
HIPAA and 21 CFR Part 11: Dual Compliance for Healthcare Research

Healthcare research sites are almost always subject to both HIPAA and 21 CFR Part 11 at the same time, but the two regulations apply to different things for different reasons. This guide breaks down what each framework requires for electronic signatures, where they overlap, what Part 11 demands that HIPAA does not (two-component authentication, signature meaning, non-repudiation letter), what HIPAA requires that Part 11 does not (BAA, breach notification, minimum necessary), and how to build a workflow that satisfies both without duplicating effort.

Certivo Team

Healthcare organizations that run FDA-regulated research face a compliance situation that catches a lot of sites off guard: HIPAA and 21 CFR Part 11 both apply, but they apply in different ways, to different things, for different reasons. Getting one right doesn't mean you've satisfied the other.

The confusion is understandable. Both regulations care about electronic records, both require audit trails, both restrict who can access data, and both demand that systems protect against unauthorized alteration. But HIPAA governs protected health information (PHI) across the organization: who can see it, how it's stored, when it can be disclosed. Part 11 governs electronic records and signatures used in FDA-regulated activities, specifically whether they're trustworthy enough to substitute for paper. A hospital conducting a Phase II oncology trial is almost certainly subject to both. So is an academic medical center running NIH-funded studies with an IND. So is any research site signing FDA Form 1572 on an electronic platform.

This post breaks down what each regulation actually requires from an electronic signature standpoint, where the two frameworks overlap, where they diverge, and how to build a compliant workflow that satisfies both without duplicating effort.

Key Takeaways

  • HIPAA and 21 CFR Part 11 are complementary frameworks with different scopes. HIPAA protects PHI; Part 11 governs FDA-regulated electronic records and signatures.
  • Most healthcare research sites are subject to both at the same time, particularly for informed consent forms, adverse event reports, and delegation of authority logs.
  • A BAA is a HIPAA requirement with no Part 11 equivalent. Any e-signature vendor that won't execute one can't legally be used for PHI-containing research documents.
  • Part 11 has requirements HIPAA doesn't: two-component authentication at signing, signature meaning displayed on the record, and a non-repudiation letter to FDA under 11.100(b).
  • A platform that genuinely meets Part 11's technical requirements will also satisfy HIPAA's Security Rule technical safeguards for the same documents. The reverse isn't always true.

When Both Regulations Apply

HIPAA applies to covered entities: health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically, and their business associates. If your site provides clinical care, you're almost certainly a covered entity. If your research involves patient data that originated in the course of care, that data is likely PHI.

Part 11 applies when FDA regulations require records and your organization keeps those records electronically. The key concept is the predicate rule: the underlying FDA regulation that requires the record in the first place. FDA regulations governing clinical investigations (21 CFR Parts 50, 54, 56, 312, and 812) require various records: signed informed consent documents, investigator statements (Form 1572), delegation of authority logs, protocol amendments, and serious adverse event reports. When a research site creates and signs those records electronically, Part 11 applies.

So a clinical research site at a hospital is almost always in dual-compliance territory. The informed consent document contains PHI. It identifies the patient and links them to a diagnosis. It's also an FDA-required record under 21 CFR 50.27. The electronic signature on that document has to satisfy Part 11's technical requirements. The storage and access controls around the document have to satisfy HIPAA's Security Rule. Both at once.

What Part 11 Requires That HIPAA Doesn't

Part 11 has requirements with no real HIPAA equivalent. The most important ones for electronic signatures at research sites:

Two-Component Authentication at the Point of Signing

Section 11.200(a) requires that electronic signatures not based on biometrics use at least two distinct identification components, typically a username/password combination. Section 11.300 requires that these components be unique to each individual signer and never shared. HIPAA's person-or-entity authentication standard (45 CFR 164.312(d)) requires that users be verified, but it doesn't prescribe two-component authentication at the moment of signing the way Part 11 does. A platform can satisfy HIPAA's authentication standard with password-only login. It can't satisfy Part 11 that way.

Signature Meaning on the Face of the Record

Section 11.50 requires that signed electronic records display the printed name of the signer, the date and time of signing, and the meaning associated with the signature: approval, review, authorship, responsibility, or whatever role the signature serves in that workflow. HIPAA has no equivalent requirement for how signature information appears on the face of a document. This matters for inspection readiness. An FDA investigator reviewing a signed protocol amendment expects to see the signature meaning clearly associated with the signature. A system that captures signature metadata only in a backend audit log, without displaying it on the document itself, doesn't meet 11.50.

Non-Repudiation Letter to FDA

Before using electronic signatures in FDA-regulated activities, organizations must certify in writing to FDA under 11.100(b) that those signatures are the legally binding equivalent of traditional handwritten signatures. This is a one-time organizational submission, not a per-study requirement. HIPAA has no parallel organizational certification requirement. Many research sites at healthcare organizations have never submitted one, which creates a documentation gap that surfaces during FDA inspections. For a full treatment of what the letter must include and how to submit it, see our guide on the FDA Part 11 non-repudiation letter.

Computer-Generated, Tamper-Evident Audit Trails

Section 11.10(e) specifies that audit trails must be secure, computer-generated, and time-stamped, and that they independently record the date and time of operator entries and actions that create, modify, or delete electronic records. HIPAA's audit control standard (45 CFR 164.312(b)) requires that you implement "hardware, software, and/or procedural mechanisms that record and examine activity," but it doesn't specify that trails be computer-generated or prohibit manual logging. For clinical research records, Part 11's stricter standard controls.

What HIPAA Requires That Part 11 Doesn't

HIPAA covers the entire lifecycle of PHI, which extends well beyond the records that Part 11 touches.

Business Associate Agreement

Before any vendor processes PHI on your behalf, including an e-signature platform that stores signed patient documents, you need a signed BAA under 45 CFR 164.308(b)(1). Part 11 has no BAA equivalent. A platform could be fully Part 11 compliant and still be unusable for healthcare research if the vendor won't execute a BAA. This is frequently the failure point when research sites adopt general-purpose e-signature tools without checking whether a BAA is available.

Minimum Necessary Standard

The Privacy Rule (45 CFR 164.502(b)) requires that uses and disclosures of PHI be limited to the minimum necessary for the intended purpose. When sharing signed study documents with sponsors or CROs, research sites need to consider whether all identifiable patient information is necessary for the sponsor's regulatory purpose. Part 11 doesn't impose this kind of data minimization requirement.

Breach Notification

The HIPAA Breach Notification Rule (45 CFR Part 164, Subpart D) requires covered entities to notify affected individuals, HHS, and in some cases the media when unsecured PHI is compromised. A security incident involving signed study documents stored on an e-signature platform could trigger breach notification obligations. Part 11 has no notification requirement.

Six-Year Policy Retention

HIPAA requires that policies, procedures, and related documentation be retained for six years from creation or the date last in effect (45 CFR 164.530(j)). FDA retention schedules for clinical trial records (typically two years post-approval under 21 CFR 312.62) are often shorter. The longer period controls. Sites should apply the six-year floor as the default for any document that sits at the HIPAA/Part 11 intersection.

Where the Two Frameworks Align

The area of genuine overlap is substantial for the controls that matter most. A platform that satisfies Part 11's technical requirements will, in practice, satisfy HIPAA's Security Rule technical safeguards for the same documents:

| Control | 21 CFR Part 11 | HIPAA Security Rule |
|---|---|---|
| User authentication | Two-component, unique identifiers (11.200, 11.300) | Person-or-entity authentication (164.312(d)) |
| Audit trails | Computer-generated, time-stamped (11.10(e)) | Record and examine activity (164.312(b)) |
| Access controls | Authority checks by user role (11.10(g)) | Role-based access (164.312(a)(1)) |
| Data integrity | Cryptographic binding of signature to record (11.30) | Integrity controls to detect alteration (164.312(c)) |
| Workforce training | Required in validation SOPs | Required (164.308(a)(5)) |

But the reverse isn't reliable. A HIPAA-compliant platform may lack Part 11-specific controls: signature meaning display, two-factor authentication enforced at the moment of signing (rather than at login), or the validated system controls in 11.10. Healthcare research sites that select a platform primarily for HIPAA compliance can find themselves with a technical gap when the FDA comes to review their electronic records.

The Informed Consent Form: Where Dual Compliance Is Most Acute

No document in clinical research sits more squarely at the intersection of HIPAA and Part 11 than the informed consent form (ICF). Consider what the ICF is simultaneously:

  • An FDA-required record under 21 CFR 50.27, meaning the electronic signature must satisfy Part 11 Subpart C
  • A HIPAA authorization for the use and disclosure of PHI in research (often combined with the consent in practice, though regulators recommend keeping them conceptually distinct)
  • A legal record subject to state-specific informed consent laws that vary significantly

FDA's October 2024 final guidance on electronic systems in clinical investigations addressed ICF signatures directly. Q&A #14 confirmed that electronic signatures on consent documents must meet Part 11 requirements. The guidance also clarified that hybrid workflows, where some consent elements are paper and some are electronic, require careful documentation of which records are Part 11-covered. You can't electronically sign part of the consent and paper-sign another part without explicitly mapping the boundary and validating the workflow.

For the HIPAA authorization portion, the Privacy Rule (45 CFR 164.508) requires that the authorization be signed and dated by the individual. It doesn't prohibit electronic signatures, and federal e-signature law under the ESIGN Act (15 U.S.C. § 7001) recognizes electronic signatures as legally valid. So a compliant electronic signature on a combined consent/authorization satisfies both the FDA record requirement and HIPAA's authorization signature requirement, provided the platform satisfies Part 11's technical controls.

For the full treatment of document management requirements at investigator sites, see our guide on clinical trial document management and e-signature requirements.

The Regulatory Threshold Question

Not every document at a healthcare organization is subject to Part 11. The test is whether there's an FDA predicate rule requiring that specific record. Non-FDA-regulated research, quality improvement projects, and purely administrative documents don't trigger Part 11, even if they contain PHI and the same platform handles them.

That threshold question matters because it determines the compliance floor. For non-FDA records that contain PHI, HIPAA controls. For FDA-regulated records that also contain PHI, both apply. Sites that treat everything as Part 11-governed create unnecessary validation burden. Sites that treat everything as HIPAA-only risk a Part 11 gap on the records that actually matter to FDA.

The practical answer for most clinical research sites: map your document types explicitly. Consent forms, 1572s, delegation of authority logs, serious adverse event reports, monitoring visit records, and protocol amendments are all FDA-regulated records. They're also almost always PHI-containing at sites that provide patient care. Dual compliance applies to all of them. SOPs that simply say "this platform is compliant" without specifying which regulation and which section don't hold up to a data integrity inspection.

Building a Workflow That Satisfies Both

Sites that try to maintain separate HIPAA-compliant and Part 11-compliant workflows tend to create more risk, not less. Records get split across systems, audit trails become fragmented, and investigators trying to reconstruct the history of a signed record have to pull from multiple places. The cleaner approach is a single platform that satisfies both frameworks, with SOPs that map each control to the specific CFR section it satisfies.

A practical checklist before selecting or re-evaluating a platform:

  • BAA availability: Does the vendor execute a Business Associate Agreement? If not, the conversation ends here. The platform can't be used for PHI-containing research documents regardless of its Part 11 capabilities.
  • Two-factor authentication at signing: Is 2FA enforced at the point of each signing action, not just at session login? Part 11's 11.200 requires it at signing.
  • Signature meaning on the record: Does the signed document display the signer's name, timestamp, and signature meaning on its face, not just in a backend log?
  • Cryptographic integrity: Is each signed document bound to its signature via a cryptographic hash so any post-signing alteration is detectable?
  • Validation documentation: Does the vendor provide IQ/OQ/PQ documentation to support your Part 11 system validation? For a deep dive on this, see our IQ/OQ/PQ validation guide.
  • Audit trail exportability: Can you export the full audit trail on demand for both FDA inspection purposes (Part 11) and HIPAA security event review (164.312(b))?

The Bottom Line

HIPAA and 21 CFR Part 11 aren't redundant. They're complementary frameworks that each cover ground the other misses. HIPAA protects patients by controlling who can access their health information and mandating breach response. Part 11 protects regulatory data integrity by requiring that electronic records and signatures are technically trustworthy. Neither one subsumes the other.

Healthcare research sites that handle both FDA-regulated study records and patient PHI, which is most of them, need a platform built to satisfy both, not a HIPAA platform retrofitted with Part 11 claims, or a Part 11 platform that skips the BAA requirement.

The right starting point is knowing which documents in your workflows are subject to which rules. From there, the platform requirements follow naturally. And the SOPs write themselves once you've mapped each document type to its applicable CFR sections.

For details on how Certivo's technical controls map to both Part 11 and HIPAA's Security Rule, visit our compliance overview. If you're evaluating your current SOPs, our guide on electronic signature SOPs for FDA Part 11 walks through the six SOPs every regulated site needs.
