For existing data that includes identifiable health information (like medical records data), once the identifiable health information is transferred to the HCC, the data should be protected the same as PHI gathered in the U.S. when requirements of the other country are less protective than U.S. laws and institutional policy. It should be stored in a HIPAA compliant manner.

For prospective data and/or specimen collection, the consent form does not need to include HIPAA authorization language when the data/specimens are collected in another country. Rather, that country’s privacy laws would apply.

For more information related to privacy in international research, see the International Human Subjects Research Process Guidance.