Effective October 1, 2017 Certificates of Confidentiality (CoCs) are automatically deemed to be issued for any NIH-funded research that collects or uses identifiable, sensitive information that was on-going on or after December 13, 2016.
For these projects:
- The CoC is issued as a term and condition of the award
- NIH does not issue a physical certificate
The NIH will continue to consider requests for Certificates of Confidentiality for specific projects that are not funded by NIH. For information regarding CoCs for non-NIH funded research, see the CoCs for Research Not Funded by NIH page.
NIH Recipients Do Not Need to Request a Certificate of Confidentiality
Per Section 2012 of the 21st Century Cures Act as implemented in the 2017 NIH Certificates of Confidentiality Policy, all ongoing or new research funded wholly or in part by NIH as of December 13, 2016 that is collecting or using identifiable, sensitive information is automatically deemed to be issued a CoC. Compliance requirements are outlined in the NIH Grants Policy Statement and the NIH DGS Contract Handbook- Special Contracts Requirements, which is a term and condition of all NIH grant awards and contract solicitations, respectively.
The CoC policy applies to NIH funded:
- Grants
- Cooperative Agreements
- R&D Contracts
- Other Transaction Awards
- NIH's own intramural research
Determining if NIH-Funded Research is Covered by a CoC
Institutions and their investigators are responsible for making the appropriate determination as to whether the research they are conducting involves the collection or use of identifiable, sensitive information and is subject to the CoC Policy and therefore deemed to be issued a Certificate.
The CoC policy and 42 U.S. Code §241(d) defines identifiable, sensitive information as information that is about an individual and that is gathered or used during the course of research where the following may occur:
- Through which an individual is identified; or
- For which there is at least a very small risk, that some combination of the information, a request for the information, and other available data sources could be used to deduce the identify of an individual.
Research in which identifiable, sensitive information is collected or used includes research that:
- Meets the definition of human subjects' research, including exempt research in which participants can be identified;
- Is collecting or using human biospecimens that are identifiable or that have even a small risk of being identifiable;
- Involves the generation or use of individual level human genomic data; or
- Involves any other information that might identify a person
Research that meets any of the above criteria is deemed to be issued a Certificate.
Additional CoC Responsibilities for NIH Investigators
Institutions and investigators are required to inform anyone that receives a copy of information protected by the CoC about the CoC protections and disclosure restrictions. Note that the recipients of this information must comply with the CoC protections and disclosure restrictions, even if they are not receiving any support or funding from NIH. NIH expects investigators and institutions to ensure that the sub-recipients who are conducting research with any information protected by a CoC understand that they are subject to the CoC requirements.
Awardee institutions are required to establish and maintain effective internal controls (e.g., policies and procedures) that provide reasonable assurance that the award is managed in compliance with Federal statutes, regulations, and the terms and conditions of award. This includes establishing policies and procedures to ensure that the awardee is in compliance with CoC protections and disclosure restrictions.
CoC Documentation for NIH-Funded Research
NIH does not issue a physical certificate for NIH-funded research projects. The NIH CoC Policy, Notice of Award, the NIH Grants Policy Statement for grant awards, and the NIH DGS Contract Handbook- Special Contracts Requirements for R&D Contracts, provides documentation of the CoC protection.
Extending or Amending CoCs for NIH-Funded Research
CoCs automatically cover research activities and do not need to be extended or amended while the research remains funded by NIH. If there is a lapse in funding for any reason, the COC protections might not apply to information collected during that time period. However, CoC protections continue for the duration of a no-cost extension. All identifiable, sensitive information (e.g., data, biospecimens) collected or used for research are protected by the CoC in perpetuity. These permanent CoC protections also extend to all copies of this information.
If the NIH funding ends, the study will no longer be deemed issued a CoC. While CoC protections remain in perpetuity for already collected or used information, a new CoC will need to be obtained in order to cover any new data collected from already enrolled participants or any new participants. See the CoCs for Research Not Funded by NIH page for additional information on requesting a non-NIH funded CoC through the online NIH CoC System. If NIH funding will or has ended and enrollment and data collection are complete, there is no need to request a new CoC.