Search Fred Hutch Extranet

Certificates of Confidentiality

+

Definitions

Identifiable, sensitive information:

Information about an individual that is gathered or used during the course of biomedical, behavioral, clinical, or other research, where the following may occur:

  • An individual is identified; or
  • For which there is at least a very small risk, that some combination of the information, a request for the information, and other available data sources could be used to deduce the identity of an individual.
Covered Information:

Names or any information, documents, or biospecimens containing identifiable, sensitive information related to a research participant.
 

A Certificate of Confidentiality (CoC) is a legal protection that agencies within the federal Department of Health and Human Services can issue to researchers to protect covered information collected as part of a study. A CoC restricts when covered information may be disclosed.

A CoC will be issued automatically for any research using identifiable, sensitive information and that is funded by the National Institutes of Health (NIH), the Centers for Disease Control and Prevention (CDC), and the Food and Drug Administration (FDA)*.

  • The CoC will be issued as a term and condition of award
  • There will be no physical certificate issued

*Note:  FDA here refers only to funding or other support, not to whether the FDA has oversight of the research. Research subject to FDA oversight but not funded by FDA does not automatically receive a Certificate of Confidentiality.

For projects not funded by NIH, CDC, or FDA, researchers can apply for CoCs to protect participants’ information that, if disclosed, could have significant negative consequences to the participants such as damage to their financial standing, employability, insurability or reputation (e.g., research about: HIV, AIDS, other STDs; use of alcohol, drugs, or other addictive products; illegal behaviors; etc.).

CoCs are issued upon request by most agencies of the federal Department of Health and Human Services:

  • National Institutes of Health (NIH)
  • Food and Drug Administration (FDA)
  • Centers for Disease Control (CDC)
  • Health Resources and Services Administration (HRSA)
  • Substance Abuse and Mental Health Services Administration (SAMHSA)

All CoCs issued in the past or in the future, regardless of funding sources, must comply with the requirements of the NIH CoC policy, especially the disclosure requirements and restrictions.

The new disclosure requirements prohibit disclosure of the name of research participants or any identifiable research information, document, or biospecimen to anyone not connected with the research except under very specific circumstances as detailed below and in the NIH CoC policy.

Data collected from participants recruited in another country are protected by the CoC, if the data are maintained within the United States. The protections provided by a CoC may not extend to individually identifiable participant information or biospecimens collected or maintained in research conducted outside the United States. Please contact the Fred Hutch Office of the General Counsel (206-667-1224) for assistance in determining the application of a CoC to your research.

Broad Definition of “Identifiable, Sensitive Information”

The 21st Century Cures Act, passed on December 13, 2016, significantly broadened the type of information that is protected by a CoC, by essentially interpreting “sensitive” to mean “identifiable or possibly identifiable.” 

The NIH considers the following types of research to include identifiable, sensitive information:

  • All human subjects research, including exempt research (except category 4 exempt research on de-identified information or biospecimens); OR
  • Research involving the collection or use of biospecimens that are identifiable to an individual OR for which there is at least a very small risk that some combination of the biospecimen, a request for the biospecimen, and other available data sources could be used to deduce the identity of an individual; OR
  • Research that involves the generation of individual level, human genomic data from biospecimens, or the use of such data, regardless of whether the data is recorded in such a manner that human subjects can be identified or the identity of the human subjects can readily be ascertained; OR
  • Any other research that involves information about an individual for which there is at least a very small risk, as determined by current scientific practices or statistical methods, that some combination of the information, a request for the information, and other available data sources could be used to deduce the identity of an individual.
     

Obtaining a CoC

There are two ways to obtain a CoC.

  1. Research funded by the NIH, CDC, or FDA.  All research funded wholly or in part by NIH, CDC, or FDA is issued a CoC as a term of the grant or contract, if the research involves identifiable, sensitive information as defined above. In other words, researchers are no longer required to specifically apply for a CoC. This policy was implemented on October 1, 2017. It is retroactive – that is, it applies to all applicable research that was commenced or ongoing on or after December 13, 2016.
  2. All other research. The researcher must apply to the appropriate federal agency for a CoC, depending on the study’s funding source(s). Apply to the federal agency at least 3 months prior to the date on which participant enrollment is expected to begin. The agency will provide documentation of the CoC when it has been granted. Note that issuance of CoCs is at the discretion of the agency, if the research is not funded by the issuing agency.

Multisite studies: A coordinating center or lead institution can apply for a CoC on behalf of all participating sites.
 

CoCs and Consent Forms

For all studies that will obtain informed consent, participants must be told about the protections provided by the Certificate, and any exceptions to those protections (such as state mandatory reporting).  The Fred Hutch IRB has standardized language that can be used for this purpose; see the model consent templates.

Fred Hutch IRB Review

For research that is not automatically issued a CoC, the Fred Hutch IRB may require the researcher to obtain a CoC as a condition for IRB approval if the study will collect information that, if disclosed, could have significant negative consequences to the participants such as damage to their financial standing, employability, insurability or reputation (e.g., HIV, AIDS, other STDs; use of alcohol, drugs, or other addictive products; illegal behaviors; etc.).

If the coverage of a CoC changes during the study, such as if the research was NIH funded and the NIH funding ends (meaning new data collected or used are not automatically protected by a CoC), the IRB may require (a) that the researcher request an extension of protections for the remainder of the study (preferred)or (b) the consent form to be updated accordingly and participants re-consented. 
 

Duration of CoC protections

The protection that the CoC provides is permanent for all covered information collected or used during the period covered by the CoC. Each CoC has an expiration date, which indicates the date through which data collected is covered by the CoC.

  • Data collected while the CoC is active are permanently protected.
  • Data collected after the expiration date are not protected.

For research automatically issued a CoC, the Certificate expires when funding ends (note, CoC coverage continues under a no-cost extension, if applicable). For all other research, the expiration date is stated on the CoC document issued by the Federal agency.
 

Extending CoCs beyond expiration

The CoC can be extended, by specific request of the researcher to the agency that issued the CoC. See https://humansubjects.nih.gov/coc/extend-amend for information about the online process for extending the expiration date.

If the research data collection will continue beyond the expiration date on the Certificate, the investigator should request an extension from the federal agency who issued the Certificate at least 3 months prior to the expiration date.

Modifying a CoC

If a researcher applied for and was issued a CoC, the researcher must amend (modify) the CoC any time a significant change is being made to a research project. Significant changes include, but are not limited to:

  • Major changes in the scope or direction of the research protocol
  • Changes in personnel having major responsibilities in the project (such as the PI)
  • Changes in the drugs to be administered (if any) and the persons who will administer them

The process for obtaining an amendment is described at https://humansubjects.nih.gov/coc/extend-amend.
 

Researcher Responsibilities

A – Do not disclose or provide covered information:

  • In any Federal, State, or local civil, criminal, administrative, legislative, or other proceeding; or
  • To any other person not connected with the research.

B – Disclosure of covered information is allowed ONLY:

  • If required by other Federal, State, or local laws, such as for reporting of communicable diseases;
  • If the participant consents; or
  • For the purposes of scientific research that is compliant with human subjects regulations.

C – Inform the study participants about the CoC, as described above in CoCs and Consent Forms.

D – Inform recipients of information covered by the CoC that they are also subject to the requirements of the CoC (for example, transfers of identifiable data or biospecimens to other researchers). Contact the Office of General Counsel for guidance with respect to data and material transfer and use agreements.

E – CoC does not protect disclosure of information to other individuals or institutions when the participant has requested it and provided authorization for the release (though other legal constraints may apply).
 

Responding to Requests for Protected Data

Researchers who receive court orders, subpoenas, or other legal processes mandating disclosure of information covered by a CoC should immediately contact the Fred Hutch Office of the General Counsel.
 

Other Data Protections

DOJ Privacy Certificate

Research that is covered by a Department of Justice (DOJ) Privacy Certificate does not need to apply for a CoC. The DOJ Certificate provides essentially the same protections.

AHRQ Confidentiality Statute 

Research funded by the federal Agency for Healthcare Research and Quality (AHRQ) does not need to apply for a CoC. An AHRQ confidentiality statute provides similar protections.
 

References

National Institutes of Health, “Notice of Changes to NIH Policy for Issuing Certificates of Confidentiality”. https://grants.nih.gov/grants/guide/notice-files/NOT-OD-17-109.html
Notice Number: NOT-OD-17-109, released September 7, 2017.

National Institutes of Health, Certificates of Confidentiality, main page. https://humansubjects.nih.gov/coc/index

National Institutes of Health, Certificates of Confidentiality, FAQ page.  https://humansubjects.nih.gov/coc/faqs

Centers for Disease Control and Prevention (CDC): https://www.cdc.gov/od/science/integrity/confidentiality/applinst.htm

Food and Drug Administration (FDA): https://grants.nih.gov/grants/guide/notice-files/NOT-FD-19-002.html