Data Privacy & Security

StudyTeam is designed to strengthen privacy compliance with data protection built from the ground up.

Patient PII is secure in StudyTeam by design.

What users are saying about StudyTeam's privacy features

The system is very intuitive and user-friendly. The fact that we can use patient names in a safe and protected way really helps our workflow. Sharing updates automatically with the sponsor team is wonderful! The more trials use StudyTeam, the better for us.

-Site user

The interesting thing about [StudyTeam] is that the site buy-in is completely separate from [the Sponsor]. … We just get what we need without getting any personally identifying information. I learned so much about it when we went through [the Sponsor’s] European data privacy assessment, and [StudyTeam] is a super tight system. It keeps everything really organized, keeps us from getting personally identifiable information accidentally like we sometimes do from paper logs.

-Sponsor CPL

This is much easier than paper! I actually think because they can enter personally identifiable information into StudyTeam, it lets them manage better. It is better for privacy than completing paper logs and giving them to the sponsor with potential errors of personally identifiable information included.

-CRO User

I really do like Study Team. It is truly a study coordinator/recruitment nurse’s dream to keep everything in one place. And I absolutely love the feature of being able to send recruitment updates directly to the sponsor and Study Team does the work of de-identifying protected health information.

-Site User

StudyTeam's features such as patient timeline and demographic information space are very useful because I was [previously] entering this information on paper. StudyTeam keeps [our site’s information] in [the] same place and secure.

-Site User

StudyTeam: Privacy by Design

In developing StudyTeam, Reify has incorporated data protection into the software from the ground up. StudyTeam has integrated appropriate technical and organizational safeguards to ensure compliance with data protection principles such as data minimization, accountability, integrity, and confidentiality. The software is also abundantly flexible to ensure that data controllers, such as clinical trial sites, are truly in control over what data goes into the software, where it is transferred, and for how long it is retained.

Moreover, StudyTeam features hard-coded protections against human error. StudyTeam locks—without possibility of override—data fields known or likely to contain identifying patient information, thus prohibiting those fields from being replicated outside of the site’s particular instance of StudyTeam. Built-in protections like these allow sites to eliminate their risk of inadvertent disclosure of sensitive patient information.

Data Protection & Compliance

What data do sites enter into StudyTeam?

Sites have a broad range of options in determining what data to enter into StudyTeam. StudyTeam can even be configured such that no identifying patient information is entered at all. However, most sites find it useful to enter at least some patient identifying data. StudyTeam for Sites can store patient data. StudyTeam also stores information about a site’s authorized users.

Do sites need to obtain Ethics Committee or IRB approval for their use of StudyTeam?

Ethics Committees and IRBs can vary in their approaches and for that reason, each site is best positioned to determine whether or not formal review of StudyTeam is required.

In our experience, the overwhelming majority of sites worldwide determine that they do not need to submit StudyTeam for EC/IRB review. This is because StudyTeam is not a patient-facing software. Rather, it is used by sites to support their internal operations. In the rare event that a site decides to seek EC/IRB review of StudyTeam, Reify supports that process.

How does Reify handle Data Subject Access Requests (DSARs)?

Reify Health does not typically receive DSARs from patients, and in the event such a request were to come directly to Reify, Reify does not communicate directly with patients. In such a case, Reify will forward a patient’s data request to the site to allow the site to instruct Reify on how to proceed. If Reify is instructed by a site to modify or delete patient data, Reify will provide confirmation to the site when the request has been fulfilled. The site may then contact the individual to confirm the modification/deletion in accordance with the site’s internal communication practices.

Data Security & Vendor Qualification

How does StudyTeam protect site data?

Reify has established robust technical and organizational measures (TOMs) appropriate to the nature of the data and processing activity. Our TOMs include appropriate policies defining data classification, encryption, data retention, and incident response. For more information, please contact our Security team.

What is the data retention policy applicable to site data in StudyTeam?

In order to provide the flexibility for sites, as data controllers, to direct the retention of their data, StudyTeam does not impose a pre-determined retention period for site data. 

Reify will follow each site’s instructions with respect to the processing and deletion of its data (unless such instructions would be prohibited by applicable law, interfere with Reify’s legal obligations, or are subject to a legal exemption).

How does Reify qualify vendors?

Reify requires all third-party vendors, tools, and service providers to undergo a privacy assessment and a data security assessment prior to contract signature. These assessments form a central part of Reify’s vendor qualification process and allow Reify’s Data Protection Officer and Security Officer visibility and an opportunity to ensure that each third party meets legal requirements and Reify’s own robust standards. Third parties are routinely required to execute data protection agreements, data transfer agreements, and contractual data security terms as part of the contracting process.

Patient Relationships

What role does Reify play when it comes to patient notice and consent?

As the data controller, each site follows its established notice and consent practices when doing any patient-facing work. Reify supports these practices but recognizes that each site has its own procedures and may be subject to unique requirements. Notice and consent are frequently discussed during the site engagement process and Reify is responsive to each particular site's needs and instructions on this topic.

Communications directly with patients, including notification of subprocessing and obtaining consent, are managed by sites in accordance with their internal information handling practices. While Reify does not control a site’s policies and practices with respect to patient consent and notice provision, Reify does partner with, and provide support to, sites to ensure that regulatory requirements are met.