Learn About Ethical and Legal Aspects

Know U.S. Laws & Regulations

The Health Insurance Portability and Accountability Act (HIPAA)
HIPAA prevents improper sharing of sensitive patient information (also known as protected health information [PHI]). Any health information that can be used to identify a person is PHI. Examples of PHI include 18 identifiers (e.g., name, address, birth date, and Social Security number). A full list of PHI types is available on the National Institutes of Health website.

HIPAA protects patient privacy and protects patient data from theft and fraud. Personally identifiable information is data that other people could use to figure out who a participant is. Patients who want to share their health data with health care professionals must give permission to release their PHI.

This table compares the HIPAA rules that protect the privacy and security of PHI.

Patient Privacy
Data Security
What is it? Protects the use of patient
information and puts policies
in place to ensure that patient information is being collected,
shared, and used in
appropriate ways.
Focuses on protecting
patient information from malicious computer attacks and the stealing of patient information for profit.
Rule HIPAA Privacy Rule HIPAA Security Rule
How can I apply the rule? Your registry can:
  • De-identify patient information.
  • Use patient information for purposes only mentioned in the informed consent.
  • Share patient information only with those mentioned in the informed consent.
Your registry can:
  • Convert the data into special codes
    that hide the information from people who don’t have permission to see the data.
  • Control who has access to the data.
  • Give people with different needs access to different types of information (such as more-detailed or less-detailed information).

How does HIPAA apply to registries?
If you plan to share PHI from your registry with researchers, you need to follow HIPAA. HIPAA can help you protect the information in your registry from hackers and other people who could change or use the data without your permission or the permission of your registry participants.

Food and Drug Administration (FDA) Regulations
What are the FDA regulations?
FDA rules protect people who participate in research studies that FDA regulates. FDA rules protect research participants’ privacy and the confidentiality of their information used in research.

FDA publishes its rules in Title 21 of the Code of Federal Regulations (CFR) (also known as 21 CFR). The Federal Register is the official daily publication of U.S. government rules, proposed rules, and notices. The federal government updates the CFR once a year.

How do FDA regulation apply to registries?
If the participant information collected in your rare disease patient registry will be used in research involving an FDA-regulated food or drug, and if it requires an informed consent, you must follow the regulations outlined in 21 CFR. If your registry’s participant information will be used in a U.S. Department of Health and Human Services (HHS) study, the regulations in 21 CFR part 50   and 45 CFR part 46 must be followed. Where the regulations differ, those that offer the greater protection to participants should be followed.

Federal Information Security Management Act (FISMA)
What is FISMA?
FISMA protects the unauthorized use of electronic and paper information that contains federal data. This also applies to information associated with National Institutes of Health grants and contracts. FISMA prevents people who don’t have permission from having access to protected information in data systems, such as registries, that have funding from the federal government.

How does it apply to registries?
The law covers registries that collect, store, use, or send patient data on behalf of a federal agency. The law also covers registries that have money through a federal grant or contract.




Know U.S. Laws & Regulations
HIPAA Basics – Privacy and Security U.S. Department of Health and Human Services (HHS) (link)
Be Informed of International Laws