Notice of Changes to NIH Policy for Issuing Certificates of Confidentiality

Notice Number: NOT-OD-17-109

Key Dates
Release Date: September 7, 2017
Effective Date: October 1, 2017

Related Announcements
NOT-HG-24-020 - NHGRIs Analysis, Visualization, and Informatics Lab-space (AnVIL) as an NIH-Designated Data Repository
NOT-OD-20-075

Issued by
National Institutes of Health (NIH)

Purpose

The purpose of this guide notice is to inform the research community that NIH is updating its policy for issuing Certificates of Confidentiality (Certificates) for NIH-funded and conducted research. The update of this Policy comes as a result of the need to implement Section 2012 of the 21st Century Cures Act, P.L. 114-255, which states that the Secretary, HHS shall issue Certificates of Confidentiality to persons engaged in biomedical, behavioral, clinical or other research, in which identifiable, sensitive information is collected. These Certificates protect the privacy of subjects by limiting the disclosure of identifiable, sensitive information.

Background

Section 2012 of the 21st Century Cures Act, enacted December 13, 2016, enacts new provisions governing the authority of the Secretary of Health and Human Services (Secretary) to protect the privacy of individuals who are the subjects of research, including significant amendments to the previous statutory authority for such protections, under subsection 301(d) of the Public Health Service Act. Specifically, the amended authority requires the Secretary to issue to investigators or institutions engaged in biomedical, behavioral, clinical, or other research in which identifiable, sensitive information is collected ( Covered Information ), a Certificate to protect the privacy of individuals who are subjects of such research, if the research is funded wholly or in part by the Federal Government. The authority also specifies the prohibitions on disclosure of the names of research participants or any information, documents, or biospecimens that contain identifiable, sensitive information collected or used in research by an investigator or institution with a Certificate. If the research is not federally funded, the Secretary may issue a Certificate to an investigator or institution engaged in such research, upon application.

Scope and Applicability

This Policy applies to all biomedical, behavioral, clinical, or other research funded wholly or in part by the NIH, whether supported through grants, cooperative agreements, contracts, other transaction awards, or conducted by the NIH Intramural Research Program, that collects or uses identifiable, sensitive information. For the purposes of this Policy, consistent with subsection 301(d) of the Public Health Service Act (42 U.S.C 241), the term identifiable, sensitive information means information about an individual that is gathered or used during the course of biomedical, behavioral, clinical, or other research, where the following may occur:

  • An individual is identified; or
  • For which there is at least a very small risk, that some combination of the information, a request for the information, and other available data sources could be used to deduce the identity of an individual.

This Policy also acknowledges that the NIH will continue to consider request for Certificates for non-federally funded research in which identifiable, sensitive information is collected or used.

Policy

Effective October 1, 2017, all research that was commenced or ongoing on or after December 13, 2016 and is within the scope of this Policy is deemed to be issued a Certificate through this Policy and is therefore required to protect the privacy of individuals who are subjects of such research in accordance with subsection 301(d) of the Public Health Service Act. This Policy will be included in the NIH Grants Policy statement as a standard term and condition of award effective October 1, 2017 for new and non-competing awards. Institutions and their investigators are responsible for determining whether research they conduct is subject to this Policy and therefore issued a Certificate. Certificates issued in this manner will not be issued as a separate document.

Previously, NIH provided these protections through the issuance of Certificates only upon receipt and approval of an application. However, in order to comply with the requirement in subsection 301(d) of the Public Health Service Act to minimize the burden to researchers, streamline the process, and reduce the time it takes to comply with the requirements associated with applying for a Certificate, NIH will now provide Certificates automatically to any NIH-funded recipients conducting research applicable to this Policy.

For the purposes of this Policy, NIH considers research in which identifiable, sensitive information is collected or used, to include:

  • Human subjects research as defined in the Federal Policy for the Protection of Human Subjects (45 CFR 46), including exempt research except for human subjects research that is determined to be exempt from all or some of the requirements of 45 CFR 46 if the information obtained is recorded in such a manner that human subjects cannot be identified or the identity of the human subjects cannot readily be ascertained, directly or through identifiers linked to the subjects;
  • Research involving the collection or use of biospecimens that are identifiable to an individual or for which there is at least a very small risk that some combination of the biospecimen, a request for the biospecimen, and other available data sources could be used to deduce the identity of an individual;
  • Research that involves the generation of individual level, human genomic data from biospecimens, or the use of such data, regardless of whether the data is recorded in such a manner that human subjects can be identified or the identity of the human subjects can readily be ascertained as defined in the Federal Policy for the Protection of Human Subjects (45 CFR 46); or
  • Any other research that involves information about an individual for which there is at least a very small risk, as determined by current scientific practices or statistical methods, that some combination of the information, a request for the information, and other available data sources could be used to deduce the identity of an individual, as defined in subsection 301(d) of the Public Health Service Act.

Recipient Responsibilities

To determine if this Policy applies to research conducted or supported by NIH, investigators will need to ask, and answer the following question:

  • Is the activity biomedical, behavioral, clinical, or other research?

If the answer to this question is no, then the activity is not issued a Certificate. If the answer is yes, then investigators will need to answer the following questions:

  • Does the research involve Human Subjects as defined by 45 CFR Part 46?
  • Are you collecting or using biospecimens that are identifiable to an individual as part of the research?
  • If collecting or using biospecimens as part of the research, is there a small risk that some combination of the biospecimen, a request for the biospecimen, and other available data sources could be used to deduce the identity of an individual?
  • Does the research involve the generation of individual level, human genomic data?

If the answer to any one of these questions is yes, then this Policy will apply to the research and therefore, in accordance with subsection 301(d) of the Public Health Service Act, the recipient of the Certificate shall not:

  • Disclose or provide, in any Federal, State, or local civil, criminal, administrative, legislative, or other proceeding, the name of such individual or any such information, document, or biospecimen that contains identifiable, sensitive information about the individual and that was created or compiled for purposes of the research, unless such disclosure or use is made with the consent of the individual to whom the information, document, or biospecimen pertains; or
  • Disclose or provide to any other person not connected with the research the name of such an individual or any information, document, or biospecimen that contains identifiable, sensitive information about such an individual and that was created or compiled for purposes of the research.

Disclosure is permitted only when:

  • Required by Federal, State, or local laws (e.g., as required by the Federal Food, Drug, and Cosmetic Act, or state laws requiring the reporting of communicable diseases to State and local health departments), excluding instances of disclosure in any Federal, State, or local civil, criminal, administrative, legislative, or other proceeding;
  • Necessary for the medical treatment of the individual to whom the information, document, or biospecimen pertains and made with the consent of such individual;
  • Made with the consent of the individual to whom the information, document, or biospecimen pertains; or
  • Made for the purposes of other scientific research that is in compliance with applicable Federal regulations governing the protection of human subjects in research.

As set forth in 45 CFR Part 75.303(a) and NIHGPS Chapter 8.3, recipients conducting NIH supported research applicable to this Policy are required to establish and maintain effective internal controls (e.g., policies and procedures) that provide reasonable assurance that the award is managed in compliance with Federal statutes, regulations, and the terms and conditions of award.

Recipients of Certificates are required to ensure that any investigator or institution not funded by NIH who receives a copy of identifiable, sensitive information protected by a Certificate issued by this Policy, understand they are also subject to the requirements of subsection 301(d) of the Public Health Service Act. In accordance with NIHGPS Chapter 15.2.1, recipients are also responsible for ensuring that any subrecipient that receives funds to carry out part of the NIH award involving a copy of identifiable, sensitive information protected by a Certificate issued by this Policy understand they are also subject to subsection 301(d) of the Public Health Service Act.

For studies in which informed consent is sought, NIH expects investigators to inform research participants of the protections and the limits to protections provided by a Certificate issued by this Policy.

Non-Federally Funded Research

As noted within the Scope and Applicability section of this guide notice, for non-federally funded research, the NIH will continue to consider requests for Certificates for specific projects in accordance with the current NIH policy for issuing Certificates.

Resources

Additional information such as FAQs will be available at the NIH Certificates of Confidentiality website at https://humansubjects.nih.gov/coc/index.

Inquiries

Please direct all inquiries to:

Office of Extramural Research
Email: NIH-CoC-Coordinator@mail.nih.gov