Are You Compliant? The Overlapping Rules Governing Research Data Today
- Vafa Javadova

- Jan 12
- 4 min read
Researchers all around the world are expected to understand and demonstrate compliance with regulatory frameworks governing data collection, privacy, security, and ethics. Whether this be in North America or all the way across the Atlantic Ocean in Europe, Africa, or elsewhere, rules are in place and they must be followed.
Understanding the distinctions between different laws and standards is essential for any research team, especially those working with sensitive data, human participants, or cross-border collaborators. This compliance primer provides an overview of five commonly referenced frameworks: HIPAA, PHIPA, PIPEDA, GDPR, and NIST 800-171.
HIPAA: (United States)
Starting off with the United States, the Health Insurance Portability and Accountability Act (HIPAA) governs protected health information (PHI) in the country. It regulates the handling, storage, and sharing of PHI, including medical records as well as clinical data of individuals. HIPAA is sector-specific as it applies to healthcare providers, health plans, vendors handling PHI, and most importantly, researchers handling PHI.
HIPAA limits access to personal health information strictly to those who require it, ensuring that any party handling the data is contractually obligated to protect it. Thus, there are a variety of forms, authorizations, and confidentiality agreements that must be completed under HIPAA. For researchers, it usually requires written authorization from the individuals whose personal health information is being used, stating that they permit the researcher to use it for the research purpose. Additionally, researchers must establish Business Associate Agreements (BAAs) with any third-party service providers that create, receive, maintain, or transmit PHI on their behalf. This is done to ensure that these vendors are bound by HIPAA’s privacy and security requirements. Penalties for HIPAA violations can range from fines and civil penalties to criminal charges.
NIST 800-171: (United States)
Another regulatory framework in the United States is NIST 800-171. This framework applies primarily to research involving government funding or controlled unclassified information (CUI). It is very distinct from the other regulations discussed here, as it is not a privacy law; it is a technical cybersecurity standard. It evaluates whether systems are robust enough to protect sensitive research data from unauthorized access or cyber threats. Naturally, this is important for protecting innovation from malicious state actors that may have an interest in collecting government-funded intellectual property.
PHIPA: (ON, Canada)
Ontario’s Personal Health Information Protection Act (PHIPA) is legislation that protects personal health data, similar to HIPAA. It places a strong emphasis on patient consent, requiring that personal health information be collected, used, and disclosed only for appropriate purposes. It also grants individuals certain rights regarding their personal health data, including the ability to withdraw consent, the right to access their data and correct errors, and the right to submit complaints to the Information and Privacy Commissioner of Ontario (IPC).
For researchers, the general rule is that they must obtain individuals’ consent for the collection, handling, and disclosure of personal health information. In order to use personal health information in research, researchers must also submit a thorough research data management plan (DMP) to a Research Ethics Board for approval. Naturally, the research data management platforms and protocols that support this work must be able to meet these requirements if the research is to be conducted in Ontario.
PIPEDA: (Canada)
The way private sector entities in Canada handle personal information is governed by the Personal Information Protection and Electronic Documents Act (PIPEDA). Unlike health-specific laws such as HIPAA and PHIPA, it applies to customer, employee, and business data.
The Ten Fair Information Principles, which control the handling of personal data, are the foundation of PIPEDA. These include consent, accountability, limiting the collection of data, and safeguards to ensure data is protected.
Especially under PIPEDA, the reporting of a privacy breach is crucial. The act requires that affected individuals, relevant third parties, and the Office of the Privacy Commissioner of Canada be notified of data breaches. The breach report must include a variety of details, including the cause of the breach, when it occurred, a description of the personal information that was compromised, the steps taken to reduce the risk of harm from the breach, and many more specific details.
GDPR: (European Union)
Stepping outside of North America, the General Data Protection Regulation (GDPR) serves as Europe’s data privacy law. GDPR is one of the most comprehensive privacy regulations in the world as it applies to any research involving EU residents, regardless of where the research takes place. Though the GDPR has a broader scope of accountability, this regulation’s key principles are similar to the 10 Fair Information Principles that are found in PIPEDA.
Key Differences at a Glance:
While these frameworks overlap, they differ in emphasis:
- HIPAA & PHIPA focus on health data protection
- PIPEDA & GDPR emphasize consent and participant rights
- NIST 800-171 evaluates technical security controls tied to funding accountability
For researchers working across borders, there is a layered responsibility to comply with various regulations.
Meeting Compliance Demands in a Global Research Landscape
It is overwhelmingly evident that a platform is needed to support compliance. A contemporary Research Data Management (RDM) environment must enable:
- Secure storage
- Role-based access
- Documentation of consent and ethics approvals
- Secure global collaboration
- Audit controls/capabilities
- Publishing tools
This is where platforms like myLaminin fit into the modern research ecosystem. myLaminin’s RDM platform supports researchers by providing infrastructure aligned with compliance expectations across multiple frameworks, whether this be enabling secure data storage, cross-border collaboration, comprehensive documentation, or trusted publishing.
Therefore, as research continues to scale globally and digitally, researchers need infrastructure that allows them not only to conduct research responsibly but also to demonstrate that it has been done responsibly.

Vafa Javadova (article author) is a myLaminin intern studying Management and Organizational Studies (BMOS) at Western University.