Notice 2025-22618

NIH Policy on Enhancing Security Measures for Human Biospecimens

Primary source

Metadata and text below are from the Federal Register, a public-domain U.S. government work. Always verify the official published version before relying on it for any legal matter.

Published
December 12, 2025
Effective
October 24, 2025

Issuing agencies

Health and Human Services Department, National Institutes of Health

Abstract

This Policy establishes expectations for ensuring the security of human biospecimens whose collection, obtainment, storage, use, or distribution are supported by NIH funds. The policy ensures protections for human participants and vital national security interests, consistent with Executive Order 14117 (see: https://www.govinfo.gov/content/pkg/FR-2024-03-01/pdf/2024-04573.pdf) and 28 CFR 202 "Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons" (see: https://www.federalregister.gov/documents/2025/01/08/2024-31486/preventing-access-to-us-sensitive-personal-data-and-government-related-data-by-countries-of-concern).

Full Text

<html>
<head>
<title>Federal Register, Volume 90 Issue 237 (Friday, December 12, 2025)</title>
</head>
<body><pre>
[Federal Register Volume 90, Number 237 (Friday, December 12, 2025)]
[Notices]
[Pages 57772-57773]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2025-22618]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

National Institutes of Health


NIH Policy on Enhancing Security Measures for Human Biospecimens

AGENCY: National Institutes of Health, HHS.

ACTION: Notice of policy.

-----------------------------------------------------------------------

SUMMARY: This Policy establishes expectations for ensuring the security 
of human biospecimens whose collection, obtainment, storage, use, or 
distribution are supported by NIH funds. The policy ensures protections 
for human participants and vital national security interests, 
consistent with Executive Order 14117 (see: <a href="https://www.govinfo.gov/content/pkg/FR-2024-03-01/pdf/2024-04573.pdf">https://www.govinfo.gov/content/pkg/FR-2024-03-01/pdf/2024-04573.pdf</a>) and 28 CFR 202 
``Preventing Access to U.S. Sensitive Personal Data and Government-
Related Data by Countries of Concern or Covered Persons'' (see: <a href="https://www.federalregister.gov/documents/2025/01/08/2024-31486/preventing-access-to-us-sensitive-personal-data-and-government-related-data-by-countries-of-concern">https://www.federalregister.gov/documents/2025/01/08/2024-31486/preventing-access-to-us-sensitive-personal-data-and-government-related-data-by-countries-of-concern</a>).

DATES: This policy became effective as of October 24, 2025.

FOR FURTHER INFORMATION CONTACT: Further information about this policy 
notice may be directed to Dr. Adam Berger at 301-496-9838 or 
[email&#160;protected].

SUPPLEMENTARY INFORMATION: On April 8, 2025, the Department of Justice 
(DoJ) implemented a final rule (28 CFR 202) to ``address a national 
emergency declared by the President in Executive Order 13873 (see: 
<a href="https://www.federalregister.gov/documents/2019/05/17/2019-10538/securing-the-information-and-communications-technology-and-services-supply-chain">https://www.federalregister.gov/documents/2019/05/17/2019-10538/securing-the-information-and-communications-technology-and-services-supply-chain</a>) of May 15, 2019, to deal with the `unusual and 
extraordinary threat . . . to the national security and foreign policy 
of the United States' posed by foreign adversaries' access to 
Americans' ``vast amounts of sensitive information.'' 28 CFR 202 
specifically exempts transactions that are for the conduct of the 
official business of the United States Government by its employees, 
grantees, or contractors, any authorized activity of any United States 
Government department or agency, or transactions conducted pursuant to 
a grant, contract, or other agreement entered into with the United 
States Government. Recognizing the need for Departments and Agencies to 
implement appropriate security policies tailored to the risks posed by 
their supported or conducted activities, E.O. 14117 (see: <a href="https://www.govinfo.gov/content/pkg/FR-2024-03-01/pdf/2024-04573.pdf">https://www.govinfo.gov/content/pkg/FR-2024-03-01/pdf/2024-04573.pdf</a>) directs 
the Secretary of Health and Human Services to ``consider taking steps . 
. . to prohibit the provision of assistance that enables access by 
countries of concern or covered persons to United States [U.S.] 
persons' bulk sensitive personal data, including personal health data 
and human genomic data, . . . on the recipients of Federal assistance 
to address this threat.''

NIH Policy on Enhancing Security Measures for Human Biospecimens

Purpose

    NIH is implementing additional policies and standard practices to 
protect Americans' sensitive and personal health-related data from 
foreign adversary misuse. This NIH Policy on Enhancing Security 
Measures for Human Biospecimens (herein referred to as NIH Biospecimens 
Security Policy) establishes expectations for ensuring the security of 
human biospecimens whose collection, obtainment, storage, use, or 
distribution are supported by NIH funds. The policy ensures protections 
for human participants and vital national security interests, 
consistent with E.O. 14117 (see: <a href="https://www.govinfo.gov/content/pkg/FR-2024-03-01/pdf/2024-04573.pdf">https://www.govinfo.gov/content/pkg/FR-2024-03-01/pdf/2024-04573.pdf</a>) and 28 CFR 202 ``Preventing Access to 
U.S. Sensitive Personal Data and Government-Related Data by Countries 
of Concern or Covered Persons'' (see: <a href="https://www.federalregister.gov/documents/2025/01/08/2024-31486/preventing-access-to-us-sensitive-personal-data-and-government-related-data-by-countries-of-concern">https://www.federalregister.gov/documents/2025/01/08/2024-31486/preventing-access-to-us-sensitive-personal-data-and-government-related-data-by-countries-of-concern</a>).
    NIH funds and supports the collection, obtainment, storage, use, or 
distribution of a wide variety of human biospecimens of U.S. persons 
and is therefore accountable to those individuals from whom the 
biospecimens were obtained. NIH takes seriously the privacy and 
security of these individuals and recognizes that human biospecimens 
may be used to derive sensitive information, such as an individual's 
genome sequence.
    On April 8, 2025, the Department of Justice (DoJ) implemented a 
final rule (28 CFR 202) to address a national emergency declared by the 
President in Executive Order 13873 (see: <a href="https://www.federalregister.gov/documents/2019/05/17/2019-10538/securing-the-information-and-communications-technology-and-services-supply-chain">https://www.federalregister.gov/documents/2019/05/17/2019-10538/securing-the-information-and-communications-technology-and-services-supply-chain</a>) of 
May 15, 2019 to deal with the `unusual and extraordinary threat . . . 
to the national security and foreign policy of the United States' posed 
by foreign adversaries' access to Americans' ``vast amounts of 
sensitive information.'' The final rule exempts specific types of 
transactions conducted and authorized by United States Government 
employees, grantees, or contractors, acknowledging the need for 
Departments and Agencies to implement appropriate security policies 
tailored to the risks posed by their supported or conducted activities. 
Additionally, E.O. 14117 (see: <a href="https://www.govinfo.gov/content/pkg/FR-2024-03-01/pdf/2024-04573.pdf">https://www.govinfo.gov/content/pkg/FR-2024-03-01/pdf/2024-04573.pdf</a>) directs the Secretary of Health and 
Human Services to ``consider taking steps . . . to prohibit the 
provision of assistance that enables access by countries of concern or 
covered persons to United States [U.S.] persons' bulk sensitive 
personal data, including personal health data and human genomic data, . 
. . on the recipients of Federal assistance to address this threat.''
    Recent security directives, including E.O. 14117 (<a href="https://www.govinfo.gov/content/pkg/FR-2024-03-01/pdf/2024-04573.pdf">https://www.govinfo.gov/content/pkg/FR-2024-03-01/pdf/2024-04573.pdf</a>) and 28 
CFR 202 ``Preventing Access to U.S. Sensitive Personal Data and 
Government-Related Data by Countries of Concern or Covered Persons'' 
(see: <a href="https://www.federalregister.gov/documents/2025/01/08/2024-31486/preventing-access-to-us-sensitive-personal-data-and-government-related-data-by-countries-of-concern">https://www.federalregister.gov/documents/2025/01/08/2024-31486/preventing-access-to-us-sensitive-personal-data-and-government-related-data-by-countries-of-concern</a>), have increased the need to set 
expectations for securing human biospecimens to address national 
security and related concerns. NIH is enacting the NIH Biospecimens 
Security Policy in support of these directives to secure Americans' 
sensitive personal health-related data from exploitation, ensure 
America's leadership in scientific research and technology development, 
and protect the privacy and rights of Americans.

Effective Date

    This policy became effective as of October 24, 2025.

Definitions

    The following definitions are used for the purpose of the NIH 
Biospecimens Security Policy:
    Countries of concern--Those countries as determined under 28 CFR 
202.601 (Subpart F: Determination of Countries of Concern) (see: https://www.federalregister.gov/documents/2025/01/08/2024-31486/preventing-access-to-us-sensitive-personal-data-and-government-related-data-by-countries-of-concern#sectno-reference-202.601).

[[Page 57773]]

    Human biospecimens--A quantity of tissue, blood, urine, or other 
human-derived material. A single biopsy may generate several human 
biospecimens, including multiple paraffin blocks or frozen samples. A 
human biospecimen can comprise subcellular structures, cells, tissue 
(e.g., bone, muscle, connective tissue, and skin), organs (e.g., liver, 
bladder, heart, and kidney), blood, gametes (sperm and ova), embryos, 
fetal tissue, and waste (urine, feces, sweat, hair and nail clippings, 
shed epithelial cells, and placenta). Human biospecimens include those 
that are isolated and propagated into new cell lines. The term also 
includes cell lines for which an agreement is in place to commercially 
or publicly make them available, but for which the cell lines have not 
yet been made commercially or publicly available on or after the 
effective date of this policy.
    U.S. person--As defined under 28 CFR 202.256 (see: <a href="https://www.ecfr.gov/current/title-28/section-202.256">https://www.ecfr.gov/current/title-28/section-202.256</a>) any United States 
citizen, national, or lawful permanent resident; any individual 
admitted to the United States as a refugee under 8 U.S.C. 1157 (see: 
<a href="https://www.govinfo.gov/link/uscode/8/1157">https://www.govinfo.gov/link/uscode/8/1157</a>) or granted asylum under 8 
U.S.C. 1158; (see: <a href="https://www.govinfo.gov/link/uscode/8/1158">https://www.govinfo.gov/link/uscode/8/1158</a>) any 
entity organized solely under the laws of the United States or any 
jurisdiction within the United States (including foreign branches); or 
any person in the United States.

Scope and Applicability

    The NIH Biospecimens Security Policy applies to all human clinical 
and research biospecimens obtained from U.S. persons (regardless of 
identifiability) that are collected, obtained, stored, used, or 
distributed and that are supported or funded by any on-going or new NIH 
funding mechanisms (grants, cooperative agreements, contracts, Other 
Transactions, and intramural support) regardless of NIH funding level.
    This Policy does not apply to cell derivative products or cell 
lines derived from human biospecimens of U.S. persons collected, 
obtained, stored, used, or distributed using on-going or new NIH funds 
that are commercially or publicly available prior to the effective date 
of this policy.

Requirements

    NIH expects the research community to recognize the risks posed by 
the sharing or distribution of U.S. persons' biospecimens that were 
collected, obtained, stored, used, or distributed with previous NIH 
funds or support with countries of concern.
    The entity (e.g., biorepository, institution, investigator) that 
holds human biospecimens of U.S. persons collected, obtained, stored, 
used, or distributed using on-going or new NIH funds is prohibited 
from directly or indirectly distributing the human biospecimens to 
institutions or parties located in countries of concern (see: <a href="https://www.federalregister.gov/documents/2025/01/08/2024-31486/preventing-access-to-us-sensitive-personal-data-and-government-related-data-by-countries-of-concern#sectno-reference-202.601">https://www.federalregister.gov/documents/2025/01/08/2024-31486/preventing-access-to-us-sensitive-personal-data-and-government-related-data-by-countries-of-concern#sectno-reference-202.601</a>).
    In limited circumstances, the human biospecimens may be shared or 
distributed to countries of concern only if use of the human 
biospecimens is:
    1. to meet transactions required or authorized by Federal law or 
international agreements, (see: <a href="https://www.federalregister.gov/documents/2025/01/08/2024-31486/preventing-access-to-us-sensitive-personal-data-and-government-related-data-by-countries-of-concern#sectno-reference-202.507">https://www.federalregister.gov/documents/2025/01/08/2024-31486/preventing-access-to-us-sensitive-personal-data-and-government-related-data-by-countries-of-concern#sectno-reference-202.507</a>) including Global health, or necessary 
for compliance with Federal law; or
    2. needed in rare and compelling circumstances where the facility 
and personnel in the country of concern possess needed capabilities 
and/or expertise not available elsewhere, the use of the biospecimen 
cannot be delayed to a time when capability and/or expertise is 
available elsewhere, and done with the consent of the individual from 
whom the biospecimen was collected; or
    3. at the request of the individual whose biospecimen was 
collected, obtained, or stored using NIH-funds; for purposes of 
diagnosis, prevention or treatment of that individual; and in 
compliance with applicable Federal laws, regulations, and policies.
    As a reminder, the export of human biospecimens must follow all 
applicable export administration regulations (see: <a href="https://www.ecfr.gov/current/title-15/subtitle-B/chapter-VII/subchapter-C">https://www.ecfr.gov/current/title-15/subtitle-B/chapter-VII/subchapter-C</a>).
    NIH requires that all entities retain documentation related to sharing 
or distributing biospecimens to countries of concern under one of the 
allowable limited circumstances and further document the quantity and 
content of the biospecimen material that was shared or distributed. 
Documentation must be retained and provided to NIH upon request.

Matthew J. Memoli,
Principal Deputy Director, National Institutes of Health.
[FR Doc. 2025-22618 Filed 12-11-25; 8:45 am]
BILLING CODE 4140-01-P


</pre></body>
</html>
Indexed from Federal Register on December 12, 2025.
