Certificates of Confidentiality: Background Information


Certificates of Confidentiality are issued by the National Institutes of Health (NIH) to protect the privacy of research subjects by protecting investigators and institutions from being compelled to release information that could be used to identify subjects with a research project. Certificates of Confidentiality are issued to institutions or universities where the research is conducted. They allow the investigator and others who have access to research records to refuse to disclose identifying information in any civil, criminal, administrative, legislative, or other proceeding, whether at the federal, state, or local level.

Identifying information is broadly defined as any item or combination of items in the research data that could lead directly or indirectly to the identification of a research subject.

By protecting researchers and institutions from being compelled to disclose information that would identify research participants, Certificates of Confidentiality help achieve the research objectives and promote participation in studies by assuring privacy to subjects.

Statutory Authority

Under section 301(d) of the Public Health Service Act (42 U.S.C. 241(d)) the Secretary of Health and Human Services may authorize persons engaged in biomedical, behavioral, clinical, or other research to protect the privacy of individuals who are the subjects of that research. This authority has been delegated to the National Institutes of Health (NIH).

Persons authorized by the NIH to protect the privacy of research subjects may not be compelled in any Federal, State, or local civil, criminal, administrative, legislative, or other proceedings to identify them by name or other identifying characteristic.

Extent and Limitations of Coverage

Certificates can be used for biomedical, behavioral, clinical or other types of research that is sensitive. By sensitive, we mean that disclosure of identifying information could have adverse consequences for subjects or damage their financial standing, employability, insurability, or reputation.

Examples of sensitive research activities include but are not limited to the following:

  • Collecting genetic information;
  • Collecting information on psychological well-being of subjects;
  • Collecting information on subjects' sexual attitudes, preferences or practices;
  • Collecting data on substance abuse or other illegal risk behaviors;
  • Studies where subjects may be involved in litigation related to exposures under study (e.g., breast implants, environmental or occupational exposures).

In general, certificates are issued for single, well-defined research projects rather than groups or classes of projects. In some instances, they can be issued for cooperative multi-site projects. A coordinating center or "lead" institution designated by the NIH program officer can apply on behalf of all institutions associated with the multi-site project. The lead institution must ensure that all participating institutions conform to the application assurances and inform participants appropriately about the Certificate, its protections, and the circumstances in which voluntary disclosures would be made.

A Certificate of Confidentiality protects personally identifiable information about subjects in the research project while the Certificate is in effect. Generally, Certificates are effective on the date of issuance or upon commencement of the research project if that occurs after the date of issuance. The expiration date should correspond to the completion of the study. The Certificate will state the date upon which it becomes effective and the date upon which it expires. A Certificate of Confidentiality protects all information identifiable to any individual who participates as a research subject (i.e., about whom the investigator maintains identifying information) during any time the Certificate is in effect. An extension of coverage must be requested if the research extends beyond the expiration date of the original Certificate. However, the protection afforded by the Certificate is permanent. All personally identifiable information maintained about participants in the project while the Certificate is in effect is protected in perpetuity.

Some projects are ineligible for a Certificate of Confidentiality. Not eligible for a Certificate are projects that are:

  • not research,
  • not collecting personally identifiable information,
  • not reviewed and approved by the IRB as required by these guidelines, or
  • collecting information that if disclosed would not significantly harm or damage the participant.

While Certificates protect against involuntary disclosure, investigators should note that research subjects might voluntarily disclose their research data or information. Subjects may disclose information to physicians or other third parties. They may also authorize in writing the investigator to release the information to insurers, employers, or other third parties. In such cases, researchers may not use the Certificate to refuse disclosure. Moreover, researchers are not prevented from the voluntary disclosure of matters such as child abuse, reportable communicable diseases, or a subject's threatened violence to self or others. (For information on communicable disease reporting policy, see Communicable Diseases Policy.) However, if the researcher intends to make any voluntary disclosures, the consent form must specify such disclosure.

Certificates do not authorize researchers to refuse to disclose information about subjects if authorized DHHS personnel request such information for an audit or program evaluation. Neither can researchers refuse to disclose such information if it is required to be disclosed by the Federal Food, Drug, and Cosmetic Act.

In the informed consent form, investigators should tell research subjects that a Certificate is in effect. Subjects should be given a fair and clear explanation of the protection that it affords, including the limitations and exceptions noted above. Every research project that includes human research subjects should explain how identifiable information will be used or disclosed, regardless of whether or not a Certificate is in effect. The Office of Human Subjects Protection (OHRP) provides guidance on the content of informed consent documents.

An Important Caveat

Certificates of Confidentiality do not take the place of good data security or clear policies and procedures for data protection, which are essential to the protection of research participants' privacy. Researchers should take appropriate steps to safeguard research data and findings. Unauthorized individuals must not access the research data or learn the identity of research participants.


