Back to Top Skip to main content

HIPAA Privacy Rule vs. Common Rule

The Difference Between the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, also known as the “Privacy Rule,” and the Federal Policy for the Protection of Human Subjects, also known as the “Common Rule”

Researchers seeking to access and/or obtain Military Health System (MHS) data for research purposes must adhere to the separate and distinct requirements within the Common Rule and the Privacy Rule.

The chart and narrative below set forth the primary differences between the two applicable regulations. 

  The Common Rule The HIPAA Privacy Rule
Federal Regulation Protection for Human Subjects (45 CFR 46) HIPAA Privacy Rule(45 CFR 160 and 164)
Department of Defense (DoD) Implementing Regulation Protection of Human Subjects (32 CFR 219); Protection of Human Subjects and Adherence to Ethical Standards in DoD-Supported Research (DoDI 3216.02) DoD Health Information Privacy Regulation (DoD 6025.18-R)
Primary Purpose Protect individuals who are the subject of research projects. Consideration is given to how various aspects of the research project, including privacy, confidentiality, data collection, data maintenance and data retention, impact physical, emotional, financial, and informational harms Protect individuals against information harm while allowing the necessary flow of health information with specific rules pertaining to the privacy and security of protected health information (PHI)
Threshold Requirement Informed consent from each research participant (oral and/or written) HIPAA Authorization from each research participant (must be written and signed)
Enforcement Office for Human Research Protections, United States Department of Health and Human Service (HHS), and DoD Assistant Secretary of Defense for Research and Engineering Office for Civil Rights, HHS
Administration Institutional Review Boards (IRBs) IRBs or HIPAA Privacy Boards
Exemptions Human Research Protection Officials (HRPOs) and/or IRBs can exempt certain research projects from IRB review in accordance with 32 CFR 219.101(b) None. All research projects seeking PHI from a HIPAA covered entity, including Defense Health Agency (DHA), must comply with the HIPAA Privacy Rule

DHA Address: 7700 Arlington Boulevard | Suite 5101 | Falls Church, VA | 22042-5101

Some documents are presented in Portable Document Format (PDF). A PDF reader is required for viewing. Download a PDF Reader or learn more about PDFs.