Notice Number: NOT-OD-17-109
Release Date: September 7, 2017
Effective Date: October 1, 2017
National Institutes of Health (NIH)
The purpose of this guide notice is to inform the research community that NIH is updating its policy for issuing Certificates of Confidentiality (Certificates) for NIH-funded and conducted research. The update of this Policy comes as a result of the need to implement Section 2012 of the 21st Century Cures Act, P.L. 114-255, which states that the Secretary, HHS shall issue Certificates of Confidentiality to persons engaged in biomedical, behavioral, clinical or other research, in which identifiable, sensitive information is collected. These Certificates protect the privacy of subjects by limiting the disclosure of identifiable, sensitive information.
Section 2012 of the 21st Century Cures Act, enacted December 13, 2016, enacts new provisions governing the authority of the Secretary of Health and Human Services (Secretary) to protect the privacy of individuals who are the subjects of research, including significant amendments to the previous statutory authority for such protections, under subsection 301(d) of the Public Health Service Act. Specifically, the amended authority requires the Secretary to issue to investigators or institutions engaged in biomedical, behavioral, clinical, or other research in which identifiable, sensitive information is collected (“Covered Information”), a Certificate to protect the privacy of individuals who are subjects of such research, if the research is funded wholly or in part by the Federal Government. The authority also specifies the prohibitions on disclosure of the names of research participants or any information, documents, or biospecimens that contain identifiable, sensitive information collected or used in research by an investigator or institution with a Certificate. If the research is not federally funded, the Secretary may issue a Certificate to an investigator or institution engaged in such research, upon application.
Scope and Applicability
This Policy applies to all biomedical, behavioral, clinical, or other research funded wholly or in part by the NIH, whether supported through grants, cooperative agreements, contracts, other transaction awards, or conducted by the NIH Intramural Research Program, that collects or uses identifiable, sensitive information. For the purposes of this Policy, consistent with subsection 301(d) of the Public Health Service Act (42 U.S.C 241), the term “identifiable, sensitive information” means information about an individual that is gathered or used during the course of biomedical, behavioral, clinical, or other research, where the following may occur:
This Policy also acknowledges that the NIH will continue to consider request for Certificates for non-federally funded research in which identifiable, sensitive information is collected or used.
Effective October 1, 2017, all research that was commenced or ongoing on or after December 13, 2016 and is within the scope of this Policy is deemed to be issued a Certificate through this Policy and is therefore required to protect the privacy of individuals who are subjects of such research in accordance with subsection 301(d) of the Public Health Service Act. This Policy will be included in the NIH Grants Policy statement as a standard term and condition of award effective October 1, 2017 for new and non-competing awards. Institutions and their investigators are responsible for determining whether research they conduct is subject to this Policy and therefore issued a Certificate. Certificates issued in this manner will not be issued as a separate document.
Previously, NIH provided these protections through the issuance of Certificates only upon receipt and approval of an application. However, in order to comply with the requirement in subsection 301(d) of the Public Health Service Act to minimize the burden to researchers, streamline the process, and reduce the time it takes to comply with the requirements associated with applying for a Certificate, NIH will now provide Certificates automatically to any NIH-funded recipients conducting research applicable to this Policy.
For the purposes of this Policy, NIH considers research in which identifiable, sensitive information is collected or used, to include:
To determine if this Policy applies to research conducted or supported by NIH, investigators will need to ask, and answer the following question:
If the answer to this question is no, then the activity is not issued a Certificate. If the answer is yes, then investigators will need to answer the following questions:
If the answer to any one of these questions is yes, then this Policy will apply to the research and therefore, in accordance with subsection 301(d) of the Public Health Service Act, the recipient of the Certificate shall not:
Disclosure is permitted only when:
As set forth in 45 CFR Part 75.303(a) and NIHGPS Chapter 8.3, recipients conducting NIH supported research applicable to this Policy are required to establish and maintain effective internal controls (e.g., policies and procedures) that provide reasonable assurance that the award is managed in compliance with Federal statutes, regulations, and the terms and conditions of award.
Recipients of Certificates are required to ensure that any investigator or institution not funded by NIH who receives a copy of identifiable, sensitive information protected by a Certificate issued by this Policy, understand they are also subject to the requirements of subsection 301(d) of the Public Health Service Act. In accordance with NIHGPS Chapter 15.2.1, recipients are also responsible for ensuring that any subrecipient that receives funds to carry out part of the NIH award involving a copy of identifiable, sensitive information protected by a Certificate issued by this Policy understand they are also subject to subsection 301(d) of the Public Health Service Act.
For studies in which informed consent is sought, NIH expects investigators to inform research participants of the protections and the limits to protections provided by a Certificate issued by this Policy.
As noted within the “Scope and Applicability” section of this guide notice, for non-federally funded research, the NIH will continue to consider requests for Certificates for specific projects in accordance with the current NIH policy for issuing Certificates.
Additional information such as FAQs will be available at the NIH Certificates of Confidentiality website at https://humansubjects.nih.gov/coc/index.
Please direct all inquiries to:
Office of Extramural Research