David Kosub: Hello and welcome to another edition of NIH’s All About Grants podcast. I’m your host, David Kosub, with the NIH’s Office of Extramural Research. And today we’ll be talking about an important issue for the protection of human participants in our NIH-funded clinical research, and that’s related to certificates of confidentiality. We have with us Lyndi Lahl, she is a human subjects officer within OER’s division of human subjects research. Thanks for being with us.
Lyndi Lahl: Thank you.
David Kosub: So the first question I’d like to start off with is: what is a certificate of confidentiality?
Lyndi Lahl: So, certificates of confidentiality are issued by NIH and a few other HHS other agencies. They help minimize the risk to participants who are enrolled in research, such as biomedical, behavioral, or clinical research, by adding an additional layer of protection for maintaining confidentiality of private information. And the certificate actually legally prohibits disclosure of identifiable research information except under limited circumstances.
David Kosub: So could we actually get into that a little bit more? What do you mean by “legally prohibiting disclosure”?
Lyndi Lahl: Yeah, so, with limited exception, researchers are not allowed to disclose the name or any information, documents, or biospecimens that contain identifiable, sensitive information for participants enrolled in a research study that is covered by a certificate.
It prohibits disclosure in response to legal demands, such as a subpoena, and it protects information even if that information is disclosed elsewhere.
David Kosub: So, let’s get into some nuts and bolts questions. How does somebody actually obtain a certificate of confidentiality?
Lyndi Lahl: Yeah, that’s a great question. So for researchers that have NIH funding, there is no separate application process needed. Many of the research studies that NIH funds, that are either partially or fully funded by NIH, are automatically deemed “issued a certificate” underneath the certificate policy. And when there is this deemed “issued a certificate,” the investigators and institutions must comply with the disclosure requirements under the certificate.
David Kosub: Where can someone find the certificate that might be associated with their study, is it a term and condition of award?
Lyndi Lahl: Well, it is a term and condition of the award. So, NIH used to provide physical certificates, but we no longer provide those physical certificates that a specific NIH-funded study is covered by a certificate. So, awardees are automatically deemed to have been issued a certificate.
The certificate is not a physical document, like I said before, and it is an automatic process that they get a certificate. So, an investigator would want to look at their terms and conditions of the award, their NIH grants policy statement, and the NIH certificate of confidentiality policy to serve as documentation for that specific study.
David Kosub: Well, what about when the project stops and the funding stops, what happens to the protections afforded under the certificate?
Lyndi Lahl: Yeah, that’s a great question. The data that is collected under an active certificate is protected indefinitely. However, data may not be protected if it’s collected after the certificate expires or after NIH funding ends.
David Kosub: Can certificate protections be continued after funding stops?
Lyndi Lahl: Yes, they can. So, investigators can apply for a certificate on the NIH certificate website. The website has specific instructions and frequently asked questions to assist investigators and their institutions who are interested in applying for a certificate.
David Kosub: What about for those who are not NIH-funded, can they get a certificate?
Lyndi Lahl: They can. NIH funding is not required to issue a certificate. Investigators who are conducting human subjects research can apply for a certificate on the NIH certificates of confidentiality website, and that’s regardless of their funding source.
David Kosub: So, earlier you mentioned that certificates have been deemed to be issued to most NIH-funded studies, how does one know if theirs is one of them?
Lyndi Lahl: Yeah, so, it’s up to the institution and the investigator to determine if that certificate policy applies to their study, and then would therefore be deemed issued a certificate. So, they have to ask a series of questions, and the first question is that, is there activity, biomedical, behavioral, clinical, or other research? If the answer is no to that question, then we know that there is no certificate that’s been deemed issued.
David Kosub: What about on the flip side, what if it is considered research?
Lyndi Lahl: Yeah, so there are other questions then that the investigator and institution would want to ask, and if the answer to any of those questions is yes, then they would be deemed issued.
So, the first question is “does the research involve human subjects, as defined by the Revised Common Rule?”
The second would be “is the investigator collecting or using biospecimens that are identifiable to an individual as part of the research?”
The third question: “if collecting or using biospecimens as part of the research, is there some risk that some combination of the biospecimen or request for the biospecimen, or other available data sources could be used to deduce the identity of the individual?”
And then the fourth question is “does the research involve the generation of the individual-level human genomic data?”
David Kosub: So, moving on to a slightly different topic, do the certificate protections apply to the data collected from a sub-recipient?
Lyndi Lahl: Yeah, the sub-recipients are also protected by the certificate and they also need to comply with the certificate requirements. So, the protections of the certificate apply to all copies of information that’s collected or used by the investigator, including those copies that are shared for other research, such as secondary research activities.
So, NIH expects investigators to inform sub-recipients or anyone else who receives a copy of the data, of those certificate protections. And in addition, the investigator is expected to ensure that the subrecipients comply with certificate requirements.
David Kosub: At the very beginning, you mentioned some disclosure requirements. Can we jump back to that and have you tell us a bit more about that?
Lyndi Lahl: So, disclosure is not allowed except under limited circumstances. So, an investigator is not allowed to disclose identifiable research information in any federal, state, or local civil, criminal, administrative, legislative, or other proceeding. And in addition, the investigator is not allowed to disclose identifiable research information to any other person who is not connected with the research.
David Kosub: So, when might disclosure be allowed?
Lyndi Lahl: Yep, that’s important to know. There are three circumstances when disclosure is allowed.
So, first, if the participant gives permission to disclose, then that would be allowed. And then an instance would be when a participant asks an investigator to send research results to their primary doctor.
The second time when disclosure is allowed: if a federal, state, or local law requires reporting of certain activities such as child abuse or elder abuse, or reporting certain infectious diseases such as tuberculosis, salmonella, food poisoning. So, we really encourage investigators and institutions to familiarize themselves with laws in their area that would require these mandatory disclosure reportings.
And then the third disclosure that’s allowed is for a different research project, as long as the other research is compliant with the applicable federal human subjects regulations. So, an example of this is when an investigator provides a sample of participant stored blood to a colleague who is conducting research on blood, and they’ve already received IRB approval for the research activity.
David Kosub: And, going back to the subpoena issue, what happens if someone does receive a subpoena requesting the data that might be protected under a certificate?
Lyndi Lahl: Yeah, so in most cases the certificate is going to prevent disclosure of information by a subpoena. However, NIH recommends that the investigator immediately seek legal counsel from his or her institution if they do receive a subpoena. And in addition, we would recommend that the investigator always check with their legal counsel at their institution whenever there’s a question about what the certificate would and would not cover.
David Kosub: Well, what about in a situation where personally identifiable sensitive information on participants may have been disclosed without their consent?
Lyndi Lahl: Yeah, NIH considers this a very serious offense and it’s in violation of the certificate policy and it would be considered noncompliance with the terms and conditions of their NIH award. So, enforcement actions may include some really bad things, such as disallowing costs, withholding of further award, or suspending or terminating their grant.
David Kosub: Definitely important information to know. Any final thoughts you’d like to leave with our audience related to certificates?
Lyndi Lahl: Yeah, I just want to reiterate the importance of the certificate of confidentiality, the protections that it provides, and to make sure that everyone is aware that NIH is interested and willing to work with investigators to help answer questions and to protect the human participants in their studies.
David Kosub: Wonderful. Thank you very much, Lyndi, for this opportunity to hear more about the certificates of confidentiality. For those who want more information, please do visit our NIH grants page on certificates of confidentiality, and you’re also welcome to send an email directly to firstname.lastname@example.org.
This has been David Kosub with NIH’s All About Grants. Thank you.