Compliance

HIPAA & GDPR Compliance for Researchers: A Practical Guide

What every researcher handling human-subject data needs to know before sharing files across institutions.

Disclaimer: This guide is for educational purposes only and does not constitute legal advice. For questions specific to your institution or study, consult your IRB, Data Protection Officer, or legal counsel.

Why Compliance Matters for Biological Data Sharing

Modern biological research increasingly involves human subjects. Whether you are conducting genomic studies, clinical trials, proteomics research, or collecting patient samples, the data you generate often falls under strict regulatory frameworks. Two of the most important are HIPAA (in the United States) and GDPR (in the European Union), but similar frameworks exist in the UK (UK GDPR), Canada (PIPEDA), and Australia (Privacy Act).

Sharing this data — even with trusted collaborators at reputable institutions — without following proper protocols can result in serious consequences: regulatory fines, loss of funding, damage to institutional reputation, and harm to research participants who trusted you with their most sensitive information.

The good news is that with the right tools and practices, compliant data sharing is not only achievable — it can be straightforward.

Understanding HIPAA: The Basics for Researchers

The Health Insurance Portability and Accountability Act (HIPAA) governs how Protected Health Information (PHI) is handled in the United States. It binds covered entities (health care providers that conduct standard electronic transactions, health plans, and healthcare clearinghouses) and their business associates, the vendors and partners that handle PHI on their behalf. If your research uses PHI obtained from or held by such an entity, HIPAA applies to that data. Research conducted entirely outside a covered entity is generally not subject to HIPAA, but it remains subject to the Common Rule (45 CFR 46) and IRB oversight, and to GDPR where people in the EU are involved.

What Counts as PHI?

PHI is individually identifiable health information created, received, or held by a covered entity or business associate: health information that identifies a person or could reasonably be used to identify them. For de-identification, HIPAA (45 CFR 164.514(b)(2)) lists 18 categories of identifiers that must be absent for data to count as de-identified under Safe Harbor:

1. Names
2. Geographic subdivisions smaller than a state, including street address, city, county, precinct, and ZIP code (the first three digits of a ZIP code may be kept if the area sharing those three digits contains more than 20,000 people; otherwise they become 000)
3. All elements of dates except the year that relate directly to an individual (birth, admission, discharge, and death dates), and all ages over 89, including any date element that would reveal such an age (these may be aggregated into a single "90 or older" category)
4. Telephone numbers
5. Fax numbers
6. Email addresses
7. Social Security numbers
8. Medical record numbers
9. Health plan beneficiary numbers
10. Account numbers
11. Certificate or license numbers
12. Vehicle identifiers and serial numbers, including license plate numbers
13. Device identifiers and serial numbers
14. Web URLs
15. IP addresses
16. Biometric identifiers, including finger and voice prints
17. Full-face photographs and comparable images
18. Any other unique identifying number, characteristic, or code

Genomic data is a nuanced case. Genetic information is health information under the Privacy Rule, but a sequence is not one of the 18 identifiers, so stripping those identifiers leaves the most identifying element of the dataset in place: a genome can be matched against a relative, a public genealogy database, or another sample from the same person. If your study involves whole-genome sequencing, exome sequencing, or targeted panels from identifiable human subjects, treat that data as PHI and do not assume that removing names and dates de-identifies it.

The Safe Harbor and Expert Determination Methods

HIPAA provides two pathways to de-identify PHI so that it falls outside the Privacy Rule. Under Safe Harbor you remove all 18 categories of identifiers listed above and must also have no actual knowledge that the remaining information could identify the individual. Under Expert Determination, a person with appropriate statistical and scientific knowledge documents that the risk of re-identification is very small, usually subject to conditions such as access controls, a data use agreement, and a prohibition on re-identification attempts. For genomic data, Safe Harbor is rarely adequate: the sequence survives identifier removal untouched, and the second Safe Harbor condition is hard to assert honestly. An expert determination, combined with controlled access, is the usual route.
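As an added illustration, written for this guide and not BioTransfer's code, here is the mechanical half of Safe Harbor applied to a tabular record in JavaScript. The column names and the sample record are assumptions constructed for the example; map them to your own schema. It handles what a column name or pattern can catch: dropping identifier columns, reducing dates to the year, bucketing ages over 89 (and suppressing the birth year for those people, since the year alone would reveal the age), truncating ZIP codes to the three-digit prefix with the sparsely populated prefixes set to 000, and scrubbing contact details and dates out of free text. It cannot establish the second Safe Harbor condition, knows nothing about sequence data, and is a pre-check before review, not a replacement for it.

```javascript
// Added example, not BioTransfer's code: a mechanical Safe Harbor pass over one tabular record.
// Column names are assumptions for this example. The pass covers only what a column name or a
// regular expression can recognise; the "no actual knowledge" condition and genomic data are out of scope.

// Columns whose entire content is an identifier category (names, contact details, record,
// account and device numbers, URLs, IPs, biometrics, photo references): drop them outright.
const DROP_COLUMNS = new Set([
  'patient_name', 'phone', 'fax', 'email', 'ssn', 'mrn', 'health_plan_id', 'account_no',
  'license_no', 'vin', 'device_serial', 'url', 'ip_address', 'fingerprint_id', 'photo_ref',
]);
// Date columns: Safe Harbor keeps only the year.
const DATE_COLUMNS = new Set(['dob', 'admit_date', 'discharge_date', 'death_date']);

// Three-digit ZIP prefixes whose combined population is 20,000 or fewer (the HHS Safe Harbor
// guidance list, based on 2000 Census data); these must become 000 rather than the prefix.
const RESTRICTED_ZIP3 = new Set(['036', '059', '063', '102', '203', '556', '692', '790', '821',
  '823', '830', '831', '878', '879', '884', '890', '893']);

// Free-text scrub applied to every remaining string field. Hyphen is last inside the
// character classes so it is a literal, not a range.
const PII_PATTERNS = [
  [/[\w.+-]+@[\w-]+\.[\w.-]+/g, '[EMAIL]'],
  [/\b\d{3}-\d{2}-\d{4}\b/g, '[SSN]'],
  [/\b(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}\b/g, '[PHONE]'],
  [/\b(?:\d{1,3}\.){3}\d{1,3}\b/g, '[IP]'],
  [/\b\d{4}-\d{2}-\d{2}\b/g, '[DATE]'],
];

function yearOnly(value) {
  const m = /^(\d{4})-\d{2}-\d{2}/.exec(String(value));
  return m ? m[1] : null;                 // unparseable dates are dropped, not passed through
}

function generalizeAge(age) {
  const n = Number(age);
  if (!Number.isFinite(n)) return null;
  return n > 89 ? '90+' : n;              // everyone over 89 collapses into one bucket
}

function generalizeZip(zip) {
  const m = /^(\d{3})\d{2}/.exec(String(zip));
  if (!m) return null;
  return RESTRICTED_ZIP3.has(m[1]) ? '000' : m[1];
}

function scrubText(text) {
  return PII_PATTERNS.reduce((s, [re, tag]) => s.replace(re, tag), text);
}

function safeHarbor(record) {
  const out = {};
  for (const [col, value] of Object.entries(record)) {
    if (DROP_COLUMNS.has(col)) continue;                                   // identifier column
    if (DATE_COLUMNS.has(col)) { out[`${col}_year`] = yearOnly(value); continue; }
    if (col === 'age') { out.age = generalizeAge(value); continue; }
    if (col === 'zip') { out.zip3 = generalizeZip(value); continue; }
    out[col] = typeof value === 'string' ? scrubText(value) : value;
  }
  // For anyone over 89 even the birth year reveals the age, so it is suppressed as well.
  if (out.age === '90+' && 'dob_year' in out) out.dob_year = null;
  return out;
}

// Post-check: report any string field where an identifier-shaped value still matches.
// String.prototype.search ignores the regexes' global flag and lastIndex, so it is stateless.
function residualHits(record) {
  const hits = [];
  for (const [col, value] of Object.entries(record)) {
    if (typeof value !== 'string') continue;
    for (const [re, tag] of PII_PATTERNS) if (value.search(re) !== -1) hits.push(`${col}:${tag}`);
  }
  return hits;
}

// Constructed, fictional sample record for the demonstration.
const SAMPLE = {
  patient_name: 'Jane Q. Example', mrn: '00123456', dob: '1931-04-02', age: 93, zip: '03601',
  email: 'jane@example.invalid', diagnosis: 'E11.9', admit_date: '2024-05-17',
  notes: 'Patient called from 555-123-4567; follow-up 2024-06-01.',
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log('before:', residualHits(SAMPLE));
  console.log('after :', safeHarbor(SAMPLE), residualHits(safeHarbor(SAMPLE)));
}
```

Run it with node to see the record before and after. The `residualHits` pass is the part worth keeping in a pipeline: run it over the whole export after de-identification and refuse to ship while it returns anything.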

Understanding GDPR: Key Principles for Researchers

The General Data Protection Regulation applies to the processing of personal data of individuals who are in the European Union, whatever their nationality or residence status, and regardless of where the researcher or institution is located (Article 3). It also applies to any processing carried out by an institution established in the EU, even about people elsewhere. If you collect samples or data from people in the EU, even as part of a multinational study run from the US, GDPR applies to that data. The UK applies the same rules under UK GDPR.

Special Category Data

GDPR treats genetic data, biometric data processed to uniquely identify a person, and data concerning health as "special category" personal data (Article 9), which may not be processed unless one of a short list of conditions holds. For research the usual ones are explicit consent (Article 9(2)(a)) or the scientific research condition (Article 9(2)(j)), which must be based on EU or member state law and requires the Article 89(1) safeguards, such as pseudonymisation and data minimisation. In either case you still need an ordinary Article 6 legal basis as well.

Key GDPR Principles Relevant to Research Data Sharing

Article 5 sets out the principles every processing operation must satisfy. The ones that matter most when sharing research data are:

- Lawfulness, fairness, and transparency: you need a legal basis (see above), and participants must know their data may be shared and with whom.
- Purpose limitation: data collected for one study may be reused for further scientific research only with the Article 89(1) safeguards in place.
- Data minimisation: share only the fields the collaborator needs; pseudonymise or aggregate where the analysis allows.
- Storage limitation: keep identifiable copies only as long as the purpose requires, then delete them.
- Integrity and confidentiality: protect the data against unauthorised access and loss, for example through encryption and access control.
- Accountability: be able to demonstrate all of the above, which is where agreements, records of processing, and transfer logs come in.

Data Transfer Agreements: What You Need Before Sharing

Before transferring any human-subject data to a collaborator, you will typically need a formal agreement in place. Which one depends on who is sending, who is receiving, and where:

- A Data Use Agreement (DUA) or Data Transfer Agreement (DTA) between the institutions, stating what data is shared, for which purpose, who may access it, how it is secured, and when it is destroyed. HIPAA requires a DUA for sharing a "limited data set" (data with most, but not all, identifiers removed).
- A Business Associate Agreement (BAA) whenever a vendor, including a file-transfer service, creates, receives, maintains, or transmits PHI on behalf of a covered entity.
- Under GDPR, data processing terms (Article 28) with any processor, and, for transfers outside the EU/EEA to a country without an adequacy decision, a Chapter V transfer mechanism such as Standard Contractual Clauses (SCCs).
- A Material Transfer Agreement (MTA) when physical samples travel with or ahead of the data.

Your institution's research office, technology transfer office, or legal department typically handles these agreements. Do not start the technical transfer until the appropriate agreement is signed, and make sure the dataset you are about to send is the one the agreement actually describes.

Encryption Requirements Under HIPAA and GDPR

Both HIPAA and GDPR treat encryption of data in transit and at rest as an expected safeguard, though neither prescribes a specific product:

- HIPAA Security Rule: encryption of electronic PHI at rest (45 CFR 164.312(a)(2)(iv)) and in transit (45 CFR 164.312(e)(2)(ii)) is an "addressable" implementation specification. Addressable does not mean optional: you must implement it, or document why it is not reasonable and appropriate in your environment and what equivalent measure you use instead.
- HIPAA Breach Notification Rule: PHI encrypted in line with HHS guidance is not "unsecured PHI", so losing a properly encrypted file, with the key uncompromised, does not trigger breach notification.
- GDPR: Article 32 names encryption and pseudonymisation explicitly as appropriate technical measures, and Article 34(3)(a) waives notification to data subjects when the breached data had been rendered unintelligible, for example by encryption, to anyone without the key.

BioTransfer's Secure Transfer mode encrypts each file with AES-256-GCM in the sender's browser before any byte reaches a server. Because the key is generated client-side and embedded in the share link rather than stored by the service, BioTransfer holds only ciphertext, and a compromise of its storage would expose unreadable data. Two practical consequences follow. First, the link is the secret: anyone who obtains it can decrypt the file, so send it over a channel separate from the transfer notification, do not paste it into tickets or chat, and treat an exposed link as a disclosure of the file. Second, the guarantee covers data held by the service; the encryption code itself is delivered by the service, so the design protects against a compromised storage tier rather than against a server that serves tampered client code at the moment of transfer. Within those limits the approach fits GDPR's data protection by design principle (Article 25, often called privacy by design) and provides the encryption that the HIPAA Security Rule lists as an addressable specification.

Practical Checklist for Compliant Data Sharing

- Confirm the study has IRB or ethics committee approval that covers sharing with the named recipient, and that participant consent permits it.
- Classify what you are sending: identifiable PHI or special category data, a limited data set, or de-identified data (and by which method). Share the least identifiable form that answers the scientific question.
- Have the right agreement signed (DUA or DTA, BAA, Article 28 processing terms, SCCs for transfers out of the EU/EEA) before any file moves.
- Encrypt in transit and at rest; for identifiable data prefer end-to-end encryption where the service never holds the key.
- Verify the recipient and the address you are sending to before you send. Treat share links as secrets and deliver them through a channel separate from the notification.
- Record what was sent, to whom, when, and under which agreement, and keep that record with the study documentation.
- Set a retention limit and confirm the copy is deleted once its purpose is served.

How BioTransfer Supports Compliant Research

BioTransfer was designed with research compliance in mind. The platform's Secure Transfer mode provides end-to-end encryption, so the service never has access to the content of transferred files; this supports the HIPAA Security Rule's confidentiality requirements and GDPR's integrity and confidentiality principle. It does not by itself satisfy the HIPAA "minimum necessary" standard, which governs how much PHI you choose to send in the first place, and HHS's cloud computing guidance treats a service that stores encrypted ePHI as a business associate even when it never holds the key, so confirm with your privacy office whether a BAA is needed before using any transfer service for PHI. Files are automatically deleted after the retention period expires, supporting the GDPR principle of storage limitation. Transfer records include sender email, recipient email, and timestamp, which gives you an audit trail of who sent what to whom; keep that record alongside the agreement and protocol the transfer was made under.

For researchers who require longer retention for ongoing collaborations, Pro plans offer 30-day retention. All transfers are encrypted in transit via TLS, which protects each hop to and from BioTransfer's servers; Secure mode adds application-layer AES-256-GCM encryption on top, so the file is also unreadable while it sits on those servers.
