
Military Health System


HIPAA Privacy Rule vs. Common Rule

The Difference Between the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, also known as the “Privacy Rule,” and the Federal Policy for the Protection of Human Subjects, also known as the “Common Rule”

Researchers seeking to access and/or obtain Military Health System (MHS) data for research purposes must adhere to the separate and distinct requirements within the Common Rule and the Privacy Rule.

The chart and narrative below set forth the primary differences between the two applicable regulations. 

| | The Common Rule | The HIPAA Privacy Rule |
|---|---|---|
| Federal Regulation | Protection for Human Subjects (45 CFR 46) | HIPAA Privacy Rule (45 CFR 160 and 164) |
| Department of Defense (DOD) Implementing Regulation | Protection of Human Subjects (32 CFR 219); Protection of Human Subjects and Adherence to Ethical Standards in DOD-Supported Research (DoDI 3216.02) | DOD Health Information Privacy Regulation (DOD 6025.18-R) |
| Primary Purpose | Protect individuals who are the subject of research projects. Consideration is given to how various aspects of the research project, including privacy, confidentiality, data collection, data maintenance and data retention, impact physical, emotional, financial, and informational harms. | Protect individuals against information harm while allowing the necessary flow of health information with specific rules pertaining to the privacy and security of protected health information (PHI). |
| Threshold Requirement | Informed consent from each research participant (oral and/or written) | HIPAA Authorization from each research participant (must be written and signed) |
| Enforcement | Office for Human Research Protections, United States Department of Health and Human Services (HHS), and DOD Assistant Secretary of Defense for Research and Engineering | Office for Civil Rights, HHS |
| Administration | Institutional Review Boards (IRBs) | IRBs or HIPAA Privacy Boards |
| Exemptions | Human Research Protection Officials (HRPOs) and/or IRBs can exempt certain research projects from IRB review in accordance with 32 CFR 219.101(b) | None. All research projects seeking PHI from a HIPAA covered entity, including Defense Health Agency (DHA), must comply with the HIPAA Privacy Rule |

Last Updated: July 11, 2023