| Federal Regulation |
Protection for Human Subjects (45 CFR 46) |
HIPAA Privacy Rule(45 CFR 160 and 164) |
| Department of Defense (DoD) Implementing Regulation |
Protection of Human Subjects (32 CFR 219); Protection of Human Subjects and Adherence to Ethical Standards in DoD-Supported Research (DoDI 3216.02) |
DoD Health Information Privacy Regulation (DoD 6025.18-R) |
| Primary Purpose |
Protect individuals who are the subject of research projects. Consideration is given to how various aspects of the research project, including privacy, confidentiality, data collection, data maintenance and data retention, impact physical, emotional, financial, and informational harms |
Protect individuals against information harm while allowing the necessary flow of health information with specific rules pertaining to the privacy and security of protected health information (PHI) |
| Threshold Requirement |
Informed consent from each research participant (oral and/or written) |
HIPAA Authorization from each research participant (must be written and signed) |
| Enforcement |
Office for Human Research Protections, United States Department of Health and Human Service (HHS), and DoD Assistant Secretary of Defense for Research and Engineering |
Office for Civil Rights, HHS |
| Administration |
Institutional Review Boards (IRBs) |
IRBs or HIPAA Privacy Boards |
| Exemptions |
Human Research Protection Officials (HRPOs) and/or IRBs can exempt certain research projects from IRB review in accordance with 32 CFR 219.101(b) |
None. All research projects seeking PHI from a HIPAA covered entity, including Defense Health Agency (DHA), must comply with the HIPAA Privacy Rule |