Healthcare Information Security

Research Data Privacy Regulations Updated in Final Federal Rule

A recent final rule updates certain data privacy issues concerning research participants, including exempting secondary research involving identifiable private data.

By Elizabeth Snell

A final rule strengthening protections for research participants, including in areas of data privacy, was recently issued by the Department of Health and Human Services (HHS) and other federal agencies.

Current regulations, referred to as the “Common Rule,” have been in place since 1981. This was before the use of digital data and when the majority of research projects were performed at universities and medical institutions, according to HHS.

“The new rule strengthens protections for people who volunteer to participate in research, while ensuring that the oversight system does not add inappropriate administrative burdens, particularly to low-risk research,” HHS said in a statement. “It also allows more flexibility in keeping with today’s dynamic research environment.”

One new area established in the final rule is adding exempt categories of research based on the level of risk they pose to participants. There is now an exemption for secondary research involving identifiable private information if the research is HIPAA regulated and participants are protected under HIPAA.

Researchers also now have the option “of relying on broad consent obtained for future research as an alternative to seeking IRB approval to waive the consent requirement.” Furthermore, researchers are still not required to obtain consent for studies on non-identified stored data or biospecimens.

Dr. Jerry Menikoff directs the HHS Office for Human Research Protections, which led the regulation overhaul. Menikoff said the agency is optimistic that the changes will help reduce unnecessary administrative burdens and will help researchers and research participants.

“Over the years, many have argued that consent forms have become these incredibly lengthy and complex documents that are designed to protect institutions from lawsuits, rather than providing potential research subjects with the information they need in order to make an informed choice about whether to participate in a research study,” Menikoff said in a statement.

However, not all rule proposals were included in the final product.

For example, proposed standardized privacy safeguards for identifiable private information and identifiable biospecimens are not in the rule. Additionally, research involving non-identified biospecimens is not required to be subject to the Common Rule. Consent is also not required to conduct such research.

Several comments on the rule discussed how PII and PHI should be defined, with 10 arguing to replace the Common Rule's identifiability standard with either the Federal Government's concept of PII or HIPAA's definition of PHI.

“One state department of health and human services noted that adopting PII would be consistent with other confidentiality laws, policies, and industry standards that require organizations to protect the privacy and security of PII, achieving consistency across standards and helping organizations comply with the various privacy and security requirements,” the rule stated.

Regardless of the direction of the final rule, the majority of commenters agreed that additional guidance in this area of privacy and security will be necessary to reduce ambiguity.

The final rule did incorporate some proposed exclusions. These included human subjects research activities that either were considered low risk or already had appropriate safeguards in place independent of the Common Rule.

One such category included research regulated as “health care operations,” “public health activities,” or “research” under HIPAA.

Per HIPAA regulations, a covered entity is permitted, but not required, to use and disclose PHI without an individual’s authorization for certain public interest and benefit activities. This includes research, which is defined as “any systematic investigation designed to develop or contribute to generalizable knowledge.”

While HHS and other agencies have taken significant steps toward clarifying how research participants’ data may be used, it is still crucial for organizations to review applicable regulations, including HIPAA. Knowledge gained from research can be greatly beneficial, but patient data privacy cannot be overlooked.

