NIH Updates Policy for Issuing Certificates of Confidentiality

September 28, 2017

On September 7, 2017, the National Institutes of Health ("NIH") released a Notice of Changes to NIH Policy for Issuing Certificates of Confidentiality (NOT-OD-17-109) ("the Policy"). This Policy flows from the Cures Act's changes to when and how a Certificate of Confidentiality ("Certificate") is issued, see Pub. Law 114-255, Section 2012 (December 13, 2016), and applies to research "in which identifiable, sensitive information is collected." The Policy goes into effect on October 1, 2017, with retroactive implications; all NIH-funded research that was "commenced or ongoing on or after December 13, 2016" will be deemed to have been issued a Certificate pursuant to the Policy. NIH has indicated that guidance on the Policy is imminent; when issued, it will likely appear on the NIH's Certificates of Confidentiality (CoC) Kiosk.

We have identified the following preliminary questions and concerns with the Policy and will be monitoring the forthcoming guidance to see whether and how it addresses them. Institutions also may want to assess the guidance against these concerns to formulate further questions to NIH to the extent troubling aspects of the Policy remain unclear.

  • The Policy appears to equate "sensitive" with "identifiable" (whereas the Cures Act still seems to consider sensitive information to be a subset of other identifiable information, referencing "mental health" and drug/alcohol research as examples of research involving sensitive information). As such, the concept of "sensitive" may no longer serve to further narrow the scope of research for which a Certificate is required. Additionally, as further noted below, the concept of "identifiable" used in the Policy is more expansive than what would be required to trigger human subjects or other privacy protections. The combination of these two changes (plus the shift required by the Cures Act to mandatory, as opposed to voluntary, Certificates for NIH-funded research) results in a significantly broadened universe of research subject to Certificates.
  • The Policy and the Cures Act consider data and specimens "identifiable" using a broader and ambiguous standard that does not key to identifiability as defined under the Common Rule or even under the HIPAA Privacy Rule. (Under HIPAA, information that a statistical expert determines carries a very small risk of being able to be used to identify someone is actually considered de-identified.) What is a "very small risk" that someone can be identified for purposes of applying the Policy? Who determines that? Under the Policy, a Certificate will issue for all NIH-funded research; as such, it will be up to investigators and institutions to determine whether particular research falls within the scope of the Policy. Institutions may want to consider the benefits of developing categories of data that they think would trigger the "very small risk" standard, or types of data protections that are deemed to remove such risk, to reduce the need for per-project analysis. The Policy also does not cover how institutions should address projects that evolve from being outside the scope of the Policy to within the scope, whether through amendments or shifts in understanding about the identification risk presented by certain technologies. Institutions may want to consider periodic re-evaluation for NIH-funded research determined not to trigger the requirements of the Policy (i.e., because the information collected is considered at the start not to include "identifiable, sensitive information"). Alternatively, institutions may decide it is easier to assume all NIH-funded research is covered.
  • The buckets of research deemed by the Policy to constitute research involving "identifiable, sensitive" information provide further insight into how the NIH interprets these concepts. The buckets are broader than what the Cures Act contemplates on its face and include most categories of research exempt under the Common Rule. As such, research that would not require IRB oversight may nonetheless have a mandatory Certificate associated with it. This raises an additional question regarding secondary research using data that may be collected or otherwise developed under a Certificate. The Policy permits disclosure of information subject to a Certificate "for the purposes of other scientific research that is in compliance with applicable Federal regulations governing the protection of human subjects in research." However, it is unclear whether Certificate recipients are obligated to take any confirmatory steps that downstream research using information subject to the Certificate is in compliance with any applicable requirements. If read to include such a requirement, this would effectively add a layer of institutional oversight – even if not IRB oversight – to research that historically has not been tracked following an exemption determination.
  • The Policy now imposes disclosure restrictions for biospecimens that may be non-identifiable under the Common Rule and the HIPAA Privacy Rule (moving towards the imposition of requirements for a category of NIH-funded research that the revised Final Common Rule declined to regulate).
  • The Policy loops genomic data (whether or not identifiable under Common Rule standards) into the bucket of identifiable, sensitive information (again, going beyond the face of the Cures Act and imposing restrictions on the disclosure of such information, ahead of any anticipated determination under the revised Common Rule that such technology should be deemed to generate individually identifiable information).
  • The restrictions on the Certificate holder reach to data and specimens that were "created or compiled" for purposes of the research. It is unclear how far that reaches. If patient medical records or other existing independent data/data sources are compiled, would that bring the entire medical record within the protection of the Certificate? That seems like an inappropriate and unlikely result; however, the language is broad and ambiguous.
  • The permission to disclose the information does not extend to other uses that would be allowed under HIPAA without specific permission. For example, under HIPAA, identifiable information (including information from research) can be disclosed for operations or treatment purposes without individual authorization. Under the Policy, it appears consent would be needed to disclose research information for such purposes (such as to a Business Associate performing a data storage service in support of a study). This is a significant new requirement to impose on investigators and institutions and may have multiple implications, including with respect to the inclusion of research information in individuals' medical records.
  • It is unclear how NIH grantees can simultaneously comply with this Policy and the NIH data sharing policies, in particular the genomic data sharing policy. Arguably those policies are not covered by the exception in the Policy allowing disclosures as required by Federal, State, or local laws; such policies are not Federal laws. Even though the NIH data sharing policy requires that identifiers be stripped, it is currently unclear whether that standard aligns with the Policy's new concept of what qualifies as de-identified.
  • It is unclear how the Policy can be fully implemented retroactively. For example, disclosures now prohibited will likely have already occurred in the covered research. Furthermore, it is unclear whether ongoing NIH-funded research being conducted under an existing Certificate (as opposed to projects currently lacking a Certificate for which one will be deemed to exist as of October 1) will be similarly deemed to incorporate the same definitions and scope of restrictions as are outlined in the Policy. If so, that would effectively amount to a retroactive and unilateral amendment of the terms of such prior Certificates by the NIH.

On a positive note, the Policy now clearly says that NIH expects consents in Certificate studies to inform participants of the limits to the Certificate's protections, including disclosures required by state laws. This appears to settle tensions that have long existed with various NIH Institutes with respect to whether such disclosures (for example, to fulfill practitioners' mandatory reporting duties) should be described to participants as voluntary or required.

Additional commentary on the Policy from Verrill Dana's Academic and Clinical Research Group (ACRG) will be forthcoming. Be sure to follow the ACRG on our blog, Endpoints, and on Twitter (@clinicalreslaw) for additional updates.

This communication is intended for general information purposes and as a service to clients and friends of Verrill Dana, LLP. This publication, which may be considered advertising under the ethical rules of certain jurisdictions, should not be construed as legal advice or a legal opinion on any specific facts or circumstances, nor does it create attorney-client privilege.
