Certificates of Confidentiality
- What is a Certificate of Confidentiality?
- Are there any limitations to the protections afforded by a Certificate of Confidentiality?
- Do the laws of the State of Maryland impose any additional limitations on Certificate of Confidentiality Protections?
- When should an investigator seek a Certificate of Confidentiality for a study?
- If my study is federally funded, do I need to seek a Certificate of Confidentiality?
- Which Federal agencies currently issue a CoC automatically upon award of funding?
- Will an IRB ever require an investigator to obtain a Certificate of Confidentiality?
- How does an investigator apply for a Certificate of Confidentiality when one has not been automatically issued when funding was awarded?
- What is the IRB process for the consent form when a Johns Hopkins investigator is applying for a Certificate of Confidentiality?
- Will the IRB accept alternative Certificate of Confidentiality consent form language from a sponsor or from an external IRB?
- Does an investigator still need a HIPAA-compliant privacy authorization form if the investigator also has a Certificate of Confidentiality?
- Is the Certificate of Confidentiality still valid if the original Certificate holder is replaced?
- Does the Certificate of Confidentiality have an expiration date?
- Should the PI notify the issuing federal agency of any changes made to the protocol?
- What should I do if I receive a subpoena requesting access to research records?
- How do I update my eIRB application to reflect the fact that my study has been granted a Certificate of Confidentiality (either automatically via funding or by application to a federal agency)?
- What if I am unsure of how to secure a CoC for my study or how to describe the CoC in my eIRB application?
1. What is a Certificate of Confidentiality?
A federal law allows the NIH and other federal agencies to issue Certificates of Confidentiality (CoCs) to persons engaged in sensitive biomedical, behavioral, clinical, or other research, for the purpose of protecting the privacy of research subjects. The authorizing federal law states that anyone who receives a CoC may not be compelled in any federal, state, or local civil, criminal, administrative, legislative, or other proceedings to identify the subjects of research covered by the CoC. Thus, the CoCs help to minimize risks to subjects by adding an additional level of protection for maintaining confidentiality of private information.
This protection is not limited to federally funded research; CoCs may be issued to cover any study that the issuing federal agency deems to be appropriate. Generally, research will be considered "sensitive" and eligible for CoC protection if the study involves the collection of identifying information, which, if revealed, could harm the financial standing, employability, insurability, or reputation of a research subject. Such information includes data about sexual attitudes and behavior, substance abuse, illegal conduct, psychiatric or genetic information, and much medical information. However, for the purposes of research funded by the NIH, the NIH has issued a policy which will apply CoC protections to all “identifiable, sensitive information.” This means information about a research subject gathered or used during the course of the research where:
- An individual is identified; or,
- For which there is at least a very small risk that some combination of the information, a request for the information, and other available data sources could be used to deduce the identity of an individual.
(See NIH Policy for Issuing Certificates of Confidentiality and item 3 below)
2. Are there any limitations to the protections afforded by a Certificate of Confidentiality?
There are exceptions to the scope of protection afforded by a Certificate of Confidentiality. CoCs do not protect research subjects against the voluntary disclosure by the investigator of identifying information. For example, a CoC does not prevent an investigator from notifying the authorities if he or she obtains evidence of child abuse or a subject's threatened violence to self or others. In fact, JHM policies require investigators to comply with all such mandatory disclosure laws. CoCs also do not protect against voluntary disclosures made by the research subjects themselves, including any disclosures to which they have agreed in the consent form. Also, certain NIH institutes insist that federal agency rights to audit research records are not eliminated by CoCs. The consent form for a research study must inform study subjects that even when a CoC has been obtained, the investigator will make certain disclosures (see language in the JHM template informed consent form).
3. Do the laws of the State of Maryland impose any additional limitations on Certificate of Confidentiality Protections?
Maryland law requires certain disclosures and reports to authorities. For example, a health care provider (or the employee of a hospital or other provider) who is presented with lawful compulsory process (e.g., a valid subpoena) must disclose information meeting the definition of a "medical record", without a patient's authorization for "purposes of investigation or treatment in a case of suspected abuse or neglect of a child or an adult..." (Md. Health-General Code Ann. Section 4-306 (2002)). Various provisions of state law also require hospitals, laboratory directors, and others to report to State authorities information about an infectious or contagious diseases (Md. Health-General Code Ann. 18-201, 18-205). Maryland law requires any person to report evidence of suspected child abuse or neglect to authorities. (Md. Code Ann. Fam. Law 5-705(a)(2), (a)(3)).
Whether an investigator is required under Maryland law to make a mandatory report or disclosure may depend upon the particular circumstances. Investigators should consult the Office of the Vice President and General Counsel (OGC) for additional guidance on specific cases involving mandatory reports as advised item 1 above.
A CoC might appear to override these state law reporting requirements, but at this time it is unclear whether a Maryland court would agree. We have resolved this uncertainty by voluntarily complying with Maryland disclosure and reporting laws as a matter of Organization policy. CoCs do not preclude our voluntary compliance with state laws requiring reports of suspected abuse, infectious disease, or other events, provided that we disclose this in study consent forms.
4. When should an investigator seek a Certificate of Confidentiality for a study?
Before submitting a new application to the IRB, investigators should consider whether a CoC would be an added protection for study data. If the investigator seeks to obtain identifying information of a sensitive nature from research subjects, and the disclosure of such information could harm the subjects as described above, the PI may wish to apply to the government for a CoC. The investigator should indicate in the application to the IRB that he or she will seek a CoC after the IRB has approved the application.
5. If my study is federally funded, do I need to seek a Certificate of Confidentiality?
Effective on October 1, 2017, the NIH issued a policy pursuant to the federal 21st Century Cures Act by which all ongoing or new research it funds or has funded as of December 13, 2016 that is collecting or using identifiable, sensitive information is automatically issued a CoC as a term and condition of its grant awards. Other DHHS entities funding research, including the Centers for Disease Control, have implemented this approach as well. If you are uncertain whether your funding agency will automatically issue the CoC at the time of award, please consult with your Project Officer or other authority there.
For federally funded research where a CoC is issued as a term of the award the following is true:
- CoCs will no longer be issued in a separate document. The Notice of Award and the NIH Grants Policy Statement will serve as documentation of the CoC protection.
- Researchers are required to determine whether their research records generated with NIH funding are covered by a CoC.
- The scope of research protected by CoCs extends beyond “human subjects research” and includes research: 1) in which identifiable, sensitive information is collected or used, 2) that collects or uses human biospecimens that are identifiable or that have a risk of being identifiable; 3) that involves the generation of individual level human genomic data; and 4) that involves any other information that might identify a person.
- CoCs will be issued to recipients for applicable research regardless of the country where the investigator or the protected information resides. However, CoCs may not be effective for data held in foreign countries.
- Information protected by a CoC and all copies are subject to the protections of the CoC in perpetuity. Therefore, if a secondary researcher receives information protected by a CoC, the secondary researcher is required to uphold the protections of the CoC.
6. Which Federal agencies currently issue a CoC automatically upon award of funding?
A. National Institute of Health (NIH): Please click here for more information on NIH’s CoC policy
B. Center for Disease Control (CDC): Please click here for more information on CDC's CoC policy
7. Will an IRB ever require an investigator to obtain a Certificate of Confidentiality?
When a CoC has not automatically been issued by the funding agency or applied for by an investigator, the IRB may also request that an investigator apply for a CoC if the IRB determines that the data collected from subjects should have the protections provided.
8. How does an investigator apply for a Certificate of Confidentiality when one has not been automatically issued when funding was awarded?
PLEASE NOTE: Not all federal agencies issue a COC automatically upon the award of the funding.
Many agencies still offer a process through which a CoC may be obtained through an application.
To apply for a CoC through these agencies you must contact the funding agency's designated CoC coordinator for further guidance on the process and requirements for obtaining a CoC from the agency. Please see below for guidance on how to apply for a CoC from select agencies:
- FDA: https://www.fda.gov/regulatory-information/search-fda-guidance-documents/certificates-confidentiality
- HRSA (proof of IRB approval required*): https://www.hrsa.gov/sites/default/files/hrsa/publichealth/clinical/human-subjects/certificates-confidentiality-application-instructions.pd
- SAMHSA (proof of IRB approval required*): https://www.samhsa.gov/grants/gpra-measurement-tools/certificate-confidentiality
If your study is not federally funded or is funded by an agency that does not have a specific CoC process, you may still seek a CoC through the NIH online CoC system.
*Select agencies will require that your application for a CoC includes documentation of IRB approval. The IRB can grant approval while the CoC application is pending but a CIR is needed to update your application once the CoC has been issued. See Question #16 below for further guidance.
9. What is the IRB process for issuing a final consent form when a Johns Hopkins investigator is applying for a Certificate of Confidentiality when not automatically issued with a funding award?
The consent form or consent script should have the IRB standard CoC language. This is provided in the JHM IRB Informed Consent Template. If the investigator does not include this language in the submitted informed consent, it will be inserted by the Consent Form Specialist. When the study is approved, the IRB will release a No Logo (unstamped) consent form to the investigator with the wording in the header “Do not use this form for consenting research subjects.”
The investigator must use this approved consent form as part of the application to the granting agency for the CoC. The reason for this process is that the investigator cannot apply for the CoC until he/she has an IRB approved study and consent form with CoC language included. When the investigator receives the CoC from the granting agency, a Change in Research application must be submitted to the IRB which includes a copy of the CoC. The IRB will then approve the Change in Research application and release the approved Logo consent form for use with human subjects.
[top]
10. Will the IRB accept alternative Certificate of Confidentiality consent form language from a sponsor or from an external IRB?
Many of the protocols submitted to the IRB that include a CoC are studies with a federal, commercial, or cooperative group sponsor for which the sponsor has already applied for and received the CoC or it has automatically issued with an award. The JHM IRB will accept the CoC language in the consent form, since it has prior approval from the granting agency for that Certificate holder. If the Johns Hopkins investigator has a copy of the sponsor’s CoC, it should be included in the application to the IRB. (This is applicable only to those CoCs which are not automatically issued at the time funding is awarded).
In studies for which JHM is relying on an external IRB, another institution’s alternative language will generally be deemed appropriate.
[top]
11. Does an investigator still need a HIPAA-compliant privacy authorization if the investigator also has a Certificate of Confidentiality?
Yes. HIPAA and the federal statutes pertaining to CoCs are different laws. The HIPAA Privacy Rule applies to any health information collected or used by employees of JHM, and requires that "authorization" (permission) of a specific form be obtained before a person's health information may be collected, used, or disclosed for research. Use of the Johns Hopkins Medicine combined consent/authorization template is typically the mechanism to follow in obtaining written authorization.
12. Is the Certificate of Confidentiality still valid if the original Certificate holder is replaced?
For studies in which the CoC has not issued automatically at award, the CoC is issued to an individual PI or sponsor. If the PI or sponsor of a study is replaced by another investigator or sponsor, the CoC must be amended to reflect that change.
For NIH-funded studies for which the CoC has automatically issued at the time of award, the protections extend in perpetuity for data collected during the period of funding.
13. Does the Certificate of Confidentiality have an expiration date?
For studies in which the CoC has not issued automatically at award, the CoC is issued for a defined period of time. Once it expires, any study information collected after that expiration is not protected. The PI must renew the CoC, well in advance of its expiration, so that the entire period of data collection is protected.
For NIH-funded studies for which the CoC has automatically issued at the time of award, the protections extend in perpetuity for data collected during the period of funding.
14. Should the PI notify the issuing federal agency of any changes made to the protocol?
Yes, most CoCs specify that the holder must notify the issuing agency of any changes to the protocol. For questions about whether this will be required you should contact the issuing agency.
15. What should I do if I receive a subpoena requesting access to research records?
Should you ever receive a subpoena or other legal process seeking disclosure of research records, please contact the Johns Hopkins University Office of the Vice President and General Counsel (OGC) immediately, and prior to disclosing any records or information. OGC will assist researchers with responding to the legal request for records, and with enforcing the privacy protections of Certificates of Confidentiality. OGC contact information may be found on the OGC website at: http://web.jhu.edu/administration/general_counsel/contact.html
16. How do I update my eIRB application to reflect the fact that my study has been granted a Certificate of Confidentiality (either automatically via funding or by application to a federal agency)?
If you now have funding from NIH, or CDC that automatically includes issuance of a CoC as a term of the funding, OR you were issued a CoC by submitting an application, you will need to submit a Change in Research to update your application to reflect the CoC. Please follow these steps when submitting your CIR:
- Revise eIRB section 36 (Data Confidentiality) Item 6 to reflect that there is a CoC by responding “Yes”;
- Respond to Item 7 by selecting the appropriate CoC holder (this corresponds with the recipient of the award); and
- If you were issued a CoC automatically, leave Items 8 and 9 blank as there will be no issuance document or expiration date in this circumstance. If you were issued a CoC with a definitive expiration date, upload a copy of the CoC in item 8, and indicate the expiration data in item 9.
You will also need to revise the informed consent document(s) for your study (if any) to include language informing subjects of the CoC protections and their limitations (The current language will be found in the JHM IRB’s most recently issues informed consent template).Please note that while these consent form changes are important to make for prospective subjects, you will not be required to obtain re-consent from previously enrolled subjects strictly for this purpose.
17. What if I am unsure of how to secure a CoC for my study or how to describe the CoC in my eIRB application?
If you are unsure of how to secure a CoC or update your eIRB application with newly secured CoC information, please contact any member of the Compliance Team at the JHM Office of Human Subject Research. Please click here for the list of staff contact information.