General mechanisms for protecting patients’ privacy are described below, yet these are often challenged in the context of pragmatic research.

• The Common Rule (45 CFR part 46) is applicable to research involving human subjects conducted, supported, or otherwise subject to regulation by any federal department or agency in the United States that has signed onto the Common Rule. It requires adequate provisions to protect the privacy of subjects and to maintain the confidentiality of data. Using identifiable patient data for research generally requires institutional review board (IRB) approval. This regulatory framework is described in more detail in the Consent, Disclosure, and Non-Disclosure chapter of the Living Textbook.
• The US Food and Drug Administration (21 CFR parts 50 and 56) regulates research that involves drugs, medical devices, food, dietary supplements, and some electronic products. FDA regulations require the IRB to determine (where appropriate) that there are adequate provisions to protect the privacy of subjects and to maintain confidentiality of data.
• The Health Insurance Portability and Accountability Act (HIPAA) allows covered entities and their business associates to release protected health information (PHI) only in certain controlled situations, including for treatment, payment, or operations; with authorization from the individual; or as a limited dataset. A full description of HIPAA as it relates to embedded pragmatic trials can be found in the Gaining Permission to Use Real-World Data section of the Acquiring Real-World Data chapter of the Living Textbook.

Understanding these mechanisms for protecting privacy is important for all research. In the sections that follow, we describe some of the unique considerations for embedded pragmatic clinical trials.