NIH Human Genomic Data Sharing Policy FAQs

September 2020

1. When does the policy go into effect?  January 25, 2015.

2. What is the purpose of the policy?  To ensure the broad and responsible sharing of genomic research data generated from NIH-funded research.

3. What research is covered by the policy?  NIH-funded research that generates large-scale (defined as >100 individuals) human genomic data as well as the use of that data for subsequent research.  This includes genome-wide association studies, genome sequence, single nucleotide polymorphisms arrays, transcriptonic, metagenetic, epigenomic and gene expression data.  This policy applies to grants, contract and cooperative agreements funded by NIH.  Non-human genomic data is also covered by the policy, but is subject to different requirements (see Section IV.B of the policy and supplemental information; links at end of FAQs)

4. What are the investigator responsibilities when preparing a proposal for NIH funding and before award?

(a) NIH application:

  • Investigators seeking NIH funding should contact their NIH Institute or Center (IC) Program Official or Project Officer to discuss the project, data sharing plan and data certification process.  
  • Basic plans for following this policy should be included in the “Genomic Data Sharing Plan” located in the Resources Sharing Plan section of the grant application.  Data sharing plans should describe how the expectations of the policy will be met, including how data will be de-identified, how consent will be obtained and how the consent language will be written to specify broad data sharing.
  • Resources needed to support the Genomic Data Sharing Plan should be included in the budget.

              (b)  Just-in-Time:

  • A more detailed Genomic Data Sharing Plan must be provided to the funding IC prior to award.
  • The Institutional Certification for sharing human data must be provided to the funding IC prior to award.  The Institutional Certification will include IRB approval, limitations or restrictions to data sharing, and state that data are being submitted to a controlled-access database.

5. When is an IRB application required?

  • If the study has not already been submitted to and approved by the JHM IRB, an eIRB2 application should be submitted when the investigator has received a score that is in the fundable range. 
  • A planning phase application is acceptable if the complete study documents and details have not been developed; a Genomic Data Sharing IRB Form should be uploaded with the application (link at end of FAQs).

6. When must human data be submitted to an NIH repository?

  • Investigators should register all studies that will include human genomic data that fall within the scope of this policy in dbGaP by the time data clearing and quality control measures begin.  After registration, investigators should submit the data to the relevant NIH repository.
  • Large-scale human genomic data should be submitted to a repository in a timely manner, as described in the Supplemental Information to the NIH Genomic Data Sharing Policy.
    • Data should be de-identified according to standards set forth by DHHS in 45 CFR 46.102(f) and the HIPAA Privacy Rule.

7. What information regarding repository submission must be included in the consent form?

  • For studies initiated after January 25, 2015, the consent form should include a provision for genomic and phenotypic data to be used for future research and shared broadly, and a statement that a participant’s individual level data will be shared through a controlled-access repository.  Although NIH maintains both unrestricted and controlled- access repositories, the JHM IRB will certify for submission only to a controlled-access repository.
  • For studies using genomic data from cell lines or clinical specimens that were created or collected after January 25, 2015, informed consent for future research and broad data sharing must be obtained, even if the cell lines or clinical specimens are de-identified.
  • For studies conducted prior to January 25, 2015, the IRB will determine whether data submission is not inconsistent with the informed consent provided by the participant.

8. What is an Institutional Certification?

  • The Institutional Official is required to provide a certification to the IC prior to award consistent with the genomic data sharing plan submitted with the funding request.  The IRB will obtain this certification from the IO.
  • A request for Institutional Certification must be submitted to the JHM IRB (either in the initial application or as a change in research).
  • The IRB must review the data submission proposal and assure:  that collection of genomic and phenotypic data are consistent with 45 CFR 46; data submission and sharing are consistent with the informed consent; risks of data sharing to participants and their families were considered; risks of data sharing to groups or populations associated with the data were considered; the investigator’s plan for de-identification meets HIPAA and DHHS standards.

9. What are the steps for study registration and submission of data?

  • The NIH IC registers the study in the dbGaP registration system and the PI will then receive an email with instructions to complete registration.
  • The PI enters basic study information:  target delivery and release dates, number of participants, data type, secondary contact information, consent group.
  • The PI uploads a signed Institutional Certification.
  • The PI uploads the required data to dbGaP submission portal.
  • The PI receives a study accession number to review study prior to release.

10. Are there any exceptions to this policy?  There are limited exceptions, as described in the policy.


11. When JHM IRB serves as the single IRB [sIRB] or relies on external IRBs for multisite studies, who is responsible for meeting additional certification requirements?

While often the lead site in a multi-site NIH-funded effort will be depositing the data into dbGaP and certifying, this is variable. Investigators should check with the NIH project officer on the award in order to determine which institution will certify.

When JHM is designated to certify on behalf of other institutions, it will require that each of those sites in turn makes certifications in writing to JHM, documenting that their respective IRBs (if multiple) made the determinations required by the NIH's genomic data sharing policy. It is the responsibility of the JHM investigator in these cases to seek and obtain these inter-institutional certifications.

When another institution will certify on behalf of JHM, it is the responsibility of the JHM investigator to accurately convey the conditions for and limitations on access and use of data to be deposited, as detailed in the JHM informed consent document(s) implicated and/or the determinations of the JHM IRB.