Information about an individual that is gathered or used during the course of biomedical, behavioral, clinical, or other research, where the following may occur:
Names or any information, documents, or biospecimens containing identifiable, sensitive information related to a research participant.
A Certificate of Confidentiality (CoC) is a legal protection that agencies within the federal Department of Health and Human Services can issue to researchers to protect covered information collected as part of a study. A CoC restricts when covered information may be disclosed.
A CoC will be issued automatically for any research that uses identifiable, sensitive information and is funded by the National Institutes of Health (NIH), the Centers for Disease Control and Prevention (CDC), and the Food and Drug Administration (FDA)*.
*Note: FDA here refers only to funding or other support, not to whether the FDA has oversight of the research. Research subject to FDA oversight but not funded by FDA does not automatically receive a Certificate of Confidentiality.
For projects not funded by NIH, CDC, or FDA, researchers can apply for CoCs to protect participants’ information that, if disclosed, could have significant negative consequences for the participants, such as damage to their financial standing, employability, insurability or reputation (e.g., research about HIV, AIDS, other STDs; use of alcohol, drugs, or other addictive products; illegal behaviors; etc.).
CoCs are issued upon request by most agencies of the federal Department of Health and Human Services:
All CoCs issued in the past or in the future, regardless of funding sources, must comply with the requirements of the NIH CoC policy, especially the disclosure requirements and restrictions.
The new disclosure requirements prohibit disclosure of the name of research participants or any identifiable research information, document, or biospecimen to anyone not connected with the research except under very specific circumstances as detailed below and in the NIH CoC policy.
Data collected from participants recruited in another country are protected by the CoC, if the data are maintained within the United States. The protections provided by a CoC may not extend to individually identifiable participant information or biospecimens collected or maintained in research conducted outside the United States. Please contact the Fred Hutch Office of the General Counsel (206-667-1224) for assistance in determining the application of a CoC to your research.
The 21st Century Cures Act, passed on December 13, 2016, significantly broadened the type of information that is protected by a CoC, by essentially interpreting “sensitive” to mean “identifiable or possibly identifiable.”
The NIH considers the following types of research to include identifiable, sensitive information:
There are two ways to obtain a CoC.
Multisite studies: A coordinating center or lead institution can apply for a CoC on behalf of all participating sites.
For all studies that will obtain informed consent, participants must be told about the protections provided by the Certificate, and any exceptions to those protections (such as state mandatory reporting). The Fred Hutch IRB has standardized language that can be used for this purpose; see the model consent templates.
For research that is not automatically issued a CoC, the Fred Hutch IRB may require the researcher to obtain a CoC as a condition for IRB approval if the study will collect information that, if disclosed, could have significant negative consequences for the participants, such as damage to their financial standing, employability, insurability or reputation (e.g., HIV, AIDS, other STDs; use of alcohol, drugs, or other addictive products; illegal behaviors; etc.).
If the coverage of a CoC changes during the study, such as if the research was NIH funded and the NIH funding ends (meaning new data collected or used are not automatically protected by a CoC), the IRB may require (a) that the researcher request an extension of protections for the remainder of the study (preferred), or (b) that the consent form be updated accordingly and participants re-consented.
The protection that the CoC provides is permanent for all covered information collected or used during the period covered by the CoC. Each CoC has an expiration date, which indicates the date through which data collected is covered by the CoC.
For research automatically issued a CoC, the Certificate expires when funding ends (note: CoC coverage continues under a no-cost extension, if applicable). For all other research, the expiration date is stated on the CoC document issued by the Federal agency.
The CoC can be extended by specific request of the researcher to the agency that issued the CoC. See https://humansubjects.nih.gov/coc/extend-amend for information about the online process for extending the expiration date.
If the research data collection will continue beyond the expiration date on the Certificate, the investigator should request an extension from the federal agency that issued the Certificate at least 3 months prior to the expiration date.
If a researcher applied for and was issued a CoC, the researcher must amend (modify) the CoC any time a significant change is being made to a research project. Significant changes include, but are not limited to:
The process for obtaining an amendment is described at https://humansubjects.nih.gov/coc/extend-amend.
A – Do not disclose or provide covered information:
B – Disclosure of covered information is allowed ONLY:
C – Inform the study participants about the CoC, as described above in CoCs and Consent Forms.
D – Inform recipients of information covered by the CoC that they are also subject to the requirements of the CoC (for example, transfers of identifiable data or biospecimens to other researchers). Contact the Office of General Counsel for guidance with respect to data and material transfer and use agreements.
E – A CoC does not protect against disclosure of information to other individuals or institutions when the participant has requested it and provided authorization for the release (though other legal constraints may apply).
Researchers who receive court orders, subpoenas, or other legal processes mandating disclosure of information covered by a CoC should immediately contact the Fred Hutch Office of the General Counsel.
Research that is covered by a Department of Justice (DOJ) Privacy Certificate does not need to apply for a CoC. The DOJ Certificate provides essentially the same protections.
Research funded by the federal Agency for Healthcare Research and Quality (AHRQ) does not need to apply for a CoC. An AHRQ confidentiality statute provides similar protections.
National Institutes of Health, “Notice of Changes to NIH Policy for Issuing Certificates of Confidentiality”, Notice Number NOT-OD-17-109, released September 7, 2017. https://grants.nih.gov/grants/guide/notice-files/NOT-OD-17-109.html
National Institutes of Health, Certificates of Confidentiality, main page. https://humansubjects.nih.gov/coc/index
National Institutes of Health, Certificates of Confidentiality, FAQ page. https://humansubjects.nih.gov/coc/faqs
Centers for Disease Control and Prevention (CDC): https://www.cdc.gov/od/science/integrity/confidentiality/applinst.htm
Food and Drug Administration (FDA): https://grants.nih.gov/grants/guide/notice-files/NOT-FD-19-002.html