Certificates of Confidentiality
What is a Certificate of Confidentiality?
A Certificate of Confidentiality (CoC) adds a layer of privacy protection for participants enrolled in sensitive research. A CoC primarily protects against compulsory legal demands, such as court orders and subpoenas, for identifying information or identifying characteristics of a research participant. Though granted by the NIH for all studies funded by NIH, CoCs are available even to non-NIH-funded studies (even studies that are not federally funded at all). CoC’s are appropriate for research studies that gather information about subjects that might be damaging, and which will only exist in the research study records (that is, the information isn’t already in other records that are subject to subpoena).
Update effective October 1, 2017:
All new and ongoing NIH-funded research meeting certain criteria is deemed to be issued a Certificate of Confidentiality (CoC) via a new NIH policy. (Previously, researchers had to proactively apply to the NIH for a CoC, and only if the study was collecting sensitive information from participants.) For more information about the change in policy, please see this notice.
What research is now covered automatically by a CoC?
Funded by NIH and was commenced or ongoing on or after December 13, 2016, and:
- Is “human subjects research” as defined by federal regulations, including exempt research where data is identifiable;
- Or, is research involving the collection or use of biospecimens that are individually identifiable or for which there is at least a very small risk that some there is some way to deduce the identity of an individual;
- Or, is research that generates individual level, human genomic data from biospecimens, or the use of such data, regardless of whether the data is “identifiable” per the Common Rule; or
- Or, is any other research that involves information about an individual for which there is at least a very small risk, as determined by current scientific practices or statistical methods, that the subject’s identity could be deduced
What does the research team have to do?
For studies that obtain informed consent, the human subjects must be informed that their information is protected by a CoC. The IRB provides language in its consent form (ICF) template to be used in all new submissions meeting the above criteria. The IRB has also provided an addendum to be used when consenting prospective subjects in ongoing research studies, until the study team updates the ICF to include the CoC language (more to come on when that will be required).
Will the CoC cover data already collected in our ongoing study?
Yes. Once in place, the CoC applies to all data collected in the study, including data collected before the CoC was issued.
How can I get a CoC for my study?
To apply for a CoC, please take the following steps:
- Go to the NIH’s CoC Kiosk and complete the steps to submit your application electronically. After it is received, the NIH will provide you with a form that must be signed by the PI and the Emory Institutional Official.
- Once you have the form ready to be signed, DO NOT send the form directly to the Emory Institutional Official. Instead, email the IRB analyst who is responsible for your study. If you are unsure who the analyst is, you may call us to find out, or you can send the CoC application directly to our main email address (firstname.lastname@example.org).
In your email, please include the following:
- The full CoC application, as an attachment, along with the “Assurances” form that needs to be signed;
- The nature of the sensitive data to be generated during the research study;
- How that data will be identifiable/linked to the subject;
- Whether that sensitive information also exists somewhere outside the research record (e.g. HIV diagnosis already present in subjects’ medical record - either at EHC or elsewhere - before the study begins). If the sensitive information is already present in another location that could be subpoenaed, then we may not sign off on the CoC application; we do not want subjects to have a false sense of security.
How should research subjects be informed about the CoC? Can I tell them I am applying for the CoC but haven’t received it yet?
The CoC’s protections – and limitations – must be stated in the Informed Consent form once the CoC is granted, and the language is dictated by the NIH. The consent templates posted on the Emory IRB website contain the required language.
The NIH prefers that you NOT state in the consent form that you are applying for a CoC. Only after the CoC is actualy obtained should subjects be enrolled via a consent form that references the CoC. If the IRB agrees that enrollment prior to obtaining the CoC is acceptable, the IRB can approve a no-CoC version of the conesnt form, along with a CoC version that you can submit to the NIH with your CoC application - but which cannot be used to enroll until the CoC is granted.
What should I do if I obtain a CoC after the study has been approved?
If you are granted a CoC for a study that has already been approved, you should submit an amendment in eIRB to do the following:
- Upload the approved CoC into the eIRB system under the "Miscellaneous Documents" section.
- Add the required language in the ICF to note the CoC (refer to the most recent ICF template).
How does CoC compare with “Sensitive Study Status”?
Finally, it is important to be aware of the differences between a CoC and "senstitive study status." When a study is declared to have "sensitive status," steps are taken to limit the amount of information that is put into the medical record. A CoC, however, doesn't limit the information put into the record but instead it covers that information with privacy protections. In other words, determining that a protocol has "sensitive study status" alone does not protect research data from subpoena, therefore a CoC may be recommended or even required in addition to the sensitive status determination.