- Last updated:
Certificates of Confidentiality
Certificates of Confidentiality
- Guidance Contact:
IU Human Research Protection Program (HRPP)
A Certificate of Confidentiality (CoC) is designed to protect the privacy of research subjects by prohibiting disclosure of identifiable, sensitive information. It assures subjects that their identifiable, sensitive information will not be shared with anyone not connected to the research, even if that information is requested as part of a lawsuit or other legal proceeding. The 21st Century Cures Act (enacted in 2016) requires issuance of a CoC for federally-funded research in which identifiable, sensitive information is collected or used. However, a CoC may be requested for research that is not federally-funded.
How the CoC is conveyed or requested depends on the funding agency and may require additional action by you:
- For research funded by the NIH or CDC: Research commenced or ongoing on or after December 13th, 2016, is automatically issued a CoC as a term or condition of the award. No additional action or application is required for issuance of a CoC, and no physical or electronic document is issued. Click here for more information.
- For federally-funded research other than NIH or CDC: Researchers are responsible for determining whether their research is subject to the requirement to obtain a CoC and must prospectively request a CoC from the NIH or the funding agency. Click here for more information.
- For research that is not federally-funded: If your research is not federally-funded, but is collecting identifiable, sensitive information that might be damaging to subjects if it were to be disclosed, you may still wish to have the protections of a CoC. In addition, a provision of IRB approval may include obtaining a CoC for your research. You may request a CoC from the NIH (through the NIH Online Certificate of Confidentiality System) or another federal agency that issues CoCs. This request should be submitted at least three months before you expect to begin enrollment. Please note that issuance of a CoC is at the discretion of the NIH or other federal agency for studies that are not federally-funded.
- For a multi-site study, only the lead institution or coordinating center need request a CoC. The lead site should include the names and addresses of all other performance sites in the CoC request and should keep a list of all current performance sites throughout the study. The lead site is also responsible for obtaining signed Institutional Assurance Statements from each participating site and providing a copy of the CoC to each site. Click here for more information.
Information collected while a CoC is in place is protected from disclosure permanently, even after the funding ends or the CoC expires.
The requirements relating to issuing or obtaining CoCs apply even when the research will take place or the data will be stored in a foreign country. However, please note that the CoC most likely will not protect the data if there is a legal request for it in a foreign country. Suggested language is provided below for inclusion in consent documents that will be used outside of the US.
If a CoC applies to your research, there are responsibilities and restrictions regarding what you can do with covered information and responsibilities related to maintaining your CoC. Covered information is any information or biospecimen that would identify an individual or allow an individual’s identity to be readily ascertained or for which there is at least a very small risk that some combination of the information or biospecimen, a request for the information or biospecimen, and other available data sources could be used to deduce the identity of an individual. This includes everything from clear identifiers (e.g., name, MRN) to information that could be combined with other data sources to deduce the subject’s identity (such as coded spreadsheets).
The recipient of a CoC shall not:
- Disclose or provide covered information in any Federal, State, or local civil, criminal, administrative, legislative, or other proceeding; or
- Disclose or provide covered information to any other person not connected with the research.
Disclosure is permitted only when:
- Required by Federal, State, or local laws, such as mandatory reporting of child abuse to local authorities or reporting of communicable diseases to State and local health departments
- Necessary for the medical treatment of the individual and made with the consent of the individual
- Made with the consent of the individual
- Made for the purposes of other scientific research that is in compliance with applicable Federal human subjects regulations.
Nothing about the CoC prohibits disclosure when the subject consents to it. For studies that obtain informed consent or HIPAA authorization from subjects, covered information can be shared as specified with the appropriate entities listed on the Consent or Authorization form.
Generally, we expect research teams to continue to follow institutional policy regarding data sharing within each institution. For example, IU Health researchers may still enter study data into Cerner. Otherwise, covered information should not be shared with anyone outside of the research team without first consulting with the HRPP or Privacy Office.
If you receive a request for covered information, contact the HRPP before complying with the request. The HRPP will engage the appropriate resources at IU or the affiliated institution conducting the research:
- Privacy officials may need to consider requests to share covered information for research or clinical purposes with entities outside of the researcher’s institution
- For subpoenas or similar requests for covered information to be used in a legal proceeding, the IU Office of the Vice President & General Counsel, or the appropriate legal counsel, will determine how to respond.
Recipients of a CoC are also required to:
- Establish and maintain effective internal controls (e.g., policies and procedures) that ensure compliance with the CoC
- Ensure that any investigator or institution who receives covered information understands that they are also subject to the requirements of the CoC
- Submit a request for a new CoC if data or biospecimens will be collected beyond expiration of the initial CoC for studies that were not automatically issued a CoC (NOTE: For studies that are automatically issued a CoC, the protection afforded by the CoC covers data collection for as long as the award is in place. Data collected or specimens gathered after funding has ended will not be covered by the CoC, so investigators are encouraged to apply for a new CoC to protect any additional data or specimens that will be collected after the funding ends. However, any information collected while funding is in place is protected permanently, even after the funding ends.)
- Submit a request for a new CoC if there is a significant change to the research for studies that were not automatically issued a CoC. For example, a PI change or change in the primary institution where the research will be conducted would be considered a significant change requiring submission of a request for a new CoC (NOTE: For studies that are automatically issued a CoC, the CoC is a condition or term of the award and will follow the award for investigators leaving the institution.)
- Inform research participants of the protections and the limits to protections provided by a CoC. See “Informing Subjects” below or our Informed Consent Templates for suggested wording to use in your Informed Consent Document.
If your study is subject to a CoC, you are expected to inform subjects about the CoC and its protections. The following language should be added to your informed consent document or study information sheet. Please note that if your CoC is issued by another federal agency, such as the CDC, FDA, HRSA, or SAMHSA, that agency’s name should be entered in place of “National Institutes of Health.”
For US subjects
This research is covered by a Certificate of Confidentiality from the National Institutes of Health. This means that the researchers cannot release or use any information, documents, or specimens that could identify you in any legal action or lawsuit unless you say it is okay.
However, there are some types of sharing the Certificate does not apply to. The Certificate does not stop reporting required by federal, state, or local laws, such as reporting of child or elder abuse, some communicable diseases, and threats to harm yourself or others. The Certificate does not stop a government agency who is funding research from checking records or evaluating programs. The Certificate also does not prevent your information from being used for other research when allowed by federal regulations. [If FDA-regulated, insert: The Certificate also does not stop sharing of information required by the Food and Drug Administration (FDA).]
Researchers may release information about you when you say it is okay. For example, you may still give them permission to release information to insurers, medical providers, or others not connected with the research.
For transnational subjects
For the protection of your privacy, this research is covered by a Certificate of Confidentiality from the US National Institutes of Health. The Certificate protects your data from disclosure in US legal proceedings, but it may not protect your data in your country as different laws may apply.