NIH Certificate of Confidentiality


Background and Purpose:

Effective October 1, 2017, NIH has updated its policy for issuing Certificates of Confidentiality (CoC) for NIH-funded and conducted research, as a result of the need to implement Section 2012 of the 21st Century Cures Act, P.L. 114-255, which states that the Secretary, HHS shall issue Certificates of Confidentiality to persons engaged in biomedical, behavioral, clinical or other research, in which identifiable, sensitive information is collected.  This means that, unlike before where CoC’s were granted upon request, they are now automatic and trigger several new requirements for the handling of potentially identifiable patient information.

CoCs protect the privacy of research subjects by prohibiting disclosure of identifiable, sensitive research information to anyone not connected to the research except when the subject consents or in a few other specific situations.

Is my research covered by the policy?

Effective October 1, 2017, certificates are automatically issued by NIH for all research covered by the policy that was commenced or ongoing on or after December 13, 2016. 

To determine if this Policy applies to research conducted or supported by NIH, investigators will need to ask, and answer the following question:

  • Is the activity biomedical, behavioral, clinical, or other research?

If the answer to this question is no, then the activity is not issued a Certificate. If the answer is yes, then investigators will need to answer the following questions:

  • Does the research involve Human Subjects as defined by 45 CFR Part 46?
  • Is the research operating under an exemption from 45 CFR 46?
  • Are you collecting or using biospecimens that are identifiable to an individual as part of the research?
  • If collecting or using de-identified biospecimens as part of the research, is there a very small risk that some combination of the biospecimen, a request for the biospecimen, and other available data sources could be used to deduce the identity of an individual?
  • Does the research involve the generation or use of individual level, human genomic data?
  • Does the research involve information about individuals where there is a very small risk (determined by current scientific practices or statistical methods) that some combination of the information, a request for the information, and other available data sources could be used to deduce the identity of the individual?

If the answer to any one of these questions is yes, then this Policy will apply To learn more here is a link to the new NIH Policy in full:

What does having a CoC mean you need to do?

1. Researchers with a CoC may ONLY disclose identifiable, sensitive information in the following circumstances:

  • if required by other Federal, State, or local laws, such as for reporting of communicable diseases (but not in legal proceedings)
  • if the subject consents; or
  • for the purposes of scientific research that is compliant with human subjects regulations.

2. AND you must ensure that anyone who is conducting research as a subawardee or receives a copy of identifiable sensitive information protected by the policy understand they are they are also subject to the disclosure restrictions, even if they are not funded directly by NIH.

3. Identifiable sensitive information means information that identifies an individual orif there is a very small risk that some combination of the information, a request for the information, and other available data sources could be used to deduce the identity of the individual.

Any investigator or institution issued a Certificate shall not:

  • Disclose or provide identifiable sensitive information, in any Federal, State, or local civil, criminal, administrative, legislative, or other proceeding; or
  • Disclose or provide identifiable sensitive information to any other person not connected with the research.
Do I have to re-consent participants?
  • Neither the NIH Policy on Certificates of Confidentiality nor subsection 301(d) expect participants consented prior to the change in authority, or prior to the issuance of a Certificate, to be notified that the protections afforded by the Certificate have changed, or that participants who were previously consented to be re-contacted to be informed of the Certificate, although IRBs may determine whether it is appropriate to inform participants.
  • However, the investigator is obligated to follow all other elements of the Certificate of Confidentiality. If disclosures of identifiable sensitive information will be necessary to conduct the research going forward, that is not permitted under the new NIH policy, re-consenting might be required if participants were not previously consented in compliance with this policy.

If you have any questions, please contact us at 2-2918.