Frequently Asked Questions
Human Subjects
Last Revised: January 9, 2019




    I. General Questions about Human Subjects
    1. Am I proposing Human Subjects Research?

      Research involving a living individual about whom data or biospecimens are obtained, used, studied or analyzed through interaction/intervention, or where identifiable, private information is used, studied, analyzed, or generated is considered to involve human subjects (45 CFR 46).

      If your research meets this definition, indicate “Yes” for involvement of human subjects on your application and complete the Human Subjects and Clinical Trials Information form as indicated in the application guide.

    2. Am I proposing human subjects research if my studies will use only cadaver samples?
      No. According to the definition of human subject, research is only considered to involve human subjects if the data/samples are from living individuals. If the data or samples you propose to use in your research are not from living individuals, indicate “No” for the involvement of human subjects in your application. You may wish to make it clear in the Research Strategy portion of your application that none of your data/samples are from living individuals. See the application guide for further instructions.
    3. Who is considered to be an "investigator" when conducting human subjects research?

      The Principal Investigator is the specific investigator with the authority and responsibility to direct the project or program to be supported by an award. For human subjects research, the definition of an "investigator" reaches beyond the Principal Investigator to individuals with other levels of involvement in the research. The Office of Human Research Protections (OHRP) considers an investigator to be anyone who is involved in the conduct of human subjects research studies. Additional guidance is available in OHRP's Investigator Responsibilities FAQs.

    4. When does my institution need an Institutional Assurance?
      An institution needs an Institutional Assurance whenever that institution is engaged in non-exempt human subjects research. OHRP provides Guidance on Engagement of Institutions in Human Subjects Research.
    5. What is the process for institutions to obtain an Assurance and how can my institution register an IRB?
      Institutions can apply for a Federalwide Assurance (FWA) from the Office of Human Research Protections (OHRP), not from NIH. Applying for an FWA involves filling out an electronic application and registering an Institutional Review Board that has agreed to review the human subjects research of that institution or for that research study.

      Instructions, including application forms, can be found on the OHRP Federalwide Assurance webpage.
    6. How is the Protection of Human Subjects section of the NIH grant application reviewed during peer review?

      The Protection of Human Subjects section is reviewed for both scientific merit and ethical consideration.

      If the Scientific Review Group (SRG) has concerns or finds the human subjects protection information incomplete, the application will be rated as “unacceptable” and be given a Code 48. You may receive a request before award for Just-in-Time (JIT) to provide this information.



    II. Exemptions
    1. Who is responsible for determining whether my proposed human subjects research meets the criteria for one or more exemptions from regulatory requirements?

      The Office of Human Research Protections (OHRP) recommends that institutions adopt clear procedures under which the IRB (or some authority other than the investigator) determines whether proposed research is exempt from the human subjects regulations (see 45 CFR 46). Documentation should include the specific category justifying the exemption. OHRP provides guidance regarding exempt research determinations on their Frequently Asked Questions website.

      Because NIH does not require IRB approval at time of application, claimed exemptions often represent the opinion of the PI, and justification provided for the exemption(s) by the Principal Investigator is evaluated during the peer review process. For funded research, NIH uses the final determination of the IRB and applies terms and conditions of the award based on this determination. Documentation of IRB determination and/or approval of research as exempt or non-exempt human subjects research is required before any human subjects work can be initiated.

    2. Is there guidance available to assist investigators in understanding if their research may qualify for exemptions?

      The Human Subject Regulations Decision Charts from the Office of Human Research Protections (OHRP) will help you to see whether your research may fall under the human subjects regulations and, if so, whether it meets the criteria for any exemptions. You may also use infographics provided on our Resources page. OHRP also has a FAQ site for questions about exemptions as they relate to the Revised Common Rule.


      Please note: OHRP advises that investigators should not have the authority to make an independent final determination that research involving human subjects is exempt. See OHRP guidance for additional information. Because NIH does not require IRB approval at time of application, the exemptions designated often represent the opinion of the Principal Investigator, and the justification(s) provided by the Principal Investigator for the exemption(s) is/are evaluated during peer review. For funded research, NIH uses the final determination of the IRB and applies terms and conditions of the award based on this determination.

    3. Is research that meets the criteria for the exemptions in 45 CFR 46 still considered human subjects research?

      Yes. Research that meets the criteria for exemptions is exempt human subjects research.

      45 CFR 46 outlines the criteria for this type of human subjects research. When completing an NIH funding application, applicants should identify research as human subjects research, and indicate the applicable exemption in the fields provided on the forms. See the application guide for more details.

    4. My proposed research meets the criteria for Exemption 4. What information about the study population is required in the Human Subjects and Clinical Trials Information form?
      Human subjects research that meets the criteria for Exemption 4 is not considered clinical research as defined by NIH; therefore, the NIH policies for addressing inclusion of women, minorities and children do not apply to research that is determined to meet the criteria for Exemption 4. Please see the application guide to understand which sections of the PHS Human Subjects and Clinical Trial Information form should be completed for research meeting the criteria for Exemption 4.
    5. Why do some NIH documents show human subject exemption code numbers with a preceding “E” (e.g., E4) and others show them with a preceding “X” (e.g., X4)?

      NIH displays human subject exemption information in the cover sheet prepended to submitted applications, in summary statements, progress reports, and various other documents. In December 2018, eRA systems were modified to prepend an X instead of an E to the human subject exemption code number received on grant applications. This was done as part of our implementation of the Final Rule amending the Federal Policy for the Protection of Human Subjects (Common Rule) as described in NOT-OD-19-050. The Exempt Human Subjects Research Infographic summarizes exemption categories in effect for applications with due dates on or after January 25, 2019.

      This change from E to X codes only impacts the display of the human subject exemption code numbers in NIH documents. Applicants complete the human subject exemption code questions in our FORMS-E application packages and, upon submission, eRA systems do the translation (e.g., E4 becomes X4).



    III. Human Specimens and Cell Lines
    1. When does research with human specimens, cells, cell lines, or data involve human subjects?

      1. The specimens, cells, or data: 

      • Must be or must have been obtained from individuals who are alive; AND
      • Must be or must have been obtained by an investigator conducting research

      AND


      2. The investigator EITHER:

      • Must be obtaining or must have obtained specimens, cells, or data through interaction or intervention with living individuals; OR
      • Must be obtaining or have obtained individually identifiable private information.

      IF providers of coded human specimen, cells, cell lines or data:

      • Obtained or will obtain the specimens or data, AND
      • Can link the specimens or data to living individuals, AND
      • Will also collaborate on other activities related to the conduct of a proposed research project with the investigators who obtain the specimens or data;

      THEN both the providers and recipients will be considered to be involved in the conduct of the research and are conducting human subjects research.

      Such research may be exempt from human subjects research regulations if specific criteria are met. See 45 CFR 46 for more details. Information about exemptions can also be found in our FAQs and the Office of Human Research Protections (OHRP) decision charts.

    2. What are examples of research involving human specimens and data that would not be considered human subjects research?
      Research that involves only coded human biological specimens or coded private information/data from living individuals is not human subjects research under the HHS human subjects regulations (45 CFR Part 46) if:
      1. the specimens, cells, cell lines or private information/data were not collected specifically for the currently proposed research project through an interaction or intervention with living individuals; and
      2. the investigator(s) cannot readily ascertain the identity of the individual(s) to whom the coded private information or specimens pertain because, for example:
        • the key to decipher the code is destroyed before the research begins;
        • the investigators and the holder of the key enter into an agreement prohibiting the release of the key to the investigators under any circumstances, until the individuals are deceased (note that the HHS regulations do not require the IRB to review and approve this agreement);
        • there are IRB-approved written policies and operating procedures for a repository or data management center that prohibit the release of the key to the investigators under any circumstances, until the individuals are deceased; or
        • there are other legal requirements prohibiting the release of the key to the investigators, until the individuals are deceased.

      Refer to the following guidance from the Office for Human Research Protections (OHRP) for additional information and examples: http://www.hhs.gov/ohrp/policy/cdebiol.pdf

    3. Am I proposing human subjects research if I obtain specimens/data from a repository or database?

      Studies using specimens/data from a repository/database are not human subjects research if a study meets one or more of the following criteria:

      • the repository/database obtains the specimens/data without identifiers, OR
      • the repository/database obtains the specimens/data with identifiers but is prevented, by law, from providing identifiers that link to living individuals and the repository/database plays no collaborative role in the proposed research, OR
      • the investigators and the repository that holds the key that links coded specimens/data to living, identifiable, individuals enter into an agreement prohibiting the release of the key to the investigators under any circumstances, until the specimen/data donors are deceased, OR
      • there are IRB-approved written policies and operating procedures for a repository or data management center that prohibit the release of the key to the investigators under any circumstances, until the specimen/data donors are deceased.
      If your proposed studies using specimens/data from a repository/database meet one or more of the above criteria, you should indicate “No” for Human Subjects in your application. You may wish to clearly indicate the source of the specimen/data in the Research Strategy section to support your claim that no human subjects are involved.

      However, if your proposed studies do not meet any of these criteria, you may be proposing human subjects research.


    IV. Data and Safety Monitoring
    1. Does my research need a Data and Safety Monitoring Plan (DSMP)?
      The NIH Policy for Data and Safety Monitoring states that all NIH funded clinical trials require a Data and Safety Monitoring Plan and that monitoring should be commensurate with risk.

      Most NIH Institutes/Centers have individual Data and Safety Monitoring policies. Click here for the links to NIH Institute and Center-specific policies.
    2. Does my research need a Data and Safety Monitoring Board (DSMB)?

      Further Guidance on a Data and Safety Monitoring Board for Phase I and Phase II Trials states the following:

      • Data and Safety Monitoring Boards (DSMBs) are specifically required for multi-site clinical trials with interventions that entail risk(s) to participants
      • DSMBs are generally required for Phase III clinical trials
      • A DSMB may be required for Phase I, Phase II or Phase III clinical trials if:
        • The clinical trial is blinded
        • The clinical trial involves high risk intervention(s), or
        • The clinical trial includes vulnerable population(s)
    3. How should multi-site studies with a Data and Safety Monitoring Board (DSMB) report summary reports of adverse events when there is a single IRB of record?
      NIH Guidance on Reporting Adverse Events to Institutional Review Boards for NIH-Supported Multicenter Clinical Trials sets the expectation that multi-site studies with a Data Safety Monitoring Board (DSMB) report summary reports of adverse events to each IRB involved in the study. Multi-site studies using a single IRB of record should ensure that summary reports of adverse events are transmitted to the single IRB of record, and in accordance with the reliance or authorization agreement. Transmitting the summary report in no way reduces the responsibility of each site to report individual adverse events in compliance with applicable reporting requirements and regulations.


    V. Informed Consent, Incidental Findings, and Resolving Concerns
    1. How can my institution and I resolve a designation of “Unacceptable” Protection of Human Subjects shown on the Summary Statement?

      Concerns identified during peer review are considered resolved upon receipt of the date on which the IRB approved the human subjects protocol, or the IRB determined that the research does not involve human subjects or is considered exempt human subjects research.

    2. If investigators can anticipate that their proposed studies could reveal incidental findings that may have potential clinical significance, how should they address the possibility of incidental findings in their applications?

      Incidental findings are apparent medical abnormalities that may have clinical implications and are observed in the course of research studies but are unrelated to the topic under study.

      Examples might include:

      • A study involving fractionation of normal human blood suggests a potential infection;
      • A baseline study of mental status indicates a psychiatric condition;
      • A screening protocol for an exercise intervention identifies a cardiac insufficiency.

      NIH policies/guidance do not specifically address incidental findings; however, reviewers may consider incidental findings when evaluating a funding application. Investigators may want to consider describing plans to address incidental findings in the Protection of Human Subjects section of the Human Subjects and Clinical Trials Information form.


    VI. Human Subjects Education

      A. Who Must Comply with the Human Subjects Education Policy?

    1. Who is required to receive education on the protection of human subjects?

      Individuals who will be involved in the design or conduct of NIH-funded human subjects research must fulfill the education requirement. These individuals are considered to be "Key Personnel" on NIH awards and contracts that include research involving human subjects. Such individuals include the Principal Investigator(s), all individuals responsible for the design or conduct of the study, key personnel at foreign sites or institutions, and those individuals identified as key personnel of consortium participants, alternate performance sites, or subcontracts.

      NIH expects that all Key Personnel will receive the required education before beginning research involving human subjects. If Key Personnel are added to an award in a non-competing year, documentation that they have received the required education should be included in the non-competing Progress Report.

    2. Does the human subjects education requirement apply to awards that do not involve human subjects?
      No, but it is important for all investigators, even those working with tissues or specimens derived from human sources, to understand when proposed research triggers regulatory and policy requirements.
    3. Are investigators involved in human subjects research that is described by one or more of the exemptions in 45 CFR 46 required to comply with the education requirement?
      Yes. Investigators who conduct human subjects research that is exempt from Institutional Review Board (IRB) review and approval (categories defined in 45 CFR 46) must comply with the education requirement.

      B. Human Subjects Protections Education Programs

    1. Does NIH specify which educational programs should be used to fulfill the protection of human subjects education requirement?
      No. The NIH does not endorse any specific educational programs. We believe that institutions are in the best position to determine what programs are appropriate for fulfilling the education requirement. Institutions may require a particular program or may choose to develop a program to meet the requirement.
    2. How often do investigators involved in the design and conduct of human subjects research need to complete the education?

      The NIH policy is silent on the frequency of education. The intent of the education requirement is for investigators to keep abreast of developments in human subjects protection. We believe that institutions are in the best position to determine when renewed or additional education is warranted.

      Also see the NIH Guide Notice of June 5, 2000 and September 5, 2001 for additional information on the Requirement for Education on the Protection of Human Subjects.

    3. Does NIH have a training that will satisfy the requirement for human subject protections education?
      Unfortunately, as of Sept 26, 2018 NIH is no longer able to offer its Protecting Human Research Participants course and we do not plan to provide an alternative course (see announcement).

      Institutions seeking to fulfill the requirement for education in the protection of human research will need to use another training program or develop a program to meet the requirement. NIH does not specify or endorse any specific educational programs.

      Archived course content will be available for download on the NIH Research Involving Human Subjects website. Note that this content will no longer be maintained or updated as of September 26, 2018 but will be available as a reference.
    4. Will Protecting Human Research Participants (PHRP) course content be made available once the course is no longer offered?

      Archived course content will be available for download on the NIH Research Involving Human Subjects website. Note that this content will no longer be maintained or updated as of September 26, 2018 but will be available as a reference.

    5. What are the minimum requirements for the NIH human research education training requirement?

      The NIH policy for required education on the protection of human subjects is silent on minimum requirements. The DHHS Secretary's Directive which preceded this policy calls for "appropriate research bioethics training and human subjects research training." It is up to the recipient institution to determine which programs are appropriate for fulfilling this requirement.


      C. Award Mechanisms

    1. Does the education requirement apply to Research and Development contract awards?

      Yes. The education requirement applies to Research and Development Contract awards that include human subjects research. The contracting officer will request documentation that all Key Personnel involved in human subjects research have received the required education prior to the award of a new contract.

    2. Does the education requirement apply to NRSA research fellowship awards?

      Yes. The education requirement applies to individual fellowship applications that describe human subjects research. For individual fellows, the Institute/Center that will be funding the fellowship application will request the necessary information prior to issuing the award (Just-In-Time).

    3. Does the education requirement apply to NRSA training grants?

      Trainees on NRSA training grants are required to receive training in the responsible conduct of research (RCR), which may include the protection of human subjects as a topic. Trainees involved in the design or conduct of human subjects research only need to provide additional documentation of having received the required human subjects education if their required RCR training does not include the protection of human subjects as a topic.

    4. Does the education requirement apply to responses to RFPs, RFAs and PAs as well as to investigator initiated grant applications?

      Yes. The education requirement applies to all NIH awards that include human subjects research.


      D. Documentation of Human Subjects Education

    1. When, in the award process, should documentation of the required human subjects education be provided to NIH?

      The Institute/Center that would be funding the project will request documentation that all Key Personnel have received the required education prior to issuing the award. The information should be submitted to your Grants Management Official with other Just-In-Time requirements and must contain the signature of an authorized institutional official.

    2. Will an award be delayed until documentation of completion of the required education is provided?

      Yes. The award may be delayed in its entirety or NIH Staff may choose to issue an award restricting all human subjects research until documentation of completion of the education requirement has been received. If problems are encountered investigators should contact the program official or grants management specialist. Contractors and prospective contractors should consult with the project officer or contract officer.

    3. Does the documentation that the required education has been received need to be a part of the document signed by an institutional official?

      Yes. The documentation must be signed by an institutional official. It is, however, not required that the Principal Investigator also sign the documentation (see the September 5, 2001 NIH Guide Notice).

    4. Do Key Personnel who have already submitted documentation of having received the required education for one award need to re-submit the documentation when involved in human subjects research supported by another award?

      Yes. Individuals involved in the design and conduct of human subjects research supported by more than one award must provide certification that they have received the required education once for each award.

    5. Can the same certificate of completion of the human subjects education be used on more than one application or contract proposal?

      Yes. The same certificate may be submitted to NIH to fulfill the human subjects education requirement for multiple applications and proposals.

    6. How frequently do Key Personnel need to provide documentation of having received the required education?

      Key Personnel only need to provide this documentation once for each competing award.

    7. If new Key Personnel involved in human subjects research are included in a non-competing Progress Report, does documentation of their compliance with the education requirement need to be provided?

      Yes. Documentation of compliance with the education requirement must be provided for all Key Personnel involved in human subjects research once for each competing award. If Key Personnel are added to an award in a non-competing year, documentation that they have received the required education should be included in the next non-competing Progress Report.



    VII. Certificates of Confidentiality (CoCs)

      A. General information about Certificates

    1. What is a Certificate of Confidentiality?
      A Certificate of Confidentiality (Certificate) protects the privacy of research participants enrolled in biomedical, behavioral, clinical or other research. With limited exceptions, researchers may not disclose names or any information, documents or biospecimens containing identifiable, sensitive information. The Certificate prohibits disclosure in response to legal demands, such as a subpoena.
    2. What information is protected by a Certificate?

      Certificates protect names or any information, documents, or biospecimens containing identifiable, sensitive information related to a research participant. This is defined as "covered information" in the policy. In addition, if there is at least a very small risk that information, documents, or biospecimens can be combined with other available data sources to determine the identity of an individual, then they are protected by the certificate.

    3. Do the requirements of a Certificate apply to copies of information shared for other research?

      Yes. The protection covers all copies of information collected or used by the investigator in the research covered by the Certificate, even those copies that are shared for other research.

    4. How long does a Certificate’s protection last?

      The protection of the certificate lasts in perpetuity. However, data collected after a certificate expires, or NIH funding ends, may not be protected. (See Question B8).

    5. In what situations may covered information be disclosed?

      Disclosure of information, physical documents, or biospecimens protected by a Certificate is permitted only when:

      • Required by other Federal, State, or local laws, such as for reporting of communicable diseases;
      • Made with consent of the subject; or
      • Made for the purposes of scientific research that is compliant with human subjects regulations.
    6. What is meant by identifiable, sensitive information?

      The new statute that governs Certificates of Confidentiality broadened the meaning of sensitive, identifiable information and focuses more directly on identifiability. Identifiable, sensitive information is information about an individual, gathered or used during biomedical, behavioral, clinical or other research, through which the individual is identified, or there is at least a very small risk that some combination of the information, a request for the information, and other available data sources could be used to determine the identity of an individual. The NIH CoC policy defines this as "covered information."

      Identifiable, sensitive information includes but is not limited to name, address, social security or other identifying number; and fingerprints, voiceprints, photographs, genetic information, tissue samples, or data fields that when used in combination with other information may lead to identification of an individual.
    7. What are the recipient’s responsibilities under a Certificate?

      Any investigator or institution issued a Certificate shall not:

      • Disclose or provide covered information, in any Federal, State, or local civil, criminal, administrative, legislative, or other proceeding; or
      • Disclose or provide covered information to any other person not connected with the research.

      Researchers with a CoC may ONLY disclose identifiable, sensitive information in the following circumstances:

      • If required by other Federal, State, or local laws, such as for reporting of communicable diseases;
      • If the subject consents; or
      • For the purposes of scientific research that is compliant with human subjects regulations.
    8. What is the researcher's responsibility to inform participants of a Certificate?

      When a researcher is issued a Certificate and the researcher will be obtaining informed consent from participants, NIH expects that the subjects will be told about protections afforded by the Certificate and any exceptions to those protections. The NIH Human Subjects website has suggested consent language that investigators may refer to.

      For studies that were previously issued a Certificate and notified participants of the protections provided by that Certificate, NIH does not expect participants to be notified that the protections afforded by the Certificate have changed, although IRBs may determine whether it is appropriate to inform participants.
    9. May I alter or edit the suggested Certificate consent language to better fit my study design or population?

      Yes, NIH provides suggested consent language which can be altered or edited as needed for the research design and/or the population being studied and must be approved by the IRB of record. However, any edited versions of the suggested consent language should still address the main points of Section 301(d) of the Public Health Service Act and the NIH Policy regarding the protections and limitations to the protections of a Certificate, specifically when researchers are and are not permitted to make disclosures of identifiable, sensitive information collected or used in the research.

    10. If part of my cohort was recruited prior to issuance of the Certificate, but they are no longer actively participating in the study, do I need to re-consent them?

      Neither the NIH Policy on Certificates of Confidentiality nor subsection 301(d) expects participants who consented prior to the change in authority, or prior to the issuance of a Certificate, to be notified that the protections afforded by the Certificate have changed, or participants who previously consented to be re-contacted to be informed of the Certificate, although IRBs may determine whether it is appropriate to inform participants.

    11. Are summary results of research prohibited from disclosure by Certificates?
      NIH generally does not consider summary research results, such as genomic summary results or summary results of clinical trials, to be identifiable, sensitive information as summary results are not “about an individual,” but rather, are about a group of individuals. Moreover, summary results generally pose less than a very small risk that individuals could be re-identified, even when used in conjunction with other available data sources.
    12. Is it possible to share information protected by a Certificate with other researchers? Can such information be shared openly (e.g., on a public website without any requirements for download)?

      Information protected by a Certificate can be shared openly on a public website only where otherwise authorized to be disclosed by the statute, for example, if participants have consented to such sharing. The NIH Policy on Certificates of Confidentiality expects that the recipient of a Certificate shall ensure that an investigator or institution who receives a copy of information protected by a Certificate understands that they are also subject to the requirements of subsection 301(d) of the Public Health Service Act.

    13. May identifiable, sensitive information protected by a Certificate of Confidentiality be placed in a subject’s medical record? If identifiable, sensitive information protected by a Certificate is placed in a subject’s medical record, is it still protected?

      In general, placing research information protected by a Certificate of Confidentiality into a subject’s medical record would require the subject’s consent unless such disclosure is required by law.  NIH encourages institutions and investigators who wish to include identifiable, sensitive information protected by a Certificate in a medical record, to work with their institutional counsel to determine how to do so in accordance with subsection 301(d) of the Public Health Service Act and other relevant laws.

      Section 301(d) of the Public Health Service Act protects identifiable, sensitive information and all copies thereof. Accordingly, if identifiable, sensitive information protected by a Certificate is placed in a subject’s medical record, the protections of the Certificate and prohibitions on further disclosure of the information may apply. Investigators should also work with their institutional counsel to ensure that proper consent is obtained for all potential disclosures from medical records.

      Note that a Certificate is not intended to limit the access of research participants to research information about themselves.

    14. Does the NIH Policy on Certificates of Confidentiality and subsection 301(d) of the Public Health Service Act (42 U.S.C. 241(d)) permit HHS auditing and other regulatory compliance monitoring of NIH-funded projects?

      Yes, NIH considers auditing and regulatory compliance monitoring to be activities connected with the research and thus does not consider disclosure of information to, for example, members of relevant Institutional Review Boards or individuals within the HHS Office of Inspector General to violate the statute or the Policy if used for HHS auditing or regulatory compliance.

    15. If a study does not require consent, does the investigator or institution have a responsibility to inform participants of CoC protections?

      If the IRB has approved a waiver of consent or consent will otherwise not be obtained for the research, then the NIH does not expect investigators or institutions conducting research for which a Certificate has been issued to inform participants about the protections and limitations of the Certificate.

    16. As with many pragmatic trials, my study is fully integrated with clinical care, such that for research purposes we will extract information from the medical records and for clinical care we intend to incorporate research data into the medical records. Must we have the participants’ consent to put research data in the medical records?

      The policies for handling research data and medical records can differ with each institution. For this reason, NIH suggests that investigators who intend to include research data in subjects’ medical records work with their own institutional counsel and IRB to ensure that all documents are handled appropriately and in line with the institution’s own policies.


      B. Certificates for NIH-Funded Research

    1. If the study is funded by NIH, do I need to request a Certificate?

      No, eligible research studies that are funded by NIH are automatically issued a certificate under the NIH Policy on Certificates of Confidentiality.

    2. What NIH-funded research is issued a Certificate?

      Effective October 1, 2017, certificates are automatically issued by NIH for all research covered by the policy that was commenced or ongoing on or after December 13, 2016.

      To determine if this Policy applies to research conducted or supported by NIH, investigators will need to ask and answer the following question:

      • Is the activity biomedical, behavioral, clinical, or other research?

      If the answer to this question is no, then the activity is not issued a Certificate. If the answer is yes, then investigators will need to answer the following questions:

      • Does the research involve Human Subjects as defined by 45 CFR Part 46?
      • Are you collecting or using biospecimens that are identifiable to an individual as part of the research?
      • If collecting or using biospecimens as part of the research, is there a small risk that some combination of the biospecimen, a request for the biospecimen, and other available data sources could be used to deduce the identity of an individual?
      • Does the research involve the generation of individual level, human genomic data?

      If the answer to any one of these questions is yes, then this Policy will apply.

    3. Will NIH indicate which specific NIH-funded studies are issued a Certificate?
      In general, no. It is the responsibility of recipients and their investigators to determine if their research is collecting or using covered information.
    4. Will NIH provide a paper or digital document to indicate an NIH-funded study is protected by a Certificate?
      No, NIH will not provide documentation that specific NIH-funded studies are covered by a Certificate after the effective date of the policy. Documentation of NIH funding or support, the NIH CoC Policy (NOT-OD-17-109), the NIH Grants Policy Statement (see 4.1.4.1), subsection 301(d) of the Public Health Service Act, and any additional future guidance issued by NIH will serve as documentation of the issuance of a Certificate for a specific study.
    5. Does the Policy issue certificates to NIH-funded research that began after the enactment of section 2012 of the 21st Century Cures Act on December 13, 2016? What about research that was ongoing at the time of the law’s enactment?

      Section 2012 of the 21st Century Cures Act covers all research begun on or after December 13, 2016, and all research ongoing as of that date. Therefore, all NIH research within the scope of the policy, that was ongoing on December 13, 2016, or initiated on or after that date, is issued a certificate.

      Note that research that was previously issued a Certificate by NIH (regardless of the funding source) is also subject to the new protections and requirements put in place by the 21st Century Cures Act.
    6. Does the policy issue Certificates to studies covered by a Certificate issued prior to October 1, 2017?
      The NIH policy issues Certificates for NIH-funded research that was ongoing on December 13, 2016 or initiated on or after that date. For certificates issued prior to December 13, 2016, for research that no longer has NIH funding, a new certificate will not be issued. However, the new protections and requirements enacted by the 21st Century Cures Act apply to all certificates previously issued by NIH, regardless of the funding source.
    7. Does the protection afforded by a Certificate change if the Certificate was issued prior to the date of enactment of section 2012 of the 21st Century Cures Act (Pub. L. 114-255) and has expired?
      No.  NIH has long interpreted the protection afforded by Certificates to be permanent, even after a Certificate expires. Information protected by a Certificate that was issued or expired prior to the enactment of section 2012 of the 21st Century Cures Act will be subject to the requirements of the statute, which protects all copies of the information in perpetuity.
    8. Does a Certificate protect all identifiable, sensitive information collected or used during the duration of a research project?
      For NIH funded research, a Certificate protects the information that was collected or used during the period in which the research is funded by NIH. If the study continues after your NIH funding ends and you need continued protection of a Certificate for new information, you should request a Certificate following the process for non-federally funded research. You may want continued protection, for example, if you were collecting new information from participants or enrolling new participants after the period in which the research was funded by NIH.   Note that information protected by a Certificate, and all copies thereof, is protected by a Certificate in perpetuity, even after the research is no longer funded by NIH.
      If a research project was issued a Certificate and continues under a no-cost extension, the research is considered to continue to be covered by the Certificate for the duration of the no-cost extension.
    9. Are investigators who conduct secondary research with information protected by a Certificate required to obtain a Certificate?
      No. Certificates will be issued automatically to recipients for NIH-funded research that meets the scope of the NIH Policy. Certificates may be issued for non-federally funded research upon request but are not mandatory. Information protected by a Certificate and all copies are subject to the protections of the Certificate in perpetuity. Therefore, if a secondary researcher receives information protected by a Certificate, the secondary researcher is required to uphold the protections of the Certificate. NIH expects that recipients of a Certificate will inform secondary researchers when information disclosed to them is protected by a Certificate.
    10. Are subrecipients protected by a Certificate issued to the pass-through entity?
      Yes, subrecipients who receive funds to carry out part of the Federal award for which a Certificate is issued are also protected by the Certificate and subject to its requirements.  NIH expects recipients to inform subrecipients of the protections of a Certificate, as well as ensure that the subrecipients comply with the requirements.
    11. I am collecting data from subjects in a foreign country. Will my research be issued a Certificate of Confidentiality?
      Certificates will be issued to recipients for applicable research regardless of the country where the investigator or the protected information resides.  However, Certificates may not be effective for data held in foreign countries.
    12. I am an intramural scientist working on a clinical HIV study at the NIH. If the Federal Privacy Act applies to my research, will I still be issued a Certificate?
      Yes. Subsection 301(d) of the Public Health Service Act requires that Certificates be issued for all applicable research, both intramural and extramural. The Federal Privacy Act does not protect identifying information if disclosure is ordered by a court of competent jurisdiction.
    13. Does the NIH CoC Policy apply to training awards, including F, K, and T awards?
      CoCs are issued for applicable NIH funded research. In F and K awards, NIH is funding the research by providing direct support to the Principal Investigator (PI) to conduct a specific research project and a CoC would be automatically issued. In general, most T awards are not providing funding for a research project but instead are providing funding to allow trainees to work for a short time period on a mentor’s project that has a separate source of funding. Thus, the T award would not provide CoC protection for the mentors’ projects. Note that the mentor projects may have CoC protection if they are funded by NIH under another mechanism (such as an R01 award). In a minority of T awards, the trainees conduct their own unique research project; in such cases where the award is supporting the conduct of the research, the CoC would be issued automatically through this award. But most T awards simply provide a training opportunity by allowing trainees to work for a short time period on a mentor’s project that has another separate source of funding (not through the T award).
    14. Can the institution and/or PI decline the Certificate protection for a study if the institution or PI does not believe it to be necessary?
      No. Section 2012 of the 21st Century Cures Act requires that all federally funded research in which identifiable, sensitive information is collected or used be issued a Certificate. Compliance with NIH’s policy (NOT-OD-17-109), which implements this statute, will be included as a standard term and condition of award for all new and non-competing awards made on or after October 1, 2017 and is not optional. Compliance with the law is mandatory for any award made on or after December 13, 2016.
    15. What happens if an institution and/or PI discloses identifiable, sensitive information protected by a Certificate in response to a subpoena or without the subject’s consent in violation of Section 2012 and the NIH Policy?
      Compliance with NIH’s Policy for Issuing Certificates of Confidentiality (NOT-OD-17-109) will be included as a standard term and condition of award for all new and non-competing awards made on or after October 1, 2017. Because the requirement to protect the privacy of subjects in applicable NIH-funded research is now a term and condition of award, disclosure that is not allowed would be considered an instance of non-compliance and would be subject to the remedies for noncompliance and enforcement actions described in the NIH Grants Policy Statement, sections 8.5.2 and 8.5.3. This may include, but is not limited to, disallowing costs, withholding of further awards, or suspending or terminating the grant. In addition, disclosures in violation of the statute may expose institutions to legal liability separate from any actions taken by NIH.
    16. I am conducting research funded by the NIH. Under the NIH Policy on Certificates of Confidentiality, my study is automatically issued a Certificate of Confidentiality. Am I required to inform participants about the protections and limitations of the Certificate during the consent process?
      In general, NIH expects investigators and institutions issued a Certificate to inform participants about the protections and limitations of the Certificate for any research in which informed consent is sought, including when documentation of consent has been waived, such as oral consent or opt in/out methods. We recommend working with your IRB to determine the appropriate language concerning Certificates.
    17. My institution has a general consent/authorization form for all clinical research. Must this form be amended to include CoC protections?
      If the study is funded wholly or in part by the NIH, the investigator should work with their institutional counsel and IRB to determine whether the general consent document needs to be amended to include language about the Certificate.

      C. Certificates for Research Funded by Other HHS (Non-NIH) and non-HHS Federal Agencies

    1. Will NIH continue to issue certificates for research involving identifiable, sensitive information funded by another HHS Operating Division?

      Several non-NIH HHS agencies, including CDC, FDA, HRSA and SAMHSA, issue Certificates of Confidentiality (CoCs). If your research is funded by one of these agencies or is operating under the authority of the FDA, please contact the Certificate Coordinators at the funding agency to determine how to obtain a CoC.

      If your research is funded by an HHS agency other than NIH, CDC, FDA, HRSA or SAMHSA that does not issue CoCs, you may request a Certificate of Confidentiality for specific health-related projects that use sensitive, identifiable information, using the online system. NIH issues CoCs on behalf of these agencies.

    2. Will NIH continue to issue certificates for research involving identifiable, sensitive information funded by a non-HHS Federal Agency?

      Yes. If your health-related research is funded by a Federal Agency other than HHS, you may request a Certificate of Confidentiality for a specific project that involves sensitive, identifiable information, using the online system.

      Please direct your CoC request to the NIH Office of the Director (OD). Please contact the NIH Central Coordinator at NIH-COC-Coordinator@mail.nih.gov. Issuance of a CoC is at the discretion of NIH.
    3. How do I get a Certificate?
      NIH issues Certificates through the Office of the Director. If your research is funded by a non-NIH HHS agency, you should request a Certificate through the online NIH CoC system. Detailed information is available on the NIH Certificates of Confidentiality website.
    4. When should I request a Certificate?
      Requests for Certificates should be submitted at least three months prior to the date on which enrollment of research subjects is expected to begin.
    5. What if my non-NIH-funded research is covered by a Certificate issued prior to the law’s enactment or prior to the October 1st, 2017 effective date of the NIH Policy?
      All Certificates issued prior to the law’s enactment or to the October 1st, 2017 effective date of the Policy are also subject to the protections and requirements of subsection 301(d) of the Public Health Service Act (42 U.S.C. 241(d)), including the disclosure requirements.

      D. Certificates for Non-Federally Funded Research

    1. Will NIH continue to issue certificates for research involving identifiable, sensitive information that does not have Federal funding?

      Yes. For health-related research that is not federally funded, in which identifiable, sensitive information is collected or used, you may request a Certificate of Confidentiality (CoC) for specific projects using the online application system.

    2. If the study is not funded by the federal government, do I need to obtain a Certificate?
      Investigators and/or institutions engaged in non-federally funded research, in which identifiable, sensitive information is collected or used, are not required to obtain a Certificate. Investigators and/or institutions conducting biomedical, behavioral, clinical or other research within the NIH mission in which identifiable, sensitive information is collected or used (or any investigator who intends to engage in such research) may request a Certificate of Confidentiality from NIH. Note there are other eligibility requirements.
    3. What do you mean by significant changes?
      Significant changes include: major changes in the scope or direction of the research protocol, changes in personnel having major responsibilities in the project, or changes in the drugs to be administered (if any) and the persons who will administer them.
    4. What kind of non-NIH-funded research is eligible for a Certificate?
      Generally, any research project on a sensitive health-related topic that collects names or other identifiable, sensitive information pertaining to subjects, and that has been approved by an IRB operating under either an approved Federal-Wide Assurance issued by the Office of Human Research Protections or the approval of the Food and Drug Administration (or other documentation of institutional approval), and that is in compliance with the Federal Policy for the Protection of Human Subjects at 45 CFR 46 (the Common Rule) or follows relevant provisions of the Common Rule relating to consent, may be eligible for a Certificate. The subject matter of the study must fall within a mission area of the National Institutes of Health or the Department of Health and Human Services. Issuance of Certificates is discretionary.
    5. Is NIH required to give a Certificate to all non-federally funded applicants who request one?
      No, a non-federally funded research project is not entitled to a Certificate. Issuance of a Certificate for non-federally funded research is discretionary.
    6. What studies would NOT be eligible?

      Examples of research that would be ineligible to receive a Certificate include:

      • not research based,
      • not collecting or using identifiable, sensitive information pertaining to research participants,
      • not involving a subject matter that is within a mission area of the National Institutes of Health or the Department of Health and Human Services.
    7. I am planning two different non-NIH-funded studies that will involve human subjects from two different populations. Both studies will collect sensitive data and identifiable information. Can I obtain one Certificate to cover both projects?
      A separate application is required for each non-NIH-funded research project for which a Certificate is desired. A Certificate is generally issued to a research institution for a single project (not broad groups or classes of projects). However, projects that use the same sample of subjects but have different protocols may apply for one Certificate since the subjects, whose identities the investigator wishes to protect, are the same. Additionally, a project that is being conducted at multiple sites can request one Certificate to cover all sites.
    8. I am planning a non-federally funded multi-site trial to study the efficacy of a new intervention. Does each site need a separate Certificate?
      No, for a multi-site project, a coordinating center or lead institution can request and receive a Certificate on behalf of all member institutions. This option is only for a study in which the same protocol, or aspects of the same protocol, are being conducted at multiple sites, for example a large clinical trial with 10 clinical sites that will enroll subjects, a central coordinating site, and a genetic testing and tissue repository site. In general, the information provided in the request for a Certificate for a multi-site study is specific to the lead institution. However, the lead site is expected to maintain a current listing of all the participating sites, including addresses and project directors. In addition, the lead site should obtain signed assurances from each participating institution. These should be kept in the lead institution's files, to be made available to the NIH upon request. The lead site is also responsible for ensuring that each site's consent forms contain appropriate language describing the Certificate of Confidentiality and should work with the IRB to review consent form language. To avoid confusion, all study-specific documents across all sites should use a consistent project title. After the Certificate has been issued, the lead institution should provide a copy of the Certificate of Confidentiality to each participating institution. The lead site should also develop appropriate agreements with the participating institutions to implement the assurances.
    9. I am collecting data from subjects recruited in a foreign country. Will my research be issued a Certificate of Confidentiality?
      Yes, if the data are maintained within the U.S. If the data are maintained only in the foreign country, a Certificate of Confidentiality may not be effective and will generally not be issued.
    10. Is research conducted by non-faculty members (students or pre-, post-doctoral fellows) eligible for a Certificate for their research?
      Yes, although there are some additional application requirements for such research projects: NIH prefers that the faculty sponsor be designated as the PI on such applications instead of the student; the student or fellow should be listed as key personnel for the study. Moreover, the IRB approval for a student research project that is submitted with the Certificate application must be issued jointly to the student/fellow and the faculty sponsor or to the sponsor with a copy to the student/fellow.
    11. How do I get a Certificate?
      If your research is not supported by NIH, you should apply for a Certificate through the NIH Office of the Director. Please note that NIH is authorized to issue Certificates only for research within HHS mission areas. Detailed information is available at the Certificates of Confidentiality website.
    12. When should I request a Certificate?
      Requests for Certificates should be submitted at least three months prior to the date on which enrollment of research subjects is expected to begin.
    13. You indicate that for non-federally-funded research, both the PI and the Institutional Official must sign the application for a Certificate. What do you mean by “Institutional Official”?
      For studies that are not funded by NIH, the Institutional Official must sign the application. The authorized institutional official is the individual named by the applicant organization who is authorized to act for that organization and assumes on behalf of the institution the obligations imposed by assurances as well as obligations imposed by the Federal laws, regulations, requirements and other conditions that apply to grant applications and awards.
    14. What if there is a significant change in my research project after a Certificate has been issued?

      If a significant change in your research project is proposed after a Certificate is issued, you must inform the NIH Certificate of Confidentiality Coordinator by sending an email request to NIH-CoC-Coordinator@mail.nih.gov for an amendment that describes the proposed changes in your project. Your request will be reviewed and will either be approved or disapproved. If your request for an amendment is approved, an amended Certificate of Confidentiality will be issued. If your request is disapproved, you will be notified that adoption of the proposed significant change(s) will result in prospective termination of the original Certificate.

      Significant changes in a research project include, but are not limited to:

      • Major changes in the scope or direction of the research protocol
      • Changes in personnel having major responsibilities in the project
      • Changes in the drugs to be administered (if any) and the persons who will administer them.
    15. What if my non-federally-funded research is covered by a Certificate issued prior to the law’s enactment or prior to the October 1st, 2017 effective date of the NIH Policy?
      All Certificates issued prior to the law’s enactment or to the October 1st, 2017 effective date of the Policy are also subject to the protections and requirements of subsection 301(d) of the Public Health Service Act (42 U.S.C. 241(d)), including the disclosure requirements.

      E. Existing Certificates of Confidentiality

    1. How do the changes enacted in the 21st Century Cures Act affect my existing Certificate?
      All certificates issued prior to the law’s enactment or prior to the October 1st, 2017 effective date of the Policy are also subject to the protections and requirements of subsection 301(d) of the Public Health Service Act (42 U.S.C. 241(d)), including the disclosure requirements.
    2. Can I still extend or amend my existing certificate?
      If your research is funded by NIH, your certificate will automatically extend until the end of the project period, including any no-cost extensions. For non-NIH funded research, you may request to extend or amend existing certificates as needed; please contact the NIH CoC Coordinator at NIH-CoC-Coordinator@mail.nih.gov.
    3. I have an expired Certificate for research that has ended. Does the 21st Century Cures Act impact me?
      Yes. The updated protections and requirements apply to all Certificates issued by NIH, including those issued prior to the law’s enactment.

      F. Legal Considerations

    1. Has the legality of Certificates been challenged?

      There have been a few reported court cases. In a 1973 case, People v Newman, the Certificate's authority was upheld in the New York Court of Appeals; the U.S. Supreme Court declined to hear the case.

    2. What should an investigator do if legal action is brought to release personally identifying information protected by a Certificate?
      The researcher should immediately seek legal counsel from his or her institution. If the research was issued a Certificate through an application, such as for Certificates issued prior to October 1st, 2017, or for research not funded by NIH, the investigator should also inform the Certificate Coordinator.
    3. What constitutes a proceeding for which disclosure or use of identifiable, sensitive information collected or used in research, would be prohibited? At what point does a proceeding commence?
      A proceeding includes any action or procedure before a body that conducts a legal, administrative, legislative, or other hearing or investigation, including courts of law, commissions, or other tribunals. A proceeding encompasses all phases of existing actions, hearings or investigations including pre-trial and post-trial stages of litigation. Formal requests by attorneys or others involved in legal proceedings are included in the definition of a proceeding. Examples of actions in which disclosure or use of identifiable, sensitive information protected by a Certificate would be prohibited from being disclosed or used, excluding instances where the disclosure or use is made with the consent of the individual to whom the information pertains, include arbitration, a grand jury investigation or hearing, or a subpoena compelling the production of documents or testimony.

      G. Certificate of Confidentiality Vs. Other Privacy and Data Protections

    1. Does the HIPAA Privacy Rule preclude the need for a Certificate?

      No. Certificates of Confidentiality offer an important protection for the privacy of research participants by protecting identifiable health information from compelled disclosure (e.g., by court order). While the Privacy Rule does establish protections for covered entities’ use and disclosure of PHI, it permits use or disclosure in response to certain judicial or administrative orders. Therefore, Certificates protect investigators from being forced to disclose identifiable, sensitive information collected or used in research that might otherwise have to be disclosed under the Privacy Rule.

    2. If I am conducting a sensitive research project that is covered by the AHRQ confidentiality statute (42 U.S.C. section 299a-1(c) entitled “limitation on use of certain information”) or the Department of Justice confidentiality statute (42 U.S.C. section 3789g), should I also request a Certificate from NIH?
      No. You should not request an NIH Certificate if your study is covered by AHRQ or the DOJ statute.  However, you should contact AHRQ or the DOJ to determine whether you should apply for a Certificate pursuant to their policies.
    3. What is the applicability of Title 42 Part 2a – Protection of Identity - Research Subjects following the enactment of this policy?
      Title 42 Part 2a – Protection of Identity - Research Subjects was promulgated in 1979 to establish procedures for issuing certificates upon application to the Secretary of Health and Human Services.  Title 42 Part 2a was authorized under subsection 301(d) of the Public Health Service Act (42 U.S.C. §241(d)) prior to the statute’s amendment by section 2012 of the 21st Century Cures Act. Because these regulations govern the process for issuing certificates upon application, and NIH’s implementation of the amended subsection 301(d) of the Public Health Service Act (42 U.S.C. §241(d)) automatically issues certificates for research involving the collection or use of identifiable, sensitive information, Title 42 Part 2a is only applicable to the issuance of certificates upon request for non-federally-funded research, and only to the extent that the regulations do not conflict with the amended statute. Individuals and institutions engaged in this category of non-federally-funded research may continue to request a certificate from the NIH. Where there exists a contradiction between Title 42 Part 2a and subsection 301(d) of the Public Health Service Act (42 U.S.C. §241(d)), the statute will prevail.
