ICH E6 has broader requirements than FDA or HHS concerning confidentiality of medical records and access by third parties. If investigators are complying with ICH E6 guideline, they must:
Clearly disclose to subjects in the informed consent form that the monitor, auditor, IRB/IEC, and the regulatory authorities may have access to the subject's medical records.
ICH (2016) E6 Section 4.8.10(n) states that the informed consent should indicate that "the monitor(s), the auditor(s), the IRB/IEC, and the regulatory authority(ies) will be granted direct access to the subject's original medical records for verification of clinical trial procedures and/or data, without violating the confidentiality of the subject, to the extent permitted by the applicable laws and regulations and that, by signing a written informed consent form, the subject or the subject's legally acceptable representative is authorizing such access."
The FDA regulations at 21 CFR 50.25(a)(5) (Protection of Human Subjects 2016) state only that in seeking informed consent, the following information shall be provided to each subject:. . . (5) A statement describing the extent, if any, to which confidentiality of records identifying the subject will be maintained and that notes the possibility that the Food and Drug Administration may inspect the records.
While it is true that data sent out of the U.S. loses certain federal protections, this statement is not required. The possibility of hacking data is a risk that should be addressed in the study design and conduct.
Non-disclosure forms are not required for communications with primary care providers.