Data Protection in Research
Core summary
Research data governance means navigating regulations such as HIPAA (US) and GDPR (EU) that control how personal data, including health data, is collected, stored, and shared. Data Use Agreements formalize the terms under which one institution releases data to another. Data Management Plans (now required by many funders) set out how data will be handled responsibly throughout the research lifecycle.
Detailed explanation
HIPAA (Health Insurance Portability and Accountability Act) governs Protected Health Information (PHI) held by US covered entities (health plans, healthcare clearinghouses, and most providers) and their business associates. Research use of PHI requires one of: the patient's written authorization, a waiver or alteration of authorization approved by an IRB or Privacy Board, or a Limited Data Set released under a Data Use Agreement. A Limited Data Set has direct identifiers removed (names, street addresses, phone numbers, SSNs, medical record numbers and the like) but may retain dates, city, state and ZIP code; it is therefore still PHI and still needs the DUA. Data de-identified under the Privacy Rule's Safe Harbor method (removal of 18 listed identifier types, with no actual knowledge that the remainder could identify anyone) or by Expert Determination is no longer PHI and can be used and shared without Privacy Rule restrictions, although consent terms, institutional policy and state law may still apply.
GDPR (General Data Protection Regulation) applies to organizations established in the EU/EEA and to organizations elsewhere that process personal data of people in the EU in order to offer them services or monitor their behaviour. Research processing requires: an Article 6 lawful basis (for public institutions often a task carried out in the public interest, Art. 6(1)(e)) and, because health data is a special category, an additional Article 9 condition such as scientific research with appropriate safeguards (Art. 9(2)(j)); a Data Protection Impact Assessment for high-risk processing; a Data Protection Officer where the controller is a public authority or its core activities involve large-scale processing of special-category data (which covers most hospitals and many universities); and respect for data-subject rights, including erasure, subject to research exemptions where exercising the right would render the research impossible or seriously impair it (Art. 17(3)(d), Art. 89).
Key differences: HIPAA regulates a defined set of healthcare entities and only health information; GDPR applies to any organization processing personal data of people in the EU, whatever the sector. GDPR sets a high bar for consent (freely given, specific, informed, unambiguous), but consent is not the only route for research, and the regulation explicitly provides research safeguards and exemptions.
Data Use Agreements (DUAs) are contracts that specify who may access the data, the permitted uses, security requirements (encryption, access control, breach reporting), a prohibition on re-identifying or contacting the individuals (mandatory in HIPAA Limited Data Set DUAs), and when the data must be returned or destroyed. Data Management Plans (DMPs) describe how data will be collected, stored, backed up, shared and archived. NIH, Wellcome Trust and many other funders now require DMPs with grant applications.
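To make the difference between a Limited Data Set and de-identified data concrete, here is an added Python example (not part of the original notes) that applies the field rules of the HIPAA Safe Harbor method (45 CFR 164.514(b)(2)) and the Limited Data Set definition (45 CFR 164.514(e)(2)) to a constructed patient record. The record, its field names (`mrn`, `zip3`, `admit_date_year` and so on) and the reference date are this example's own assumptions; the list of restricted three-digit ZIP prefixes is the one published in HHS de-identification guidance.

```python
"""Added example: HIPAA Safe Harbor de-identification vs. a Limited Data Set.

Applies the field rules of 45 CFR 164.514(b)(2) (Safe Harbor) and
164.514(e)(2) (Limited Data Set) to a flat record. The sample record and
its field names are constructed for this example, not real patient data.
"""
from datetime import date

# Direct identifiers a Limited Data Set must exclude (164.514(e)(2)).
# Safe Harbor removes these too. Field names are this example's own convention.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_id", "url", "ip_address", "biometric_id", "photo",
}

# Safe Harbor keeps only the first three ZIP digits, and even those become "000"
# for the 17 three-digit areas with 20,000 or fewer residents (HHS guidance, 2000 census).
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821",
    "823", "830", "831", "878", "879", "884", "890", "893",
}

# Assumed "as of" date for computing ages (constructed for the example).
REFERENCE_DATE = date(2023, 3, 2)


def limited_data_set(record: dict) -> dict:
    """Strip direct identifiers but keep city/state/ZIP, dates and ages.
    The result is still PHI and may only be released under a DUA."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def truncate_zip(zip_code: str) -> str:
    """Reduce a ZIP (or ZIP+4) to its 3-digit prefix, or "000" if restricted/malformed."""
    digits = "".join(ch for ch in zip_code if ch.isdigit())
    zip3 = digits[:3]
    if len(zip3) != 3 or zip3 in RESTRICTED_ZIP3:
        return "000"
    return zip3


def age_on(dob: date, as_of: date) -> int:
    """Whole years between dob and as_of."""
    years = as_of.year - dob.year
    if (as_of.month, as_of.day) < (dob.month, dob.day):
        years -= 1
    return years


def safe_harbor(record: dict, as_of: date = REFERENCE_DATE) -> dict:
    """Apply the Safe Harbor field rules. The output is no longer PHI, provided the
    covered entity has no actual knowledge that it could identify the individual."""
    out = limited_data_set(record)
    # Geography: nothing smaller than a state except the truncated ZIP.
    # (Only a 'city' field is modelled here; county, precinct etc. would be handled alike.)
    out.pop("city", None)
    if "zip" in out:
        out["zip3"] = truncate_zip(out.pop("zip"))
    # Age: 90 and over collapse into one bucket, and a birth date that would
    # reveal such an age must be removed entirely, year included.
    if isinstance(out.get("dob"), date):
        age = age_on(out["dob"], as_of)
        if age > 89:
            out["age"] = "90+"
            out.pop("dob")
        else:
            out["age"] = age
    # All remaining dates: keep the year only.
    for key in [k for k, v in out.items() if isinstance(v, date)]:
        out[f"{key}_year"] = out.pop(key).year
    return out


SAMPLE_RECORD = {  # constructed, not real patient data
    "name": "Jane Example",
    "street_address": "12 Main St",
    "city": "Charlestown",
    "state": "NH",
    "zip": "03603-1234",          # prefix 036 is on the restricted list
    "dob": date(1930, 5, 14),     # age 92 on REFERENCE_DATE -> "90+" and dob dropped
    "admit_date": date(2023, 3, 2),
    "phone": "603-555-0100",
    "email": "jane@example.org",
    "ssn": "000-00-0000",
    "mrn": "MRN-000001",
    "diagnosis_icd10": "C34.1",   # clinical content is not itself an identifier
}

if __name__ == "__main__":
    print("Limited Data Set:", limited_data_set(SAMPLE_RECORD))
    print("Safe Harbor:     ", safe_harbor(SAMPLE_RECORD))
```

Running it shows why the two outputs sit in different regulatory boxes: the Limited Data Set still carries the full ZIP, the exact dates and the city, so it needs a DUA; the Safe Harbor output keeps only state, a (here fully suppressed) ZIP prefix, the admission year and an age bucket. Safe Harbor is a field-level rule set; it says nothing about free-text notes, and a covered entity that knows the remaining fields single out a patient cannot treat the data as de-identified.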
Clinical example
Your US hospital collaborates with a European university on a cancer biomarker study. US patient data is governed by HIPAA and EU patient data by GDPR, so the protocol must satisfy both. The institutions sign a DUA that specifies the transfer mechanism (for EU data sent to the US, typically Standard Contractual Clauses), encryption in transit and at rest, and that only de-identified data will be exchanged. One caveat: data that is de-identified under HIPAA may still be personal data under GDPR if it could reasonably be re-identified, so the EU side must assess it as pseudonymised rather than assume it is anonymous. Both IRBs (on the EU side, the research ethics committee) approve the protocol.
Research example
The NIH Data Management and Sharing Policy (effective January 25, 2023) requires all NIH-funded research that generates scientific data to submit a Data Management and Sharing Plan. The plan must address how scientific data will be managed, preserved, and shared, reflecting a broader push toward open science and data reuse.
Knowledge check
Q1. What is the key difference between HIPAA and GDPR in scope?
Q2. What does a Data Use Agreement (DUA) specify?
Q3. Why do funders like NIH now require Data Management Plans?