AAU sent a comment letter to the National Institutes of Health (NIH) in response to their Request for Information (RFI) on Draft Controlled-Access Data (CAD) policy and Proposed Revisions to NIH Genomic Data Sharing (GDS) policy.
The Association of American Universities (AAU) appreciates the opportunity to respond to the Request for Information on Draft Controlled-Access Data (CAD) policy and Proposed Revisions to NIH Genomic Data Sharing (GDS) Policy.
Founded in 1900, AAU is composed of America’s leading research universities. AAU’s 69 research universities in the United States transform lives through education, research, and innovation. Research universities, including AAU’s member institutions, have a long-standing partnership with the federal government to advance science and technology in the national interest. This partnership, which has roots going back to World War II, has been central to facilitating U.S. global leadership in science and technology.
AAU and its member institutions are committed to responsible data stewardship and share the National Institutes of Health’s (NIH) goal of balancing data security with appropriate data access. We take seriously our obligation to safeguard research and the data that underpins it. We understand the landscape of economic and national security threats, and universities have implemented a range of staff and resource-intensive measures to strengthen the protection of data and research.1
In addition to this memo, AAU supports the Request for Information (RFI) responses submitted by the University of Pittsburgh, and by colleagues at COGR, the Association of Public and Land-grant Universities (APLU), and the Association of American Medical Colleges (AAMC). AAU’s feedback on specific questions is provided below.
1. Feedback on any aspect of the Draft NIH Controlled-Access Data Policy
Simply put, the draft policy’s scale and complexity will significantly affect institutional compliance with existing research policies. The draft policy is not consistent with NIH’s goal of improving data access to enhance scientific rigor and reproducibility, because it would restrict an unprecedented amount of data and does not appear to be calibrated to actual privacy and security risks. The policy is challenging to implement without first resolving how it integrates with existing, interlocking federal data privacy standards — such as the Department of Justice (DOJ)’s “Rule Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons” — and without clearly defining ambiguous terms in the policy. AAU requests definitions of key terms in the RFI, including: “data lifecycle,” “Controlled-Access Data Repository (CADR),” and “equivalent security standards.” For example, is the data lifecycle meant to include early-stage institution-level Institutional Review Board (IRB) oversight and approval, as well as collection prior to its validation? Is a Controlled-Access Data Repository considered a federal or institutional repository?
It is unclear what NIH means by “equivalent security standards” with respect to the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. Clinical research data systems and electronic record formats are widely used by institutions for research documentation. As the University of Pittsburgh stated, neither system type was designed to meet NIST SP 800-171 requirements, “and vendors of clinical research data and electronic health records have no regulatory obligation or commercial incentive to modify them to do so. If the CAD Policy is to be interpreted to reach these systems, compliance may be technically impossible, not merely expensive.” This raises substantial concerns about feasibility and the potential for unintended impacts on essential research infrastructure.
2. Feedback on the availability of established repositories for implementing the proposed controlled-access data policy (CAD).
In AAU’s view, as more data is regarded as “controlled, unclassified,” the greater the friction will be in fulfilling NIH’s goal of improving data access and use. The proposed CAD requirements are a significant expansion of current institutional practice and other established federal requirements. This expansion may be inconsistent with NIH’s goal to “improve overall performance” of NIH-funded research.
Please clarify whether the NIST SP 800-171 requirements apply only to CAD repositories or also to repositories that facilitate direct sharing between investigator teams, cloud spaces that temporarily store data, data coordinating centers, and similar activities. Under NOT-OD-25-159, such repositories and centers are not currently subject to CAD requirements. Expansion of NIST requirements to all sharing mechanisms, such as intra-laboratory team members working on the same project, would require considerable funding support for institutions to implement.
The CAD policy is not harmonized with existing federal regulations governing consent and re-consent for data use. The RFI states, “NIH accepts data when collected under informed consent for research use…consistent with the Common Rule, 45 CFR 46, if the “consent meets other expectations of the GDS policy.” However, 45 CFR 46 is not applicable to the use of decedent data. Research with deidentified decedent information is allowable under the HIPAA Privacy Rule (45 CFR Part 160 and Subparts A and E of Part 164).
AAU requests that NIH, working with research community stakeholders, the Department of Health and Human Services, the DOJ, and other federal agencies, determine how to navigate interlocking federal privacy policies that balance security with scientific access.
3. Feedback on the appropriateness of the protected data types designated for controlled access.
The proposed scope of the applicable protected data types represents a substantial expansion and diverges from traditional concepts of human genomic data. As AAU’s colleagues at COGR have previously stated, “Various categories of ‘omic data encompass a wide set of measurements related to human physiological, pathological, or genetic measurements that are used to help understand basic mechanisms or functions of human health states and that do not contain identifiable information.” The policy fails to describe how these types of ‘omic data pose national security risks.
The RFI states that data collected from NIH-funded research in amounts below the threshold will still be subject to the “expectations of the Data Management and Sharing (DMS) Policy and proposed NIH CAD policy.” In essence, all listed participant data, regardless of amount, would be affected by the draft policy. Requiring CAD “equivalent” storage for all data volumes will greatly restrict, if not prohibit, the use of legacy datasets and disrupt research already in progress, as existing institutional repositories may lack sufficient resources to comply with the proposed CAD standards.
4. Feedback on any aspect of the proposed Revisions to the NIH Genomic Data Sharing Policy
The complexity of working within the constraints of the new GDS Policy may discourage researchers from engaging with NIH data. The proposed threshold of “100 individuals” to be defined as “large scale” and therefore subject to GDS Policy’s consent and data sharing requirements is simply too low, given the staffing and financial demands of data stewardship. We request that NIH consider increasing the threshold for large-scale data sharing. At a minimum, NIH should harmonize its proposed threshold to match 28 CFR Part 202, from the Department of Justice’s “Rule Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons,” in effect since April 8, 2025.
Institutional concerns about applicable federal consent regulations may also limit data sharing and hamper research that relies on data access, diluting the impact and quality of previously collected critical datasets containing deidentified genomic information. AAU urges NIH to clarify whether the proposed policy will apply only to data collected after 2015, rather than to legacy datasets, or whether it is prospective upon final policy implementation. NIH should also clarify whether the agency will allow compliance costs to be included in grant awards.
There may be unintentional disruptions to research, scientific development, and innovation due to the compliance costs institutions must bear. Higher data protection thresholds may have the unintended consequence of slowing the pace of research and reducing institutional capacity for collaboration. These factors, outlined in COGR’s May 11, 2023 blog on compliance costs,2 will most acutely burden smaller institutions, potentially exacerbating existing disparities in health research throughout the United States. Additionally, there is no clear policy roadmap for researchers to follow in contexts where data sharing with researchers in countries of concern may be scientifically or legally necessary. This was recognized in the DOJ rule and included in specific exemptions in 28 CFR §§ 202.510 and 202.511 for drug, biological product, and medical device authorizations, as well as other clinical investigations.
Recommendations
AAU supports APLU’s recommendation for NIH to create an active advisory group comprising representatives from federal agencies, industry, and academic research institutions to ensure a full understanding of potential national security risks and the unknown implications of enhanced regulatory restrictions. AAU requests that the group:
- Clarify operational terms including “data lifecycle,” “Controlled-Access Data Policy,” and “equivalent security standards,” and that the proposed CAD policy is prospective and specifically allows safe harbor for the use of legacy datasets.
- Examine the operational balance of risk-based data management and scientific access, including the expansion of NIH-supported data repositories.
- Resolve interlocking NIH data policies and existing regulations, including required IRB review of data management and sharing plans, and Health Insurance Portability and Accountability Act (HIPAA) requirements that impact data security.
- Develop consistent controlled access requirements for human research data across federal research agencies to avoid duplicative federal regulation and to examine the appropriateness of integrating existing mechanisms.
AAU looks forward to our continued engagement with NIH on these issues. Should you have questions about these comments, please contact me at: [email protected].
1 Actions Taken to Address Foreign Security Threats, Undue Foreign Interference, and Protect Research Integrity at U.S. Universities, February 2026
2 https://www.cogr.edu/blog/cost-compliance-results-cogr-survey-cost-complying-new-nih-dms-policy