Certificate of Confidentiality Guidance

A Certificate of Confidentiality (CoC) provides additional privacy protections to research participants enrolled in biomedical, behavioral, clinical, or other research that collects or uses identifiable, sensitive information. “Identifiable, sensitive information” is information about an individual gathered during the course of research where the individual is identified or there is at least a very small risk that available data sources could be used to deduce the identity of an individual.  When a CoC is in place, researchers may not disclose in any Federal, State, or local civil, criminal, administrative, legislative, or other proceedings the names or any information, documents, or biospecimens containing identifiable, sensitive information about the individual that was created or compiled for purpose of research.  A CoC also restricts disclosure to any other person not connected to the research team.

 

When to obtain a Certificate of Confidentiality

The need to obtain a CoC may be identified by the researcher, the sponsor, or the IRB in order to further protect participant identifying information. Many federal agencies automatically issue CoCs as a term of the grant or contract. Additional information on the process to obtain a CoC is below.  A CoC should be obtained before the collection of “identifiable, sensitive information” in order to ensure protection of the data.  For studies where a CoC is not automatically issued, researchers need to be mindful of the expiration date of the CoC and ensure extension/renewal well in advance so that there is no lapse in CoC protection for data collected after expiration.  CoCs are study specific so researchers need to apply for a CoC for each specific study where the protections of a CoC are sought. 

 

How to obtain a Certificate of Confidentiality

To ensure the most up to date information, researchers should confirm information for each agency using the links below.

Sponsor

Requirements

NIH

  • A CoC is included as a term and condition of award if funded by the NIH. No application is required.
  • CoC is only active for the term of the award; if the research project extends beyond the award end date and additional identifiable, sensitive information may be collected after the award end date, a request for extension must be submitted.
  • Protections flow down to sub-awardees, sub-contractors, and upon sharing identifiable datasets. Primary awardees must inform sub-awardees, sub-contractors, and any recipients of identifiable datasets about CoC limitations and protections.

CDC

  • Requires CoC application process where investigators must contact the CDC Privacy and Confidentiality Unit (PCU) for preliminary screening and further instructions on the required application process.
  • CoC is only active for the term of the award; if covered data collection will extend beyond the term of the project a request for extension must be submitted to the PCU at least three months prior to the CoC expiration date.
  • Protections flow down to sub-awardees, sub-contractors, and upon sharing identifiable datasets. Primary awardees should inform sub-awardees, sub-contractors, and any recipients of identifiable datasets about CoC limitations and protections.
  • The CoC application process timeline varies but generally takes 2 to 3 months and should be initiated at least 3 months before the project is set to begin.

FDA

  • CoCs are issued automatically to FDA awardees (“mandatory” CoC) or upon application for non-federally funded researchers (“discretionary” CoC).
  • For FDA-regulated research for which FDA is not the sponsor, CoCs are not automatically issued, but can be issued at the FDA’s discretion if the research involves the use or study of a product subject to FDA’s jurisdiction and subject to FDA regulatory authority.
  • Protections flow down when sharing identifiable datasets; researchers must inform any recipients about CoC limitations and protections.

SAMHSA

  • CoCs are for SAMHSA awardees only and the awardee must apply to SAMHSA to obtain documentation of the CoC.
  • Collaborator/multi-site and sub-contractor researchers without SAMHSA funding should apply to NIH for a CoC.
  • Protections flow down when sharing identifiable datasets; researchers must inform any recipients about the CoC limitations and protections.
  • The CoC is effective from the start date to the estimated end date of the project.
  • CoC protections do not extend to participants who join a project after the CoC has expired or to projects that have changed significantly since SAMHSA issued the original CoC.

HRSA

  • CoCs are issued automatically.  No application is required.
  • Protections flow down when sharing identifiable datasets; researchers must inform any recipients about the CoC limitations and protections.
  • Coverage under the CoC is effective from the start date to the estimated end date of the project. Reapplication for extension is necessary for any new data or participants involved in the study after the expiration of the original CoC.
  • A new CoC is required for each project or grant. Multiple projects cannot be covered under the same CoC.

Other HHS Agency Funding

  • Researchers may apply to the NIH for a CoC if the research falls within the NIH CoC Policy and Mission.

Non-federally funded research

  • Researcher must apply directly to the NIH (or FDA if relevant).

Investigators whose research is funded by the Centers for Disease Control and Prevention (CDC), Health Resources and Services Administration (HRSA), Indian Health Service (IHS), and Substance Abuse and Mental Health Services Administration (SAMHSA), or is under the authority of the Food and Drug Administration (FDA) should contact the CoC Coordinator at their funding agency for questions on how to obtain a CoC. CoC coordinator information is available here. NIH will not issue a CoC for Agency for Healthcare Research & Quality- (AHRQ) or Department of Justice- (DoJ) funded research.   AHRQ and DoJ must be contacted directly. 

For all other federally funded research or non-federally funded research, NIH will consider requests for CoC for specific research projects and in doing so, takes into consideration if the research project is: 

Instructions on requesting a CoC through NIH are available here. CoC requests that utilize the online CoC request system will need to identify the designated institutional official, who will also need to sign the Certificate of Confidentiality Assurance for all CoC requests:

  • For research managed under the Duke University Health System Human Research Protection Program, this is Geeta Swamy (geeta.swamy@duke.edu).
  • For research managed under the Campus Institutional Review Board (IRB), please contact the Campus IRB at campusIRB@duke.edu.

Review the following policy (as applicable to your project oversight) for additional information:

 

Researcher responsibilities when a Certificate of Confidentiality is in place

Should you receive a request to disclose information that you believe may be protected by a CoC, please contact Duke’s Office of Counsel

Do not disclose or provide protected information, documents, or specimens: (1) in any Federal, State, or local civil, administrative, legislative, or other proceeding; or (2) to any person not connected with the research. Disclosure of protected information is allowed only in the following circumstances: (1) if required by other Federal, State, or local laws, such as for reporting communicable diseases or child abuse and neglect; (2) if the participant consents; or (3) for the purposes of scientific research that is compliant with human subjects protections.

All participants should be informed about the presence of a CoC. The Duke University Health System and Duke Campus Institutional Review boards provide guidance on how to incorporate information about the existence of a CoC into consent forms.

Inform investigators, institutions, or repositories receiving any protected information (e.g., when sending biospecimens to another investigator for a different study) that they are also subject to the requirements of the CoC. Inform subrecipients of any study funding whose study responsibilities involve using the protected information that they are also subject to the requirements of the CoC.

Researchers may release information when the participant has given permission. For example, the participant may give their permission to release information to insurers, medical providers or other persons not connected with the research. In addition, the certificate does not prevent the participant from having access to their own information, although there may be other reasons not to share certain information with the participant.