- What is a Certificate of Confidentiality?
- State of Maryland Limitation on Certificate of Confidentiality
- When should an investigator seek a Certificate of Confidentiality for a study?
- Will an IRB require an investigator to obtain a Certificate of Confidentiality
- Will a federal funding agency stipulate when a Certificate of Confidentiality is required for a project?
- How does an investigator apply for a Certificate of Confidentiality?
- What is the IRB process for the consent form when a Johns Hopkins investigator is applying for a Certificate of Confidentiality?
- What is the IRB process for the consent form when the sponsor of the research is the entity applying for the Certificate of Confidentiality?
- Does an investigator still need a HIPAA compliant privacy authorization form if the investigator also has a Certificate of Confidentiality?
- Is the Certificate still valid if the original Principal Investigator is replaced by another investigator?
- Does the Certificate have an expiration date?
- Should the PI notify the issuing federal agency of any changes made to the protocol?
A federal law allows the NIH and other federal agencies to issue Certificates of Confidentiality to persons engaged in sensitive biomedical, behavioral, clinical or other research, for the purpose of protecting the privacy of research subjects. The authorizing federal law states that anyone who receives a Certificate of Confidentiality may not be compelled in any federal, state, or local civil, criminal, administrative, legislative, or other proceedings to identify the subjects of research covered by the Certificate.Thus, the Certificates help minimize risks to subjects by adding an additional level of protection for maintaining confidentiality of private information.
This protection is not limited to federally funded research; Certificates may be issued to cover any study that the issuing federal agency deems to be appropriate. Generally, research will be considered "sensitive" and eligible for Certificate protection if the study involves the collection of identifying information which, if revealed, could harm the financial standing, employability, insurability, or reputation of a research subject. Such information includes data about sexual attitudes and behavior, substance abuse, illegal conduct, psychiatric or genetic information, and much medical information.
Importantly, however, there are exceptions to the scope of protection afforded by a Certificate of Confidentiality. Certificates do not protect research subjects against the voluntary disclosure by the investigator of identifying information. For example, a Certificate does not prevent an investigator from notifying the authorities if he or she obtains evidence of child abuse or a subject's threatened violence to self or others. In fact, JHM policies require investigators to comply with all such mandatory disclosure laws. Also, certain NIH institutes insist that federal agency rights to audit research records are not eliminated by Certificates of Confidentiality. The consent form for a research study must inform study subjects that even when a Certificate has been obtained, the investigator will make certain disclosures (see language in the JHM template informed consent form).
Decisions about how to respond to subpoenas and other demands for research information or medical records are made by JHM's legal advisors. If you do receive a subpoena or any request or demand for records or information, contact the General Counsel's Office for the Johns Hopkins Health System and the General Counsel's Office for the University.
See also, OHRP Guidance on Certificates of Confidentiality
February 25, 2003
Maryland law requires certain disclosures and reports to authorities. For example, a health care provider (or the employee of a hospital or other provider) who is presented with lawful compulsory process (e.g., a valid subpoena) must disclose information meeting the definition of a "medical record", without a patient's authorization for "purposes of investigation or treatment in a case of suspected abuse or neglect of a child or an adult..." (Md. Health-General Code Ann. Section 4-306 (2002)). Various provisions of state law also require hospitals, laboratory directors, and others to report to State authorities information about an infectious or contagious diseases (Md. Health-General Code Ann. 18-201, 18-205). Maryland law requires any person to report evidence of suspected child abuse or neglect to authorities. (Md. Code Ann. Fam. Law 5-705(a)(2), (a)(3)).
Whether an investigator is required under Maryland law to make a mandatory report or disclosure may depend upon the particular circumstances. Investigators should consult the OHSR or legal counsel for additional guidance on specific cases involving mandatory reports.
A Certificate of Confidentiality might appear to override these state law reporting requirements, but at this time it is unclear whether a Maryland court would agree. We have resolved this uncertainty by voluntarily complying with Maryland disclosure and reporting laws as a matter of Organization policy. Certificates of Confidentiality do not preclude our voluntary compliance with state laws requiring reports of suspected abuse, infectious disease, or other events, provided that we disclose this in study consent forms.
Before submitting a new application to the IRB, investigators should consider whether a Certificate of Confidentiality would be an added protection for study data. If the investigator seeks to obtain identifying information of a sensitive nature from research participants, and the disclosure of such information could harm the participants as described above, the PI may wish to apply to the government for a Certificate of Confidentiality. The investigator should state in the application to the IRB that he or she will seek a Certificate of Confidentiality after the IRB has reviewed the application. Certificates are most important for grant-funded and investigator-initiated research (see question 5).
The IRB may also request that an investigator apply for a Certificate of Confidentiality if the IRB determines that the data collected from participants should have the protections provided by a Certificate.
There are funding agencies that mandate use of a Certificate of Confidentiality during the conduct of a project. Frequently, cooperative group projects require Certificates of Confidentiality.
6. How does an investigator apply for a Certificate of Confidentiality?
To apply for a Certificate, an investigator should submit an application letter to the IRB, with the information required by the specific federal agency. Detailed instructions for applying for a NIH Certificate of Confidentiality are available at the following website: http://grants1.nih.gov/grants/policy/coc/appl_extramural.htm. Studies funded by the National Institute of Justice must follow its guidelines at http://www.ojp.gov. Applications for a Certificate of Confidentiality require Institutional Signature before submission. The application should be sent to the IRB office for signature by the Assistant Dean for Human Subjects Compliance, the Director of OHSR, or the Vice Dean for Clinical Investigation. It is important to obtain the assurance language for the COC application directly from OHSR, because our language differs slightly from agency boilerplate.
The consent form should have the IRB standard Certificate of Confidentiality language. This is provided in the JHMIRB Informed Consent Template. If the investigator does not include this language in the submitted informed consent, it will be inserted by the Consent Form Specialist.
When the study is approved, the IRB will release a No Logo document to the investigator with the wording in the header “Do not use this form for consenting research participants.”
The investigator must use this approved consent form as part of the application to the granting agency for the Certificate.
The reason for this process is that the investigator cannot apply for the Certificate until he/she has an IRB approved study and an IRB approved consent form with the Certificate language included. Most of the Certificates of Confidentiality obtained by investigators from Johns Hopkins are from the National Institutes of Health (NIH). The language in our informed consent template has been approved by NIH.
When the investigator receives the Certificate of Confidentiality, a Change in Research must be submitted to IRB that includes a copy of the Certificate of Confidentiality. If the Certificate seems in order, the IRB will release the approved Logo consent form.
Many of the protocols submitted to the IRB that include a Certificate of Confidentiality are studies with a federal, commercial or cooperative group sponsor where the sponsor has already applied for and received the Certificate of Confidentiality.
The JHMIRB will accept the Certificate language in the consent form, since it has prior approval from the granting agency for that Certificate holder.
If the Johns Hopkins investigator has a copy of the sponsor’s Certificate of Confidentiality, it should be included in the application to IRB.
Yes. HIPAA and the federal Certificate of Confidentiality statute are two different laws. The HIPAA Privacy Rule applies to any health information collected or used by employees of JHM, and requires that "authorization" (permission) of a specific form be obtained before a person's health information may be collected, used, or disclosed for research. Use of the Johns Hopkins Medicine combined consent/authorization template is the mechanism to follow in obtaining written authorization.
NO. The Certificate is issued to an individual PI or sponsor. If the PI of a study is replaced by another investigator, the Certificate must be amended to reflect that change.
Yes. The Certificate is issued for an explicit period of time. Once it expires, any study information collected after that expiration is not protected. The PI must renew the Certificate of Confidentiality, well in advance of its expiration, so that the entire period of data collection is protected.
Yes, most Certificates of Confidentiality specify that the holder of the Certificate must notify the issuing agency of any changes to the protocol.