Changes to NIH Policy for Issuing Certificates of Confidentiality: What You Need to Know
On October 1, 2017, NIH’s policy for certificates of confidentiality (CoCs) changed so that CoCs are now automatically issued for all NIH-funded research that collects or uses identifiable, sensitive information. Previously, CoCs were issued by NIH on request and only for research that involved information that, if disclosed, could have adverse consequences for subjects or damage their financial standing, employability, insurability, or reputation. The categories of covered research have been expanded and applicability now depends on the potential for participants to be identified rather than on the nature of the research.
This change to the NIH policy complies with the requirements of Section 2012 of the 21st Century Cures Act and applies to all research that was commenced or ongoing on or after December 13, 2016.
If you’re not already familiar with CoCs, here’s a quick explanation: A CoC helps to protect the private information of research subjects by prohibiting researchers from disclosing identifiable, sensitive information unless:
- Required by federal, state, or local laws (such as communicable disease reporting);
- The subject consents to the disclosure; or
- The disclosure is made for the purposes of scientific research that is in compliance with human subject regulations.
Importantly, this means that the CoC prohibits disclosure in response to legal demands, such as subpoenas. Its protections go beyond the standard confidentiality safeguards found in the regulations.
A CoC applies not only to the researcher conducting the NIH-funded study but also to any subawardees and to anyone who receives a copy of the information protected by the CoC policy, even if they do not directly receive the NIH funds.
So what does this mean for researchers? Let’s look at some key impacts:
Informed Consent Forms and Participant Notification
CoCs previously were issued by NIH only upon receipt and approval of a CoC application, so only informed consent forms (ICFs) for these studies included information about the CoC’s protections.
Now that CoCs are issued for all new and ongoing NIH-funded research that collects or uses identifiable, sensitive information, researchers must include the CoC information in these ICFs. For ongoing studies that did not have a CoC but now qualify for one and are open to enrollment, this will require a revised ICF for prospective participants to sign. However, re-consent of subjects who signed the previous consent form does not appear to be required by NIH. Advarra will generally not require re-consent in these situations but will assess the investigator’s proposed plan for participant notification on a study-by-study basis.
NIH has developed suggested ICF language describing the CoC protections, available here.
Determining Whether a CoC Has Been Issued for an NIH-Funded Study
Because NIH is now issuing CoCs as described above, it will no longer provide researchers with a physical certificate and generally will not indicate whether a specific study is subject to a CoC. Instead, NIH advises that the Notice of Award, the NIH CoC Policy, and the NIH Grants Policy Statement will serve as documentation of the CoC. Therefore, investigators and institutions will be responsible for determining whether their study is subject to a CoC. This determination is to be based on whether the NIH-funded research collects or uses “identifiable, sensitive information.” This is a new standard, and it does not appear to limit the categories of covered research to information traditionally considered sensitive, such as that obtained during mental health or drug use research. Instead, the policy defines “identifiable, sensitive information” as:
“[I]nformation about an individual that is gathered or used during the course of biomedical, behavioral, clinical, or other research, where the following may occur:
- An individual is identified; or
- For which there is at least a very small risk, that some combination of the information, a request for the information, and other available data sources could be used to deduce the identity of an individual.”
The second part of the definition – “at least a very small risk” that an individual’s identity could be deduced – is new for the research community. Importantly, it does not align with either the Common Rule or HIPAA definitions. As a result, there are lingering questions regarding what this definitional phrase means and exactly at what point of identifiability the CoC protections kick in.
Questions and Challenges
1. How Will Ongoing Research be Impacted?
The new CoC protections apply to all research ongoing as of December 13, 2016, and this includes research that was previously issued a CoC by NIH. Guidance will be needed regarding how to manage these studies, including any prior disclosures or ongoing use of the information that was previously acceptable but will now be prohibited. This is further complicated by the fact that secondary researchers receiving information protected by a CoC must also uphold the protections of the CoC.
2. Who Will Provide Oversight?
Who decides whether information is “identifiable, sensitive information” triggering CoC protections? Under what specific criteria? How are ongoing studies now subject to CoCs managed? How are impacted studies tracked?
One of the major changes under the policy is that responsibilities are now shifted to the investigator. Especially in light of the many outstanding questions (some of which have been raised here), this will require a proactive and systematic approach at the institutional level.
Need more information on CoCs? Review NIH’s FAQ page on CoCs.