Certificates of confidentiality

Guidance

Certificates of Confidentiality (CoC) are issued by the National Institutes of Health (NIH) to protect identifiable research information from forced disclosure. A CoC allows the investigator and others who have access to research records to refuse to disclose identifying information on research participants in any civil, criminal, administrative, legislative, or other proceeding whether at the federal, state, or local level. A project does not have to receive NIH funding to request a CoC.

All NIH funding effective October 7, 2017, will automatically be issued a CoC as part of the grant award terms. A CoC was always intended to prohibit disclosure of sensitive, identifiable information in response to legal demands, but the applicability has been broadened to include:

• Human subjects research as defined in the Federal Policy for the Protection of Human Subjects (45 CFR 46), including exempt research except for human subjects research that is determined to be exempt from all or some of the requirements of 45 CFR 46 if the information obtained is recorded in such a manner that human subjects cannot be identified or the identity of the human subjects cannot readily be ascertained, directly or through identifiers linked to the subjects;
• Research involving the collection or use of biospecimens that are identifiable to an individual or for which there is at least a very small risk that some combination of the biospecimen, a request for the biospecimen, and other available data sources could be used to deduce the identity of an individual;
• Research that involves the generation of individual level, human genomic data from biospecimens, or the use of such data, regardless of whether the data is recorded in such a manner that human subjects can be identified or the identity of the human subjects can readily be ascertained as defined in the Federal Policy for the Protection of Human Subjects (45 CFR 46); or
• Any other research that involves information about an individual for which there is at least a very small risk, as determined by current scientific practices or statistical methods, that some combination of the information, a request for the information, and other available data sources could be used to deduce the identity of an individual, as defined in subsection 301(d) of the Public Health Service Act.

This policy applies to all NIH research commenced or ongoing on or after December 13, 2016. Projects that previously did not have a CoC will now be obligated to the protections of a CoC. At continuing review, projects now subject to this policy will be required to include the appropriate CoC language in the informed consent document. NIH does not expect subjects to be notified that the protections afforded by the CoC have changed, however; the IRB may require reconsent in some cases.

What is protected?

A CoC protects names or any information, documents, or biospecimens containing identifiable sensitive information known as ‘covered information.’ Identifiable, sensitive information is defined as:

Information about an individual, gathered or used during the course of biomedical, behavioral, clinical or other research, through which the individual is identified, or there is at least a very small risk that some combination of the information, a request for the information, and other available data sources could be used to determine the identity of an individual. The policy defines this as “covered information.”

Identifiable, sensitive information includes but is not limited to name, address, social security or other identifying number; and fingerprints, voiceprints, photographs, genetic information, tissue samples, or data fields that when used in combination with other information may lead to identification of an individual.

What are the recipient’s responsibilities?

Any investigator or institution issued a Certificate shall not:

• Disclose or provide covered information, in any Federal, State, or local civil, criminal, administrative, legislative, or other proceeding; or
• Disclose or provide covered information to any other person not connected with the research.

Researchers with a CoC may ONLY disclose identifiable, sensitive information in the following circumstances:

• If required by other Federal, State, or local laws, such as for reporting of communicable diseases
• If the subject consents; or
• for the purposes of scientific research that is compliant with human subjects regulations

Informed Consent Requirements for CoCs:

The informed consent must include language that explains to potential research subjects that a CoC is part of the research study, and the scope and limits to which the CoC applies.

Example CoC language:

To help us protect your privacy, we have obtained a Certificate of Confidentiality (CoC) issued by the National Institutes of Health (NIH). The CoC is issued to protect the investigators on this study from being forced to tell anyone about your participation in this study, even under a subpoena. The information will be used by the sponsor, the University, and regulatory agencies that support or oversee the research.

Even when a CoC is in place, you and your family members must continue to actively protect your own privacy. If you voluntarily give your written consent for an insurer, employer, or lawyer to receive information about your participation in the research, then we may not use the CoC to withhold this information.

The Certificate of Confidentiality will not be used to prevent disclosure to state or local authorities for reporting of child abuse or neglect, or as required by law to prevent harm to self or others.

Resources

The NIH maintains a web Kiosk with all the necessary information to obtain a CoC: https://humansubjects.nih.gov/coc/index.

For questions on the terms and use of a CoC see the NIH FAQ page: https://humansubjects.nih.gov/coc/faqs.

Version 2019-8