⏴back to Guidance Series

Certificates of Confidentiality

Version: April 26, 2024

Guidance

Certificates of Confidentiality (CoCs) are intended to protect the privacy of research subjects by prohibiting disclosure of identifiable, sensitive information to anyone not connected to the research except when the subject consents, or in a few other specific situations. CoCs are issued by the National Institutes of Health (NIH) and other Health and Human Services agencies. All ongoing or new research funded by NIH (as of December 13, 2016), that collects or uses identifiable, sensitive information is automatically issued a Certificate of Confidentiality.

CoC policy and 42 U.S. Code 241(d) defines identifiable, sensitive information as information about an individual, gathered or used during research, through which the individual is identified, or there is at least a very small risk that some combination of the information, a request for the information, and other available data sources could be used to determine the identity of an individual. Note that the law focuses on the identifiability of the information, and not the sensitivity of the information.

Identifiable, sensitive information includes but is not limited to name, address, social security or other identifying number; and fingerprints, voiceprints, photographs, genetic information, tissue samples, or data fields that when used in combination with other information may lead to identification of an individual.

If your research is funded by NIH and meets any of the following criteria, then the research data or information is automatically protected by a CoC from NIH:

  • Meets the definition of human subjects’ research, including exempt research in which subjects can be identified
  • Is collecting or using human biospecimens that are identifiable or that have a risk1 of being identifiable
  • Involves the generation of individual level human genomic data
  • Involves any other information2 that identify a person

Health-related research that is not funded by the NIH in which identifiable, sensitive information is collected or used, may request a CoC but in such situations the CoC is granted at the discretion of the issuing agency.

A CoC provides protection for the Investigator and the participants against compelled disclosure of identifying information about participants of biomedical, behavioral, clinical, and other research. This means that Investigators may not be compelled in Federal, State, or local civil, criminal, administrative, legislative, or other proceedings to identify their participants.

Research Information in Medical Records

It should be noted that at University of Utah Health, information associated with clinical research may be included within the medical record of the research participant. Investigators may request an exception to this general rule (see IRB SOP 505: Research Materials in Participants’ Medical Records). As part of the informed consent process, research participants consent to the inclusion of research-related data within their medical record. For VA research, medical information generated from research may be placed in the medical record when the research can impact the medical care of the participant. To the extent research information is included in the medical record of a research participant, the CoC will not operate with respect to such information.

Standard Confidentiality Protections

CoCs do not take the place of good data security or clear policies and procedures for data protection, which are essential to the protection of research participants’ privacy. Researchers should take appropriate steps to safeguard research data and findings. Unauthorized individuals must not access the research data or learn the identity of research participants.

Voluntarily Disclosed Information

CoCs do not protect information voluntarily disclosed or information that must be disclosed under mandatory reporting laws. Examples include voluntary disclosures by the participant themselves or disclosures to which the participant has consented. Mandatory disclosures include disclosures on matters such as child abuse, reportable communicable diseases, or possible threat to self or others.

Documents and References

Certificates of Confidentiality: https://grants.nih.gov/policy/humansubjects/coc.htm

Frequently Asked Questions (FAQs) – Certificates of Confidentiality: https://grants.nih.gov/policy/hs/faqs.htm#VII

Who Can Get a Certificate of Confidentiality: https://grants.nih.gov/policy/humansubjects/coc/who-can.htm

 

Points to Consider

New Study Application

  1. Data Monitoring Page, Confidentiality Precautions: Please select “A Certificate of Confidentiality (from the NIH) will be used”.

Consent Document

  1. Confidentiality: If a Certificate of Confidentiality is valid for your study, briefly provide participants with a clear explanation of the protection that the Certificate of Confidentiality affords, including the limitations and exceptions. Also, ensure that an explanation of how identifiable information will be used or disclosed is provided.Sample language:
    We will do everything we can to keep your participation in this study private and confidential. To further help us protect your privacy, the study is covered by a Certificate of Confidentiality from the National Institutes of Health (NIH). This means the study doctors may not disclose study information that may identify you in any Federal, State, or local civil, criminal, administrative, legislative, or other proceedings, or be used as evidence, for example, if there is a court subpoena.However, this Certificate cannot protect your information in all circumstances.  Some laws require disclosure, for example, laws to report child abuse or communicable diseases. Additionally, the Certificate cannot protect your information if you have consented to its disclosure for your medical treatment or the study information is used for other scientific research. The study information may still be protected by other federal regulations, but this Certificate will not be able to provide additional protection in situations such as these. If an audit or program evaluation from the funding agency or the Food and Drug Administration (FDA) is requested, disclosure of your information is required.  Furthermore, protected health information collected for research purposes that is added to the [University of Utah or VA] medical record may not be protected under this Certificate of Confidentiality.

    You should understand that a Confidentiality Certificate does not prevent you or a member of your family from voluntarily releasing information about yourself or your involvement in this study. If you want your study information released to an insurance provider, medical care provider, or any other person not connected with the study, you must provide consent to allow the study doctors to release it. This means that you and your family must also actively protect your own privacy.

    Finally, you should understand that the study doctor is not prevented from taking steps, including reporting to authorities, to prevent serious harm to yourself or others.

Footnotes

1 At least a very small risk that some combination of the biospecimen, a request for the biospecimens, and other available data sources could be used to deduce the identity of an individual.
2 Information about an individual for which there is at least a very small risk, as determined by current scientific practice or statistical methods, that some combination of the information, a request for the information, and other available data sources could be used to deduce the identity of the individual.

Please contact the IRB Office at (801) 581-3655 or irb@hsc.utah.edu for additional guidance.