Learn About Ethical and Legal Aspects

Protect Human Research Participants

Informed Consent
What is informed consent?
Informed consent is a process for making sure that patients and caregivers who give information to a registry understand how that information will be used. Registry participants sign a form stating they understand the reason for participating in your registry. By signing the form, participants show that they agree to voluntarily share their personal and rare disease information.

You are responsible for informing participants about the information you intend to collect and how the information will be used. You also need to explain who will have access to the information and how the registry might affect participants. You must answer registry participants’ questions and give them regular updates about the registry after they’ve signed the informed consent form.

How does informed consent apply to registries?
If you plan to share participant information from your registry with researchers who are developing treatments for rare diseases, you must get participants’ informed consent. Without informed consent from registry participants and their legal guardian, you can’t give patient data to researchers.

Institutional Review Board (IRB)
What is an IRB?
An IRB is responsible for protecting the rights and welfare of people who participate in research studies. An IRB is a group of people with diverse backgrounds, such as healthcare professionals, patient advocates, and non-science professionals.

The IRB will review studies, including clinical trials that use registries, before the studies begin recruiting participants. Based on its review, the IRB either approves or does not approve each study.

The IRB can require changes to the study plans. These changes typically ensure that risks to participants are limited and the study collects informed consent. The IRB might also require changes to protect participants’ privacy and make sure that the study follows all relevant laws and rules. The IRB also has the authority to monitor the research once it starts.

How does the IRB apply to registries?
If you plan to share participant information from your registry with researchers, an IRB must first review the clinical trial that your participants are being asked to join.

The Federal Policy for the Protection of Human Subjects ('Common Rule')
What is the Common Rule?
The Common Rule is a federal policy that protects personally identifiable information of participants in federally funded research studies. Personally identifiable information is information that could be used to identify the participant.

How does the Common Rule apply to registries?
If a researcher invites your registry members to participate in a federally funded study, the researcher has to follow the Common Rule.

Know U.S. Laws & Regulations

The Health Insurance Portability and Accountability Act (HIPAA)
HIPAA prevents improper sharing of sensitive patient information (also known as protected health information [PHI]). Any health information that can be used to identify a person is PHI. Examples of PHI include 18 identifiers (e.g., name, address, birth date, and Social Security number). A full list of PHI types is available on the National Institutes of Health website.

HIPAA protects patient privacy and protects patient data from theft and fraud. Personally identifiable information is data that other people could use to figure out who a participant is. Patients who want to share their health data with health care professionals must give permission to release their PHI.

This table compares the HIPAA rules that protect the privacy and security of PHI.

| | Patient Privacy | Data Security |
|---|---|---|
| What is it? | Protects the use of patient information and puts policies in place to ensure that patient information is being collected, shared, and used in appropriate ways. | Focuses on protecting patient information from malicious computer attacks and the stealing of patient information for profit. |
| Rule | HIPAA Privacy Rule | HIPAA Security Rule |
| How can I apply the rule? | Your registry can: • De-identify patient information. • Use patient information only for purposes mentioned in the informed consent. • Share patient information only with those mentioned in the informed consent. | Your registry can: • Convert the data into special codes that hide the information from people who don’t have permission to see the data. • Control who has access to the data. • Give people with different needs access to different types of information (such as more-detailed or less-detailed information). |

How does HIPAA apply to registries?
If you plan to share PHI from your registry with researchers, you need to follow HIPAA. HIPAA can help you protect the information in your registry from hackers and other people who could change or use the data without your permission or the permission of your registry participants.


Food and Drug Administration (FDA) Regulations
What are the FDA regulations?
FDA rules protect people who participate in research studies that FDA regulates. FDA rules protect research participants’ privacy and the confidentiality of their information used in research.

FDA publishes its rules in Title 21 of the Code of Federal Regulations (CFR) (also known as 21 CFR). The Federal Register is the official daily publication of U.S. government rules, proposed rules, and notices. The federal government updates the CFR once a year.

How do FDA regulations apply to registries?
If the participant information collected in your rare disease patient registry will be used in research involving an FDA-regulated food or drug, and if it requires an informed consent, you must follow the regulations outlined in 21 CFR. If your registry’s participant information will be used in a U.S. Department of Health and Human Services (HHS) study, the regulations in 21 CFR part 50 and 45 CFR part 46 must be followed. Where the regulations differ, those that offer the greater protection to participants should be followed.

Federal Information Security Management Act (FISMA)
What is FISMA?
FISMA protects against the unauthorized use of electronic and paper information that contains federal data. This also applies to information associated with National Institutes of Health grants and contracts. FISMA prevents people who don’t have permission from having access to protected information in data systems, such as registries, that have funding from the federal government.

How does it apply to registries?
The law covers registries that collect, store, use, or send patient data on behalf of a federal agency. The law also covers registries that receive money through a federal grant or contract.

Be Informed of International Laws

General Data Protection Regulation (GDPR)
What is the GDPR?
The GDPR is a regulation that sets guidelines for collecting and processing personal information from individuals who live in the European Union (EU) and the European Economic Area. The 27 member countries of the EU share a set of economic and political policies. Three other countries (Iceland, Liechtenstein, and Norway) are part of the European Economic Area, which allows these countries to be part of the single EU market.

The GDPR also regulates the release of personal information outside the EU and European Economic Area. The GDPR simplifies regulations that give individuals control over their personal information regardless of where in the world that information is used.

How does the GDPR apply to registries?
If your registry includes participants from the EU or European Economic Area, it must comply with the GDPR. These regulations apply to the personally identifiable information of people in the registry, regardless of the location of the registry.

Resources

Protect Human Research Participants
Know U.S. Laws & Regulations
HIPAA Basics – Privacy and Security, U.S. Department of Health and Human Services (HHS)
Be Informed of International Laws

As soon as you decide to create a registry, become familiar with the ethical and legal responsibilities of running a registry. If you don’t follow the laws and rules from the beginning of your registry, your registry might not be usable for research or, ultimately, the treatment-approval process.

Make sure that your registry follows local, state, and federal laws and rules that cover the collection of personal and health information. In some cases, you need to follow international laws and rules as well. Which rules and regulations your registry needs to follow depends on the type of information the registry collects, how the registry will be used, and who gives and uses the information.

It might be a good idea to talk to a lawyer or ethics expert. These experts can help make sure that your registry follows the relevant laws and rules.
