What is a Certificate of Confidentiality and Does My Research Need One?

Author: Dr. Ann Hardy and Dr. Sherry Mills

Date: May 3, 2023

Protecting the privacy of research participants and maintaining the confidentiality of their data is an important aspect of ensuring adequate protections in human subjects research. For most investigators, this means having strong physical and electronic methods to protect research information. However, for research that collects sensitive information where release to those outside of the research might cause harm to participants, investigators also need to consider additional protections against legal and other demands for research information. For example:

An investigator is conducting a research study on anger management. A lawyer for the ex-spouse of one of the participants subpoenas the research information as it is deemed relevant to a legal custody proceeding. Is the investigator required to comply with this request? What can investigators do to protect their research information from this type of demand?

This is where a federal Certificate of Confidentiality (CoC) can be very useful.

WHAT IS A CERTIFICATE OF CONFIDENTIALITY?

CoCs provide an additional layer of protection for research participants by prohibiting the release of identifiable, sensitive research information, except in very limited circumstances. This includes research records, associated documents, recordings, and biosamples. Furthermore, the protection covers the original research information as well as all copies, including copies that are shared for other research activities.

BACKGROUND:

– In 1970, in response to concerns expressed by those studying drug abuse and its treatment, Congress passed legislation enabling the Secretary of the Department of Health, Education, and Welfare (now the Department of Health and Human Services or DHHS) to authorize researchers to refuse to disclose identifiable research information for drug abuse research.

– The types of research eligible for CoC protection broadened over time and by 1988, CoCs could be issued for all biomedical, behavioral, clinical, and other research.

– CoCs protected investigators from forced disclosure of research information but did not prevent them from voluntarily disclosing such information.

– CoCs were issued for specific research projects upon application, initially to DHHS and after 1997, directly to DHHS agencies with the National Institutes of Health (NIH) and the Food and Drug Administration (FDA) authorized to issue CoCs for non-DHHS funded research.

– In 2016, The 21st Centuries Cure Act amended the CoC Authority to:

o Direct DHHS to issue CoCs for all federally funded research in which identifiable, sensitive information was collected.

o Permit DHHS to issue CoCs for non-funded research upon request.

o Specifically prohibit any release of identifiable, sensitive research information to anyone outside of the research except in limited instances (see below)

WHAT RESEARCH INFORMATION IS PROTECTED?

The COC regulations protect information about an individual that is gathered or used during research that can identify an individual, including information for which there is at least a very small risk that it could be used alone or in combination with other available data sources, to deduce a participant’s identity. Note that this definition is broader than the definition of identifiable information in the Protection of Human Subjects Regulations (section 46.102 of the Common Rule). This means that CoCs can be used to protect research information in studies that may not meet the current Common Rule definition of human subjects research.

WHAT DISCLOSURE OF RESEARCH INFORMATION IS PROHIBITED?

The current CoC regulations specifically make identifiable research information immune from the legal process and do not allow such information to be disclosed, even voluntarily, as evidence or for any other purpose in any Federal, State or local civil, criminal or other proceeding.

Disclosure is only permitted in these limited circumstances:

o When the participant consents to such release, for example, to a health care provider

o If necessary to comply with specific regulations outside of legal proceedings, for example, for communicable disease or child abuse reporting

o For other research in compliance with applicable Federal regulations governing the protection of human subjects in research

Moreover, CoCs are not meant to limit a participant’s access to their own research information.

HOW LONG DOES THE COC PROTECTION LAST?

The CoC protection lasts in perpetuity for any information existing or collected under a CoC. Studies that continue to collect new research information should continue to request CoC protection but all research information in studies that have a CoC when the study ends are permanently protected.

HOW CAN INVESTIGATORS GET A COC FOR THEIR RESEARCH?

– For DHHS Funded Research

o Research supported by the Agency for Healthcare Research and Quality (AHRQ) is covered by longstanding AHRQ privacy regulations making it unnecessary for such projects to receive a CoC.

o Both the NIH and the Centers for Disease Control and Prevention (CDC) automatically issue CoCs in awards for applicable research that they fund. For such funded research, no request for a CoC is needed. See the NIH CoC website or the CDC CoC website for more information, including what types of research information are protected by a CoC.

o For research funded by other DHHS agencies, including the Health Services Research Administration, the Substance Abuse and Mental Health Services Administration, and the Indian Health Service, investigators should contact the funding agencies directly about obtaining a CoC.

– Other Research

o The Department of Justice (DOJ) has its own privacy regulations that provide protection that is like CoCs but is specific for DOJ funded research. CoCs are NOT issued for DOJ-funded research. See the DOJ website for more information about their research privacy protections.

o The FDA will consider requests for CoCs for research that fall under their purview, for example, for clinical investigations requesting an IND or IDE; see FDA guidance on CoCs.

o For other applicable research, investigators can apply to NIH for a CoC. Note that issuance of CoCs by NIH is discretionary and is limited to research that falls within the DHHS research mission. NIH has an online application system to request CoCs.

NOW THAT MY RESEARCH HAS A COC, WHAT ARE MY RESPONSIBILITIES?

– While the CoC regulations are silent on the issue of informing participants about the CoC protection, for NIH-issued CoCs, NIH expects investigators to inform research participants of the protections and the limits to CoC protections. Sample consent language is on the NIH website.

– Those involved in the research cannot disclose research information without a participant’s consent, even for legal proceedings, except for limited situations.

– Because the CoC protection also applies to all copies of research information, investigators and/or institutions with whom copies of research information protected by a CoC are shared for other research, must be made aware that they are also subject to the disclosure restrictions.

Download our COC Resource page by clicking here!

The authors of this blog, Drs. Ann Hardy and Sherry Mills, directed the NIH Certificates of Confidentiality Program for eight years.

What is a Certificate of Confidentiality and Does My Research Need One?

Other Posts

Considerations for Design of Virtual Focus Groups

Unique Challenges of Conducting Population-based Surveys in Low- and Middle-Income Countries

Learn eCORE Presents a Free Research Compliance Webinar Hosted by VA BIO

Tips for Achieving Clinical Trials Success through Lean Six Sigma and Stakeholder Collaboration

The Key Information Section in Consent – Why, What, and How

The Clinical Project Manager’s Role in Ensuring Success in Clinical Trials

An Interview with Dr. Stephen Rosenfeld

Is Deception in Research Ethical?