This chapter provides an overview of the ethical guidelines and United States regulations governing the privacy and confidentiality of individually identifiable information in human subject research. The chapter is organized into three parts:
- Ethical codes governing research,
- Major regulations, and
- Practical issues that come up in applying the regulations.
In addition, please see the following section for some basic definitions related to human subject research privacy.
Basic Definitions
The privacy professional should have an understanding of the following basic terms related to research privacy: Research, Human Subject, Privacy, and Confidentiality. It is important to know and understand how to differentiate between a research situation involving human subjects and a health care situation involving patients in order to know which regulations apply to the situation. In addition, while the terms “privacy” and “confidentiality” are sometimes used in casual conversation to mean the same thing, it is important to distinguish between them for research purposes. The National Science Foundation provides the following useful definitions:[3]
Research. The Federal Policy for the Protection of Human Subjects (the Common Rule) and Health Insurance Portability and Accountability Act of 1996 (HIPAA) define “research” as “a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.”[4] Note that in this definition, “research” is not limited to human subject research. Food and Drug Administration (FDA) regulations do not define the term “research,” but instead define the term “clinical investigation” as “any experiment that involves a test article [regulated by the FDA] and one or more human subjects.”[5] A test article includes, but is not limited to, drugs, devices, or biologicals.
Human Subject. The Common Rule defines a “human subject” as:
a living individual about whom an investigator (whether professional or student) conducting research:
Obtains information or biospecimens through intervention or interaction with the individual, and uses, studies, or analyzes the information or biospecimens; or
Obtains, uses, studies, analyzes, or generates identifiable private information or identifiable biospecimens.
It also defines three terms used in that definition:
- “Intervention” means physical procedures and manipulations of the subjects or their environment (such as a blood draw),
- “Interaction” means communication or interpersonal contact between an investigator and a subject, and
- “Private information” means information about behavior that occurs in a context in which the individual can reasonably expect that no observation or recording is taking place, and information provided for a specific purpose by an individual with a reasonable expectation that it will not be made public (such as a medical record).[6]
The FDA defines a “human subject” as “an individual who is or becomes a participant in research, either as a recipient of the test article or as a control. A subject may be either a healthy human or a patient.”[7] While not stated, one can infer that FDA studies are, by definition, interventions.
HIPAA does not define “human subject,” but its requirements related to research apply only to protected health information (PHI), which is health information that can reasonably identify an individual (and will be discussed more fully later).[8] Of note, while the Common Rule definition of “human subject” refers to living individuals, and the FDA definition implies that participants are alive, in general, HIPAA also applies to the PHI of deceased individuals.[9] (There are, however, some provisions that provide some flexibility for the PHI of deceased individuals used in research that also will be discussed more fully later).
Privacy “refers to persons; and to their interest in controlling the access of others to themselves.”
Confidentiality “refers to data; and to the agreements that are made about ways in which information is restricted to certain people.”[10]
Ethical Codes Governing Research
Three ethical codes—the Nuremberg Code, the Belmont Report, and the Declaration of Helsinki—provide a historical context and an ethical framework from which to understand the specific US regulations that apply to research privacy. These codes were written primarily to address research activities that were deemed to pose serious harm to the human subjects involved and to standardize the protections of human subjects going forward. The focus, then, was to protect the individuals with only a minor concern over the confidentiality of the data involved.
The codes address broad themes related to the ethical conduct of research, such as:
- Obtaining individual consent of research participants,
- Respect for human subjects,
- Social justice,
- Good science,
- The limitation of risks and harm to subjects and making sure that risks taken are commensurate with the potential benefit of research,
- Both the investigator’s and the participant’s ability to end an individual’s participation in a trial, and
- An investigator’s ability to end a trial.
Written before today’s widespread concern about privacy and confidentiality, neither the Nuremberg Code nor the Belmont Report explicitly reference privacy or confidentiality. However, we can understand in today’s information-based society how the concepts of obtaining informed consent from research participants, and making sure that risks taken in research are commensurate to the potential benefit of the research, do relate to privacy and confidentiality. In particular, we understand the importance of informing research participants about how their individually identifiable information will be collected, used, disclosed, and protected, and obtaining their consent to use their information. In addition, the design of research studies must take into account, and provide adequate protections against, the financial, reputational, or other risks of individually identifiable information being breached or inappropriately used or disclosed.
The Declaration of Helsinki, although first adopted in 1964, has been updated repeatedly and now explicitly addresses the privacy and confidentiality concerns that arise in research today. Brief summaries of the three codes follow.
Nuremberg Code
In 1947, the US military tribunal in the Nuremberg “Doctors’ Trial” of physicians involved in Nazi human experimentation included in its verdict a set of directives for permissible human experimentation, which became known as “The Nuremberg Code.”[11] The code has ten points, three of which are relevant to a discussion of privacy:
- Consent,
- Avoiding all unnecessary physical and mental suffering and injury, and
- Ensuring that the degree of risk to be taken never exceeds that determined by the humanitarian importance of the problem to be solved by the experiment.
Belmont Report
In 1979, following the discovery of ethical lapses in medical research in the US, such as the 1932–1972 Tuskegee syphilis study (where African-American men with syphilis were not informed of their diagnosis and were denied medically appropriate treatment),[12] the National Commission for the Protection of Human Subjects of Biomedical and Behavioral Research published Ethical Principles and Guidelines for the Protection of Human Subjects of Research,[13] which is known as the Belmont Report, based on the conference center where it was in part developed.[14]
The Belmont Report identified the difference between medical practice and research, and determined that where research is taking place, three basic ethical principles need to be followed to protect human subjects:
- Respect for Persons. This principle relates to the individual autonomy of each person, notes that some individuals have “diminished autonomy,” and requires that those with diminished autonomy be adequately protected.
- Beneficence. This principle relates to doing no harm, maximizing possible benefits, and minimizing possible harms.
- Justice. This principle relates to the selection of research participants to assure that research does not inappropriately take advantage of disadvantaged populations.
The report expanded upon these ethical principles and applied them in three areas:
- Informed consent,
- Assessment of risks and benefits, and
- Selection of subjects.
Practical concepts that are identified in the report that relate to a discussion of privacy in research include the notion of requiring informed consent from research participants, and that the informed consent process provide participants with sufficient information about the study so that they can “understand clearly the range of risk and the voluntary nature of participation.”[15] Furthermore, the report identifies that a review committee should determine whether the risks to participants in a study are justified.
Declaration of Helsinki
A third ethical code governing research is the World Medical Association (WMA) Declaration of Helsinki—Ethical Principles for Medical Research Involving Human Subjects. The Declaration of Helsinki was adopted by the WMA in Helsinki, Finland, in 1964, and has been amended at subsequent WMA General Assemblies through 2013.[16]
The WMA is an international association of physicians, and the Declaration of Helsinki states that it applies to physicians engaged in research regardless of the legal or regulatory frameworks that may apply in the jurisdictions where their research is carried out.
The current version of the Declaration of Helsinki comprises 37 numbered paragraphs, including the following three that directly relate to privacy:
It is the duty of physicians who are involved in medical research to protect the life, health, dignity, integrity, right to self-determination, privacy, and confidentiality of personal information of research subjects.[17]
Every precaution must be taken to protect the privacy of research subjects and the confidentiality of their personal information.[18]
For medical research using identifiable human material or data, such as research on material or data contained in biobanks or similar repositories, physicians must seek informed consent for its collection, storage and/or reuse. There may be exceptional situations where consent would be impossible or impracticable to obtain for such research. In such situations the research may be done only after consideration and approval of a research ethics committee.[19]
Major Regulations
The four principal United States regulations governing the privacy and confidentiality of individually identifiable information in research discussed below are:
- Protection of Human Subjects (of which Subpart A is known as the Common Rule) (45 C.F.R. Part 46),
- FDA regulations on the Protection of Human Subjects and Institutional Review Boards (21 C.F.R. Parts 50 and 56),
- HIPAA Privacy Rule (45 C.F.R. Parts 160 and 164), and
- Public Health Service Act Certificates of Confidentiality (42 U.S.C. § 241(d)).
Regulatory “Who’s Who”
All four regulations are overseen by offices or operating divisions of the Department of Health & Human Services (HHS) as noted in Figure 1.

Common Rule
The Protection of Human Subjects regulation was first published in 1974 and updated in 1981 in response to the Belmont Report.[20] It was most recently updated in 2018. The regulation contains Subparts A through E as follows:
- Subpart A: Basic HHS Policy for Protection of Human Research Subjects,
- Subpart B: Additional Protections for Pregnant Women, Human Fetuses and Neonates Involved in Research,
- Subpart C: Additional Protections Pertaining to Biomedical and Behavioral Research Involving Prisoners as Subjects,
- Subpart D: Additional Protections for Children Involved as Subjects in Research, and
- Subpart E: Registration of Institutional Review Boards.
In 1983, the President’s Commission for the Study of Ethical Problems in Medicine and Biomedical and Behavioral Research issued “Implementing Human Research Regulations: The Adequacy and Uniformity of Federal Rules and of Their Implementation” (the Commission Report), which concluded that 45 C.F.R. Part 46, Subpart A should be the benchmark policy for federal agencies.[21] In 1991, Subpart A was adopted by 16 federal agencies and became known as the Common Rule.[22] Today, the Common Rule applies to 19 agencies, one of which is HHS.[23] Subparts B through E are not part of the Common Rule.
Applicability
The Common Rule “applies to all research involving human subjects conducted, supported, or otherwise subject to regulation by any federal department or agency”[24] that has adopted the Common Rule. The Common Rule addresses requirements to protect human subjects in general, with only a subsection of the rule addressing privacy and confidentiality requirements. In addition, the Common Rule “requires compliance with pertinent federal laws or regulations that provide additional protections for human subjects.”[25] Each institution engaged in research that is subject to federal regulation must provide a written assurance of compliance with the Common Rule, which may be filed centrally with the HHS Office for Human Research Protections (OHRP).[26]
Institutional Review Boards
The Common Rule requires human subject research to be reviewed by institutional review boards (IRBs). IRBs must perform both an initial review of proposed research and then conduct continuing reviews not less than once a year. The rule establishes the following criteria that must be met in order for an IRB to approve research:[27]
- Risks to subjects are minimized;
- Risks to subjects are reasonable in relation to anticipated benefits;
- Selection of subjects is equitable;
- Informed consent is sought from each prospective subject or their legally authorized representative;
- Informed consent is appropriately documented;
- When appropriate, the research plan makes adequate provisions for monitoring data to ensure the safety of subjects;
- When appropriate, there are adequate provisions to protect the privacy of subjects and to maintain the confidentiality of data; and
- When some or all of the subjects are likely to be vulnerable to coercion or undue influence, additional safeguards have been included in the study to protect the rights and welfare of these subjects.
While the rule makes IRBs directly responsible for assuring that human subject research studies adequately protect the privacy of subjects and the confidentiality of data, the rule does not provide any additional detail on the standards that an IRB should follow in order to do so. Typically, an IRB will require information on what personally identifiable information will be collected, used, and disclosed as part of the study, and how that information will be safeguarded, as part of a human subject research study’s application for approval. In addition, at least for organizations that are subject to HIPAA, IRBs will expect applicants to comply with HIPAA and to follow the organization’s HIPAA policies and procedures for both privacy and security, which are discussed more fully later.
It should be noted that the Common Rule also confers on IRBs the authority to suspend or terminate their approval of research.[28] Therefore, if a human subject research study fails to appropriately protect privacy and confidentiality, the IRB may halt the study.
General Requirements for Informed Consent
The Common Rule also establishes requirements for how informed consent is obtained, what it must contain, how it is documented, and when it may be waived.[29]
In general, the Common Rule requires that investigators provide subjects with “sufficient opportunity to discuss and consider whether or not to participate” in the study and that consent is obtained under circumstances that “minimize the possibility of coercion or undue influence.”[30] The Common Rule also requires that the informed consent use language understandable to the subject and specifies that the informed consent may not waive the subject’s legal rights or “release the investigator, the sponsor, the institution, or its agents from liability for negligence.”[31]
Of note for the privacy professional is that the IRB must determine in its review of a human subject research study that there are “adequate provisions to protect the privacy of subjects and to maintain the confidentiality of data.”[32] In addition, the Common Rule requires that the informed consent form explain to subjects “the extent, if any, to which confidentiality of records identifying the subject will be maintained.”[33] With the 2018 revision of the Common Rule, the form must also indicate whether or not “identifiers might be removed from the identifiable private information or identifiable biospecimens and that, after such removal, the information or biospecimens could be used for future research studies or distributed to another investigator for future research studies without additional informed consent.”[34]
Thus the Common Rule requires that subjects be told the extent to which the confidentiality of records identifying them will be maintained, but it does not require a study to outline for subjects specifically what information or types of information about the subject will be collected, used, or disclosed, or how the information will be protected, though such additional information may be provided. As discussed in a later section on HIPAA, for research being conducted by organizations covered by HIPAA, the HIPAA authorization will require more explicit communication regarding the information to be used or disclosed for research purposes.
IRB Alterations or Waivers
The Common Rule allows an IRB to alter requirements of the informed consent procedure or content or to waive obtaining informed consent if:
- The research involves no more than minimal risk to the subjects;
- The waiver or alteration will not adversely affect the rights and welfare of the subjects;
- The research could not practicably be carried out without the waiver or alteration; and
- Whenever appropriate, subjects will be given pertinent information after participation.[35]
The Common Rule also provides for the waiver or alteration of informed consent for public benefit programs research.[36]
Common Rule Privacy Summary
The Common Rule’s privacy requirements can be summarized with the following:
- The IRB must determine whether there are adequate provisions to protect the privacy of subjects and to maintain the confidentiality of data.[37]
- The informed consent form must state the extent, if any, to which confidentiality of records identifying the subject will be maintained.[38]
- The informed consent form must include a statement that (i) identifiers might be removed from identifiable private information or identifiable biospecimens and that, after such removal, they could be used for future research studies without additional informed consent, or (ii) the subject’s information or biospecimens collected as part of the research, even if identifiers are removed, will not be used or distributed for future research studies.[39]
- The IRB may waive or alter the process or content requirements for informed consent.[40]
- Documentation of informed consent may be waived in limited, minimal-risk situations.[41]