
Privacy and The Common Rule

  • Federal Agencies Issue New Common Rule Regs, Delay Privacy Safeguards: The Department of Health and Human Services, along with fifteen other federal agencies, released a final revision of the Common Rule, which establishes privacy rights for personal information collected from human subjects in federally funded research. EPIC submitted extensive comments urging the agencies to adopt strong privacy protections for personal data in the revised Common Rule. However, the agencies deferred new safeguards, as well as privacy guidance for internal review boards, claiming that current privacy laws were adequate. (Jan. 27, 2017)
  • EPIC Urges HHS to Protect Privacy of Human Research Subjects: In comments to the Department of Health and Human Services, EPIC pointed out several flaws in proposed revisions to the "Common Rule," ethical rules regarding biomedical and behavioral research involving human subjects. While EPIC supports the agency's proposals to strengthen requirements for informed consent and to adopt a broad definition of Personally Identifiable Information, many of the proposed changes "place research interests ahead of the privacy interests" and fail to address the risks to human subjects of "Big Data" research. EPIC previously expressed concern about proposed changes to the Common Rule and continually advocates for health privacy rights. (Jan. 7, 2016)
  • Federal Agencies Seek Comment on Protections for Human Research Subjects: The Department of Health and Human Services is seeking public comment on proposed revisions to the "Common Rule," ethical rules regarding biomedical and behavioral research involving human subjects in the United States. The proposal seeks to strengthen requirements for informed consent but would also exempt certain categories of research from administrative review. The Department will accept public comments on the proposed revisions until December 6, 2015. EPIC previously submitted comments to the Department of Health and Human Services, warning that medical privacy standards for deidentification were "gravely inadequate" and urged support for stronger techniques of deidentification. EPIC routinely comments on privacy issues involved in health data. (Sep. 8, 2015)


For decades the United States has utilized human subjects for research experimentation. Highly publicized ethical abuses in research, such as the Tuskegee Syphilis Study in which African-American men in Tuskegee, Alabama were infected with syphilis and left untreated by the U.S. Public Health Service so that doctors could monitor effects of the disease, led to the enactment of the 1974 National Research Act (Pub. L. 93-348). The Act created the National Commission for the Protection of Human Subjects of Biomedical and Behavioral Research (National Commission). In 1979, the National Commission published "Ethical Principles and Guidelines for the Protection of Human Subjects of Research," otherwise known as the Belmont Report. The Belmont Report focused on three essential ethical principles for human subjects research: "respect for persons, beneficence, and justice."

The Department of Health and Human Services (HHS) was the first federal agency to revise its regulations for the protection of human subjects based upon the Belmont Report and incorporate the "Common Rule," codified at 45 CFR part 46, subparts A through E. Based partially on the Belmont Report, the Common Rule requires that "[f]ederally funded investigators in most instances obtain and document the informed consent of research subjects, and describes requirements for institutional review board (IRB) membership, function, operations, research review, and recordkeeping." Since its inception, 15 federal departments and agencies including HHS have codified the Common Rule in their agency regulations.

In response to the dramatic changes in the human subject research landscape, the Office of the Secretary of the Department of Health and Human Services and the Office of Science and Technology Policy issued an Advanced Notice of Proposed Rulemaking (ANPRM) in July 2011 requesting comment on possible Common Rule revisions. The ANPRM seeks comment on the following seven areas concerning the Common Rule: (1) ensuring risk-based protections; (2) streamlining IRB Review of Multi-Site Studies; (3) improving informed consent; (4) strengthening data protections to minimize information risks; (5) data collection to enhance system oversight; (6) extension of federal regulations; and (7) clarifying and harmonizing regulatory requirements and agency guidance.


The revisions to the Common Rule have important privacy implications. Concerning the first area of revision—ensuring risk-based protections—the ANPRM proposes "mandatory standards for data security and information protection whenever data are collected, generated, stored, or used." Further, the level of protection for these standards "would be calibrated to the level of identifiability of the information, which would be based on the standard of identifiability under the HIPAA Privacy Rule."

Concerning the third area of revision—improving informed consent—the ANPRM aims to shorten the lengthy boilerplate consent forms by removing extraneous legal terms and otherwise simplifying the language to better ensure informed consent. The ANPRM also seeks recommendations to clarify the statutory criteria that currently permit IRBs to waive informed consent in primary data collection. The ANPRM additionally seeks comment detailing under what circumstances should consent for general unspecified research.

The ANPRM seeks recommendations concerning adopting HIPAA standards to establish "what constitutes individually identifiable information, a limited data set, and de-identified information." The ANPRM also proposes audits and additional enforcement tools to ensure data security and information protection compliance.

EPIC's Interest

EPIC continually advocates for health information privacy rights and deidentified patient data. In comments to the Department of Health and Human Services, Professor Latanya Sweeney, Director and Founder of Harvard University’s Data Privacy Lab, and EPIC urged the Department of Health and Human Services not to adopt standards that would weaken the privacy rights implicated by the Common Rule. Specifically, EPIC and Professor Sweeney underscored that "[a]pplying the HIPAA Privacy Rule standards for de-identification to research broadly in an attempt to protect against the information risks described in the [Advanced Notice of Proposed Rulemaking] is poorly understood and all evidence suggest the HIPAA standards are gravely inadequate."

In FAA v. Cooper, EPIC filed an amicus brief asserting that the government should be allowed to avoid liability by asserting that it caused only mental and emotional harm when it intentionally and willfully violated the Privacy Act. FAA v. Cooper involves the Social Security Administration's disclosure of a pilot's HIV Status. The oral arguments for the case will be held November 30, 2011.

In Sorrell v. IMS Health, 630 F.3d 263 (2nd Cir. 2010), a case that was later considered by the Supreme Court, EPIC filed an amicus brief in support of a challenged Vermont law that regulates data mining companies that sell or use doctors' prescribing records containing personal information on patients. EPIC argued that the privacy interest in safeguarding medical records is substantial and that the de-identification techniques adopted by data mining firms do not protect patient privacy. The Second Circuit struck down the Vermont law as violating the First Amendment. Writing in dissent and siding with EPIC, Judge Debra Ann Livingston said that the majority reached the "wrong result," creating "precedent likely to have pernicious broader effects" on medical privacy case law. The Supreme Court affirmed the Second Circuit decision.

In IMS Health v. Ayotte, 550 F.3d 42 (1st Cir. 2008), EPIC filed an amicus brief in support of a New Hampshire law that bans the sale of prescriber-identifiable prescription drug data for marketing purposes. EPIC argued that there is a substantial privacy interest in de-identified patient data. The First Circuit upheld the New Hampshire law, and the Supreme Court refused to hear the challenge to the law.

News Articles

Questioning Privacy Protection in Research, Patricia Cohen, The New York Times, October 23, 2011.
