Certificates of Confidentiality: Background Information
Certificates of Confidentiality are issued by the National Institutes of
Health (NIH) to protect the privacy of research subjects by protecting
investigators and institutions from being compelled to release information that
could be used to identify subjects with a research project. Certificates of
Confidentiality are issued to institutions or universities where the research is
conducted. They allow the investigator and others who have access to research
records to refuse to disclose identifying information in any civil, criminal,
administrative, legislative, or other proceeding, whether at the federal, state,
or local level.
Identifying information is broadly defined as any item or combination of
items in the research data that could lead directly or indirectly to the
identification of a research subject.
By protecting researchers and institutions from being compelled to disclose
information that would identify research participants, Certificates of
Confidentiality help achieve the research objectives and promote participation
in studies by assuring privacy to subjects.
Under section 301(d) of the Public Health Service Act (42 U.S.C. 241(d)) the
Secretary of Health and Human Services may authorize persons engaged in
biomedical, behavioral, clinical, or other research to protect the privacy of
individuals who are the subjects of that research. This authority has been
delegated to the National Institutes of Health (NIH).
Persons authorized by the NIH to protect the privacy of research subjects may
not be compelled in any Federal, State, or local civil, criminal,
administrative, legislative, or other proceedings to identify them by name or
other identifying characteristic.
Extent and Limitations of Coverage
Certificates can be used for biomedical, behavioral, clinical or other types
of research that is sensitive. By sensitive, we mean that disclosure of
identifying information could have adverse consequences for subjects or damage
their financial standing, employability, insurability, or reputation.
Examples of sensitive research activities include but are not limited to the
- Collecting genetic information;
- Collecting information on psychological well-being of subjects;
- Collecting information on subjects' sexual attitudes, preferences or
- Collecting data on substance abuse or other illegal risk behaviors;
- Studies where subjects may be involved in litigation related to exposures
under study (e.g., breast implants, environmental or occupational exposures).
In general, certificates are issued for single, well-defined research
projects rather than groups or classes of projects. In some instances, they can
be issued for cooperative multi-site projects. A coordinating center or "lead"
institution designated by the NIH program officer can apply on behalf of all
institutions associated with the multi-site project. The lead institution must
ensure that all participating institutions conform to the application assurances
and inform participants appropriately about the Certificate, its protections,
and the circumstances in which voluntary disclosures would be made.
A Certificate of Confidentiality protects personally identifiable information
about subjects in the research project while the Certificate is in effect.
Generally, Certificates are effective on the date of issuance or upon
commencement of the research project if that occurs after the date of issuance.
The expiration date should correspond to the completion of the study. The
Certificate will state the date upon which it becomes effective and the date
upon which it expires. A Certificate of Confidentiality protects all information
identifiable to any individual who participates as a research subject (i.e.,
about whom the investigator maintains identifying information) during any time
the Certificate is in effect. An extension of coverage must be requested if the
research extends beyond the expiration date of the original Certificate.
However, the protection afforded by the Certificate is permanent. All personally
identifiable information maintained about participants in the project while the
Certificate is in effect is protected in perpetuity.
Some projects are ineligible for a Certificate of Confidentiality. Not
eligible for a Certificate are projects that are:
- not research,
- not collecting personally identifiable information,
- not reviewed and approved by the IRB as required by these guidelines, or
- collecting information that if disclosed would not significantly harm or
damage the participant.
While Certificates protect against involuntary disclosure, investigators
should note that research subjects might voluntarily disclose their research
data or information. Subjects may disclose information to physicians or other
third parties. They may also authorize in writing the investigator to release
the information to insurers, employers, or other third parties. In such cases,
researchers may not use the Certificate to refuse disclosure. Moreover,
researchers are not prevented from the voluntary disclosure of matters such as
child abuse, reportable communicable diseases, or subject's threatened violence
to self or others. (For information on communicable disease reporting policy,
Diseases Policy. However, if the researcher intends to make any voluntary
disclosures, the consent form must specify such disclosure.
Certificates do not authorize researchers to refuse to disclose information
about subjects if authorized DHHS personnel request such information for an
audit or program evaluation. Neither can researchers refuse to disclose such
information if it is required to be disclosed by the Federal Food, Drug, and
In the informed consent form, investigators should tell research subjects
that a Certificate is in effect. Subjects should be given a fair and clear
explanation of the protection that it affords, including the limitations and
exceptions noted above. Every research project that includes human research
subjects should explain how identifiable information will be used or disclosed,
regardless of whether or not a Certificate is in effect. The Office of Human
Subjects Protection (OHRP) provides guidance on the content of informed consent
documents. For additional information, see http://www.hhs.gov/ohrp/archive/irb/irb_chapter3.htm
An Important Caveat
Certificates of Confidentiality do not take the place of good data
security or clear policies and procedures for data protection, which are
essential to the protection of research participants' privacy. Researchers
should take appropriate steps to safeguard research data and findings.
Unauthorized individuals must not access the research data or learn the identity
of research participants.
Instructions for Applicants
Any person engaged in research collecting sensitive information from human
research subjects may apply for a Certificate of Confidentiality. NIH is authorized to issue this privacy protection, in its discretion, for important research within its mission areas. The purpose of this statutory authorization is, in part, to reduce impediments to biomedical/bio-behavioral research subject recruitment. NIH provides
detailed instructions for investigators wishing to make an application. Detailed
application instructions for extramural scientists can be found at http://grants.nih.gov/grants/policy/coc/appl_extramural.htm.
Detailed application instructions for intramural scientists can be found at http://grants.nih.gov/grants/policy/coc/appl_intramural.htm.
Additional information is available on the Frequently Asked
The application, which should be submitted on the research institution's
letterhead, requires information about the PI, the grantee institution, and the
project. However, on a case-by-case basis, some NIH Institutes and Centers (ICs)
may require additional information in order to assist them in carrying out their
discretionary authority to issue Certificates of Confidentiality. Therefore, it
is important that applicants consult their funding IC prior to submitting an
application for a Certificate of Confidentiality. Investigators conducting
sensitive research that is not supported with NIH funds may apply for a
certificate through the NIH. They should contact the NIH IC that supports work
in the same substantive area. Alternatively, they can contact one of the ICs
serving as a Central Certificate Resource. For a list of Certificate contacts,
In addition to the completed form, the Principal Investigator (PI) will be required to provide documentation of Institutional Review Board (IRB) approval
and a copy of the informed consent forms as it would read if a Certificate of Confidentiality is obtained – explaining the Certificate, its protections and the circumstances in which voluntary disclosures might be made, i.e. to protect the subject or others from serious harm. The completed package should be sent to the Certificate Coordinator at the appropriate NIH IC.
In cases where a Certificate of Confidentiality is sought for a student
research project, the letter of application must be submitted on institutional
stationery and signed by three people: the student, the student's advisor or
other appropriate faculty member, and the Institutional Official. Also, NIH prefers that the faculty sponsor be designated as the PI on such applications instead of the student; a post-doctoral student can be listed as the co-PI. Moreover, the
IRB approval for a student research project must be issued jointly to the
student and the advisor or to the advisor with a copy to the student.
The Certificate is issued by the NIH based on the application from the PI for
a specific research project. The Certificate is granted to the investigator's
institution. If more than one institution is participating in a multi-site
project, the PI at the coordinating center or "lead" institution applies for the
Certificate on behalf of all sites, listing each participating unit, its address
and project director in the application. A single Certificate for such
multi-site projects is issued, and the lead institution is responsible for
distributing copies of the Certificate to each participating unit or site.
If the PI relocates to a new institution during the course of the project, he
or she should apply for an amendment to the existing Certificate. If there are
significant modifications to the project or the informed consent form, the PI
should contact the Certificate Coordinator that issued the Certificate.
Significant changes to the project may require a modification to the existing
Certificate or an application for a new Certificate if there is substantial
change in the scope of research. If the project is not completed in the time
specified in the application for the Certificate, the PI should apply for an
extension to the expected date of completion of the project. Requests for
modifications, amendments, and extensions should be submitted three months prior
to the date needed and should be accompanied by a reason for requesting it and
documentation of the most recent IRB approval.
Both the PI and the Institutional Official are required to sign the Certificate application. In doing so, they are agreeing to the assurances as stated in the application form. (See http://grants.nih.gov/grants/policy/coc/appl_extramural.htm.) The name, title, and address of the Institutional Official should be typed below the signature.
NIH Intramural Investigators may also apply for Certificates of
Confidentiality. Detailed instructions for Intramural investigators are
available at http://grants.nih.gov/grants/policy/coc/appl_intramural.htm.
When possible, an application for a Certificate should be made in conjunction
with initial or annual IRB review of research proposals. Intramural PIs should
complete the application form and attach a concise description of project aims
and research methods (this can be met by attaching a copy of the protocol), IRB
approval (memo signed by the IRB Chair), and a copy of the informed consent form
to be used in the study, as approved by the IRB. Completed packages should be
sent to the Certificate Coordinator at the appropriate NIH IC.