certificates of confidentiality, CoC, sensitive information, confidential, confidentiality of alcohol and drug abuse patient records, section 543, confidentiality of patient records, health insurance portability and accountability act, standards for privacy of individually identifiable health information, the privacy rule, HIPPA

4.1.4 Confidentiality

4.1.4.1 Certificates of Confidentiality

In keeping with Section 301(d) of the PHS Act, as amended by Section 2012 of the 21st Century Cures Act, P.L. 114-255, and as enacted December 13, 2016 Certificates of Confidentiality (Certificates) are issued automatically to any NIH funded investigators or institutions engaged in biomedical, behavioral, clinical, or other research activities in which identifiable, sensitive information is collected.

At the time of enactment, all NIH-funded and conducted research that was commenced or ongoing on or after December 13, 2016 was deemed to be issued a Certificate and was therefore required to protect the privacy of individuals who are subjects of such research in accordance with subsection 301(d) of the Public Health Service Act. Per the PHS Act, subsection 301(d)(1), the Certificates protect identifiable, sensitive information collected and all copies, in perpetuity.

Institutions and their investigators are responsible for determining whether research they conduct is subject to the requirement and therefore issued a Certificate. Certificates issued in this manner will not be issued as a separate document.

For the purposes of this Policy, NIH considers research in which identifiable, sensitive information is collected or used, to include:

  • Human subjects research as defined in the Federal Policy for the Protection of Human Subjects (45 CFR Part 46), including exempt research except for human subjects research that is determined to be exempt from all or some of the requirements of 45 CFR Part 46 if the information obtained is recorded in such a manner that human subjects cannot be identified or the identity of the human subjects cannot readily be ascertained, directly or through identifiers linked to the subjects;
  • Research involving the collection or use of biospecimens that are identifiable to an individual or for which there is at least a very small risk that some combination of the biospecimen, a request for the biospecimen, and other available data sources could be used to deduce the identity of an individual;
  • Research that involves the generation of individual level, human genomic data from biospecimens, or the use of such data, regardless of whether the data is recorded in such a manner that human subjects can be identified or the identity of the human subjects can readily be ascertained as defined in the Federal Policy for the Protection of Human Subjects (45 CFR Part 46); or
  • Any other research that involves information about an individual for which there is at least a very small risk, as determined by current scientific practices or statistical methods, that some combination of the information, a request for the information, and other available data sources could be used to deduce the identity of an individual, as defined in subsection 301(d) of the Public Health Service Act.

Recipient Responsibilities

To determine if the requirement applies to research conducted or supported by NIH, investigators will need to ask, and answer the following question:

  • Is the activity biomedical, behavioral, clinical, or other research?

If the answer to this question is no, then the activity is not issued a Certificate. If the answer is yes, then investigators will need to answer the following questions:

  • Does the research involve Human Subjects as defined by 45 CFR Part 46?
  • Are you collecting or using biospecimens that are identifiable to an individual as part of the research?
  • If collecting or using biospecimens as part of the research, is there a small risk that some combination of the biospecimen, a request for the biospecimen, and other available data sources could be used to deduce the identity of an individual?
  • Does the research involve the generation of individual level, human genomic data?

If the answer to any one of these questions is yes, then the requirement will apply to the research and therefore, in accordance with subsection 301(d) of the Public Health Service Act, the recipient of the Certificate shall not:

  • Disclose or provide, in any Federal, State, or local civil, criminal, administrative, legislative, or other proceeding, the name of such individual or any such information, document, or biospecimen that contains identifiable, sensitive information about the individual and that was created or compiled for purposes of the research, unless such disclosure or use is made with the consent of the individual to whom the information, document, or biospecimen pertains; or
  • Disclose or provide to any other person not connected with the research the name of such an individual or any information, document, or biospecimen that contains identifiable, sensitive information about such an individual and that was created or compiled for purposes of the research.

Disclosure is permitted only when:

  • Required by Federal, State, or local laws (e.g., as required by the Federal Food, Drug, and Cosmetic Act, or state laws requiring the reporting of communicable diseases to State and local health departments), excluding instances of disclosure in any Federal, State, or local civil, criminal, administrative, legislative, or other proceeding;
  • Necessary for the medical treatment of the individual to whom the information, document, or biospecimen pertains and made with the consent of such individual;
  • Made with the consent of the individual to whom the information, document, or biospecimen pertains; or
  • Made for the purposes of other scientific research that is in compliance with applicable Federal regulations governing the protection of human subjects in research.

As set forth in NIHGPS Chapter 8.3, recipients conducting NIH supported research applicable to the Policy are required to establish and maintain effective internal controls (e.g., policies and procedures) that provide reasonable assurance that the award is managed in compliance with Federal statutes, regulations, and the terms and conditions of award.

Recipients of Certificates are required to ensure that any investigator or institution not funded by NIH who receives a copy of identifiable, sensitive information protected by a Certificate issued by the Policy, understand they are also subject to the requirements of subsection 301(d) of the Public Health Service Act. In accordance with NIHGPS Chapter 15.2.1, recipients are also responsible for ensuring that any subrecipient that receives funds to carry out part of the NIH award involving a copy of identifiable, sensitive information protected by a Certificate issued by the Policy understand they are also subject to subsection 301(d) of the Public Health Service Act.

For studies in which informed consent is sought, NIH expects investigators to inform research participants of the protections and the limits to protections provided by a Certificate issued by the Policy.

Information on CoCs is available on the NIH Web site at Certificates of Confidentiality (CoC) - Human Subjects.

4.1.4.2 Confidentiality of Alcohol and Substance Use Patient Records

Section 543 of the PHS Act, as implemented in 42 CFR Part 2, requires that records of substance abuse patients be kept confidential except under specific circumstances and purposes. These protections differ from those available to patients under HIPAA and are intended to ensure that a patient in a substance or alcohol use program is not made more vulnerable than a similar patient who does not seek treatment. The covered records are any information, written or not, of a patient who has applied for or been given diagnosis or treatment for substance or drug use at a federally assisted program and includes any individual who, after arrest on a criminal charge, is identified as an substance or drug user in order to determine that individual's eligibility to participate in a program. This includes records of the identity, diagnosis, or treatment of any patient which are maintained in connection with the performance of any program or activity relating to substance abuse education, training, treatment, rehabilitation, or research, which is conducted under an NIH grant. Except as authorized under a court order, no patient record may be used to initiate or substantiate any criminal charges against a patient or to conduct any investigation of a patient. The regulations also describe procedures to allow for nonvoluntary disclosure of certain information by persons engaged in research on mental health, including research on the use and effect of alcohol and other psychoactive substances.

4.1.4.3 Confidentiality of Patient Records: Health Insurance Portability and Accountability Act

HHS issued the final version of the "Standards for Privacy of Individually Identifiable Health Information"-the Privacy Rule-on August 14, 2002. The Privacy Rule is a Federal regulation under the Health Insurance Portability and Accountability Act (HIPAA) of 1996 that governs the protection of individually identifiable health information. It is administered and enforced by OCR, HHS.

Decisions about applicability and implementation of the Privacy Rule reside with the researcher and the recipient organization. The OCR web site provides information on the Privacy Rule, including the complete text of the regulation and a set of decision tools for determining whether a particular entity is subject to the rule. An educational booklet, Protecting Heath Information in Research: Understanding the HIPAA Privacy Rule, is available through OCR's web site. That web site also includes other educational materials including information specific to grants.