425. Certificates of Confidentiality

Updated July 13, 2021

A certificate of confidentiality (CoC) provides additional protections against compulsory disclosure of identifying information about participants enrolled in research that collects identifiable, sensitive information. A CoC protects against compulsory legal demands for identifying information or identifying characteristics of a research participant.

When research is covered by a certificate of confidentiality, researchers:

  1. May not disclose or provide, in any Federal, State, or local civil, criminal, administrative, legislative, or other proceeding, the name of such individual or any such information, document, or biospecimen that contains identifiable, sensitive information about the individual and that was created or compiled for purposes of the research, unless such disclosure or use is made with the consent of the individual to whom the information, document, or biospecimen pertains; or
  2. May not disclose or provide to any other person not connected with the research the name of such an individual or any information, document, or biospecimen that contains identifiable, sensitive information about such an individual and that was created or compiled for purposes of the research.
  3. May disclose information only when:
    1. Required by Federal, State, or local laws (e.g., as required by the Federal Food, Drug, and Cosmetic Act, or state laws requiring the reporting of communicable diseases to State and local health departments), excluding instances of disclosure in any Federal, State, or local civil, criminal, administrative, legislative, or other proceeding.
    2. Necessary for the medical treatment of the individual to whom the information, document, or biospecimen pertains and made with the consent of such individual;
    3. Made with the consent of the individual to whom the information, document, or biospecimen pertains; or
    4. Made for the purposes of other scientific research that is in compliance with applicable Federal regulations governing the protection of human participants in research.

A CoC protects the privacy of research participants enrolled in biomedical, behavioral, clinical or other research. With limited exceptions, researchers may not disclose names or any information, documents or biospecimens containing identifiable, sensitive information. CoC protect names or any information, documents, or biospecimens containing identifiable, sensitive information related to a research participant. Identifiable, sensitive information includes but is not limited to name, address, social security or other identifying number; and fingerprints, voiceprints, photographs, genetic information, tissue samples, or data fields that when used in combination with other information may lead to identification of an individual. A CoC allows researchers to avoid compelled involuntary disclosure (e.g., subpoenas) of names and other identifying information about any individual who participates as a research participant during any time the CoC is in effect. The CoC prohibits disclosure in response to legal demands, such as a subpoena.

CoCs do NOT take precedence over the following disclosures:

  • Voluntary disclosure of information by study participants or disclosure the study participant has consented to in writing, such as to insurers, employers, or other third parties;
  • Voluntary disclosure by the researcher of information related to possible threat to self or others, or other voluntary disclosures;
  • Researcher compliance with reporting requirements of state laws related to child or elder abuse (see IRB policy for Nevada State Laws related to human research);
  • Researcher compliance with reporting requirements of state laws related to reportable communicable diseases (see NIH Reporting of Communicable Diseases Policy); or
  • Release of information by researchers to DHHS as required for program evaluation or audits of research records, or to the FDA as required under the federal Food, Drug, and Cosmetic Act (21 U.S.C. 301 et seq.)
  • Necessary for the medical treatment of the individual to whom the information, document, or biospecimen pertains and made with the consent of such individual;

NOTE: Voluntary disclosures, and disclosures resulting from researcher compliance with state laws or DHHS or FDA requests must be specified in informed consent documents.

Ideally, CoCs are approved prior to the enrollment of participants into research studies for which a CoC will be obtained. However, individuals who participate in a specified research project during any time the CoC is in effect are permanently protected, even if the participant provided data to the researcher before the CoC was issued.

NOTE: CoCs do not take the place of good data security procedures to safeguard research data against access by unauthorized individuals.

NIH Funded Research

  • Research funded wholly or in part by the National Institutes of Health (NIH) that was commenced or ongoing on or after December 13, 2016 and collects or uses identifiable, sensitive information, is automatically issued a CoC by NIH. For the purposes of the NIH policy, “identifiable, sensitive information” means information about an individual that is gathered or used during biomedical, behavioral, clinical, or other research (including exempt research), where an individual is identified; or
  • for which there is at least a very small risk that some combination of the information, a request for the information, and other available data sources could be used to deduce the identity of the individual.

Examples of research automatically covered by a certificate of confidentiality include:

  1. Biomedical, behavioral, clinical or other research, including exempt research, except where the information obtained is recorded in such a manner that human participants cannot be identified or the identity of the human participants cannot readily be ascertained, directly or through identifiers linked to the participants.
  2. The collection or use of biospecimens that are identifiable to an individual or for which there is at least a very small risk that some combination of the biospecimen, a request for the biospecimen, and other available data sources could be used to deduce the identity of an individual.
  3. The generation of individual level, human genomic data from biospecimens, or the use of such data, regardless of whether the data is recorded in such a manner that human participants can be identified or the identity of the human participants can readily be ascertained.
  4. Any other research that involves information about an individual for which there is at least a very small risk, as determined by current scientific practices or statistical methods, that some combination of the information, a request for the information, and other available data sources could be used to deduce the identity of an individual.

If NIH funding for a study has ended but the collection of new data from research participants will continue, the investigator must apply for an additional CoC for continuity of protections. If NIH funding has ended and all enrollment and data collection is complete, the data that was collected is permanently protected under the original CoC.

Non NIH Funded Research

For research not funded by the NIH, the Principal Investigator (PI) must make the initial determination regarding the appropriateness of obtaining a CoC for the protocol. As part of the review process, the IRB Primary Reviewer will make an independent assessment of the need for a CoC for the protocol. The IRB will make the final determination regarding the requirement for a CoC, and approval for the study will not be issued until the requirement has been met by the Principal Investigator.

The IRB will consider the following parameters in making its determination of the need for a CoC: nature of the research activities, characterization of the disease/disorder, age/gender/ethnicity of the subject population, social/legal implications of the results of the research, effect of the results of the research on the individual subject, his/her/their family, and the local community, and the risks to the subject and his/her/their family regarding the possibility of loss of confidentiality regarding the research and its results.

Investigators for studies which are not funded by NIH may apply for a CoC via the NIH website.

Investigators conducting research covered by a certificate of confidentiality, regardless of federal funding, must ensure that if identifiable, sensitive information is provided to other researchers or organizations, the other researcher or organization complies with applicable requirements.

Assessing the Need for a Certificate of Confidentiality

A CoC may be warranted when it is necessary to protect participants' privacy and ensure the confidentiality of their study participation and research data. Specifically, when research involves the collection and retention of Protected Personally Identifiable Information (PPII) along with sensitive information at risk of judicial subpoena, the PI and IRB should consider a CoC. Note that Federal funding is not a prerequisite for a CoC, but the subject matter must fall within a mission area of the National Institutes of Health for the study to be eligible for CoC.

Research approved by the University IRB that involves the collection of personally identifiable, sensitive information is eligible for a CoC.

For more information about when a CoC should be requested, visit the NIH Certificates of Confidentiality Kiosk and CoC Frequently Asked Questions.

Applying for a Certificate of Confidentiality

The agencies issuing CoCs require IRB approval of all aspects of the research (except the CoC) before approving a CoC application.

Instructions for applying for A CoC can be found online on the NIH website. Information about other agencies offering CoCs (e.g., CDC, FDA, HRSA, IHS, and SAMHSA), as well as additional requirements that apply to CoCs for multi-site research, can also be found online.

The PI and the University Institutional Official (i.e., the VPRI or designee) must sign the CoC application.

Informing Participants of Certificate of Confidentiality

The research plan must include information about when and how investigators will inform participants that a CoC has been requested or obtained, and describe:

  • the protections offered by the CoC, and
  • conditions or limitations for these protections.

For studies that were previously issued a Certificate, and notified participants of the protections provided by that Certificate, NIH does not expect participants to be notified that the protections afforded by the Certificate have changed, although the IRB may determine whether it is appropriate to inform participants.

If part of the study cohort was recruited prior to issuance of the Certificate, but are no longer activity participating in the study, NIH does not expect participants consented prior to the change in authority, or prior to the issuance of a Certificate, to be notified that the protections afforded by the Certificate have changed, or that participants who were previously consented to be re-contacted to be informed of the Certificate, although the IRB may determine whether it is appropriate to inform participants.

Consent Form Language

The following suggested content for consent documents may be adapted to reflect the proposed research:

“Most people outside the research team will not see your name on your research information. This includes people who try to get your information using a court order. One exception is if you agree that we can give out research information with your name on it. Another is when the US government inspects or evaluates federally-funded studies. Other exceptions are information about child abuse or neglect and harm to yourself or others. We might use your research data and your biological samples in future studies. These future studies might be done by us or by other investigators. Before we use your data or samples, we will remove any information that shows your identity. There still may be a chance that someone could figure out that the information is about you.”

IRB Consideration of CoC

The IRB applications include a question for PIs to indicate if they are planning to obtain a CoC. In cases where the PI does not indicate she/he/they plans to request one, the IRB may require one be obtained. An investigator and institution issued a CoC must:

  • Abide by the disclosure requirements of the CoC;
  • If there are any sub-awardees, inform them that a CoC is in place;
  • Inform others who receive a copy of protected information in the conduct of the research of the requirements of the CoC;
  • Inform research participants about the protections and limits to the CoC, using language approved by the IRB.

Amendments to Research with Approved Certificate of Confidentiality

When a significant change in a research project is proposed after a CoC is issued, the PI must obtain IRB approval for the change and inform the CoC Coordinator of the institute or agency issuing the CoC of the amendments. The PI must submit the amended CoC to the IRB for acknowledgement.

Expiration of Certificates of Confidentiality

It is the responsibility of the Principal Investigator to ensure that the CoC is always valid during the study. If, at any time during the study, the CoC expires or is terminated, the Principal Investigator must immediately file an amendment with the IRB to remove the CoC wording from the consent form. Most CoCs specify an expiration date except FDA CoCs for IND studies. The latter remain valid if the IND is in effect. It is the responsibility of the researcher to ensure that the CoC remains valid if PPII can be linked to participant information.

If the retention or collection of PPII will continue past the expiration date of the CoC, the researcher must submit a written request to the appropriate agency for an extension. Requests to extend CoC expiration dates must be submitted at least three months before the CoC expires.

Upon receipt, the PI must submit a copy of the approved CoC extension to the IRB for acknowledgement.

If PPII can be linked to research data when the CoC expires and no extension is obtained, the researchers must submit a project amendment to notify the IRB of the CoC expiration and address the following changes to the consent process and documents:

  • consent forms used to enroll new participants must be amended to remove mention of the CoC, and
  • revised consent document or consent addendum must be used to notify enrolled participants of the expiration of the CoC.