Effective October 1, 2017, all ongoing or new research funded wholly or in part by NIH as of December 13, 2016 that is collecting or using identifiable, sensitive information is automatically issued a Certificate of Confidentiality (Certificate) as a term and condition of NIH grant awards. Identifiable, sensitive information is information about an individual, gathered or used during the course of biomedical, behavioral, clinical or other research, through which the individual is identified, or there is at least a very small risk that the identity of an individual could be identified.
Under the new Policy:
- Certificates will no longer be issued in a separate document. The Notice of Award and the NIH Grants Policy Statement will serve as documentation of the Certificate protection.
- Researchers are required to determine whether their research records generated with NIH funding are covered by a Certificate.
- The scope of research protected by Certificates extends beyond “human subjects research” and includes research: 1) in which identifiable, sensitive information is collected or used, 2) that collects or uses human biospecimens that are identifiable or that have a risk of being identifiable; 3) that involves the generation of individual level human genomic data; and 4) that involves any other information that might identify a person.
- Certificates will be issued to recipients for applicable research regardless of the country where the investigator or the protected information resides. However, Certificates may not be effective for data held in foreign countries.
- Information protected by a Certificate and all copies are subject to the protections of the Certificate in perpetuity. Therefore, if a secondary researcher receives information protected by a Certificate the secondary researcher is required to uphold the protections of the Certificates.
- When a researcher is issued a Certificate and the researcher will be obtaining informed consent from participants, subjects must be told about the protections afforded by the Certificate and any exceptions to those protections. The Homewood IRB, the School of Medicine IRB, and the Johns Hopkins School of Public Health IRB have developed template language to be used in consent forms to address the new policy.
The NIH has provided useful FAQs and information about the new Policy at: https://humansubjects.nih.gov/coc/NIH-funded.
Should you ever receive a subpoena or other legal process seeking disclosure of research records, please contact the Johns Hopkins University Office of the Vice President and General Counsel (OGC) immediately, and prior to disclosing any records or information. OGC will assist researchers with responding to the legal request for records, and with enforcing the privacy protections of Certificates of Confidentiality. OGC contact information may be found on the OGC website at: http://web.jhu.edu/administration/general_counsel/index.html .