Federal Regulations and the Ethical Collection of Specimens and Data

Federal Regulations

Common Rule

The federal regulations protecting human research subjects are codified at 45 CFR Part 46 (also called the federal-wide “Common Rule”). The “Final Rule” revisions to the Common Rule were published January 19, 2017 after an administrative Notice and Public Comment period lasting more than five and a half years. The provisions of the revised Common Rule are also referred to as the “2018 Requirements”.

For more information about the revised common rule, see the Health and Human Services (HHS) Office for Human Research Protections (OHRP) Revised Common Rule Resources page. The HHS OHRP Secretary’s Advisory Committee on Human Research Protections (SACHRP) has issued a number of advisory documents on the revised Common Rule.

HIPAA Privacy Rule

The HIPAA Privacy Rule (45 CFR Part 160 and Subparts A and E of Part 164) establishes the conditions under which protected health information (PHI) may be used or disclosed by covered entities for research purposes. While the NIH is not a HIPAA covered entity, institutions such as hospitals, health plans, and laboratories that provide and bill for health care are generally covered.

Covered entities and their business associates may not use or disclose PHI without patient authorization, unless it has been de-identified in accordance with a formal determination by a qualified expert, or by the removal of 18 specified identifiers.

The HIPAA approach to de-identification notably differs from the Common Rule standard of identifiability, which is based on whether individual identity is "readily ascertainable" and is not linked to specified categories of information.

Under certain circumstances, a covered entity may disclose a limited data set to a researcher for research, public health, or health care operations. A limited data set excludes specified direct identifiers, and a data use agreement is required to establish by whom and for what the data will be used. See 45 CFR 164.514(e).

The Privacy Rule also defines how individuals will be informed about the uses and disclosures of their medical information for research purposes, and their rights to access their information that is held by covered entities. If a patient requests their medical record or testing results from a HIPAA covered provider, they are entitled to access that information. Where research is concerned, the HIPAA Privacy Rule protects the privacy of individual PHI, while also ensuring that researchers have access to medical information necessary to conduct vital research.

Ethical Guidance

Several commissions have published policy guidance related to the research use of biological specimens and associated data. The President’s Commission for the Study of Bioethical Issues issued two key reports in this area. In October 2012, the Commission published “Privacy and Progress in Whole Genome Sequencing,” which included considerations of informed consent, privacy and data sharing. In December 2013, “Anticipate and Communicate: Ethical Management of Incidental and Secondary Findings in the Clinical, Research, and Direct-to-Consumer Contexts” was published, offering recommendations on the ethical issues surrounding the return of incidental findings in research involving biospecimens.

In 1999, the National Bioethics Advisory Commission published the report "Research Involving Human Biological Materials: Ethical Issues and Policy Guidance," which initially addressed many issues that remain controversial today. View the Archived publications from the National Bioethics Advisory Commission.

The National Cancer Institute has worked with other NIH institutes and centers and with a variety of other groups to help clarify these issues and to provide education and models to assist the research community.

Informed Consent

Informed consent protects research participants who contribute samples and information to make research possible. Informed consent is generally required for research with human biological samples and data conducted or supported by federal funds, unless that research meets certain criteria described in the federal regulations protecting human research subjects (the revised Common Rule or “2018 Requirements”) at 45 CFR 46.104(d)(4). Under certain circumstances described in these regulations, secondary research uses of existing biospecimens and identifiable private information may be exempt from research participant protection requirements, including review by Institutional Review Boards (IRBs), and informed consent. One such circumstance is when the biospecimens and/or individually identifiable information are publicly available (45 CFR 46.104(d)(4)(i)). Another circumstance for exemption is when information about biospecimens is recorded without direct or indirect identifiers, and the investigator neither contacts nor re-identifies participants (45 CFR 46.104(d)(4)(ii)).

If specified criteria in the federal regulations at 45 CFR 46.116(f) have been met, IRBs may also waive consent for minimal risk research on existing specimens. Consent cannot be waived for research involving identifiable specimens or information, however, if the research could practicably be carried out using de-identified information or biospecimens.

For certain research involving high throughput sequencing technologies, there is emerging consensus that informed consent from participants should be obtained due to the elevated risk of re-identification. The revised Common Rule requires that for research involving biospecimens, the informed consent document must tell participants whether the research will or might include whole genome sequencing (45 CFR 46.116(c)(9)).

In 2018, the Health and Human Services (HHS) Office for Human Research Protections (OHRP) Secretary’s Advisory Committee on Human Research Protections (SACHRP) released Updated FAQs on Informed Consent for Use of Biospecimens and Data, with recommendations relating to informed consent under the revised common rule.

For research collection of identifiable specimens during routine medical care, there is an emerging consensus that informed consent should also be obtained. Consent for the acquisition, storage and use of biospecimens and associated data in research, including anticipated or potential known future research uses, should be sought when patients undergo surgery or biopsy. The consent process should include an explanation of the scientific rationale for research with the collected biospecimens and data.

The revised Common Rule authorizes the use of a broad consent model for collecting research tissue from patients for long-term storage and future approved research uses that are not precisely known or specified at the time of collection.

The National Cancer Institute has developed consent and patient information templates that aim to describe in clear and concise language what it means to participate in research involving biospecimens, including potential privacy risks, and the concept of a research biorepository.

Data Sharing: Privacy and Confidentiality

Human specimen collections often link to patient identities and other PHI. The privacy and confidentiality of personal information associated with human specimens, including electronic medical records and genomic data, raise important ethical and regulatory considerations.

Under the revised Common Rule, if an individual’s identity cannot “readily be ascertained or associated” with biospecimens or information that are obtained, used, studied, analyzed, or generated by researchers, then the research does not meet the regulatory definition of “human subject” and therefore does not require IRB review or informed consent. And under the federal Privacy Rule of HIPAA, researchers can access and share data without authorization so long as 18 specified identifiers are removed, or if the data has been otherwise de-identified in accordance with a formal determination by a qualified expert.

Even when individual identifiers are removed from specimens or associated data, the accessibility of linkable data in today’s highly networked data culture can be ethically problematic. There is growing concern about the ability to identify individuals from information stored in pooled group level databases, and from matched samples.

Next generation sequencing technologies are increasingly employed in cancer research, and large databases have been developed linking genome data with disease risk. The accumulation of potentially re-identifiable data creates added privacy risks for research participants. In 2012, the NCI hosted a think tank concerning the identifiability of biospecimens and “-omics” data to explore challenges surrounding this complex and multifaceted topic.

To promote robust sharing of genomic data while simultaneously providing both transparency and appropriate protections to individuals whose data is collected, stored, and disseminated to researchers, the NIH implemented a Genomic Data Sharing Policy (GDS) effective January 20, 2015. The NIH recently updated two practices under the GDS, modernizing security standards in the NIH Security Best Practices for Controlled-Access Data Subject to the NIH GDS Policy and establishing minimum expectations for access to controlled-access data by developers, effective January 25, 2025.

The GDS Policy applies to all NIH-funded research that generates large-scale human or nonhuman genomic data as well as the use of these data for subsequent research. NIH expects all funded investigators to adhere to the GDS Policy, and compliance with this Policy will become a special term and condition in the Notice of Award or the Contract Award.

The GDS Policy requires investigators using new collections of biospecimens and/or cell lines in generating large-scale genomic and phenotypic data to obtain informed consent from the people who provide the samples or cells, even if the data is de-identified.  NIH encourages investigators to also obtain consent for future research use and broad sharing of this kind of data.

The NIH has also made changes to its policy for issuing Certificates of Confidentiality, effective October 1st, 2017.

Respect for and protection of the interests of research participants are fundamental to NIH’s stewardship of human genomic data. The informed consent under which data or samples are collected is the basis of determination for:

• the appropriateness of data submission to NIH-designated data repositories, and
• whether the data should be available through unrestricted or controlled access.

Controlled-access data in NIH-designated data repositories are made available for secondary research only after investigators have obtained approval from an NIH data access committee to use the requested data for a particular project. Data in unrestricted-access repositories are publicly available to anyone.