ORI Issues New Confidentiality Guidance Under the Revised Research Misconduct Regulations

The U.S. Department of Health and Human Services' (HHS) Office of Research Integrity (ORI), on March 5, 2026, published its third tranche of guidance documents to help institutions develop policies and procedures that comply with the revised 2024 Final Rule on Public Health Service (PHS) Policies on Research Misconduct, 42 C.F.R. Part 93 (2024) (the 2024 Final Rule), which became applicable to all research institutions on January 1, 2026.¹

The 2024 Final Rule represents the most substantial update to the federal research misconduct framework since 2005 and reflects ORI’s effort to promote clarity, transparency and a more streamlined process.²

In this latest tranche of guidance documents, ORI provides new nonbinding guidance on the 2024 Final Rule’s confidentiality obligations (the Confidentiality Guidance). This Holland & Knight alert summarizes important provisions of the Confidentiality Guidance and highlights key takeaways and practical implications for universities, academic medical centers, private health systems and other institutions that receive PHS funding for biomedical or behavioral research or research training.

A Quick Refresher: The 2024 Final Rule and Confidentiality

The 2024 Final Rule, published in September 2024, revised the PHS Policies on Research Misconduct, which define and govern the reporting and resolution of research misconduct (i.e., fabrication, falsification or plagiarism) in PHS-funded research. The 2024 Final Rule also introduced several changes to the confidentiality framework at Section 93.106, which the Confidentiality Guidance now interprets.³

To appreciate what changed, it helps to understand what came before. Under the prior regulation, Part 93 required institutions to limit disclosure of the identities of respondents and complainants to a need-to-know basis "to the extent possible" but provided little guidance regarding 1) who fell within the scope of that protection, 2) who could determine that a "need to know" existed and 3) when the disclosure limitation ceased to apply.⁴ The 2024 Final Rule addressed each of these issues, which are further clarified in the Confidentiality Guidance.

What the Confidentiality Guidance Says: 6 Key Takeaways

1. Witnesses Get a Seat at the Confidentiality Table

One notable change codified in the 2024 Final Rule and highlighted in the Confidentiality Guidance is the inclusion of witnesses among the categories of individuals whose identities are subject to disclosure limitations.⁵ Under the prior regulation, only respondents and complainants were expressly protected. By adding witnesses, ORI is recognizing that disclosure of witness identities can chill participation in misconduct proceedings and expose witnesses to retaliation.⁶

2. Institutions Own the "Need to Know" Determination

The core confidentiality standard remains familiar: Section 93.106(a) limits disclosure of the identities of respondents, complainants and witnesses to those who "need to know," consistent with "a thorough, competent, objective, and fair research misconduct proceeding, and as allowed by law."⁷ The revised regulation places the "need to know" determination squarely in the hands of the institution conducting the proceeding,⁸ reducing ambiguity where previously authority was not expressly assigned.

The 2024 Final Rule and Confidentiality Guidance offer an illustrative, but not exhaustive, list of those who may have a "need to know": institutional review boards (IRBs), journals, editors, publishers, co-authors and collaborating institutions.⁹ The Confidentiality Guidance encourages research integrity officers (RIOs) to consult with institutional counsel on other legal obligations that may impact disclosures when determining who falls within the scope of the "need to know" limitation.¹⁰

3. Sunset of Confidentiality Restrictions

A persistent source of confusion under the former regulation was whether and when confidentiality obligations ended. The Confidentiality Guidance confirms that the regulatory limitation on disclosure of the identities of respondents, complainants and witnesses "no longer applies once an institution has made a final determination of research misconduct findings."¹¹ This temporal boundary was not explicit in the prior regulation. For institutions that have struggled with how freely they can communicate with funding agencies, journals and collaborating institutions after a proceeding concludes, this guidance is a welcome clarification.

4. Timely Correction of the Scientific Record

This may be the most practically useful takeaway in the Confidentiality Guidance. RIOs have long grappled with this difficult dilemma: When a misconduct proceeding reveals that a published paper may contain unreliable data but the proceeding is months away from concluding, must the institution abstain from taking action while potentially flawed research circulates in the literature? The Confidentiality Guidance says no.

The Confidentiality Guidance explains that 42 C.F.R. Part 93 does not prohibit institutions from "managing published data or acknowledging that the data may be unreliable during or after the conclusion of a research misconduct proceeding" (emphasis added).¹² Institutions may take "appropriate steps to correct the research record, including, for example, corrections to the published literature and reporting to funding agencies."¹³ The Confidentiality Guidance clarifies that institutions have the discretion to address unreliable data while proceedings are still in progress to facilitate "expeditious corrections or retractions" of unreliable data.¹⁴ Further, even if a proceeding does not result in a finding of research misconduct, institutions retain the discretion to correct honest errors or other unreliable data even if the institution cannot determine the source of such data.¹⁵

These clarifications are important because the prior regulation arguably left uncertainty as to whether confidentiality obligations prevented RIOs from communicating with journals and publishers about data-integrity concerns in published papers during an ongoing proceeding or in the absence of a finding of research misconduct. The Confidentiality Guidance makes clear that institutions have discretion to initiate corrections or retractions expeditiously.

5. Redact If You Like, But Not for ORI

The Confidentiality Guidance addresses both sides of the record-handling coin.

On the internal side, institutions may use redactions to protect the identities of complainants, witnesses or others during internal proceedings. However, the Confidentiality Guidance makes clear that institutions "must provide unredacted documents when the institutional record is transmitted to ORI."¹⁶ This requirement is consistent with Section 93.106(a), which obligates institutions to disclose to ORI the identity of respondents, complainants and other relevant persons in connection with an ORI review.¹⁷

The Confidentiality Guidance also notes that ORI itself retains broad authority under Section 93.401(a) to "notify and consult with other entities, including government funding agencies, institutions, journals, publishers, and editors, at any time if those entities have a need to know about or have information relevant to a research misconduct proceeding."¹⁸

6. Secure Handling and Sequestration of Records

The Confidentiality Guidance reiterates the requirement under Section 93.305(a) that all research records and evidence related to a misconduct proceeding must be "sequestered in a secure manner."¹⁹ Confidentiality must be maintained for any records or evidence from which research subjects might be identified, except as otherwise prescribed by applicable law, with disclosure limited to those with a need to know to conduct the research misconduct proceeding. ²⁰

The Confidentiality Guidance further encourages institutions to coordinate with IRBs, institutional animal care and use committees (IACUCs) and other compliance units to ensure compliance with overlapping regulatory requirements, such as 45 C.F.R. Part 46 (protection of human subjects), the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), import/export controls, biosafety regulations, and applicable intellectual property or data sharing agreements.²¹

Practical Takeaways: What Institutions Should Do Now

The Confidentiality Guidance is nonbinding, but institutions would be wise to treat it as a road map for revising policies and procedures, particularly with the fast-approaching April 30, 2026, deadline to submit updated assurance policies and procedures to ORI as part of the 2025 Annual Report.²²

We recommend the following steps:

• Update Research Misconduct Policies. Institutions should review and, where necessary, revise their research misconduct policies and procedures to reflect the expanded scope of confidentiality protections, particularly the addition of witnesses, and incorporate clear procedures for making "need to know" determinations.
• Build a Playbook for Corrections. The explicit authorization to correct the scientific record before a final determination is a meaningful development. Institutions should develop or update internal protocols for engaging with funders, journals, publishers and collaborators about data integrity concerns during ongoing proceedings and documenting those determinations and communications to demonstrate compliance with the need-to-know standard.
• Begin Intracompany Dialogue. Research misconduct investigations are rarely confined to a single regulatory lane. Institutions should begin consulting with their various compliance units to ensure a consistent and compliant approach to sequestration, record-handling, and disclosure policies and procedures to account for overlapping requirements under applicable laws and data sharing agreements. Coordination among RIOs, IRBs, IACUCs, privacy officers and institutional counsel remains essential.
• Lean on Your Counsel. Holland & Knight's Healthcare Team continues to monitor ORI's phased rollout of guidance documents. If you have any questions about the guidance or need assistance, contact the authors or another member of the team.

Notes

¹ Public Health Service Policies on Research Misconduct, 89 Fed. Reg. 76,280 (Sept. 17, 2024).

² Id.

³ Id. at 3.

⁴ See 42 C.F.R. § 93.108 (2005).

⁵ 42 C.F.R. § 93.106(a) (2024); Off. of Rsch. Integrity, supra note 4, at 3.

⁶ See 42 C.F.R. § 93.300(d) (2024) (requiring institutions to "protect the positions and reputations of good faith complainants, witnesses, and committee members" and protect them from retaliation).

⁷ 42 C.F.R. § 93.106(a) (2024); Off. of Rsch. Integrity, supra note 4, at 3, 4.

⁸ Id.

⁹ Id.

¹⁰ Off. of Rsch. Integrity, supra note 4, at 4.

¹¹ 42 C.F.R. § 93.106(a) (2024); Off. of Rsch. Integrity, supra note 4, at 4.

¹² Off. of Rsch. Integrity, supra note 4, at 3.

¹³ Id.

¹⁴ Id.

¹⁵ Id.

¹⁶ Id. at 4-5.

¹⁷ 42 C.F.R. § 93.106(a) (2024).

¹⁸ Off. of Rsch. Integrity, supra note 4, at 5. See also 42 C.F.R. § 93.401(a) (2024).

¹⁹ 42 C.F.R. § 93.305(a) (2024).

²⁰ 42 C.F.R. § 93.106(b) (2024).

²¹ Off. of Rsch. Integrity, supra note 4, at 4.

²² 89 Fed. Reg. at 76,289.

Information contained in this alert is for the general education and knowledge of our readers. It is not designed to be, and should not be used as, the sole source of information when analyzing and resolving a legal problem, and it should not be substituted for legal advice, which relies on a specific factual analysis. Moreover, the laws of each jurisdiction are different and are constantly changing. This information is not intended to create, and receipt of it does not constitute, an attorney-client relationship. If you have specific questions regarding a particular fact situation, we urge you to consult the authors of this publication, your Holland & Knight representative or other competent legal counsel.