Applicable Laws and Regulations

HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) covers “protected health information” (PHI) held by “covered entities.” Covered entities include most health care providers (including hospitals), health plans, and health care clearinghouses. PHI is defined as individually identifiable health information that relates to the past, present, or future physical or mental health of an individual; the provision of care to the individual; or the payment for health care of an individual. HIPAA includes both a Privacy Rule, found at 45 C.F.R. Part 160 and Subparts A and E of Part 164, which describes the circumstances in which PHI can be used or shared, and a Security Rule, found in Subpart D of Part 164, which outlines the security standards that must be followed when storing or transmitting PHI.

Common Rule

The Federal Common Rule, found at 45 C.F.R. Part 46, sets the requirements for obtaining approval of an Institutional Review Board (IRB) and informed consent from research participants for human subjects research. The Common Rule applies to federally funded research; as a matter of institutional policy, Georgetown applies the Common Rule to all research conducted by its faculty, staff, and students.

GDPR

The European Union’s privacy law, the General Data Protection Regulation (GDPR), establishes the rights of European Union individuals regarding personal data, including the right to be forgotten. GDPR applies to “controllers” and “processors” of personal data. It generally is not applicable to Georgetown research unless (1) the research activities are taking place in the EU, with EU residents, or involve individuals located in the EU, or (2) the study sponsor or Clinical Research Organization (CRO) is based in the EU and is subject to GDPR requirements.

Other laws and guidance that may apply:

  • California/New York Privacy Laws
  • ICH-GCP via FDA Guidance
  • CDC guidelines