Appendix: Regulatory Frameworks

Consent, Disclosure, and Non-Disclosure

Section 7



Kevin Weinfurt, PhD

Jeremy Sugarman, MD, MPH


Contributing Editor

Karen Staman, MS

The Common Rule

In 1991, the Department of Health and Human Services (DHHS) and 14 other federal departments adopted a set of rules for the protection of human subjects, the Federal Policy for the Protection of Human Subjects, also known as the Common Rule. The Common Rule includes identical language in the separate regulations of those departments and agencies (see list of departments and agencies that adhere to the Common Rule). The Common Rule applies to most federally funded research (or research conducted in federally funded institutions) and outlines the basic requirements for Institutional Review Boards (IRBs), obtaining and documenting informed consent, and assurances of compliance by research institutions.

Federal regulations define research as “a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalizable knowledge.”

21 CFR

The FDA has special authority to oversee research conducted for the purpose of marketing approval for medical products. These FDA regulations are published in Title 21 of the Code of Federal Regulations (CFR); those that concern the protection of human research subjects include:

Although the provisions of 21 CFR and the Common Rule are similar, there are some important differences (see table comparing FDA and other DHHS human subjects protection regulations). Regardless of the source of funding, most of the research conducted in the U.S. to support government approval for marketing is required to adhere to FDA regulations, as well as broader guidelines that govern research conduct, such as the International Conference on Harmonisation (ICH) guidelines for good clinical practice (GCP).

Resources for Regulatory Information

21st Century Cures Act

In December 2016, the United States Congress passed a law, the 21st Century Cures Act (HR 6), to accelerate the development, discovery, and delivery of therapies. The law allocates $6.3 billion to remove the barriers to increased collaboration, incorporate the patient’s voice in the drug development and review process, identify disease earlier through personalized medicine, and modernize clinical trials. The Act eases the regulatory burden for the approval of new drugs by allowing pharmaceutical companies to provide summary data for approval of new drugs. It also emphasizes the need for “real-world evidence” in the approval of new indications of FDA-approved drugs.

See the two-page summary written by the Energy and Commerce Committee.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA)

The Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, requires the Secretary of the Department of Health and Human Services (HHS) to publicize standards for the electronic exchange, privacy, and security of health information (104th Congress). To implement this law, HHS developed and published the Standards for Privacy of Individually Identifiable Health Information, known as the Privacy Rule, in December 2000, with final revisions taking effect in March 2002 (Department of Health and Human Services 2002). The HHS Office of Civil Rights enforces the Privacy Rule, which protects the privacy of individually identifiable health information. The rule applies to “covered entities,” which include health plans, healthcare clearinghouses, and those healthcare providers that conduct certain healthcare-related transactions electronically.

A key aim of the Privacy Rule is “to assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public’s health and well-being. The rule strikes a balance that permits important uses of information, while protecting the privacy of people who seek care and healing” (Department of Health and Human Services 2003).

Privacy is a crucial factor for maintaining trust between a healthcare system and those it serves, and for allowing “the flow of health information” to inform both research and clinical care. However, public mistrust regarding the handling of sensitive data remains a significant factor; nearly 1 in 8 patients has withheld information from a healthcare provider due to privacy concerns (Agaku et al. 2013).

International Conference on Harmonisation Good Clinical Practice (ICH-GCP)

In June of 1996, the International Conference on Harmonisation of Technical Requirements for Registration of Pharmaceuticals for Human Use published its guidelines for good clinical practice (ICH-GCP). The guidelines were meant to provide a uniform standard to protect the safety and rights of participants in trials and ensure the documentation of informed consent and the integrity of the data, and were intended to facilitate the conduct of multinational drug trials sponsored by the pharmaceutical industry (ICH Harmonised Tripartite Guideline 1996).

“Good Clinical Practice (GCP) is an international ethical and scientific quality standard for designing, conducting, recording and reporting trials that involve the participation of human subjects. Compliance with this standard provides public assurance that the rights, safety and well-being of trial subjects are protected, consistent with the principles that have their origin in the Declaration of Helsinki, and that the clinical trial data are credible” (ICH Harmonised Tripartite Guideline 1996).

Although ICH is a standards organization, not a regulatory agency, and its guidelines do not carry the legal force of federal regulations, ICH guidelines nevertheless have been widely adopted across national and international research settings and govern the conduct of much clinical investigation.





104th Congress. Health Insurance Portability and Accountability Act of 1996.

Agaku IT, Adisa AO, Ayo-Yusuf OA, Connolly GN. 2013. Concern about security and privacy, and perceived control over collection and use of health information are related to withholding of health information from healthcare providers. J Am Med Inform Assoc. doi:10.1136/amiajnl-2013-002079. PMID: 23975624.

Department of Health and Human Services. 2002. Standards for Privacy of Individually Identifiable Health Information.

Department of Health and Human Services. 2003. Summary of the Privacy Rule.

ICH Harmonised Tripartite Guideline. 1996. Guideline for Good Clinical Practice E6(R1).

Version History

Published August 25, 2017


Weinfurt K, Sugarman J. Consent, Disclosure, and Non-Disclosure: Appendix: Regulatory Frameworks. In: Rethinking Clinical Trials: A Living Textbook of Pragmatic Clinical Trials. Bethesda, MD: NIH Health Care Systems Research Collaboratory. Available at: Updated November 13, 2018. DOI: 10.28929/027.