ACR Bulletin

Covering topics relevant to the practice of radiology

The Legal Landscape of Data Sharing and Protection

Registry developers play a critical role in making sure data contributors view medical registries as trustworthy repositories — and can do so by proactively bolstering their compliance measures and their ability to protect registry data.

July 16, 2021

Medical registries are becoming increasingly indispensable tools to garner insights on disease progression, manifestation, and treatment. The COVID-19 pandemic has pulled medical registries to the fore as a way to accelerate strategies to combat the virus. Building on its long history of registry development, the ACR recently announced a joint effort of the ACR Center for Research and Innovation™ (CRI) and the ACR Informatics team to launch an innovative conglomeration of its registries, called the ACR National Clinical Imaging Research Registry™ (ANCIRR) — including several COVID-19 registries.

Current and future registries housed under the ANCIRR will collect images and clinical data from multiple practice settings — enabling researchers to address complex scientific questions and produce results applicable across various care settings, geographic locations, and populations. This column will explore the legal and regulatory landscape that the CRI navigates in ensuring proper data sharing, collection, and protection — an environment rife with landmines that can too often hinder meaningful registry development and scientific advancement.

Looking Back at Medical Registries

Medical registries are not new to the ACR. The ACR launched its first registry, the National Radiology Data Registry (NRDR®), in 2008. The ACR has continued on this path of registry development, establishing or collaborating on — among others — several coverage with evidence development registries, including the Imaging Dementia — Evidence for Amyloid Scanning study and the National Oncologic PET Registry.

The COVID-19 pandemic accelerated ACR’s activities in partnering with entities that were interested in establishing datasets that could reveal trends and medically relevant patterns in disease manifestation and patient experience. As the virus progressed around the world, medical teams and researchers found, however, that they were outpaced by the disease and would need tools that could capture and curate medical data from multiple sources as quickly as possible and combine that data into registries that would facilitate meaningful analyses. Several groups undertook the challenge of corralling the abundance of COVID-19 data that medical centers were generating. Federal agencies, such as the National Center for Advancing Translational Science, spearheaded working groups that collected, combined, and prepared anonymized clinical data from U.S. patients diagnosed with the virus. Recognizing that the treatment of COVID-19 generates imaging data, the National Institutes of Health (NIH) funded the Medical Imaging and Data Resource Center (MIDRC) — a multi-institutional initiative, driven by the medical imaging community, to accelerate innovation and the transfer of knowledge during the pandemic.

Reviewing Data Sharing Policies

Much of the COVID-19 data that has been generated in the last eighteen months is controlled and maintained by private medical or public academic centers. Data protection is key in maintaining patient trust and abiding by the stringent requirements of HIPAA. Data sharing with organizations that create multicenter medical registries, although permitted by HIPAA, has historically been anathema to these tenets when the data being sought is protected health information (PHI). However, COVID-19 has changed the perspective of some medical and academic centers when it comes to data sharing and the potential to contribute to the larger public good. New opportunities exist for the creation of government-sponsored databases which will make de-identified data available to the public (MIDRC) and there are other opportunities to create secure, privately managed databases that include PHI that may be critical to answering other research questions (such as the COVID-19 Imaging Research Registry™).

Indeed, the ability to quickly develop a COVID-19 vaccine was directly attributable to the prior experience of the U.S. in data sharing. The data sharing norms established by the U.S. government-led Human Genome Project, an effort to map the entire sequence of human DNA, greatly sped up the development of the mRNA coronavirus vaccines. A Chinese lab announced the discovery of the novel coronavirus on Jan. 9, 2020, sequenced it over the next weekend, and released the genome sequence to the public immediately thereafter. By the end of January 2020, labs around the world were developing vaccines based on the genome sequence — despite not yet having an actual sample. Without a commitment to open data, coronavirus vaccines might still be months away. [1] In this vein, the NIH has expanded its data sharing policy, effective January 2023, and views data sharing as essential for the expedited translation of research results into knowledge, products, and procedures to improve human health. The new policy will require NIH-funded researchers to develop a plan for sharing scientific data generated with federal funds. [2]

Navigating the Regulatory Landscape

The objective of developing a medical registry is to create a set of searchable and analyzable data to discern trends and understand disease manifestation. In most instances, the owner of the registry is not the only entity interested in using the registry to conduct scientific inquiry. Medical registries intrigue anyone who is interested in improving patient outcomes, benchmarking, and using clinical decision support. In making its registries accessible to as many researchers as possible, the ACR must manage the regulatory, compliance, and legal responsibilities of a registry owner. This requires an understanding of the obligations imposed by federal and state regulations, such as HIPAA, and state privacy laws that govern any PHI. Additionally, the ACR must adhere to the legal obligations of the data use agreements it enters to receive clinical and imaging data from contributing sites — whether that data is de-identified or not.

Exporting medical data to multi-institutional registries may be conceptually appealing to medical and academic centers, but it is not a common exercise. Overly restrictive terms and conditions that these entities tend to include in their contracts reflect their paramount interests in ensuring that they can trust registry owners to protect and properly use their contributed data. Many agreements restrict the use of contributed data outside the U.S. The level of trust an institution has in the registry owner will dictate how readily the institution agrees to share its data. Finally, the registry owner must have systems and processes in place that ensure proper use of the registry by third-party researchers.

Even if the hurdles of data access are cleared, other aspects of the regulatory and legal landscape can serve as obstacles to creating a usable dataset. Some medical and academic centers are willing to share their data but impose constraints on how it can be used. For example, data contributors may limit use only for research, or only allow use of de-identified versions of the contributed data. Others impose non-transferable license rights — effectively prohibiting a further transfer of license rights to third-party researchers and foreclosing use in other datasets. In other instances, a data contributor may only permit non-commercial use of its data. Presumably, a commercial use would entail accumulating the data to sell to another party or charging researchers for access to the registry. Any broader interpretation, such as limiting use to non-commercial entities or researchers, would severely limit the value of a registry for research purposes. Being prepared with an Institutional Review Board-approved protocol that describes the strategy of the registry has generally helped data contributors understand that the intended use of the data aligns with the requirement that the research is non-commercial.

Finally, both contractual constraints and regulations can render a registry unusable. Compliance with HIPAA regulations, by removing those elements that constitute PHI, can often render data unusable. While PHI may be de-identified so that it is no longer PHI, the requirement that data be deleted limits the value of de-identified data in future research.

Looking Ahead

Mastery of the precepts of data privacy and data sharing is required to ensure the continued burgeoning of medical registries. Entities interested in developing registries play a critical role in making sure data contributors view medical registries as trustworthy repositories — and can do so by proactively bolstering their compliance measures and their ability to protect and secure registry data. Medical advances await and medical registries will be among the vehicles that get us there. Your legal advisor can help you navigate the ever-changing landscape of data sharing and privacy to ensure your registry successfully launches.


1. Deming, D. Balancing privacy with data sharing for the public good. The New York Times. Published February 19, 2021. Accessed June 21, 2021.
2. NIH Data Sharing Policy. National Institutes of Health. Updated November 3, 2020. Accessed June 21, 2021.