant.
The Right Pathway Forward
The surveys themselves may be a legitimate and valuable research activity. The compliance issue is not that the surveys are wrong — it is that the process for conducting them needs to go through proper channels:
- Submit an IRB protocol amendment to add the vendor and the survey activity to the approved research protocol
- Depending on the materiality of the change, obtain a new or updated consent from participants that includes the vendor
- Execute a Business Associate Agreement (BAA) with the vendor under HIPAA
- Proceed once the IRB has approved the amendment
This process takes time — which is why the colleague is tempted to skip it. But the timeline pressure does not make the consent requirement optional.
Frequently Asked Questions
What is informed consent in clinical research and why does it matter for data sharing?
Informed consent is the process through which a clinical trial participant agrees to participate after being fully informed about the study, including who will have access to their personal and medical data. It is a foundational ethical and legal requirement under the Common Rule, the Declaration of Helsinki, and HIPAA. Sharing participant data with parties not named in the consent document violates the terms under which the patient agreed to participate — regardless of the purpose of the subsequent data use.
What is a HIPAA Business Associate Agreement (BAA) and does it authorize data sharing with new vendors?
A Business Associate Agreement is a contract required by HIPAA between a covered entity and a vendor who will access protected health information (PHI). A BAA is necessary but not sufficient for sharing clinical trial participant data — it addresses the vendor’s data handling obligations but does not address the consent issue. Sharing PHI with a new vendor requires both a BAA and alignment with the participant’s informed consent terms.
What is an IRB protocol amendment and when is one required?
An IRB protocol amendment is a formal request to modify an approved research protocol — including changes to data collection procedures, the addition of new vendors who will access participant data, or changes to how data will be used. It is required when a change to the study is material enough that participants would need to be informed or re-consented. Adding a third-party survey vendor to an approved trial protocol typically requires an amendment.
What are the consequences of unauthorized sharing of clinical trial participant data?
Consequences can include HIPAA civil monetary penalties (up to $1.9 million per violation category per year), IRB suspension of the trial, FDA findings of Good Clinical Practice violations that affect the regulatory submission, institutional review and sanctions, and significant reputational damage. The breach may also require notification to affected participants and, depending on severity, to the Office for Civil Rights.
What should a research coordinator do when a colleague asks them to share participant data in a way that may violate consent?
Decline to share the data and escalate immediately to your IRB coordinator and Privacy Officer. Document the request and your response. If there is a legitimate research need for the surveys, work with the IRB to submit a protocol amendment that addresses it properly. The fact that a colleague made the request does not change the coordinator’s individual obligation to protect participant data.
How to Use This Scenario in Training
Data privacy and research ethics training establishes the policy. This scenario makes it stick.
This scenario is most valuable for clinical operations, research coordination, regulatory affairs, and data management teams in biotech and pharmaceutical organizations. The recognition skill is identifying the gap between data security (addressed by a BAA) and informed consent (not addressed by a BAA) — two distinct compliance obligations that are frequently conflated.
Compliance Training Built for Biotech and Pharma
Xcelus develops scenario-based compliance training for pharmaceutical and biotech organizations — including HIPAA in clinical research, informed consent, IRB compliance, and data privacy scenarios built for your clinical and operations teams.
