On September 7, 2017, the National Institutes of Health (“NIH”) released a Notice of Changes to NIH Policy for Issuing Certificates of Confidentiality (NOT-OD-17-109) (“the Policy”). This Policy flows from the Cures Act’s changes to when and how a Certificate of Confidentiality (“Certificate”) is issued, see Pub. Law 114-255, Section 2012 (December 13, 2016), and applies to research “in which identifiable, sensitive information is collected.” The Policy goes into effect on October 1, 2017, with retroactive implications; all NIH-funded research that was “commenced or ongoing on or after December 13, 2016” will be deemed to have been issued a Certificate pursuant to the Policy. NIH has indicated that guidance on the Policy is imminent; when issued, it will likely appear on the NIH’s Certificates of Confidentiality (CoC) Kiosk.
We have identified the following preliminary questions and concerns with the Policy and will be monitoring the forthcoming guidance to see whether and how it addresses them. Institutions also may want to assess the guidance against these concerns to formulate further questions to NIH to the extent troubling aspects of the Policy remain unclear.
- The Policy appears to equate “sensitive” with “identifiable” (whereas the Cures Act still seems to consider sensitive information to be a subset of other identifiable information, referencing “mental health” and drug/alcohol research as examples of research involving sensitive information). As such, the concept of “sensitive” may no longer serve to further narrow the scope of research for which a Certificate is required. Additionally, as further noted below, the concept of “identifiable” used in the Policy is more expansive than what would be required to trigger human subjects or other privacy protections. The combination of these two changes (plus the shift required by the Cures Act to mandatory, as opposed to voluntary, Certificates for NIH-funded research) results in a significantly broadened universe of research subject to Certificates.
- The Policy and the Cures Act consider data and specimens “identifiable” using a broader and ambiguous standard that does not key to identifiability as defined under the Common Rule or even under the HIPAA Privacy Rule. (Under HIPAA, information that a statistical expert determines carries a very small risk of being able to be used to identify someone is actually considered de-identified.) What is a “very small risk” that someone can be identified for purposes of applying the Policy? Who determines that? Under the Policy, a Certificate will issue for all NIH-funded research; as such, it will be up to investigators and institutions to determine whether particular research falls within the scope of the Policy. Institutions may want to consider the benefits of developing categories of data that they think would trigger the “very small risk” standard, or types of data protections that are deemed to remove such risk, to reduce the need for per-project analysis. The Policy also does not cover how institutions should address projects that evolve from being outside the scope of the Policy to within the scope, whether through amendments or shifts in understanding about the identification risk presented by certain technologies. Institutions may want to consider periodic re-evaluation for NIH-funded research determined not to trigger the requirements of the Policy (i.e., because the information collected is considered at the start not to include “identifiable, sensitive information”). Alternatively, institutions may decide it is easier to assume all NIH-funded research is covered.
- The buckets of research deemed by the Policy to constitute research involving “identifiable, sensitive” information provide further insight into how the NIH interprets these concepts. The buckets are broader than what the Cures Act contemplates on its face and include most categories of research exempt under the Common Rule. As such, research that would not require IRB oversight may nonetheless have a mandatory Certificate associated with it. This raises an additional question regarding secondary research using data that may be collected or otherwise developed under a Certificate. The Policy permits disclosure of information subject to a Certificate “for the purposes of other scientific research that is in compliance with applicable Federal regulations governing the protection of human subjects in research.” However, it is unclear whether Certificate recipients are obligated to take any confirmatory steps that downstream research using information subject to the Certificate is in compliance with any applicable requirements. If read to include such a requirement, this would effectively add a layer of institutional oversight – even if not IRB oversight – to research that historically has not been tracked following an exemption determination.
- The Policy now imposes disclosure restrictions for biospecimens that may be non-identifiable under the Common Rule and the HIPAA Privacy Rule (moving towards the imposition of requirements for a category of NIH-funded research that the revised Final Common Rule declined to regulate).
- The Policy loops genomic data (whether or not identifiable under Common Rule standards) into the bucket of identifiable, sensitive information (again, going beyond the face of the Cures Act and imposing restrictions on the disclosure of such information, ahead of any anticipated determination under the revised Common Rule that such technology should be deemed to generate individually identifiable information).
- The restrictions on the Certificate holder reach to data and specimens that were “created or compiled” for the purpose of the research. It is unclear how far that reaches. If patient medical records or other existing independent data/data sources are compiled, would that bring the entire medical record within the protection of the Certificate? That seems like an inappropriate and unlikely result; however, the language is broad and ambiguous.
- The permission to disclose the information does not extend to other uses that would be allowed under HIPAA without specific permission. For example, under HIPAA, identifiable information (including information from research) can be disclosed for operations or treatment purposes without individual authorization. Under the Policy, it appears consent would be needed to disclose research information for such purposes (such as to a Business Associate performing a data storage service in support of a study). This is a significant new requirement to impose on investigators and institutions and may have multiple implications, including with respect to the inclusion of research information in individuals’ medical records.
- It is unclear how NIH grantees can simultaneously comply with this Policy and the NIH data sharing policies, in particular the genomic data sharing policy. Arguably those policies are not covered by the exception in the Policy allowing disclosures as required by Federal, State, or local laws; such policies are not Federal laws. Even though the NIH data sharing policy requires that identifiers be stripped, it is currently unclear whether that standard aligns with the Policy’s new concept of what qualifies as de-identified.
- It is unclear how the Policy can be fully implemented retroactively. For example, disclosures now prohibited will likely have already occurred in the covered research. Furthermore, it is unclear whether ongoing NIH-funded research being conducted under an existing Certificate (as opposed to projects currently lacking a Certificate for which one will be deemed to exist as of October 1) will be similarly deemed to incorporate the same definitions and scope of restrictions as are outlined in the Policy. If so, that would effectively amount to a retroactive and unilateral amendment of the terms of such prior Certificates by the NIH.
On a positive note, the Policy now clearly says that NIH expects consents in Certificate studies to inform participants of the limits to the Certificate’s protections, including disclosures required by state laws. This appears to settle tensions that have long existed with various NIH Institutes with respect to whether such disclosures (for example, to fulfill practitioners’ mandatory reporting duties) should be described to participants as voluntary or required.