The Difference Between the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, also known as the “Privacy Rule,” and the Federal Policy for the Protection of Human Subjects, also known as the “Common Rule”
Researchers seeking to access and/or obtain Military Health System (MHS) data for research purposes must adhere to the separate and distinct requirements within the Common Rule and the Privacy Rule.
The chart and narrative below set forth the primary differences between the two applicable regulations.
| | The Common Rule | The HIPAA Privacy Rule |
| --- | --- | --- |
| Federal Regulation | Protection for Human Subjects (45 CFR 46) | HIPAA Privacy Rule (45 CFR 160 and 164) |
| Department of Defense (DOD) Implementing Regulation | Protection of Human Subjects (32 CFR 219); Protection of Human Subjects and Adherence to Ethical Standards in DOD-Supported Research (DoDI 3216.02) | DOD Health Information Privacy Regulation (DOD 6025.18-R) |
| Primary Purpose | Protect individuals who are the subject of research projects. Consideration is given to how various aspects of the research project, including privacy, confidentiality, data collection, data maintenance and data retention, impact physical, emotional, financial, and informational harms | Protect individuals against information harm while allowing the necessary flow of health information with specific rules pertaining to the privacy and security of protected health information (PHI) |
| Threshold Requirement | Informed consent from each research participant (oral and/or written) | HIPAA Authorization from each research participant (must be written and signed) |
| Enforcement | Office for Human Research Protections, United States Department of Health and Human Services (HHS), and DOD Assistant Secretary of Defense for Research and Engineering | Office for Civil Rights, HHS |
| Administration | Institutional Review Boards (IRBs) | IRBs or HIPAA Privacy Boards |
| Exemptions | Human Research Protection Officials (HRPOs) and/or IRBs can exempt certain research projects from IRB review in accordance with 32 CFR 219.101(b) | None. All research projects seeking PHI from a HIPAA covered entity, including Defense Health Agency (DHA), must comply with the HIPAA Privacy Rule |
Last Updated: July 11, 2023