MSU HRPP Manual Section 2-2-H

Certificate of Confidentiality

Certificates of Confidentiality (CoC) protect the privacy of research subjects by prohibiting disclosure of identifiable, sensitive research information to anyone not connected to the research with limited exceptions.

All recipients of a CoC shall not:

  • Disclose or provide to any other person not connected with the research the name of such an individual or any information, document, or biospecimen that contains identifiable, sensitive information about such an individual and that was created or compiled for purposes of the research [except in the circumstances described below] 42 USC 241(d)(1)(B)
  • In any Federal, State, or local civil, criminal, administrative, legislative, or other proceeding, disclose or provide the name of such individual or any such information, document, or biospecimen that contains identifiable, sensitive information about the individual and that was created or compiled for purposes of the research [except in the circumstances described below] 42 USC 241(d)(1)(D)

Disclosure or use is permitted only when:

  • Required by Federal, State, or local laws [e.g., as required by the Federal Food, Drug, and Cosmetic Act, or state laws requiring the reporting of communicable diseases to State and local health departments], excluding instances [of disclosure in any Federal, State, or local civil, criminal, administrative, legislative, or other proceeding]; 42 USC 241(d)(1)(C)(i)
  • Necessary for the medical treatment of the individual to whom the information, document, or biospecimen pertains and made with the consent of such individual 42 USC 241(d)(1)(C)(ii)
  • Made with the consent of the individual to whom the information, document, or biospecimen pertains; or 42 USC 241(d)(1)(C)(iii)
  • Made for the purposes of other scientific research that is in compliance with applicable Federal regulations governing the protection of human subjects in research. 42 USC 241(d)(1)(C)(iv)

Identifiable, sensitive information protected under a CoC and all copies thereof, shall be immune from the legal process, and shall not, without the consent of the individual to whom the information pertains, be admissible as evidence or used for any purpose in any action, suit, or other judicial, legislative, or administrative proceeding. 42 USC 241(d)(1)(E)

Nothing in the CoC statute (42 USC 241(d)) shall be construed to limit the access of an individual who is a subject of research to information about themselves collected during such individual’s participation in the research. 42 USC 241(d)(3)

Identifiable, sensitive information collected by a person to whom a CoC has been issued and all copies are subject to the protections afforded by the CoC for perpetuity. 42 USC 241(d)(1)(F) However, if a CoC is no longer in effect (e.g., NIH funding has ended, CoC expiration has not been extended), the CoC would not protect research subjects who begin their participation as research subjects after the CoC protection ended.

The Michigan State University (MSU) Principal Investigator (PI) of a study that is protected by a CoC is responsible for assuring that CoC requirements are followed and for assuring that all study team members are aware of and are trained on the CoC protections.

Definitions

Identifiable, Sensitive Information

“Identifiable, sensitive information” means information that is about an individual and that is gathered or used during the course of research and—

(A) through which an individual is identified; or

(B) for which there is at least a very small risk, as determined by current scientific practices or statistical methods, that some combination of the information, a request for the information, and other available data sources could be used to deduce the identity of an individual. 42 USC 241(d)(4)

Research in which identifiable, sensitive information is collected or used includes research that:

  • Meets the definition of human subjects research, including exempt research in which subjects can be identified
  • Is collecting or using human biospecimens that are identifiable or that have a risk of being identifiable
  • Involves the generation of individual level human genomic data, or 
  • Involves any other information that might identify a person

Identifiable, sensitive information includes names or any information, documents, or biospecimens containing identifiable, sensitive information, such as names, address, social security or other identifying number, fingerprints, voiceprints, photographs, genetic information, tissue samples or any other item or combination of data about a research subject which could reasonably lead directly or indirectly by reference to other information to identification of that research subject.

How a CoC is Obtained

“If a person is engaged in biomedical, behavioral, clinical, or other research, in which identifiable, sensitive information is collected (including research on mental health and research on the use and effect of alcohol and other psychoactive drugs), the Secretary [HHS], in coordination with other agencies, as applicable—

(i) shall issue to such person a certificate of confidentiality to protect the privacy of individuals who are the subjects of such research if the research is funded wholly or in part by the Federal Government; and

(ii) may, upon application by a person engaged in research, issue to such person a certificate of confidentiality to protect the privacy of such individuals if the research is not so funded.” 42 USC 241(d)(1)(A) [added]

The CoC process depends upon the funding of the research study. A CoC may be automatically issued or an application may be submitted to a U.S. Department of Health and Human Services (HHS) federal agency to apply for a CoC.

HHS National Institutes of Health

As a term and condition of award, a CoC is automatically issued to all ongoing or new research funded by U.S. Department of Health and Human Services (HHS) National Institutes of Health (NIH) as of December 13, 2016 that is collecting or using identifiable, sensitive information with limited exceptions (e.g., T awards). See NIH Policy, Notice of Changes to NIH Policy for Issuing Certificates of Confidentiality (NOT-OD-17-109).

Examples of research automatically covered by a CoC include:

  • Biomedical, behavioral, clinical or other research, including exempt research, except where the information obtained is recorded in such a manner that human participants cannot be identified or the identity of the human participants cannot readily be ascertained, directly or through identifiers linked to the participants.
  • The collection or use of biospecimens that are identifiable to an individual or for which there is at least a very small risk that some combination of the biospecimen, a request for the biospecimen, and other available data sources could be used to deduce the identity of an individual.
  • The generation of individual level, human genomic data from biospecimens, or the use of such data, regardless of whether the data is recorded in such a manner that human participants can be identified or the identity of the human participants can readily be ascertained.
  • Any other research that involves information about an individual for which there is at least a very small risk, as determined by current scientific practices or statistical methods, that some combination of the information, a request for the information, and other available data sources could be used to deduce the identity of an individual

HHS Centers for Disease Control and Prevention

As a term and condition of award, a CoC is automatically issued to all ongoing or new research funded by the Centers for Disease Control and Prevention (CDC) that is collecting or using identifiable, sensitive information.

HHS Agency for Healthcare Research and Quality

The Agency for Healthcare Research and Quality (AHRQ) has its own confidentiality requirements which may apply. If research is funded by AHRQ or is operating under the authority of the AHRQ, that agency’s procedures are followed. Given the scope of the statute’s protections, AHRQ has stated that it is unnecessary for AHRQ recipients to hold a CoC for research projects. See 42 USC Section 299c-3, Dissemination of information, and NOT-HS-18-012, Confidentiality in AHRQ-Supported Research.

HHS Food and Drug Administration

The Food and Drug Administration (FDA) issues CoCs related to the study of products subject to FDA jurisdiction and to which FDA regulations apply. For non-federally funded research, the FDA may issue discretionary CoCs on a case-by-case basis upon application to the FDA. See the FDA Certificate of Confidentiality Guidance for Sponsors, Sponsor-Investigators, Researchers, Industry, and Food and Drug Administration staff for guidance on the process.  

Other HHS Agencies (excluding NIH, CDC, AHRQ, FDA)

Other HHS agencies, including Health Resources & Services Administration (HRSA), Substance Abuse and Mental Health Services Administration (SAMHSA), and Indian Health Service (IHS), issue CoCs. If research is funded by one of these agencies, that agency’s procedures are followed to obtain a CoC.

If research is funded by an HHS agency other than NIH, CDC, FDA, HRSA, SAMHSA, or IHS that does not issue CoCs, NIH issues CoCs on behalf of these HHS agencies for specific health-related projects using sensitive, identifiable information.

Department of Justice

The NIH does not issue CoCs for research funded by the U.S. Department of Justice (DOJ) because the DOJ has its own privacy regulations. See HRPP Manual 2-2-C, U.S. Department of Justice.

Non-HHS Federal Agencies, Non-Federal Funders, or Internally Sponsored Research

A CoC may be requested from NIH for health-related research in which identifiable, sensitive information is collected or used. Issuance of a CoC continues to be at the discretion of NIH.

For these types of studies, a CoC is only issued for research projects that are:

  • Collecting or using identifiable, sensitive information
  • On a topic that is within the HHS health-related research mission
  • Storing the research information collected or used in the US

MSU Human Research Protection Program CoC Process

When an Institutional Review Board (IRB) submission is received that may involve a CoC, the Human Research Protection Program (HRPP) manager or designee is assigned to obtain information from the Principal Investigator (PI) of the study regarding the CoC requirements, including informed consent. This includes requests to use an External IRB.

When a CoC is applied for, it must be applied for by the PI. The HRPP manager or designee will work with the PI to help facilitate the CoC application process. However, only the MSU Institutional Official, the Assistant Vice President for Regulatory Affairs, or their designee may submit or sign any Institutional Assurances required as part of the CoC application process. Once the CoC application is submitted, the PI will submit a copy of the CoC application to the HRPP. The PI will notify the HRPP of the status of the CoC (issued, not issued). If the CoC is issued, the PI will submit a copy of the CoC through an IRB submission (e.g., as part of the new study submission or as a modification).

The IRB may also request that the PI apply for a CoC.

Informed Consent

When a researcher is issued a CoC and consent will be obtained, subjects must be informed about the protections provided by the CoC and any exceptions to those protections (e.g., public health reporting as required by Federal, State, or local laws, or requirements for child or elder abuse reporting). Sample informed consent language may be made available by federal agencies (e.g., NIH, CDC).

Participants who consented prior to a change in the CoC authority or prior to the issuance of a CoC are not expected to be notified that the protections afforded by the CoC have changed, nor are previously consented participants expected to be re-contacted to be informed of the CoC, although the IRB may determine whether it is appropriate to inform participants.

Research participants entering the project after expiration or termination of the CoC will be informed that the protection afforded by the CoC does not apply to them.

CoC informed consent requirements apply to both exempt and non-exempt research. Informed consent for exempt research must include the CoC information for the entire period where a CoC is in effect for the study.

If the status of the CoC is pending at the time of the MSU IRB submission (e.g., funding is pending, CoC application is pending), the IRB may determine that enrollment of subjects cannot begin until the status of the CoC is verified.

Significant Changes

If significant changes are proposed to a research study, the requirements of the federal agency issuing the CoC must be followed. If a significant change is proposed to the study, the PI must notify the HRPP so they may assist with the CoC requirements.

NIH Issued CoC For a Study Not Funded by NIH

If NIH has issued a CoC for a study not funded by NIH through its application process, the protection afforded by a CoC does not extend to significant changes in the research project. Significant changes include changes in the personnel having major responsibilities in the research project, major changes in the scope or direction of the research protocol, or changes in the drugs to be administered and the persons who will administer them. If there is a significant change in the research project after a CoC is issued, a new CoC request must be submitted to NIH.

Other HHS Agencies that Issue Their Own Certificates

For other HHS agencies that issue their own certificates, the requirements related to significant changes will follow the procedure set forth by the issuing agency.

Subrecipients or Secondary Researchers

Identifiable, sensitive information collected by a person to whom a CoC has been issued and all copies are subject to the protections afforded by the CoC for perpetuity.

Recipients of CoCs are required to ensure that any investigator or institution who receives a copy of identifiable, sensitive information protected by a CoC understands they are also subject to the requirements of the CoC (42 USC 241(d)), and are responsible for ensuring that collaborators that are carrying out part of the research involving a copy of identifiable, sensitive information protected by a CoC understand they are also subject to the CoC requirements. This means that subrecipients who receive funds to carry out part of the award for which a CoC is issued are also protected by the CoC and subject to its requirements. Recipients are expected to inform subrecipients of the CoC protections and ensure that the subrecipients comply with the requirements. If MSU is a subrecipient of an award for which a CoC has been issued, MSU must also comply with the CoC requirements if engaged in research with identifiable, sensitive information.

If a secondary researcher receives information protected by a CoC, the secondary researcher is required to uphold the protection of the CoC. Recipients of a CoC are expected to inform secondary researchers when information disclosed to them is protected by a CoC.

Multi-Site Studies

NIH Issued CoC For a Study Not Funded by NIH

For multi-site projects, a coordinating center or lead institution can request and receive a CoC on behalf of all member institutions. This is for studies in which the same protocol, or aspects of the same protocol, are being conducted at multiple sites.

The lead site:

  • Is expected to maintain a list of all performance sites, including addresses and project director names.
  • Should obtain signed assurances from each participating institution. These should be kept by the lead institution and made available to NIH by request.
  • Is responsible for ensuring that each site’s consent forms contain appropriate language describing the CoC and should work with the IRB to review consent form language.
  • Should provide a copy of the CoC to each participating institution after the CoC has been issued.
  • Should develop appropriate agreements with the participating institutions to implement the CoC requirements.

Researchers do not need to amend or request a new CoC when a performance site is added to a multi-site research project. The lead site should maintain a current list of all performance sites, addresses and project director names.

If MSU is requested to serve as the lead site for a CoC application, MSU has the discretion to decline to submit the CoC on behalf of all institutions.

Other HHS Agencies that Issue Their Own Certificates

For other HHS agencies that issue their own certificates, the requirements related to multi-site studies will follow the procedure set forth by the issuing agency.

International Research

NIH or CDC Funded

A CoC is automatically issued, regardless of where the research is occurring or where the data is being maintained. However, if the data is held in a foreign country, the CoC may not be effective.

NIH Issued CoC For a Study Not Funded by NIH

If data is being collected from subjects in a foreign country, a CoC may be issued if the data are maintained within the U.S. If the data are maintained only in the foreign country, a CoC may not be effective and will generally not be issued.

Other HHS Agencies that Issue Their Own Certificates

For other HHS agencies that issue their own certificates, the requirements related to international research will follow the procedure set forth by the issuing agency.

CoC Expiration Date

A CoC protects the information that was collected or used during the period for which the CoC was in effect. The PI is responsible for tracking the expiration of the CoC, and any requests to update or file a new CoC should be submitted by the PI to allow adequate time to receive an updated or new CoC prior to the expiration of the current CoC.

If the CoC will be expiring (e.g., funding ends, CoC application end date occurs) and the PI plans to collect new data from research participants after the expiration, the PI will need to determine whether to extend the CoC or request a new CoC (e.g., funding ends). A Report of New Information should be submitted for a project requesting a new or updated CoC prior to submission of the CoC so the HRPP can facilitate the CoC request process. If the PI decides not to extend or request a new CoC, the study will need to be modified, the consent form will need to be changed, and the IRB may need to consider how already enrolled subjects are notified.

NIH Funded Research

For NIH funded research, a CoC protects the information that was collected or used during the period in which the research is funded by NIH. If a research project was issued a CoC and continues under a no-cost extension, the research is covered by the CoC for the duration of the no-cost extension.

If the study continues after the NIH funding ends and the researcher wants CoC protection for new information that will be collected, a CoC should be requested following the process for non-NIH funded research.

CDC Funded Research

If CDC funding will or has ended but the collection of new data from research participants will continue without CDC funding, the study will lose the CoC protection for new data collected from research participants. In this case, the PI will want to consider applying for a CoC.

For All Other Issued CoCs

For an NIH issued CoC for a study not funded by NIH and for other HHS agencies that issue their own certificates, the expiration date will follow the procedure set forth by the issuing agency.

CoC Issued Prior to 21st Century Cures Act

All CoCs issued prior to December 13, 2016 (the date that the 21st Century Cures Act was signed into law) or prior to the October 1st, 2017 effective date of the NIH Policy are also subject to the protections and requirements of 42 USC 241(d). The updated protections and requirements apply to all CoCs issued by NIH, including those issued prior to the law’s enactment.

Requests to Release Sensitive Identifiable Information

If a researcher receives a request to release sensitive identifiable information that is not permitted under the CoC or if the researcher is unsure whether a release is permitted, please contact the MSU Human Research Protection Program (HRPP). The HRPP will consult with the Office of the General Counsel.

Approved By

Vice President for Research and Innovation on 11-3-2021.

This policy and procedure supersedes those previously drafted.

Related HRPP Manual Sections

  • None