HIPAA compliance in patient recruitment is not a legal abstraction — it is a specific set of operational requirements that affect how you advertise, collect data, communicate, and select vendors. Most sites have at least three compliance gaps they are not aware of. This 22-point audit tells you exactly what to check.
Section 1: Advertising Compliance (Check These 6)
- 1. General advertising uses no PHI. Ads to the general public (Google, Facebook, print) should not use identified patient information. Targeting by health-related interest categories on Facebook is generally compliant — targeting by uploaded patient lists is not without specific authorization.
- 2. Social media ads comply with platform health policies. Facebook and Google both restrict clinical trial advertising that targets based on sensitive health conditions. Review your targeting settings — “interest in diabetes management” may be allowed; targeting diabetes medication users specifically may not.
- 3. IRB-approved advertising materials are being used. Your recruitment advertisements (web, print, social) should be within the scope of your IRB-approved recruitment plan. If your digital ads weren’t submitted to the IRB, check whether your protocol requires it.
- 4. No identifiable patient images are used without signed release. Photographs of patients in advertising require a signed HIPAA-compliant release that specifically covers marketing use.
- 5. Testimonials have written authorization. Any patient quote, story, or testimonial requires a HIPAA marketing authorization that covers name, condition, and participation status.
- 6. ClinicalTrials.gov listing contains no PHI. Your public trial listing should not include investigator notes or screening data that could identify individuals.
Section 2: Data Collection Compliance (Check These 5)
- 7. Pre-screening data is collected on HIPAA-compliant forms. Web forms that collect health information must be hosted on HIPAA-compliant infrastructure — this excludes standard Google Forms, basic Wix/Squarespace forms, and most free form builders.
- 8. A Business Associate Agreement exists with your form/CRM vendor. Any vendor that stores or processes PHI on your behalf must sign a BAA. If you use any digital intake tool, check whether a BAA is in place.
- 9. Pre-screening data is encrypted at rest and in transit. Health information collected during pre-screening must be stored encrypted and transmitted via HTTPS. Verify with your IT/web host.
- 10. Role-based access controls are in place. Only staff who need pre-screening data for their role should be able to access it. Document who has access and review quarterly.
- 11. A retention and destruction policy exists for pre-screening data. Data collected from patients who did not enroll must be retained for the period required by your IRB protocol and then securely destroyed. Document the policy.
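Items 10 and 11 are the two checks in this section that can be turned into a repeatable review rather than a one-time conversation with IT. The following Python script is an added example, not part of the original checklist or any vendor's product: it takes a constructed list of pre-screening records and staff accounts, flags non-enrolled records that are past the retention period and still not destroyed, and flags accounts that hold pre-screening access without a role that needs it. The role list and the 365-day retention period are placeholders; the real values come from your IRB-approved protocol and your documented access list.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Roles that need pre-screening data to do their job (assumed placeholder list;
# replace with the site's own documented access list, checklist item 10).
ROLES_WITH_PRESCREEN_ACCESS = {
    "recruitment_coordinator",
    "study_coordinator",
    "principal_investigator",
}

# Retention period for pre-screening data from patients who did not enroll
# (assumed placeholder; the real period comes from the IRB protocol, item 11).
RETENTION_DAYS_NON_ENROLLED = 365


@dataclass(frozen=True)
class PrescreenRecord:
    record_id: str
    collected_on: date
    enrolled: bool
    destroyed_on: Optional[date] = None  # set once secure destruction is logged


@dataclass(frozen=True)
class StaffAccount:
    user: str
    role: str
    has_prescreen_access: bool


def records_due_for_destruction(records: List[PrescreenRecord], today: date,
                                retention_days: int = RETENTION_DAYS_NON_ENROLLED) -> List[str]:
    """Ids of non-enrolled records older than the retention period and not yet destroyed.

    Enrolled participants are excluded because their data moves into the study
    record and follows the study's own retention rules; records already marked
    destroyed are excluded so they are not re-reported every quarter.
    """
    cutoff = today - timedelta(days=retention_days)
    return sorted(
        r.record_id
        for r in records
        if not r.enrolled and r.destroyed_on is None and r.collected_on <= cutoff
    )


def access_review_findings(accounts: List[StaffAccount],
                           allowed_roles=ROLES_WITH_PRESCREEN_ACCESS) -> List[str]:
    """Users who hold pre-screening access although their role is not on the allowed list."""
    return sorted(
        a.user for a in accounts if a.has_prescreen_access and a.role not in allowed_roles
    )


# Constructed sample data for the quarterly review (not real patients or staff).
AUDIT_DATE = date(2024, 6, 1)
SAMPLE_RECORDS = [
    PrescreenRecord("PS-001", date(2023, 1, 10), enrolled=False),                 # past retention
    PrescreenRecord("PS-002", date(2023, 2, 1), enrolled=True),                   # enrolled, out of scope
    PrescreenRecord("PS-003", date(2024, 5, 1), enrolled=False),                  # still within retention
    PrescreenRecord("PS-004", date(2022, 12, 1), enrolled=False,
                    destroyed_on=date(2024, 1, 5)),                               # already destroyed
]
SAMPLE_ACCOUNTS = [
    StaffAccount("alice", "recruitment_coordinator", True),
    StaffAccount("bob", "billing", True),           # access without a qualifying role
    StaffAccount("carol", "principal_investigator", True),
    StaffAccount("dan", "marketing", False),
]

if __name__ == "__main__":
    print("Due for secure destruction:", records_due_for_destruction(SAMPLE_RECORDS, AUDIT_DATE))
    print("Access review findings:", access_review_findings(SAMPLE_ACCOUNTS))
```

Run it as part of the quarterly access review the checklist calls for, export the two lists, and keep them with the review record; that export is the documentation item 10 asks for.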
Section 3: Patient Communication Compliance (Check These 5)
- 12. SMS messages containing health information use HIPAA-compliant messaging. Standard SMS (Twilio basic, most phone apps) is not HIPAA-compliant. If your automated pre-screening sequence contains health information, it must use a HIPAA-compliant SMS platform with a BAA.
- 13. Email containing PHI uses encrypted, BAA-covered email. Standard Gmail, Outlook, or Yahoo is not HIPAA-compliant for PHI. Use a HIPAA-compliant email service for any messages that include patient health information.
- 14. Review responses contain no PHI. Responding to Google or Yelp reviews that reference health conditions or visit details can constitute unauthorized PHI disclosure. Your response templates should never confirm that the reviewer was a patient or reference their health information.
- 15. Voicemails are handled appropriately. Leaving detailed health information on a voicemail that others may access is a compliance risk. Your policy should specify what information can be left in a voicemail versus what requires a callback.
- 16. Patient photos in marketing have signed authorization. Any photo that identifies a patient and references their health status requires a signed marketing authorization.
Section 4: Vendor Compliance (Check These 6)
- 17. Every vendor that touches PHI has signed a BAA. List every vendor in your recruitment stack and verify BAA status. Common gap: CRM platforms, scheduling tools, and email marketing platforms often lack BAAs on default plans.
- 18. Physician referral processes comply with HIPAA’s treatment exception. A physician sharing limited patient information for referral to a clinical trial must be within the treatment relationship and disclosure must be limited to what is needed for the referral.
- 19. Your recruitment vendor does not use PHI for targeting. Some patient recruitment platforms maintain patient databases built from health data. Using these platforms may constitute use of PHI you did not collect — verify the data sourcing with your vendor.
- 20. Staff training on HIPAA is documented annually. Every staff member who handles PHI must complete documented HIPAA training. Recruitment coordinators are specifically within scope.
- 21. A process exists to respond to patient data requests. Patients have the right to access and correct their PHI. Document how your site responds to these requests.
- 22. A breach notification procedure is documented. If PHI is exposed, you have a specific notification timeline (60 days for breach notification). Verify your procedure is documented and your staff knows it.
Your 48-Hour Compliance Audit
- List every vendor in your recruitment stack and check BAA status
- Verify your web form host is HIPAA-compliant
- Check whether your SMS platform has a BAA available
- Review your review response templates for PHI exposure
- Confirm annual HIPAA training is documented for recruitment staff
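The first three steps of the 48-hour audit, and items 8, 9, 12, 13 and 17 above, all come down to one inventory question: which vendors touch PHI, do they have a BAA, and is the patient-facing endpoint served over HTTPS. The script below is an added example, not part of the original article or any vendor's tooling. It runs over a constructed vendor inventory and reports each gap against the checklist item it relates to; the mapping from vendor category to item number is my own reading of the checklist, and the vendor names and URLs are made up.

```python
from dataclasses import dataclass
from typing import List, Tuple
from urllib.parse import urlparse


@dataclass(frozen=True)
class Vendor:
    name: str
    category: str        # "form", "crm", "sms", "email", "scheduling", "analytics", ...
    handles_phi: bool    # stores or processes PHI on the site's behalf
    baa_signed: bool
    endpoint: str = ""   # patient-facing URL, if the vendor has one


# Which checklist item a missing BAA falls under, by vendor category (assumed
# mapping based on the checklist text; anything else lands on the catch-all item 17).
BAA_ITEM_BY_CATEGORY = {"form": 8, "crm": 8, "sms": 12, "email": 13}


def audit_recruitment_stack(vendors: List[Vendor]) -> List[Tuple[int, str, str]]:
    """Return (checklist item, vendor name, finding) for every gap in the inventory."""
    findings = []
    for v in vendors:
        # A vendor that never sees PHI does not need a BAA, so analytics or ad tools
        # that only receive de-identified aggregates are not flagged here.
        if v.handles_phi and not v.baa_signed:
            item = BAA_ITEM_BY_CATEGORY.get(v.category, 17)
            findings.append((item, v.name, "handles PHI without a signed BAA"))
        # Item 9: health information must travel over HTTPS. A scheme check on the
        # inventory URL is the offline part; certificate validity is checked with the host.
        if v.endpoint:
            scheme = urlparse(v.endpoint).scheme.lower()
            if scheme != "https":
                findings.append((9, v.name,
                                 f"patient-facing endpoint not served over HTTPS ({scheme or 'no scheme'})"))
    return sorted(findings)


# Constructed inventory for a fictional site's recruitment stack.
SAMPLE_VENDORS = [
    Vendor("Compliant Form Host", "form", handles_phi=True, baa_signed=True,
           endpoint="https://prescreen.example/intake"),
    Vendor("Free Form Builder", "form", handles_phi=True, baa_signed=False,
           endpoint="http://forms.example/trial-screener"),
    Vendor("Basic SMS Gateway", "sms", handles_phi=True, baa_signed=False),
    Vendor("Ad Analytics", "analytics", handles_phi=False, baa_signed=False),
    Vendor("Appointment Scheduler", "scheduling", handles_phi=True, baa_signed=False),
]

if __name__ == "__main__":
    for item, name, finding in audit_recruitment_stack(SAMPLE_VENDORS):
        print(f"item {item:>2}: {name}: {finding}")
```

Keep the inventory as a versioned file and re-run the script whenever a tool is added to the stack; the sample output shows the typical pattern the checklist warns about, where a free form builder fails both the BAA and the HTTPS check at once.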
