
Research Compliance


The U.S. Department of Health and Human Services (“HHS”) regulates research involving human subjects that (a) is conducted or supported by the federal government, through its Office for Human Research Protections (“OHRP”); (b) involves clinical investigations of drugs and devices, through the Food and Drug Administration (“FDA”); and/or (c) is conducted by “covered entities” under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), through its Office for Civil Rights (“OCR”).  This article will focus on the federal regulations applicable to institutions and investigators that are engaged in human subjects biomedical research.

Regulatory Summary

The primary human subjects protection regulation enforced by OHRP is the “Common Rule,” 45 C.F.R. § 46, Subpart A, which defines the scope of its coverage and outlines institutional and investigator responsibilities for the protection of research study participants, such as informed consent and institutional review board (“IRB”) oversight. For research conducted or supported specifically by HHS, the institution must also comply with 45 C.F.R. § 46, Subparts B, C and D, which include additional safeguards for research involving pregnant women, neonates and fetuses; prisoners; and children, respectively. 45 C.F.R. §§ 46.201-207, 46.301-306, 46.401–409.  The Common Rule also lists six categories of human subjects research that are exempt from the policy.  See 45 C.F.R. § 46.101(b).

Institutions that accept HHS funding for non-exempt human subjects research are required to file a Federalwide Assurance (“FWA”) with OHRP, documenting their commitments to conduct ethical research and to comply with the Common Rule for all such research, and designating one or more IRBs of record.  See 45 C.F.R. § 46.103.  An institution may voluntarily extend its FWA to its non-federally funded research, thereby giving OHRP jurisdiction over its entire human subjects research portfolio.  Based on new rulemaking effective July 14, 2009, all IRBs designated in an FWA or that review FDA-regulated research must register with HHS.  See 74 Fed. Reg. 2399 (2009) (to be codified at 45 C.F.R. §§ 46.501-505), and 74 Fed. Reg. 2358 (2009) (to be codified at 21 C.F.R. § 56.106).  The OHRP website includes a list of all institutions that have filed an FWA and a list of all registered IRBs.  See

The Common Rule defines research as “a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalizable knowledge”, 45 C.F.R. § 46.102(d), and a human subject as a “living individual about whom an investigator (whether professional or student) conducting research obtains (1) data through intervention or interaction with the individual, or (2) identifiable private information.” 45 C.F.R. § 46.102(f).

The FDA’s regulatory oversight extends to “clinical investigations” of “test articles” involving “human subjects.” 21 C.F.R. § 56.102(c), (l), (e). The FDA’s regulatory oversight also covers informed consent of subjects, IRB oversight, and clinical investigator qualifications and responsibilities. The FDA rules also include specific provisions for research involving children.  See 21 C.F.R. § 50.50–56.

Both the Common Rule and the FDA regulations include requirements for IRB membership, see 45 C.F.R. § 46.107; 21 C.F.R. § 56.107, and operations, 45 C.F.R. §§ 46.108–110, 46.115; 21 C.F.R. §§ 56.108–110, 56.115, criteria for initial and continuing review and approval of research projects, 45 C.F.R. §§ 46.111, 46.109; 21 C.F.R. §§ 56.111, 56.109(f), and a list of elements required for informed consent. 45 C.F.R. § 46.116; 21 C.F.R. § 50.25.

The Common Rule provides for expedited IRB review of some studies, 45 C.F.R. § 46.110, and the FDA regulations include limited exemptions from, waivers of, and expedited procedures for, IRB review. 21 C.F.R. §§ 56.104, 56.105, 56.110.  The FDA’s exemption and waiver provisions are different from the exemption provisions set forth in the Common Rule, see 45 C.F.R. § 46.101(b), but the expedited review procedures are virtually identical.  Both agencies permit a single IRB member to approve minor changes to approved research and minimal risk research that falls into one of several agency-designated categories.  See 45 C.F.R. § 46.110; 21 C.F.R. § 56.110; 63 Fed. Reg. 60364 (1998); 63 Fed. Reg. 60353 (1998). All other studies must be reviewed by the IRB at a convened meeting of the full board.

Generally, research subjects must sign a written, IRB-approved consent form to participate in a study, see 45 C.F.R. §§ 46.116–117; 21 C.F.R. §§ 50.20, 50.27, although the Common Rule permits an IRB to approve consent procedures that omit or alter the required elements of informed consent, see 45 C.F.R. § 46.116(c), (d), and both sets of regulations allow an IRB to waive documentation of informed consent, see 45 C.F.R. § 46.117(c); 21 C.F.R. § 56.109(c)–(e), (g), or even waive informed consent altogether, if the IRB can document that precise criteria are met. See 45 C.F.R. § 46.116(c), (d); 21 C.F.R. §§ 50.23, 50.24. Under both sets of regulations, a study must undergo IRB continuing review at least annually, although the IRB can specify a shorter interval.  See 45 C.F.R. § 46.109(e); 21 C.F.R. § 56.109(f).

The IRB is authorized to approve, require modifications to secure approval of, or disapprove all research covered by the Common Rule and/or the FDA regulations.  45 C.F.R. § 46.109(a) (2008); 21 C.F.R. § 56.109(a).  In a typical review, the IRB would consider the research protocol, the informed consent form, the investigator’s credentials, any advertising materials that would be used to recruit subjects, and other relevant supporting documentation submitted by the investigator or sponsor, or requested by the IRB, such as investigators’ brochures for drugs and devices, published results of other, relevant studies or unpublished data from pilot studies.  An IRB may suspend or terminate its approval, based on investigator non-compliance or the discovery of unexpected risks to subjects.  See 45 C.F.R. § 46.113 (2008); 21 C.F.R. § 56.113.  There is no regulatory appeal process.

In addition to the institutional requirements described above, individual clinical investigators have personal responsibilities under both the Common Rule and the FDA regulations.

HHS does not define “investigator” in the Common Rule, but in OHRP guidance, an “investigator” is “an individual performing various tasks related to the conduct of human subjects research activities, such as obtaining informed consent from subjects, interacting with subjects, and communicating with the IRB[,]” and “any individual who is involved in conducting human subjects research studies.”  See OHRP Investigator Responsibility Frequently Asked Questions, available at  OHRP describes investigator duties on its website under “OHRP Investigator Responsibility Frequently Asked Questions.”  See id.  Essentially, in addition to the general requirement to conduct ethical research, investigators are required to submit the data and information to the IRB necessary for initial and continuing approval of their studies, comply with any additional reporting or recordkeeping obligations assigned by the IRB, secure IRB pre-approval for modifications to approved research, obtain and document prospective informed consent of subjects, and report to the IRB unanticipated problems or non-compliance.

The FDA defines an “investigator” as “an individual who actually conducts a clinical investigation (i.e., under whose immediate direction the test article is administered or dispensed to, or used involving, a subject) or, in the event of an investigation conducted by a team of individuals, is the responsible leader of that team.”  21 C.F.R. § 56.102(h).  Investigator responsibilities for drug studies vary somewhat from those for device studies.  See, e.g., 21 C.F.R. §§ 312.60–70 (drugs) and 21 C.F.R. §§ 812.100, 812.110 (devices).  In general, an investigator is responsible for ensuring that a research project is conducted according to the study protocol and in compliance with applicable regulations, protecting human subjects, ensuring IRB oversight, obtaining informed consent of subjects, filing progress reports and safety reports, controlling the drugs or devices under investigation and maintaining study-related records.  See id.  The FDA regulations also include specific requirements for investigators to disclose financial conflicts of interest in “covered clinical studies.”  21 C.F.R. § 54.  The FDA can disqualify non-compliant investigators from receiving investigational drugs or devices.  See 21 C.F.R. §§ 312.70 (drugs), 812.119 (devices).

There are some operational differences between the Common Rule and the FDA human subjects protection rules.  Therefore, institutions, investigators, and IRBs must determine whether one or both sets of rules apply to each protocol.  In addition, note that both sets of rules include non-preemption provisions, expressly allowing states or localities to require greater protections for human subjects in research.  See 45 C.F.R. §§ 46.101(f), 46.116(e); 21 C.F.R. §§ 50.25(c), 56.103(c).

The HIPAA Privacy Rule defines “research” as “a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.”  45 C.F.R. § 164.501.  This includes the development of research repositories and databases for research. See National Institutes of Health, U.S. Department of Health and Human Services, Pub. No. 04-5498, Research Repositories, Databases, and the HIPAA Privacy Rule (2004), available at  A HIPAA “covered entity” may obtain, create, use and/or disclose individually identifiable health information for research by either obtaining a written authorization from the research subject that meets the requirements of the Privacy Rule, 45 C.F.R. § 164.508, or obtaining an IRB- or privacy board-approved alteration or waiver of individual authorization.  45 C.F.R. § 164.512(i)(1)(i).  The IRB or privacy board may approve alterations and waivers through expedited review procedures in certain circumstances.  45 C.F.R. § 164.512(i)(2)(iv).  Note that the standard “notice of privacy practices,” which health care providers often require patients to acknowledge in connection with regular clinical care, does not meet the requirements for a HIPAA research authorization, even if the notice includes “research” as a possible use of protected health information (“PHI”).  The HIPAA authorization for research must be specific and tailored to a particular research study.  45 C.F.R. § 164.508.  See also National Institutes of Health, U.S. Department of Health and Human Services, Pub. No. 03-5388, Protecting Personal Health Information In Research: Understanding the HIPAA Privacy Rule (2003, revised 2004), available at  If the HIPAA authorization for research is a stand-alone document, then there is no federal requirement that an IRB or privacy board review it; however, if the HIPAA authorization is combined with a Common Rule- or FDA-required informed consent form, then the IRB must review and approve the entire document.

A researcher may also use PHI without authorization to: (A) (i) conduct activities “preparatory to research,” 45 C.F.R. § 164.512(i)(1)(ii), or (ii) perform research using PHI of decedents, 45 C.F.R. § 164.512(i)(1)(iii), provided the researcher makes certain representations to the IRB or privacy board; or (B) conduct research using a “limited data set” under a “data use agreement.”  45 C.F.R. § 164.514(e).  In general, PHI disclosed for research without authorization is subject to the HIPAA “minimum necessary” and “accounting for disclosure” rules.  See 45 C.F.R. §§ 164.502(b), 164.512(i), 164.528.


The Common Rule was introduced in response to public outcry following a series of disclosures of research subject abuses.  See, e.g., Henry K. Beecher, Ethics and Clinical Research, 274 New Eng. J. Med. 1354 (1966) (citing numerous examples of unethical human subjects research), and Jean Heller, Syphilis Victims in U.S. Study Went Untreated for 40 Years; Syphilis Victims Got No Therapy, N.Y. Times, July 26, 1972, Page 1 (describing the so-called Tuskegee Syphilis Experiment, a 40-year Public Health Service study that denied available treatment to African-American men infected with syphilis).  The Common Rule is intended to ensure that institutions and investigators that engage in federally conducted or federally supported research treat study volunteers legally and ethically.

The FDA regulations are aimed primarily at drug and device manufacturers, and clinical investigators, and are designed both to ensure the quality of the data submitted to support drug and device marketing applications and to promote research subject safety.

The HIPAA Privacy Rule for research was designed to protect the confidentiality of individuals’ private health-related information and to facilitate the use of such information for legitimate research.


In 1974, Congress enacted the National Research Act, Pub. L. No. 93-348 (1974), which led to the adoption of basic human subjects protection provisions, and created the National Commission for the Protection of Human Subjects of Biomedical and Behavioral Research (the “National Commission”).  The National Commission was charged with identifying the basic principles that should guide human subjects research in the United States.  In 1978, the National Commission published “Ethical Principles and Guidelines for the Protection of Human Subjects in Research,” which is known as the “Belmont Report.”  It articulated three principles for the ethical conduct of research: respect for persons, beneficence, and justice.  In 1981, based on the Belmont Report, HHS adopted the regulations that became known as the Common Rule.  The Common Rule derives additional statutory authority from 5 U.S.C. § 301 (2007) and 42 U.S.C. §§ 289, 300v-1(b).  Other federal departments and agencies have since adopted the same provisions, establishing the Common Rule as a uniform set of regulations that now governs virtually all human subjects research conducted or supported by the federal government.

The FDA’s rulemaking authority stems from the federal Food, Drug and Cosmetic Act, 21 U.S.C. §§ 301 et seq.  FDA rulemaking authority also stems from 42 U.S.C. §§ 216, 241, 262, and 263b–263n.  The FDA first introduced human subjects protection provisions in the 1960s, and harmonized its rules with the HHS rules in 1981.

HHS promulgated the Privacy Rule for research as directed by HIPAA, specifically pursuant to sections 1171-1179 of the Social Security Act, as added by sections 262 and 264 of Public Law 104-191, and to part C of Title XI of the Social Security Act.

Agency Guidance

OHRP, FDA, and OCR have all issued abundant guidance on human subjects research compliance, all of which can be found on their respective websites.  See,, &

Future Direction

The current federal regulatory system for protecting human subjects in research has many critics, and there have been calls over the years for Congress or the regulators to amend the rules. Among the most common criticisms that may at some point be addressed by new rulemaking are that (i) an increasing volume of human subjects research is being funded privately and outside FDA’s jurisdiction, and subjects in those studies are not protected by the federal regulations; (ii) institutions, investigators and IRB members may have financial conflicts of interest that are not adequately disclosed or managed under the current rules; (iii) the Federalwide Assurance and IRB registration systems are vulnerable to manipulation and fraud; and (iv) the Common Rule is based on a biomedical model that is not appropriate for regulating social and behavioral research.  U.S. Government Accountability Office, GAO-09-448T, Human Subjects Research: Undercover Tests Show the Institutional Review Board System is Vulnerable to Unethical Manipulation (2009) (testimony before the Subcommittee on Oversight and Investigations, Committee on Energy and Commerce, House of Representatives; statement of Gregory D. Kutz, Managing Director, Forensic Audits and Special Investigations, GAO).  That being said, the Common Rule and the FDA human subjects protection rules have remained relatively unchanged for years, and neither OHRP nor FDA has announced any plans to make major policy changes.


The federal government has broad, but not universal, authority to regulate biomedical research involving human subjects.  Institutions and investigators must determine whether their activities constitute “research” within the jurisdiction of the OHRP, FDA and/or OCR, and if so, ensure that they are conducted in accordance with the applicable rules.


AHLA would like to thank Shelley Carlin, JD, MPH for drafting the initial version of this article, and Jill Berry, Amy Kearbey, and Summer Martin for their editorial assistance.