Skip to Content
Cancer Diagnosis Program
Contact NExT
Show menu
Search this site
Last Updated: 09/26/17

Privacy and Confidentiality

Human specimen collections often contain links to patient identities and other personal information. The privacy and confidentiality of personal information associated with human specimens, including electronic medical records and genomic data, raise important ethical and regulatory considerations.

Under the federal Common Rule (45 CFR46)1, if an individual's identity cannot "readily be ascertained or associated" with biospecimens or information that are obtained, used, studied, analyzed, or generated by researchers, then the research does not meet the regulatory definition of "human subject" or require IRB review or informed consent. And under the federal Privacy Rule of the Health Insurance Portability and Accountability Act (HIPAA), researchers can access and share data without authorization so long as 18 specified identifiers (such as name, SSN, medical record number, dates, etc.) are removed.

Yet, even when individual identifiers are removed from specimens or associated data, the accessibility of linkable data in today's highly networked culture can be ethically problematic. There is growing concern about the ability to identify individuals from information stored in pooled group level databases, and from matched samples. As next generation sequencing technologies such as whole genome and whole exome sequencing are increasingly employed in cancer research, the accumulation of "-omic" data from research participants creates added privacy risks. At a Think Tank on Identifiability of Biospecimens and " -Omic" Data, the NCI gathered multidisciplinary experts to deliberate consent policy development, data access and security policies, best practices and opportunities for empirical research in this challenging area. The workshop summary can be found here.

To promote robust sharing of genomic data while simultaneously providing both transparency and appropriate protections to individuals whose data is collected, stored, and disseminated to researchers, the NIH implemented a Genome Data Sharing Policy effective January 15, 2015. The GDS Policy applies to all NIH-funded research that generates large-scale human or nonhuman genomic data as well as the use of these data for subsequent research. NIH expects all funded investigators to adhere to the GDS Policy, and compliance with this Policy will become a special term and condition in the Notice of Award or the Contract Award.

For more information about this policy and to download and informational card, please visit the links below:

The NIH has also made changes to its policy for issuing Certificates of Confidentiality, effective October 1st, 2017. Details of the policy change can be found at the link below:

Respect for and protection of the interests of research participants are fundamental to NIH's stewardship of human genomic data. The informed consent under which the data or samples were collected is the basis for the submitting institution to determine the appropriateness of data submission to NIH-designated data repositories, and whether the data should be available through unrestricted or controlled access. Controlled-access data in NIH-designated data repositories are made available for secondary research only after investigators have obtained approval from NIH to use the requested data for a particular project. Data in unrestricted-access repositories are publicly available to anyone.