425. Certificates of Confidentiality

Updated July 1, 2019

Certificates of Confidentiality (CoCs) protect against compulsory legal demands for identifying information or identifying characteristics of a research participant. Effective October 1, 2017, Certificates of Confidentiality are issued automatically for applicable NIH awards as part of the award terms and conditions. If research is funded by an HHS agency other than NIH or is not federally funded, the investigator may request a CoC for specific health-related projects that use sensitive, identifiable information, through the NIH online application system.

A CoC protects the privacy of research participants enrolled in biomedical, behavioral, clinical or other research. With limited exceptions, researchers may not disclose names or any information, documents or biospecimens containing identifiable, sensitive information. CoCs protect names or any information, documents, or biospecimens containing identifiable, sensitive information related to a research participant. Identifiable, sensitive information includes but is not limited to name, address, and social security or other identifying number, as well as fingerprints, voiceprints, photographs, genetic information, tissue samples, or data fields that, when used in combination with other information, may lead to identification of an individual. A CoC allows researchers to avoid compelled involuntary disclosure (e.g., subpoenas) of names and other identifying information about any individual who participates as a research participant during any time the CoC is in effect. The CoC prohibits disclosure in response to legal demands, such as a subpoena.

CoCs do NOT take precedence over the following disclosures:

  • Voluntary disclosure of information by study participants or disclosure the study participant has consented to in writing, such as to insurers, employers, or other third parties;
  • Voluntary disclosure by the researcher of information related to possible threat to self or others, or other voluntary disclosures;
  • Researcher compliance with reporting requirements of state laws related to child or elder abuse (see IRB policy for Nevada State Laws related to human research);
  • Researcher compliance with reporting requirements of state laws related to reportable communicable diseases (see NIH Reporting of Communicable Diseases Policy); or
  • Release of information by researchers to DHHS as required for program evaluation or audits of research records, or to the FDA as required under the federal Food, Drug, and Cosmetic Act (21 U.S.C. 301 et seq.).

NOTE: Voluntary disclosures, and disclosures resulting from researcher compliance with state laws or DHHS or FDA requests, must be specified in informed consent documents.

Ideally, CoCs are approved prior to the enrollment of participants into research studies for which a CoC will be obtained. However, individuals who participate in a specified research project during any time the CoC is in effect are permanently protected, even if the subject provided data to the researcher before the CoC was issued.

NOTE: CoCs do not take the place of good data security procedures to safeguard research data against access by unauthorized individuals.

Assessing the Need for a Certificate of Confidentiality

A CoC may be warranted when it is necessary to protect participants' privacy and ensure the confidentiality of their study participation and research data. Specifically, when research involves the collection and retention of Protected Personally Identifiable Information (PPII) along with sensitive information at risk of judicial subpoena, the PI and IRB should consider a CoC. Note that Federal funding is not a prerequisite for a CoC, but the subject matter must fall within a mission area of the National Institutes of Health for the study to be eligible for a CoC.

Research approved by the University IRB that involves the collection of personally identifiable, sensitive information is eligible for a CoC.

For more information about when a CoC should be requested, visit the NIH Certificates of Confidentiality Kiosk and CoC Frequently Asked Questions.

Applying for a Certificate of Confidentiality

The agencies issuing CoCs require IRB approval of all aspects of the research (except the CoC) before approving a CoC application.

Instructions for applying for a CoC can be found online at the NIH Certificates of Confidentiality Kiosk and the Frequently Asked Questions.

Information about other agencies offering CoCs (e.g., CDC, FDA, HRSA, IHS, and SAMHSA) may be found online at Certificates of Confidentiality Contacts at NIH and Other DHHS Agencies that issue Certificates.

Additional requirements apply to CoCs for multi-site research. These can be found in the CoC Frequently Asked Questions.

The PI and the University Institutional Official (i.e., the VPRI or designee) must sign the CoC application.

Informing Subjects of Certificate of Confidentiality

The research plan must include information about when and how investigators will inform participants that a CoC has been requested or obtained, and describe

  • the protections offered by the CoC, and
  • conditions or limitations for these protections.

Consent Form Language

The following suggested content for consent documents may be adapted to reflect the proposed research.

Most people outside the research team will not see your name on your research information. This includes people who try to get your information using a court order. One exception is if you agree that we can give out research information with your name on it. Another is when the US government inspects or evaluates federally-funded studies. Other exceptions are information about child abuse or neglect and harm to yourself or others.

We might use your research data and your biological samples in future studies. These future studies might be done by us or by other investigators. Before we use your data or samples, we will remove any information that shows your identity. There still may be a chance that someone could figure out that the information is about you.

IRB Consideration and Acknowledgement of CoC

The IRB applications include a question for PIs to indicate if they are planning to obtain a CoC. In cases where the PI does not indicate she/he plans to request one, the IRB may require one be obtained.

RI staff will add a statement to the Project Notes field in the IRBNet project detail screen specifying a CoC is pending and will be obtained before the IRB renewal date.

Researchers may submit documentation of the CoC upon receipt or at the time of continuing review.

The IRB will include the expiration date of the CoC in the written acknowledgement or continuing review approval letter.

Amendments to Research with Approved Certificate of Confidentiality

When a significant change in a research project is proposed after a CoC is issued, the PI must obtain IRB approval for the change and inform the CoC Coordinator of the institute or agency issuing the CoC of the amendments. The PI must submit the amended CoC to the IRB for acknowledgement.

Expiration of Certificates of Confidentiality

Most CoCs specify an expiration date except FDA CoCs for IND studies. The latter remain valid as long as the IND is in effect. It is the responsibility of the researcher to ensure that the CoC remains valid as long as PPII can be linked to participant information.

If the retention or collection of PPII will continue past the expiration date of the CoC, the researcher must submit a written request to the appropriate agency for an extension. Requests to extend CoC expiration dates must be submitted at least three months before the CoC expires.

Information about extension requests can be found on the CoC Frequently Asked Questions.

Upon receipt, the PI must submit a copy of the approved CoC extension to the IRB for acknowledgement.

If PPII can be linked to research data when the CoC expires and no extension is obtained, the researchers must submit a project amendment to notify the IRB of the CoC expiration and address the following changes to the consent process and documents:

  • consent forms used to enroll new participants must be amended to remove mention of the CoC, and
  • a revised consent document or consent addendum must be used to notify enrolled subjects of the expiration of the CoC.