Regulations Governing Research (2013 update) - Retired

Editor's note: This practice brief supersedes the 2011 practice brief "Regulations Governing Research."

The US Department of Health and Human Services (HHS) and other federal agencies and departments including the Office for Human Research Protections, Department of Education, the National Science Foundation, and the Consumer Product Safety Commission jointly promulgated regulations now known as the "common rule" regarding the protection of human subjects involved in research. For purposes of these regulations, "research" is defined as "a systematic investigation including research development, testing, and evaluation designed to develop or contribute to generalizable knowledge."1

This practice brief reviews the federal regulations that affect research and the requirements regarding the use and protection of an individual's information.

Federal Regulations Regarding Research

The Common Rule is a basic set of protections for all human subjects of research conducted or supported by HHS. The common rule requires, among other things, that an institutional review board (IRB) review all research protocols under its purview even if informed consent to participate in the research study or protocol is to be obtained from individual participants.

Certain research activities are exempt from HHS and common rule oversight, including "research involving the collection or study of existing data, documents, records, pathological specimens, or diagnostic specimens, if these sources are publicly available or if the information is recorded by the investigator in such a manner that subjects cannot be identified, directly or through identifiers linked to the subjects."2

However, research involving human subjects is generally regulated under the common rule. According to HHS regulations, "human subjects" are defined as "living individuals about whom an investigator conducting research obtains either data through intervention or interaction with the individual or identifiable private information." Research involving existing databases or abstract data from medical records falls under the same rules relating to access of protected health information (PHI).3

The Food and Drug Administration (FDA) also imposes similar regulations on research involving human subjects. For FDA purposes, "human subject" means "an individual who is or becomes a participant in research, either as a recipient of the test article or as a control. A subject may be either a healthy individual or a patient."4

Each institution engaged in research covered by the common rule and conducted or supported by a federal department or agency must provide written assurance satisfactory to the department or agency head that it will comply with the common rule's requirements. While completely private funding for research may exist, it is not common, nor is it under federal control, and the common rule requirements do not apply. If an organization meets the definition of covered entity (CE) for purposes of HIPAA and does not otherwise participate in federally funded research, only HIPAA's research rules would apply. If, however, an organization meets the CE definition under HIPAA, conducts federally funded research, and has given written assurances of compliance with the common rule, it must adhere to both sets of regulations.

Minimum Provisions

The common rule requires that research be reviewed and approved by an IRB and subject to continuing review by the IRB. At a minimum, the organization conducting research must provide:

  • A statement of principles governing the institution in the discharge of its responsibilities for protecting the rights and welfare of human subjects of research conducted at or sponsored by the institution
  • Designation of an IRB, including sufficient staff to support the IRB's review and record-keeping duties
  • A list of IRB members identified by name, earned degrees, representative capacity, indications of experience such as board certifications and licenses sufficient to describe each member's chief anticipated contributions to IRB deliberations
  • Written procedures that the IRB will follow for conducting review of research and for reporting its findings and actions to the investigator and the institution; for determining which projects require review more often than annually and which projects need verification from sources other than the investigators that no material changes have occurred since previous IRB review; and for ensuring prompt reporting to the IRB of proposed changes in a research activity
  • Written procedures for ensuring prompt reporting to the IRB, appropriate institutional officials, and the federal authority of any unanticipated problems involving risks to subjects or others, any serious or continuing noncompliance, or any suspension or termination of IRB approval

IRB Membership

The composition of the IRB is also dictated by regulation. Each organization must ensure the IRB has at least five members with varying backgrounds to promote complete and adequate review of research activities commonly conducted by the organization. The IRB shall be sufficiently qualified through the experience, expertise, and diversity of the members, including consideration of race, gender, and cultural backgrounds and sensitivity to issues such as community attitudes, to promote respect for its advice and counsel in safeguarding the rights and welfare of human subjects.

In addition to possessing the professional competence necessary to review specific research activities, the IRB must be able to ascertain the acceptability of proposed research in terms of institutional commitments and regulations, applicable law, and standards of professional conduct and practice. IRB membership must be diverse, with members from the scientific and non-scientific community represented. At least one member must not be affiliated with the organization and the IRB may invite individuals with competence in special areas to assist in the review of issues that require expertise in addition to that available on the IRB.

Expedited Review

Not all areas of research must undergo scrutiny of the full IRB membership. A process known as "expedited review" has been established for research activities that present no more than minimal risk to human subjects and that involve procedures listed in the categories below. The IRB chairperson may request expedited review by one or more experienced reviewers designated by the chairperson from among members of the IRB. Each IRB that uses an expedited review procedure must ensure that all members are advised of research proposals that have been approved under the expedited review procedure.

It is important to note that expedited reviews may not be used where identification of the subjects or their responses would reasonably place them at risk of criminal or civil liability or be damaging to their financial standing, employability, insurability, or reputation; nor should it be used when identification could be stigmatizing, unless reasonable and appropriate protections are implemented so that risks related to invasion of privacy and breach of confidentiality are no greater than minimal. Requirements for informed consent (or its waiver, alteration, or exception) apply to both expedited and full IRB review.

The categories of research eligible for expedited review are listed below:

  • Clinical studies of drugs and medical devices only when an investigational new drug application is not required or research on medical devices for which an investigational device exemption application is not required
  • Collection of blood samples by finger stick, heel stick, ear stick, or venipuncture from certain classes of persons
  • Prospective collection of biological specimens for research purposes by noninvasive means such as hair or sputum samples
  • Collection of data through noninvasive procedures such as physical sensors that are applied to the surface of the body
  • Research involving materials (data, documents, records, or specimens) that have been collected, or will be collected, solely for nonresearch purposes (such as medical treatment or diagnosis)
  • Collection of data from voice, video, digital, or image recordings made for research purposes
  • Research on individual or group characteristics or behavior or research employing survey, interview, oral history, focus group, program evaluation, human factors evaluation, or quality assurance methodologies
  • Continuing review of research previously approved by the convened IRB
  • Continuing review of research, not conducted under an investigational new drug application or investigational device exemption, where categories two through eight do not apply but the IRB has determined and documented at a convened meeting that the research involves no greater than minimal risk and no additional risks have been identified

Informed Consent

A research investigator may not involve a human being as a subject in research unless the investigator has obtained a legally effective informed consent from the research subject. The information that is given to the research subject must be in plain language and contain at least the following:

  • A statement that the study involves research, an explanation of the purposes of the research, the expected duration of the subject's participation, a description of the procedures to be followed, and identification of any procedures that are experimental
  • A description of any reasonably foreseeable risks or discomforts to the subject
  • A description of any benefits to the subject or to others that may reasonably be expected from the research
  • A disclosure of appropriate alternative procedures or courses of treatment, if any, that might be advantageous to the subject
  • A statement describing the extent, if any, to which confidentiality of records identifying the subject will be maintained
  • For research involving more than minimal risk, an explanation as to whether any compensation and an explanation as to whether any medical treatments are available if injury occurs and, if so, what they consist of or where further information may be obtained
  • Contact information for answers to pertinent questions about the research and research subjects' rights and in the event of a research-related injury to the subject
  • A statement that participation is voluntary, refusal to participate will involve no penalty or loss of benefits to which the subject is otherwise entitled, and the subject may discontinue participation at any time without penalty or loss of benefits to which the subject is otherwise entitled

If appropriate and necessary, one or more of the following elements of information may also be provided to the research subject:

  • A statement that the particular treatment or procedure may involve risks to the subject (or to the embryo or fetus, if the subject is or may become pregnant), which are currently unforeseeable
  • Anticipated circumstances under which the subject's participation may be terminated by the investigator without regard to the subject's consent
  • Any additional costs to the subject that may result from participation in the research
  • The consequences of a subject's decision to withdraw from the research and procedures for orderly termination of participation by the subject
  • A statement that significant new findings developed during the course of the research that may relate to the subject's willingness to continue participation will be provided to the subject
  • The approximate number of subjects involved in the study

General information on informed research consent can be found at 45 CFR 46.116(a)(8) and 45 CFR 46.116(b)(2) and (4) in the Federal Register.

Waiver of Informed Consent

An IRB has the power to dispense with the need for written consent from the research subject. The IRB may approve a process that does not include, or which alters, some or all of the elements of informed consent set forth above or may waive the requirement to obtain informed consent provided the IRB finds and documents that:

  • The research is to be conducted by or is subject to the approval of state or local government officials and is designed to study, evaluate, or otherwise examine public benefit or service programs; procedures for obtaining benefits or services under those programs; possible changes in or alternatives to those programs or procedures; or possible changes in methods or levels of payment for benefits or services under those programs
  • The research could not practicably be carried out without the waiver or alteration

An IRB may also approve a consent procedure that does not include, or which alters, some or all of the elements of informed consent or waive the requirement to obtain informed consent if the IRB has documented evidence presented to it that:

  • The research involves no more than minimal risk to the subjects
  • The waiver or alteration will not adversely affect the rights and welfare of the subjects
  • The research could not practicably be carried out without the waiver or alteration
  • Whenever appropriate, the subjects will be provided with additional pertinent information after participation

An IRB may also waive the requirement for the investigator to obtain a signed consent form for some or all subjects if it finds either that:

  • The only record linking the subject and the research would be the consent document and the principal risk would be potential harm resulting from a breach of confidentiality; each subject will be asked whether the subject wants documentation linking the subject with the research, and the subject's wishes will govern.
  • The research presents no more than minimal risk of harm to subjects and involves no procedures for which written consent is normally required outside of the research context.

While waiver or alteration of consent or authorization may be allowed, these threshold determinations by and through an IRB must take place. For example, even an investigator who wants to use an existing database to create a mailing to recruit participants into a study will require an IRB review to ensure that the minimal risk determinations are appropriately made. And in cases in which the written documentation of informed consent or authorization requirement is waived, the IRB may still require the investigator to provide research subjects with a written statement regarding the research.

IRB/Privacy Board Approval

HIPAA allows for research without individual authorization, under the following conditions (45 CFR 164.512 (i)(1)(i)):

  • An IRB, established in accordance with relevant CFRs, has approved the waiver or alteration of the individual authorization required by Section 164.508 for use or disclosure of PHI
  • The privacy board includes:
    • A varied membership with appropriate professional competency to adequately review the research request and evaluate the effect of the research on an individual's privacy rights
    • At least one member who is not associated with the CE, the researcher, or sponsor of research, and not related to anyone associated with the CE, researcher, or sponsor of research
    • No members who participate in the review of any project while having a conflict of interest

The IRB or privacy board must upon the approval of the research:

  • Document the date the alteration or waiver of authorization was approved
  • State that the alteration or waiver of authorization satisfies the three criteria in the rule
  • Briefly describe the PHI to be used or accessed
  • Document that the alteration or waiver of authorization has been reviewed and approved under normal or expedited review procedures
  • Record the signature of the chair or acting chair of the IRB or privacy board, as applicable

For an IRB or privacy board to approve a waiver of authorization, three criteria must be met:

  • There is no more than a minimal risk to the privacy of individuals included in the research
  • The research could not be conducted without the waiver of authorization or alteration
  • The research could not be conducted without access to and use of the PHI5

Preparatory to Research

Under HIPAA's requirements, a CE does not need to obtain an authorization for use and disclosure of PHI when the use is preparatory to research and the researcher documents that:

  • The use of PHI is to prepare a research protocol or another similar purpose
  • No PHI will be removed from the CE by the researcher
  • The PHI is necessary for research purposes

Decedent Information

A CE does not need to obtain an authorization for use and disclosure of PHI when the use is regarding a decedent. The researcher must document that the use of PHI is for research and that the PHI is necessary for the research purpose. The researcher must also document the death of the individuals if the CE requests it. Though the Omnibus Rule states that a decedent's health information is no longer considered PHI after 50 years, the organization may still request proof of death prior to releasing the information if it does not have a record of the patient's death.

Limited Data Sets

A CE and a researcher may enter into an agreement for use of a limited data set (Section 164.514(e)) only for the purposes of research, public health, or healthcare operations. A limited data set is data with the following 16 direct identifiers of the individual, or of relatives, employers, or household members of the individual excluded or removed:

  • Name
  • Address
  • Telephone number
  • Fax number
  • E-mail address
  • Social Security number
  • Medical record number
  • Health plan beneficiary number
  • Account numbers
  • Certificate/license numbers
  • Vehicle identification numbers and license plate numbers
  • Device identifiers and serial numbers
  • Web universal resource locators (URLs)
  • Internet protocol (IP) address numbers
  • Biometric identifiers, including finger and voice prints
  • Full face photographic images and any comparable images

The limited data use agreement must document the permitted uses and disclosures of the information, who is permitted to use or receive the limited data set, and that the researcher agrees to:

  • Not use or further disclose the information except according to the terms of the agreement
  • Use appropriate safeguards to prevent misuse or inappropriate disclosure
  • Report to the CE any misuse or inappropriate disclosure
  • Ensure that any agents, including a subcontractor, agree to the terms and conditions of the limited data use agreement
  • Not identify the information or contact the individuals

Privacy and Research

The HIPAA privacy rule builds on the existing federal research protections. When research is performed without individual authorization, the CE must obtain one of the following:

  • IRB or privacy board approval in accordance with provisions above
  • Representations from the researcher that the use or disclosure of the PHI is solely to prepare a research protocol or for similar purposes preparatory to research
  • Representations from the researcher that use or disclosure is solely for research on the PHI of decedents
  • Limited data set use agreement entered into by both the CE and researcher

Organizations must ensure that research activities include mechanisms to keep PHI confidential. They must:

  • Determine if the IRB will make decisions regarding access to PHI. 
    • If the organization has not sanctioned an IRB, it should establish a privacy board to make determinations regarding access to PHI for research beyond healthcare operations.
  • Determine how PHI requests for preparatory research activities will be addressed.
  • Determine how decedent PHI requests will be addressed.
  • Determine if they will accept approvals from an outside IRB.
  • Educate IRB or privacy board members on privacy and security policies and procedures.

Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules outline new standards for the sale of PHI, compound authorizations for research, and authorizing future research use and disclosure. They also clarify that researchers, IRBs, and privacy boards are not business associates.

Sale of PHI and Research

The prohibition on sale of PHI states that a CE must obtain a valid authorization for any disclosure of PHI for which it receives remuneration in exchange for the PHI. The authorization must include a statement that the disclosure will result in remuneration to the covered entity.

A research exception can be found in section 164.502(A), which states that if the purpose of the exchange of PHI is for research (as described in sections CFR 164.512 (i) or 164.514 (e)) and the price charged reflects a reasonable cost-based fee for the preparation and transmittal of the data for such purpose, no authorization is required.

Research Authorizations

Compound authorizations (164.508(b)(3)(i) and (iii)) have been amended to allow compound (conditioned and unconditioned) authorizations for research. The research authorization must clearly differentiate between the conditioned and unconditioned research components. Individuals must be able to easily opt out of the unconditioned research activities. This provision does not apply to psychotherapy notes.

Compound authorizations for research can include an authorization for use of PHI in a clinical trial and optional sub-studies or biospecimen banking that also permits future secondary use of the data (to the extent the authorization meets the future use requirements). Authorizations are still allowed to be combined with the informed consent documents for the research study.

Authorizations for future research use or disclosure (164.508(c)(1)(iv)) still follow the HIPAA authorization elements. The "purpose" interpretation has changed for research. An authorization for uses and disclosures of PHI for future research must adequately describe what the individual is to expect when his or her PHI may be used or disclosed for future research. In addition, the description of the PHI may include information collected beyond the time of the original study.

Withdrawal from Research

On September 21, 2010, the Office for Human Research Protections published additional guidance regarding withdrawal of subjects from research. The guidance is based on 45 CFR 46.116(a)(8), which states that subjects have the right to withdraw from or discontinue participation in research studies at any time. The Office for Human Research Protections recommends that investigators always plan for the possibility that subjects will withdraw from research. If a subject decides to withdraw from a study, the investigator must discontinue all activities including:

  • Interacting with the subject in order to obtain data for the study
  • Obtaining additional identifiable private information about the subject by collecting or receiving information from any source
  • Obtaining additional identifiable private information about the subject by observing or recording private behavior without direct intervention (e.g., using video cameras)


1. US Department of Health and Human Services. "Protection of Human Subjects." Code of Federal Regulations, 2009. 45 CFR, Part 46.

2. "Protection of Human Subjects," Section 101.

3. "Protection of Human Subjects," Section 102.

4. US Department of Health and Human Services. "Food and Drugs." Code of Federal Regulations, 2002. 21 CFR, Part 56, Section 102.

5. Office for Civil Rights. "Medical Privacy - National Standards to Protect the Privacy of Personal Health Information." Section "Research."


Amatayakul, Margret. "Another Layer of Regulations: Research Under HIPAA." Journal of AHIMA 74, no. 1 (2003): 16A-16D.

Office for Human Research Protections. "Guidance on Withdrawal of Subjects from Research: Data Retention and Other Related Issues." Federal Register 75, no. 182 (Sept. 21, 2010): 57469-70.

Updated (2013) by

Diana Warner, MS, RHIA, CHPS, FAHIMA

Update Acknowledgements:

Angela Dinh Rose, MHA, RHIA, CHPS
Beth Liette, MS, RHIA
Deanna Panzarella, CHPS
Cheryl Rogers, RHIA, CDIP, CCDS
Rayna Scott, MS, RHIA, CHDA
Kim Turtle Dudgeon, RHIT, HIT Pro-IS/TS CMT
Lou Ann Wiedemann, MS, RHIA, CDIP, FAHIMA, CPEHR

Update (2011) by

Patricia Cunningham, MS, RHIA


Rebecca Clayton, RHIT, CCS
Jan DeSpiegelaere, MBA, RHIA, CCS, FAHIMA
Angela Dinh, MHA, RHIA, CHPS
Julie Dooling, RHIT
Stacy Jowers Dorris, MBA, RHIA, CPHQ
Renato L. Estrella, MSHA, RHIA, FAHIMA
Lisa Fink, MBA, RHIA, CPHQ
Gwen Jimenez, RHIA
Mona Nabers, MBA, RHIA
Lori Nobles, RHIA
Debi Primeau, RHIA, FAHIMA, MA
Mary Stanfill, MBI, RHIA, CCS, CCS-P, FAHIMA
Diana Warner, MS, RHIA, CHPS
Lou Ann Wiedemann, MS, RHIA, FAHIMA, CPEHR
Allison Viola, MBA, RHIA

Original (2003) Prepared by

Jill Burrington-Brown, MS, RHIA 
Dorothy G. Wagg, JD, RHIA, CHP

Acknowledgments (original)

Beth Hjort, RHIA, CHP
Harry Rhodes, MBA, RHIA

Article citation:
AHIMA Practice Brief. "Regulations Governing Research (2013 update) - Retired" (Updated May 2013)