Certificates of Confidentiality: NIGMS Procedures

Purpose

Certificates of Confidentiality allow researchers to avoid the involuntary release of any portion of research records containing information that could be used to identify study participants. A Certificate of Confidentiality protects the investigator and anyone else who has access to research records from being compelled to disclose identifying information in any civil, criminal, administrative, legislative, or other proceedings, whether federal, state, or local. Identifying information is broadly defined as any item or combination of data about a research subject that could reasonably lead directly, or indirectly by reference to other information, to the identification of a research subject.

Certificates can be used to promote participation in studies by assuring anonymity to participants. Certificates will be issued only when the research is of a sensitive nature, where protection is judged necessary to achieve the research objectives. For instance, a Certificate of Confidentiality may be granted if disclosure could have adverse legal consequences or damage the financial standing, employability, insurability, or reputation of the participant. The Certificate will help researchers avoid involuntary disclosure that could expose subjects and their families to adverse economic, psychological, and social consequences.

History

Certificates of Confidentiality were originally authorized by a 1970 amendment to the Public Health Service Act to protect participants in research on substance abuse. The authority to award Certificates was vested with the secretary of the Department of Health and Human Services (DHHS). In 1988, the statute was broadened such that Certificates could be sought to protect individuals participating in biomedical, behavioral, clinical, and other research, and the authority to issue Certificates was delegated to the Office of the Assistant Secretary for Health (OASH). With the reorganization of the OASH in 1996, its Certificate authority was decentralized to the NIH institutes, and the NIH director further delegated this authority to certain NIH officials (institute and center [IC] directors, deputy IC directors, and executive officers). Each IC now has the option of issuing its own Certificates.

Types of Projects Covered

NIGMS issues Certificates for single, well-defined projects rather than for groups or classes of projects. An exception is for cooperative multi-site projects, in which a coordinating center or "lead" institution designated by the government program director can apply on behalf of all member institutions, and a single Certificate providing protection to all participating sites is issued. In this case, the application must list each participating unit, its address, and the project director of the participating unit on the first page of the application. The lead institution must assure that all participating institutions conform to the application assurances and inform subjects appropriately about the Certificate, its protections, and the circumstances in which voluntary disclosures would be made.

Extent and Limitations of Coverage

Certificates of Confidentiality can be used to cover biomedical, behavioral, clinical, or other research. Refer to the Frequently Asked Questions below for more details.

Certificates of Confidentiality do not obviate the need for data security, however. Researchers should take appropriate steps to safeguard research results so that individuals having access to medical records (including those who may access the records with the subject’s consent) cannot access the research results or learn the identity of research participants.

Certificates protect against involuntary disclosure; however, information may be voluntarily released under certain circumstances. For example, research subjects may disclose or consent to the disclosure of information (including research information) in their medical records to an insurer, and researchers may not use the Certificate to refuse disclosure under this circumstance. In addition, researchers are expected to make arrangements with local and state authorities to satisfy communicable disease reporting requirements, and subjects should be informed of this possibility in the informed consent document. Moreover, Certificates do not authorize researchers to refuse to disclose information about subjects if authorized DHHS personnel request such information for an audit or program evaluation or if such information is required by the Federal Food, Drug, and Cosmetic Act.

With the exceptions noted above, it is important to keep in mind that the authority to resist compulsory disclosure provided by a Certificate supersedes any federal, state, or local laws that require such disclosure. Although there are few court decisions involving challenges to Certificates of Confidentiality, their authority has been upheld in New York State Court of Appeals.

Period of Coverage

Certificates are issued for a specific time period and protect all information that would identify research subjects who participate in the project during that period. Data collected while a Certificate is in effect remain protected after the Certificate expires and in perpetuity. The time period begins on the date of issuance of the Certificate or the commencement of the research, whichever is later. Generally, Certificates are effective on the date of issuance or upon commencement of the research project if that occurs after the date of issuance. The expiration date should correspond to the completion of the study. It is advised that applicants select a period of coverage that may overestimate, rather than underestimate, the time required to complete the project. Requests for extensions of Certificate coverage should be made 3 months prior to the expiration date. They should be accompanied by a justification, documentation of the most recent Institutional Review Board (IRB) approval, and the new expected completion date for the research project.

Eligibility Criteria

Certificates are appropriate when the research information gathered is of a sensitive nature and protection is deemed necessary in order to achieve the research objectives while protecting the study participants’ confidentiality and privacy. Studies gathering information, the disclosure of which could reasonably be expected to lead to social stigmatization or job or medical/life insurance discrimination, would qualify for a Certificate. Projects eligible for Certificates must involve the collection of sensitive information that, if disclosed, could be damaging to an individual’s financial standing, reputation, insurability, or employability. Examples of research projects relevant to the mission of NIGMS that would be eligible include, but are not limited to, the following:

• Projects involving genetic testing for disease predisposition.
• Studies involving the collection and storage of biological samples for use in subsequent research could be eligible if the scope and purposes of such research can be adequately specified.
• Studies involving the collection or storage of clinical and epidemiologic data.
• Pharmacogenetic studies that involve human subjects.

Projects that are not research-based or research-related are ineligible for a Certificate of Confidentiality, as are projects that have not received IRB review and final approval. Projects collecting information that is not deemed to involve significant harm or damage to the subject if disclosed are not eligible.

Application for Certificate of Confidentiality for NIGMS-Funded Projects

Applicants should submit a letter to the NIGMS Certificate Coordinator (address below) that contains the following information, presented in the format shown using letterhead from the grantee institution. Note that the assurances should be entered into the letter exactly as they are written below. Also note that the principal investigator (PI) for the project as well as the institutional official who has signatory authority must sign this letter.

1. Name and address of grantee institution.
2. Sites where the research will be conducted and a description of the facilities available for the conduct of the research.
3. Title of the research project.
4. Source of support for this project and the identification number (e.g., NIH grant number).
5. Documentation of IRB approval (attach letter or form signed by authorized IRB representative). Approval must be current, unconditional, or conditioned only upon the issuance of a Certificate of Confidentiality and documented by a letter or form signed by an authorized IRB representative.
6. Name, title, mailing and e-mail addresses, telephone and fax numbers of the PI as well as name and title of other key personnel. Also include a summary of the scientific training of the PI and key personnel. Off-site collaborators should provide a letter acknowledging that they are aware of the certificate and its provisions.
7. Beginning date and expected end date of the project.
8. Concise description of project aims and research methods (1-2 paragraphs, omit background).
9. A description of means used to protect subjects’ identities (i.e., "All subjects will be assigned a coded number, and identifying information and records will be kept in locked files at this institution, etc.").
10. Justification for request for Certificate of Confidentiality (i.e., "A Certificate is needed because sensitive genetic information will be generated. The Certificate will help researchers avoid involuntary disclosure that could expose subjects and their families to adverse economic, psychological, and social consequences.").
11. Informed consent/assent forms for research subjects who will be participating in the study, as approved by the IRB (attach a copy of the form).

Applicants must insert the following assurances into the letter:

• This institution agrees to use the Certificate of Confidentiality to protect against the compelled disclosure of personally identifiable information and to support and defend the authority of the Certificate against legal challenges.
• Personnel involved in the conduct of the research will comply with all the requirements of 45 CFR Part 46 "Protection of Human Subjects."
• This Certificate of Confidentiality will not be represented as an endorsement of the project by the DHHS or NIH or used to coerce individuals to participate in the research project.
• All subjects will be informed that a Certificate has been issued, and they will be provided with a description of the protection covered by the Certificate.
• Any subjects entering the project after expiration or cancellation of the Certificate will be informed that the protection afforded by the Certificate does not apply to them.
• We understand that if this project is not completed by the expiration date and/or an amendment is necessary, we must submit a written request for an extension of the Certificate 3 months prior to the expiration date. Any such request must include a justification for the extension, documentation of the most recent IRB approval, and the expected date for completion of the research project.

Review Procedures

Applications are reviewed and recommended for approval by the involved NIGMS program director and the staff review committee. Applications so recommended are forwarded to the director, NIGMS, for final approval and signature. Certificate requests that are not approved will be returned to the applicant with an explanation for the decision.

Modifications to Projects and Changes in Participating Institution

Requests for modifications or amendments should be made 3 months prior to the needed date. These requests should be accompanied by a justification and documentation of the most recent IRB approval. An amendment to an existing Certificate should be requested when a principal investigator relocates to a new institution.

Agency Contacts

To obtain further information about Certificates of Confidentiality, to submit an application, or to request an extension or amendment for an existing Certificate awarded by NIGMS, contact:

Paul A. Sheehy, Ph.D.
Certificate Coordinator
National Institute of General Medical Sciences
45 Center Drive, Rm. 2AN.24G, MSC 6200
Bethesda, MD 20892-6200
Telephone: 301-594-4499
Fax: 301-480-1852
E-mail: sheehyp@nigms.nih.gov

To submit a Certificate request or to obtain an extension or amendment for an existing Certificate awarded by an NIH institute or center other than NIGMS, contact that IC's coordinator or:

Ms. Olga Boikess
National Institute of Mental Health
6100 Executive Boulevard, Rm. 8102
Bethesda, MD 20892-9653
Telephone: 301-443-3877
Fax: 301-443-7840
E-mail: oboikess@ngmsmtp.nimh.nih.gov

Note to applicants: The Certificate of Confidentiality protects against the involuntary disclosure of information that could identify subjects. It does not govern the voluntary disclosure of identifying characteristics of research subjects. Researchers are not prevented from the voluntary disclosure of matters such as child abuse or a subject’s threatened violence to self or others. However, if a researcher intends to make such voluntary disclosures, the consent form should clearly indicate this.

The Certificate of Confidentiality does not protect you from being compelled to make disclosures that: 1) have been consented to in writing by the research subject or the subject’s legally authorized representative; 2) are required by the Federal Food, Drug, and Cosmetic Act (21 U.S.C. 301 et seq.) or regulations issued under that Act; or 3) have been requested from a research project funded by NIH or DHHS by authorized representatives of those agencies for the purpose of audit or program review.

If you determine that the research project will not be completed by the expiration date or if you modify the research protocol, you must submit a written request for an amendment of the Certificate 3 months prior to the expiration date. Any such request must include the justification for the amendment or the extension as well as the revised expected date for completion of the research project.

Frequently Asked Questions

What are Certificates of Confidentiality?

The Certificate of Confidentiality protects the privacy of subjects in biomedical, behavioral, clinical, or other research projects against compulsory legal demands (e.g., court orders and subpoenas that seek the names or other identifying characteristics of a research participant) made of the investigator.

What is the purpose of the Certificate?

The Certificate was developed to protect against the involuntary release of personally identified research information of a sensitive nature sought through any federal, state, or local civil, criminal, administrative, legislative, or other proceedings.

Certificates of Confidentiality were first issued by the U.S. Department of Health and Human Services as a means of enabling substance abuse-related research projects where, in the course of the research, the study participants may be providing legally incriminating or sensitive personal information. The authority was granted under the Comprehensive Drug Abuse Prevention and Control Act of 1970, Public Law No. 91-513, Section 3(a). In 1974 and 1988, the law was amended to broaden the use of Certificates to safeguard individuals participating in biomedical, behavioral, clinical, and other research.

What protection does a Certificate of Confidentiality afford?

Certificates of Confidentiality are issued by the Department of Health and Human Services pursuant to Section 301(d) of the Public Health Service Act (42 U.S.C. Section 241(d)) to afford special privacy protection to research subjects. Investigators can interpose a Certificate to avoid being required to release personally identifiable research information about individual study participants. A Certificate can be used by the researcher to avoid compelled "involuntary disclosure" (e.g., subpoenas) of identifying information about a research subject. It does not prevent voluntary disclosures such as limited disclosure to protect the subject or others from serious harm, as in cases of child abuse. Also, a researcher may not rely on a Certificate to withhold data if the subject consents to the disclosure.

The Certificate covers the collection of sensitive research information for a defined time period (the term of the project); however, personally identifiable information obtained about subjects enrolled while the Certificate is in effect is protected in perpetuity.

Federal funding is not a prerequisite.

This special privacy protection can be granted only to research, i.e., a systematic investigation designed to develop or contribute to generalizable knowledge. It is granted only when the research is of a sensitive nature where the protection is judged necessary to achieve the research objectives.

What types of projects are eligible for a Certificate?

Projects eligible for Certificates must involve the collection of sensitive information that, if disclosed, could have adverse legal consequences or be damaging to an individual's financial standing, reputation, insurability, or employability. Research funded by NIGMS can be considered sensitive if it involves the collection of information in any of the following categories:

• Projects involving genetic testing for disease predisposition.
• Projects on understanding individual variations in drug responses.
• Studies linking phenotype to genotype.
• Studies involving the collection and storage of biological samples for incompletely specified future uses; this would include genetic studies.
• Studies involving the collection of information on patient responses to studies in clinical pharmacology and anesthesiology, including the effects of drugs on the body and the body's effects on drugs.
• Studies directed toward understanding human patient responses to traumatic injury and post-traumatic sepsis.
• Studies collecting information on an individual’s psychological well-being or mental health, or that include psychiatric conditions as entry criteria or confounding variables.
• Studies of disease risk related to substance abuse or research involving other illegal risk behaviors (e. g., purchase of tobacco products or alcohol by minors).
• Research in which participants may be involved in class action litigation related to exposures under study (e. g., medications, environmental or occupational exposures).

What projects are NOT eligible for a certificate?

• Projects that are not research-based or research-related.
• Projects that have not been reviewed by an Institutional Review Board.
• Projects collecting information that, if disclosed, would not involve significant harm or damage to the subject.
• Projects that do not collect personally identifiable information.

What is the researcher's responsibility to participants in a study for which a Certificate has been granted?

When a researcher obtains a Certificate of Confidentiality, the subjects must be told about the protections afforded by the Certificate and about any exceptions to that protection. This information is usually included in the informed consent document. Researchers should also review the language about confidentiality that is routinely included in consent forms to be sure that it is consistent with Certificate of Confidentiality protections. For example, consent forms sometimes refer to state law reporting requirements. The DHHS General Counsel advises, however, that such a disclosure would be considered voluntary because the Certificate protects the researcher from the compulsion of that law.

Research subjects vary widely in their cultural and educational backgrounds. The Certificate of Confidentiality description should cover the basic points. Privacy protection means that the subject will not be identified as participating in the study unless the subject consents or a disclosure is made to protect the subject or another person from serious harm. Researchers may adapt the example to the special needs of the participants in their research and to the subject matter of the study.

Researchers should be careful not to represent the issuance of a Certificate to potential participants as an endorsement of the research project by DHHS or NIH or to use it in a coercive manner for the recruitment of participants.

Finally, the researcher must be prepared to use the authority of the Certificate to resist compulsory disclosure of individually identifiable research data.

In what situations may data protected by a Certificate be disclosed?

Data that are protected by a Certificate may be disclosed under the following circumstances:

• Voluntary disclosure of information by study participants themselves to physicians or other third parties, or authorization by study participants of release of information to insurers, employers, or other third parties.
• Voluntary reporting by the investigator of information, such as child abuse or threat of potential violence to self or others, provided such intention is specified in the informed consent document.
• Voluntary compliance by the researcher with reporting requirements of other state laws such as knowledge of a communicable disease, provided such intention is specified in the informed consent document.
• Release of information by investigators to DHHS as required for audits of research records or to the Food and Drug Administration as required under the federal Food, Drug, and Cosmetic Act (21 U.S.C. § 301 et seq.).

What is the process for applying to NIGMS for a Certificate of Confidentiality?

The issuance of Certificates of Confidentiality is discretionary. Projects are not eligible for a Certificate unless they have been reviewed and approved by an IRB. Investigators must submit an application as outlined in the format shown. This solicits information about the project and the investigator, along with IRB review documentation and a copy of the informed consent/assent forms (describing the Certificate of Confidentiality protections) to be used in the study, to the NIGMS Certificate Coordinator. Since a certificate is generally issued to a sponsoring research institution, the application and its assurances must be signed by a faculty member or a senior official.

Ordinarily, a Certificate is issued for a single project (not broad groups or classes of projects). However, for cooperative multi-site projects, a coordinating center or "lead" institution can apply for, and receive, a Certificate on behalf of all member institutions. However, that lead institution must agree to be sure that all participating institutions conform to the application assurances and inform their subjects, appropriately, about the Certificate, its protections, and the circumstances in which voluntary disclosures would be made.

To obtain more information, to submit a completed application, or to request an extension or amendment to an existing Certificate, the NIGMS-funded principal investigator should contact:

Paul A. Sheehy, Ph.D.
Certificate Coordinator
National Institute of General Medical Sciences
45 Center Drive, Rm. 2AN.24G, MSC 6200
Bethesda, MD 20892-6200
Telephone: 301-594-4499
Fax: 301-480-1852
E-mail: sheehyp@nigms.nih.gov

How are extensions or amendments to existing Certificates obtained?

If the research scope of a project covered by a Certificate should change substantially, the PI should request an amendment to the Certificate. An extension must be requested if the research extends beyond the expiration date of the original Certificate and coverage for subjects recruited after the expiration of a Certificate is necessary.

Requests for extensions of an expiration date for a Certificate or for other amendments should be made 3 months prior to the needed date. These requests should be accompanied by a justification, documentation of the most recent IRB approval, a copy of an informed consent describing the Certificate of Confidentiality protections and the circumstances in which voluntary disclosures might be made, and the new expected completion date for the research project. They should be directed to the NIGMS Certificate Coordinator at the address above.

Does the PI need a new Certificate of Confidentiality each time the grant is renewed?

No, but there needs to be "paper trail continuity." In each extension, the previous number, certificate, principal investigator, etc. should be referenced to show that the renewal is a continuation of the previous work and that all is covered.

Does each project (within a larger program) require a Certificate of Confidentiality?

It depends. If a central database exists that has a Certificate of Confidentiality and someone is using those data, the individual identities are already protected, and there would not need to be an additional Certificate of Confidentiality. If someone wants to expand on the existing project--e.g., add a new subproject--this should be an add-on to the existing Certificate of Confidentiality. Reference the original Certificate and explain what is being changed or expanded. This is necessary in order to keep the "paper trail continuity" so that if this were called into court, there could be no question that these projects are related and covered by the Certificate of Confidentiality and its addendum.

If a research project has already started, can one obtain a Certificate of Confidentiality that will cover subjects already enrolled?

Assuming that the project meets the eligibility criteria for the Certificate and that subjects are actively being recruited, previously enrolled subjects will be covered. The applicant should indicate the entire length of the study to be covered (start to finish) in the application letter. The Certificate issued should indicate that the research is already underway and that it will end on the stated date. The applicant should also take the Consent Form, revised according to suggested wording, to the IRB for approval prior to requesting the Certificate.

Has the legality of Certificates been challenged?

There have been court challenges to the confidentiality protections afforded by a Certificate. In 1973, the Certificate's authority was upheld in the New York Court of Appeals. The U.S. Supreme Court declined to hear the case.

What should an investigator do if legal action is brought to release personally identifying information protected by a certificate?

A Certificate of Confidentiality is a legal defense against a subpoena or court order to be used by the researcher to resist disclosure. The researcher should seek legal counsel from his or her institution. The Office of General Counsel for DHHS is willing to discuss the regulations with the researcher's attorney. In addition, NIGMS-funded researchers should notify Dr. Hagan (see address above).

What is the researcher’s responsibility to participants in a study for which a Certificate has been granted?

The investigator may not represent the issuance of a Certificate to potential participants as an endorsement of the research project by DHHS or NIH or use it in a coercive manner for the recruitment of participants. The investigator must use the authority of the Certificate to resist compulsory disclosure of individually identifiable research data.

The study participants must be informed that a Certificate is in effect and be given a fair and clear explanation of the protection it affords. This must include an explanation of the limitations and exceptions. This information may be provided in the informed consent document or in an additional information page. An example of suggested wording might be:

Study participants may also be given a copy of the Certificate, although this is not necessary if it would impede the research. Study participants should be notified that a Certificate has expired if they are recruited to the study after the expiration date of the Certificate and an extension of the Certificate’s coverage has not been granted.