Fred Hutch Cancer Center
Contact Information

206.667.5900

Mailing address:
Fred Hutch Cancer Center
Institutional Review Office
1100 Fairview Ave. N.
Mail Stop J2-100
Seattle, WA 98109

Contact Information

Last Modified: 11-07-24

Certificates of Confidentiality

On this page

Purpose and Applicability

This guidance provides researchers with a summary of how federal Certificates of Confidentiality (CoC) are issued and the protections they afford. The most complete and detailed information can be found on the websites of the agencies that issue the Certificates, particularly the National Institutes of Health (NIH) CoC webpage.

 

What is a CoC?

A Certificate of Confidentiality (CoC) is a legal protection that some federal agencies can issue to researchers to protect identifiable sensitive information collected as part of a study. A CoC restricts when such information may be disclosed. It allows researchers to refuse to disclose the name or any information, documents, or biospecimens containing identifiable information about the research subjects. The Certificate specifically prohibits disclosure of the information in response to legal demands, such as a subpoena.

 

What information is protected?

The 21st Century Cures Act, passed on December 13, 2016, significantly broadened the type of information that is protected by a CoC, by essentially interpreting “sensitive” to mean “identifiable or possibly identifiable.” This broad definition applies to all current, future, and past CoCs because the 21st Century Cures Act was explicitly written by Congress to be retroactive. The following types of research should be considered to include identifiable, sensitive information:

  • All human subjects research, including exempt research (except category 4 exempt research on de-identified information or biospecimens). 
  • Research involving the collection or use of biospecimens that are identifiable to an individual OR for which there is at least a very small risk that some combination of the biospecimen, a request for the biospecimen, and other available data sources could be used to deduce the identity of an individual.
  • Research that involves the generation of individual-level, human genomic data from biospecimens, or the use of such data, regardless of whether the data are identifiable or whether the identity of the human subjects can readily be ascertained.
  • Any other research that involves information about an individual for which there is at least a very small risk, as determined by current scientific practices or statistical methods, that some combination of the information, a request for the information, and other available data sources could be used to deduce the identity of an individual.

NOTE:  If a Fred Hutch researcher receives a subpoena for data, whether that data is protected by a CoC or not, you should always consult with the Fred Hutch Office of General Counsel immediately.

Return to top

 

How do I know if I need a CoC?

Many federal agencies automatically issue CoCs as a term of the grant or contract (see below).

Additionally, a need to obtain a non-automatic CoC may be identified by the researcher, the sponsor, or the IRB in order to protect subject confidentiality. Researchers should consider applying for a CoC to protect participants’ information that, if disclosed, could have significant negative consequences to the participants such as damage to their financial standing, employability, insurability or reputation (e.g., research about HIV, AIDS, other STDs; use of alcohol, drugs, or other addictive products; illegal behaviors; etc.).  The IRB may require a researcher to apply for a CoC in this context.

Return to top

 

Who issues CoCs and how do I get one? How do I know if one is automatically issued based on my funding?

CoCs are issued by the Department of Defense (DoD) and agencies of the Department of Health and Human Services (HHS), including NIH. The table below provides agency-specific information about how CoCs are granted.

For multi-site studies, a coordinating center or lead institution can apply for a CoC on behalf of all participating sites.

AgencyProcess for Obtaining a CoCOther Information
National Institutes of Health (NIH)

Automatically issued as a term of the grant or contract for NIH-funded research that involves collection of sensitive identifiable information.

Researchers without NIH funding may submit an application for a NIH CoC. CoC requests for research not funded by NIH are issued at the discretion of NIH and will not be issued for a research “program” (i.e., research that involves multiple projects, studies or protocols.)

F and K training awards describe specific projects and are issued auto-CoCs.

In general, T awards fund a trainee to work for a short period on a mentor’s project and are not automatically issued CoCs.

Centers for Disease Control (CDC)Automatically issued as a term of the grant or contract for CDC-funded research that involves collection of sensitive identifiable information.CDC automatically issues CoCs for research with active CDC funding.
There is no application process to obtain a CoC from CDC.
Food & Drug Administration (FDA)*

Automatically issued as a term of the grant or contract for FDA-funded* research that involves collection of sensitive identifiable information.

*Note:  FDA here refers only to funding or other support, not to whether the FDA has oversight of the research. Research subject to FDA oversight but not funded by FDA does not automatically receive a Certificate of Confidentiality.

For non-federally funded research operating under an IDE or IND, the FDA will consider requests to issue a discretionary CoC.

Review this Guidance for instructions on requesting a discretionary CoC from the FDA.
Health Resources & Services Administration (HRSA)

Automatically issued as a term of the grant or contract for HRSA-funded research that involves collection of sensitive identifiable information.

-
Biomedical Advanced Research and Development (BARDA)Automatically issued as a term of the grant or contract for BARDA-funded research that involves collection of sensitive identifiable information.-
Substance Abuse & Mental Health Services Administration (SAMHSA)Can be requested for studies with a SAMHSA grant or contract and that involve collection of sensitive identifiable information.-
Department of DefenseContact the DoD Human Research Protection Office for information-
Other federal agencies and non-federally funded research

Contact the federal agency for information.

For non-federally funded research, apply for a NIH CoC.

For non-federally funded research, review the next section of this guidance, “How do I apply for a CoC if I don’t have an automatic CoC with my funding?”

Return to top

 

How do I apply for a CoC if I don’t have an automatic CoC with my funding?

To request a CoC from the NIH, follow the instructions below. If you prefer to request a CoC from a different federal agency, visit their website for instructions.

  1. Prepare the CoC application. Use the NIH Online Certificate of Confidentiality System. Relatively minimal information is provided by the applicant in short text fields. See the NIH Requesting a Certificate of Confidentiality for Non-NIH Funded Research webpage for details about what information is required.
  2. Institutional Assurance Statement. This is provided by the Fred Hutch Office of Sponsored Research (OSR). Review information on OSR’s webpage
  3. Send a copy of the agency’s response to the IRB with a modification.
  4. If the CoC is granted:  Subject recruiting can begin when the IRB acknowledges the CoC, any Conditional Approval requirements have been fulfilled and accepted by the IRB, and the approved consent form has been provided to the researcher.
  5. If the agency denies the CoC request:  Researchers should work with the Privacy Office, IT, and/or the IRB to determine how to manage or mitigate the confidentiality risks of the study.

Return to top

 

How long do the protections last and what is the meaning of the CoC expiration date?

Data collected under an active CoC are permanently protected. This includes any data collected prior to obtaining the CoC because protections are retroactive. Protection for the data collected under the active CoC continues even after study funding has ended and the study has been completed. The data remain protected even when shared with another researcher or institution, and you must communicate that protection when sharing the data (including specimens) with them.

Data collected after the CoC has expired are not protected, even if the data are being collected from subjects who were enrolled under an active CoC.

Expiration of CoC protections differs depending on the circumstances under which it was issued and the agency issuing the CoC.

  • CoCs issued as a term of the grant or contract:  The CoC expires when the funding expires, including any no-cost extensions.
  • CoCs granted by NIH through an application process:  CoCs granted prior to 01/12/2021 list an expiration date. CoCs granted after 01/12/2021 expire when collection or use of identifiable, sensitive information concludes (i.e., when the study ends).
  • Other CoCs:  Check with the issuing agency for information about expiration.
CoC Diagram
Visual of how CoC protections work

Return to top

 

Are there limitations to CoC protections?

The CoC does not prevent the subject, or members of their family, from sharing information about themselves or their part in the research.

The CoC does not prevent researchers from voluntarily providing information to:

  • Members of the federal government with regulatory oversight over the research (e.g., FDA), sponsoring agencies, or institution(s) conducting the research for purposes of auditing, evaluation, or ensuring ethical and compliant conduct of the research
  • An insurer, employer, or other person when the subject has given written consent to release the information
  • To individuals who want to conduct secondary research if allowed by federal regulations and when the subject has provided consent for future research
  • To the appropriate authorities if evidence of mandatory reporting is revealed during conduct of the research (e.g., child abuse, elder abuse, intent to harm self or others)

A CoC protects research records. When the subject has given consent to have their research information placed in a medical or other record, the CoC protections may not extend to those non-research records. Consult with OGC as needed.

Return to top

 

Can the expiration date be extended?

If a study team would like to collect data beyond the expiration of the CoC (or beyond the end of the funding for an automatically issued CoC), you must apply for a new CoC

The Fred Hutch IRB strongly recommends that you apply for a new CoC in order to cover any new data collected from already enrolled participants or any new participants.

Return to top

 

Under what circumstances does a CoC need to be amended?

A CoC must be amended (modified) if a significant change is being made to a research project. Significant changes include, but are not limited to:

  • Major changes in the scope or direction of the research protocol
  • Adding a new subject population
  • Adding the collection of additional types of identifiable sensitive data
  • Changes in personnel having major responsibilities for the project (e.g., PI)
  • Changes in the drugs to be administered

The NIH website and SAMHSA website have instructions for amending a CoC. The CDC website notes that their CoCs do not need to be amended. Consult directly with other agencies for information about amending their CoCs.

Return to top

 

What if I’m conducting research internationally?

Data collected from participants recruited in another country are protected by the CoC if the data are maintained within the U.S. If the data are maintained only in the foreign country, a CoC may not be effective. Please contact the Fred Hutch Office of the General Counsel for assistance in determining the application of a CoC to your research.


Return to top

 

How does obtaining a CoC involve the IRB?

IRB approval.  The IRB may require the researcher to obtain a CoC as a condition for IRB approval. The IRB may require this if the study will collect information that, if disclosed, could have significant negative consequences to the participants, such as damage to their financial standing, employability, insurability or reputation (e.g., HIV, AIDS, other STDs; use of alcohol, drugs, or other addictive products; illegal behaviors; etc.).

Studies that are automatically issued a CoC by the funding agency do not need to provide anything to the IRB. If a CoC is actively applied for, documentation of the issuance of the CoC should be submitted to the IRB via a Modification.

Informed consent. For studies that will obtain informed consent, participants must be told about the protections provided by the Certificate and any exceptions to those protections (e.g., state mandatory reporting). The Fred Hutch IRB has standardized language that can be used for this purpose; see the model consent templates.

If the coverage of a CoC changes during the study, such as if the research was NIH funded and the NIH funding ends (meaning new data collected or used are not automatically protected by a CoC), the IRB may require that:

  • the researcher apply for a new CoC to cover the remainder of the study data collection period (preferred), or
  • the consent form to be updated accordingly and participants either re-consented or at a minimum notified of the change in protections.

The notification process may not be required depending on the language that was originally included in the consent form. Consult with IRO@fredhutch.org with questions about this.

Return to top

 

What are the researcher responsibilities associated with having a CoC?

1.    Do not disclose or provide covered information:

  • In any Federal, State, or local civil, criminal, administrative, legislative, or other proceeding; or
  • To any other person not connected with the research.

2.    Disclosure of covered information is allowed ONLY:

  • If required by other federal, state, or local laws, such as for reporting of communicable diseases;
  • If the participant consents; 
  • If necessary for the medical treatment of the participant and made with the consent of the participant; or
  • For the purposes of scientific research that is compliant with human subjects regulations.

3.    Inform the study participants about the CoC, as described above.

4.    Inform recipients of information covered by the CoC that they are also subject to the requirements of the CoC (for example, transfers of identifiable data or biospecimens to other researchers). Contact the Office of General Counsel for guidance about CoCs and data and material transfer and use agreements.

5.    CoC does not protect disclosure of information to other individuals or institutions when the participant has requested it and provided authorization for the release (though other legal constraints may apply).

Return to top

 

What if there is a request to access CoC-protected data?

If any member of the study team at any site receives a request that they believe cannot be met because it is not a permitted disclosure, they should inform their division director, the Fred Hutch Office of General Counsel (legal@fredhutch.org), and the Privacy Office (privacy@fredhutch.org) immediately.

NOTE:  If a Fred Hutch researcher receives a subpoena for data, whether protected by a CoC or not, you should always contact the Fred Hutch Office of General Counsel and the Privacy Office to assist.

Return to top

 

How do CoC protections intersect with other privacy and data protections?

Department Of Justice (DoJ) Privacy Certificate. Research that is covered by a Department of Justice (DOJ) Privacy Certificate does not need to apply for a CoC. The DOJ Certificate provides essentially the same protections.

Agency for Healthcare Research & Quality (AHRQ) Confidentiality Statute. Research funded by the federal AHRQ does not need to apply for a CoC. An AHRQ confidentiality statute provides similar protections.

Return to top

 

References

Centers for Disease Control, “Certificates of Confidentiality for CDC Funded Research”

Department of Defense, “Directorate of Human Research Protections (DOHRP)”

Food & Drug Administration Guidance, “Certificates of Confidentiality”

Health Resources & Services Administration, “HRSA Policy Updates: Certificates of Confidentiality for HRSA-Supported Research”

National Institutes of Health, “Certificates of Confidentiality”

Substance Abuse & Mental Health Services Administration, “Certificate of Confidentiality”

Return to top