INTEGRITY VS. COMPLIANCE May 4, 2026

Two Complimentary Regulatory Systems: 42 CFR Part 93 and 21 CFR

Regulatory frameworks in life sciences are too often treated as separate conversations with research oversight on one side, product regulation on the other. A closer look at 42 CFR Part 93 and 21 CFR reveals something more important: a continuum that runs from scientific discovery through to commercialized medical products, and a set of obligations that are more interconnected than most organizations acknowledge.

1. Purpose and Scope

The two frameworks govern distinct domains but they share a common foundation in the reliability of evidence.

42 CFR Part 93 governs research misconduct in Public Health Service (PHS)-funded research. It defines misconduct as fabrication, falsification, or plagiarism (FFP) in proposing, performing, reviewing, or reporting research. It establishes institutional responsibilities for investigating allegations, and its underlying purpose is to protect the credibility of the scientific record.¹

21 CFR is the FDA’s regulatory framework for medical devices, drugs, and biologics. It governs design, manufacturing, clinical studies, labeling, and post-market surveillance across the full product lifecycle. Relevant parts include:

• 21 CFR Part 820: Quality System Regulation (QSR) / Quality Management Systems Regulation (QMSR)²
• 21 CFR Part 812: Investigational Device Exemptions (IDE)³
• 21 CFR Part 803: Medical Device Reporting (MDR)⁴

The core distinction is this: 42 CFR Part 93 governs the integrity of knowledge generation. 21 CFR governs the control of the product lifecycle and patient safety. One asks whether the data is true. The other asks whether the system produces consistent, controlled outputs. Both questions matter and neither substitutes for the other.

2. Risk Focus

Dimension	42 CFR Part 93	21 CFR
Primary Risk	Invalid or falsified science	Unsafe or ineffective products
Impact	Misleading scientific conclusions	Patient harm, regulatory action
Enforcement Trigger	Allegations of misconduct	Inspection findings, adverse events
Governing Authority	HHS Office of Research Integrity (ORI)¹	FDA, CDRH, CDER, CBER⁵

The risk profiles are structurally different.

Research misconduct risk is triggered by conduct. This happens when a person or team makes a deliberate choice to fabricate, falsify, or misrepresent.

Regulatory compliance risk under 21 CFR is systemic. It surfaces through process failures, documentation gaps, and quality system breakdowns, regardless of individual intent.

3. System Design Philosophy

42 CFR Part 93 and 21 CFR are not competing philosophies. They are complementary. One governs the conduct of individuals generating scientific knowledge. The other governs the systems organizations use to translate that knowledge into products. The failure of either creates risk that the other cannot absorb.

• 42 CFR Part 93 is investigative and case-based. When an allegation of misconduct arises, the institution conducts a structured inquiry and, if warranted, a formal investigation. The framework emphasizes intent, evidence, and due process. It relies on institutional self-governance with federal oversight through the HHS Office of Research Integrity.¹ Research institutions are expected to maintain their own research integrity programs.
• 21 CFR is preventive and system-based. Rather than responding to individual failures, the framework requires organizations to build and maintain quality systems that prevent failures from reaching patients in the first place. Compliance is demonstrated through documented procedures, design controls, validation records, and corrective action systems which are verified through FDA inspections.² The design philosophy assumes that if the system is sound, the outputs will be reliable.

4. Data Integrity vs. Process Compliance

This is the point at which the two frameworks notably converge, and it is also where organizations frequently misalign their risk models.

• 42 CFR Part 93 addresses whether data is truthful and original at the source. It governs scientific validity before the data enters any downstream system.
• 21 CFR addresses whether processes produce consistent, controlled outputs. It governs reliability and reproducibility in manufacturing, clinical validation, and post-market surveillance.

The critical insight is this: a compliant system under 21 CFR cannot compensate for compromised data integrity under 42 CFR. If foundational research data is fabricated, falsified, or misrepresented, and that data forms the basis of a regulatory submission, a clinical trial design, or a product performance claim, then the compliance structure built around it becomes performative rather than protective. The SOPs, the design history files, the quality records: all of them accurately document a process built on a flawed foundation.

FDA has addressed data integrity directly in its own guidance, noting that complete, consistent, and accurate data are prerequisites for meaningful regulatory review.⁶ The Agency has taken enforcement action in cases where data integrity failures undermined the validity of submissions even when the broader quality system appeared otherwise functional.

5. Enforcement and Outcomes

• 42 CFR Part 93 enforcement is administered by the HHS Office of Research Integrity and results in:
  • Debarment from federal funding eligibility
  • Required supervision of future research activities
  • Certification requirements attached to future grant applications
  • Correction or retraction of the scientific record
  • Reputational and career consequences for individuals and institutions¹
• 21 CFR enforcement is administered by FDA and results in:
  • Form FDA 483 inspectional observations
  • Warning letters
  • Mandatory recalls and corrections
  • Injunctions and consent decrees
  • Civil monetary penalties
  • Loss of market access and export certification⁵

The enforcement mechanisms reflect the different risk orientations of the two frameworks. Research misconduct enforcement focuses on restoring the integrity of the scientific record and preventing recurrence. The FDA’s enforcement focuses on protecting public health by removing unsafe products from commerce and requiring systemic correction.

6. Where the Two Frameworks Converge

Despite their structural differences, 42 CFR Part 93 and 21 CFR intersect in ways that are increasingly difficult to ignore.

• Clinical research data supports regulatory submissions. Performance data for 510(k), De Novo, or PMA applications is generated under research integrity standards; compromised data affects submissions despite quality documentation.
• Data integrity failures lead to enforcement under both frameworks. Fabricated clinical data for diagnostic devices can prompt ORI investigation (42 CFR Part 93) and FDA action (21 CFR Parts 820, 803), which may proceed independently and simultaneously.
• Both frameworks emphasize data traceability, transparency, and lifecycle accountability. The FDA’s focus on data integrity shows that process compliance means little if the data itself is unreliable.⁶

Key Takeaway

The distinction between research integrity (42 CFR Part 93) and regulatory compliance (21 CFR) is real but it is narrowing in practice. As life science research becomes more data-intensive, globally distributed, and directly tied to regulatory decision-making, organizations that treat these frameworks as separate concerns are carrying risk they may not have measured.

Integrity has become an essential consideration not only for research institutions but for all organizations whose products rely on scientific evidence. For biotechnology, diagnostics, and medical device companies, maintaining integrity is now a regulatory obligation.

Conclusion

Within a regulatory environment where evidence informs decision-making across all phases, data integrity is not merely a preliminary aspect of compliance; it forms its essential foundation.

An organization may possess impeccable standard operating procedures, a robust quality management system, and an audit-ready design history file. However, if the data recorded within these systems lacks reliability, the resulting compliance is rendered superficial. These two frameworks serve to mitigate such risks from distinct perspectives. When integrated and regarded as a unified continuum rather than isolated entities, they more accurately reflect the requirements for sound governance in the life sciences sector.

References:

• U.S. Department of Health and Human Services. 42 CFR Part 93 — Public Health Service Policies on Research Misconduct. Office of Research Integrity. ecfr.gov/current/title-42/chapter-I/subchapter-H/part-93
• U.S. Food and Drug Administration. 21 CFR Part 820 — Quality System Regulation / Quality Management System Regulation. ecfr.gov/current/title-21/chapter-I/subchapter-H/part-820
• U.S. Food and Drug Administration. 21 CFR Part 812 — Investigational Device Exemptions. ecfr.gov/current/title-21/chapter-I/subchapter-H/part-812
• U.S. Food and Drug Administration. 21 CFR Part 803 — Medical Device Reporting. ecfr.gov/current/title-21/chapter-I/subchapter-H/part-803
• U.S. Food and Drug Administration. Inspections, Compliance, Enforcement, and Criminal Investigations. fda.gov/inspections-compliance-enforcement-and-criminal-investigations
• U.S. Food and Drug Administration. Data Integrity and Compliance With Drug CGMP — Questions and Answers: Guidance for Industry. December 2018. fda.gov/media/119267/download