|Policy & Guidance|
|Compliance & Oversight|
|Research Involving Human Subjects|
|Office of Laboratory Animal Welfare (OLAW)|
|Animals in Research|
|Peer Review Policies & Practices|
|Intellectual Property Policy|
|Acknowledging NIH Funding|
|Invention Reporting (iEdison)|
|NIH Public Access|
Certificates of Confidentiality are issued by the National Institutes of Health (NIH) to protect the privacy of research subjects by protecting investigators and institutions from being compelled to release information that could be used to identify subjects with a research project. Certificates of Confidentiality are issued to institutions or universities where the research is conducted. They allow the investigator and others who have access to research records to refuse to disclose identifying information in any civil, criminal, administrative, legislative, or other proceeding, whether at the federal, state, or local level.
Identifying information is broadly defined as any item or combination of items in the research data that could lead directly or indirectly to the identification of a research subject.
By protecting researchers and institutions from being compelled to disclose information that would identify research participants, Certificates of Confidentiality help achieve the research objectives and promote participation in studies by assuring privacy to subjects.
Under section 301(d) of the Public Health Service Act (42 U.S.C. 241(d)) the Secretary of Health and Human Services may authorize persons engaged in biomedical, behavioral, clinical, or other research to protect the privacy of individuals who are the subjects of that research. This authority has been delegated to the National Institutes of Health (NIH).
Persons authorized by the NIH to protect the privacy of research subjects may not be compelled in any Federal, State, or local civil, criminal, administrative, legislative, or other proceedings to identify them by name or other identifying characteristic.
Certificates can be used for biomedical, behavioral, clinical or other types of research that is sensitive. By sensitive, we mean that disclosure of identifying information could have adverse consequences for subjects or damage their financial standing, employability, insurability, or reputation.
Examples of sensitive research activities include but are not limited to the following:
In general, certificates are issued for single, well-defined research projects rather than groups or classes of projects. In some instances, they can be issued for cooperative multi-site projects. A coordinating center or "lead" institution designated by the NIH program officer can apply on behalf of all institutions associated with the multi-site project. The lead institution must ensure that all participating institutions conform to the application assurances and inform participants appropriately about the Certificate, its protections, and the circumstances in which voluntary disclosures would be made.
A Certificate of Confidentiality protects personally identifiable information about subjects in the research project while the Certificate is in effect. Generally, Certificates are effective on the date of issuance or upon commencement of the research project if that occurs after the date of issuance. The expiration date should correspond to the completion of the study. The Certificate will state the date upon which it becomes effective and the date upon which it expires. A Certificate of Confidentiality protects all information identifiable to any individual who participates as a research subject (i.e., about whom the investigator maintains identifying information) during any time the Certificate is in effect. An extension of coverage must be requested if the research extends beyond the expiration date of the original Certificate. However, the protection afforded by the Certificate is permanent. All personally identifiable information maintained about participants in the project while the Certificate is in effect is protected in perpetuity.
Some projects are ineligible for a Certificate of Confidentiality. Not eligible for a Certificate are projects that are:
While Certificates protect against involuntary disclosure, investigators should note that research subjects might voluntarily disclose their research data or information. Subjects may disclose information to physicians or other third parties. They may also authorize in writing the investigator to release the information to insurers, employers, or other third parties. In such cases, researchers may not use the Certificate to refuse disclosure. Moreover, researchers are not prevented from the voluntary disclosure of matters such as child abuse, reportable communicable diseases, or subject's threatened violence to self or others. (For information on communicable disease reporting policy, see Communicable Diseases Policy. However, if the researcher intends to make any voluntary disclosures, the consent form must specify such disclosure.
Certificates do not authorize researchers to refuse to disclose information about subjects if authorized DHHS personnel request such information for an audit or program evaluation. Neither can researchers refuse to disclose such information if it is required to be disclosed by the Federal Food, Drug, and Cosmetic Act.
In the informed consent form, investigators should tell research subjects that a Certificate is in effect. Subjects should be given a fair and clear explanation of the protection that it affords, including the limitations and exceptions noted above. Every research project that includes human research subjects should explain how identifiable information will be used or disclosed, regardless of whether or not a Certificate is in effect. The Office of Human Subjects Protection (OHRP) provides guidance on the content of informed consent documents. For additional information, see http://www.hhs.gov/ohrp/archive/irb/irb_chapter3.htm
Certificates of Confidentiality do not take the place of good data security or clear policies and procedures for data protection, which are essential to the protection of research participants' privacy. Researchers should take appropriate steps to safeguard research data and findings. Unauthorized individuals must not access the research data or learn the identity of research participants.
Any person engaged in research collecting sensitive information from human research subjects may apply for a Certificate of Confidentiality. NIH is authorized to issue this privacy protection, in its discretion, for important research within its mission areas. The purpose of this statutory authorization is, in part, to reduce impediments to biomedical/bio-behavioral research subject recruitment. NIH provides detailed instructions for investigators wishing to make an application. Detailed application instructions for extramural scientists can be found at http://grants.nih.gov/grants/policy/coc/appl_extramural.htm. Detailed application instructions for intramural scientists can be found at http://grants.nih.gov/grants/policy/coc/appl_intramural.htm. Additional information is available on the Frequently Asked Questions page.
The application, which should be submitted on the research institution's letterhead, requires information about the PI, the grantee institution, and the project. However, on a case-by-case basis, some NIH Institutes and Centers (ICs) may require additional information in order to assist them in carrying out their discretionary authority to issue Certificates of Confidentiality. Therefore, it is important that applicants consult their funding IC prior to submitting an application for a Certificate of Confidentiality. Investigators conducting sensitive research that is not supported with NIH funds may apply for a certificate through the NIH. They should contact the NIH IC that supports work in the same substantive area. Alternatively, they can contact one of the ICs serving as a Central Certificate Resource. For a list of Certificate contacts, see http://grants.nih.gov/grants/policy/coc/contacts.htm.
In addition to the completed form, the Principal Investigator (PI) will be required to provide documentation of Institutional Review Board (IRB) approval and a copy of the informed consent forms as it would read if a Certificate of Confidentiality is obtained – explaining the Certificate, its protections and the circumstances in which voluntary disclosures might be made, i.e. to protect the subject or others from serious harm. The completed package should be sent to the Certificate Coordinator at the appropriate NIH IC.
In cases where a Certificate of Confidentiality is sought for a student research project, the letter of application must be submitted on institutional stationery and signed by three people: the student, the student's advisor or other appropriate faculty member, and the Institutional Official. Also, NIH prefers that the faculty sponsor be designated as the PI on such applications instead of the student; a post-doctoral student can be listed as the co-PI. Moreover, the IRB approval for a student research project must be issued jointly to the student and the advisor or to the advisor with a copy to the student.
The Certificate is issued by the NIH based on the application from the PI for a specific research project. The Certificate is granted to the investigator's institution. If more than one institution is participating in a multi-site project, the PI at the coordinating center or "lead" institution applies for the Certificate on behalf of all sites, listing each participating unit, its address and project director in the application. A single Certificate for such multi-site projects is issued, and the lead institution is responsible for distributing copies of the Certificate to each participating unit or site.
If the PI relocates to a new institution during the course of the project, he or she should apply for an amendment to the existing Certificate. If there are significant modifications to the project or the informed consent form, the PI should contact the Certificate Coordinator that issued the Certificate. Significant changes to the project may require a modification to the existing Certificate or an application for a new Certificate if there is substantial change in the scope of research. If the project is not completed in the time specified in the application for the Certificate, the PI should apply for an extension to the expected date of completion of the project. Requests for modifications, amendments, and extensions should be submitted three months prior to the date needed and should be accompanied by a reason for requesting it and documentation of the most recent IRB approval.
Both the PI and the Institutional Official are required to sign the Certificate application. In doing so, they are agreeing to the assurances as stated in the application form. (See http://grants.nih.gov/grants/policy/coc/appl_extramural.htm.) The name, title, and address of the Institutional Official should be typed below the signature.
NIH Intramural Investigators may also apply for Certificates of Confidentiality. Detailed instructions for Intramural investigators are available at http://grants.nih.gov/grants/policy/coc/appl_intramural.htm. When possible, an application for a Certificate should be made in conjunction with initial or annual IRB review of research proposals. Intramural PIs should complete the application form and attach a concise description of project aims and research methods (this can be met by attaching a copy of the protocol), IRB approval (memo signed by the IRB Chair), and a copy of the informed consent form to be used in the study, as approved by the IRB. Completed packages should be sent to the Certificate Coordinator at the appropriate NIH IC.