Grants and Funding

  Public FAQs  Public FAQs
  NIH Staff FAQs  NIH Staff FAQs
Frequently Asked Questions
Certificates of Confidentiality
Last Revised: June 20, 2011

  A. General Information on Certificates and the Protections Provided

  1. What is a Certificate of Confidentiality?
  2. What is the effect of a Certificate? What protection does it afford?
  3. How long does a Certificate's protection last?
  4. In what situations may personally identifiable information protected by a Certificate be disclosed?

  B. Definitions

  1. What is meant by sensitive information?
  2. What does identifying characteristic mean?
  3. You indicate that both the PI and the Institutional Official must sign the application for a Certificate. What do you mean by "Institutional Official"?

  C. Eligibility for a Certificate

  1. Who may apply for a Certificate of Confidentiality?
  2. What kind of research is eligible for a Certificate?
  3. Can you give some examples of research projects that are eligible for a Certificate?
  4. What studies would NOT be eligible?
  5. I am planning two different studies that will involve human subjects from two different populations. Both studies will collect sensitive information. Can I apply for one Certificate to cover both projects?
  6. I am planning a multi-site trial to study the efficacy of a new intervention. Does each site need a separate Certificate of Confidentiality?
  7. I am collecting data from subjects recruited in a foreign country. Can I get a Certificate of Confidentiality?
  8. I am an intramural scientist working on a clinical HIV study at the NIH. If the Federal Privacy Act applies to my research, do I still need a Certificate of Confidentiality?
  9. Can non-faculty members (students or pre-, post-doctoral fellows) apply for a certificate for their research?

  D. Certificate Application Process

  1. Who may apply for a Certificate of Confidentiality?
  2. Is NIH required to give all who apply a Certificate of Confidentiality?
  3. To whom should I apply for a Certificate of Confidentiality?
  4. What if I am not sure to which NIH Institute I should apply?
  5. May I apply for a Certificate if the Federal government does not fund my research project?
  6. Can I apply online?
  7. When should I apply for a Certificate?
  8. You indicate that both the PI and the Institutional Official must sign the application for a Certificate. What do you mean by "Institutional Official"?

  E. For Studies That Have a Certificate

  1. What is the researcher's responsibility to participants regarding a Certificate of Confidentiality?
  2. What if there is a significant change in my research project after a Certificate is issued?
  3. What do you mean by significant changes?
  4. What happens once I submit an amended application?
  5. What if my research project extends beyond the expiration date on the Certificate?
  6. I'm conducting a longitudinal study. I just got a Certificate of Confidentiality. Part of my cohort was recruited prior to issuance of the Certificate, but they are no longer actively participating in the study. What do I do?
  7. In what situations may personally identifiable information protected by a Certificate be disclosed?

  F. Legal Considerations

  1. Has the legality of Certificates been challenged?
  2. What should an investigator do if legal action is brought to release personally identifying information protected by a certificate?

  G. Certificate of Confidentiality vs Other Privacy and Data Protections

  1. Does the Privacy Rule preclude the need for Certificates of Confidentiality?
  2. If I am conducting a sensitive research project that is covered by the AHRQ confidentiality statute (42 U.S.C. section299a-1(c) entitled “limitation on use of certain information”) or the Department of Justice confidentiality statute (42USC section 3789g), should I also apply to the NIH for a Certificate of Confidentiality?
  3. Does the Patriot Act affect the Certificate of Confidentiality protections?
Back to Top

  A. General Information on Certificates and the Protections Provided

  1. What is a Certificate of Confidentiality?
    A Certificate of Confidentiality helps researchers protect the privacy of human research participants enrolled in biomedical, behavioral, clinical and other forms of sensitive research. Certificates protect against compulsory legal demands, such as court orders and subpoenas, for identifying information or identifying characteristics of a research participant.
  2. What is the effect of a Certificate? What protection does it afford?
    Researchers can use a Certificate to avoid compelled "involuntary disclosure" (e.g., subpoenas) of names and other identifying information about any individual who participates as a research subject (i.e., about whom the investigator maintains identifying information) during any time the Certificate is in effect. It does not protect against voluntary disclosures by the researcher, but those disclosures must be specified in the informed consent form. A researcher may not rely on the Certificate to withhold data if the participant consents in writing to the disclosure.
  3. How long does a Certificate's protection last?
    Individuals who participate as research subjects (i.e., about whom the investigator maintains identifying information) in the specified research project during any time the Certificate is in effect are protected permanently- even if the subject gave the researcher data before the Certificate is issued.
  4. In what situations may personally identifiable information protected by a Certificate be disclosed?
    Personally identifiable information protected by a Certificate may be disclosed under the following circumstances:
    • Voluntary disclosure of information by study participants themselves or any disclosure that the study participant has consented to in writing, such as to insurers, employers, or other third parties;

    • Voluntary disclosure by the researcher of information on such things as child abuse, reportable communicable diseases (http://grants.nih.gov/grants/policy/coc/cd_policy.htm);, possible threat to self or others, or other voluntary disclosures provided that such disclosures are spelled out in the informed consent form;

    • Voluntary compliance by the researcher with reporting requirements of state laws, such as knowledge of communicable disease, provided such intention to report is specified in the informed consent form (see Attachment D, which sets forth PHS policy on reporting of communicable diseases); or

    • Release of information by researchers to DHHS as required for program evaluation or audits of research records or to the FDA as required under the federal Food, Drug, and Cosmetic Act (21 U.S.C. 301 et seq.)



Back to Top

  B. Definitions

  1. What is meant by sensitive information?
    Sensitive information includes (but is not limited to) information relating to sexual attitudes, preferences, or practices; information relating to the use of alcohol, drugs, or other addictive products; information pertaining to illegal conduct; information that, if released, might be damaging to an individual's financial standing, employability, or reputation within the community or might lead to social stigmatization or discrimination; information pertaining to an individual's psychological well-being or mental health; and genetic information or tissue samples.
  2. What does identifying characteristic mean?
    Identifying characteristics include things such as: name, address, social security or other identifying number, fingerprints, voiceprints, photographs, genetic information or tissue samples, or any other item or combination of data about a research participant which could reasonably lead, directly or indirectly by reference to other information, to identification of that research subject.
  3. You indicate that both the PI and the Institutional Official must sign the application for a Certificate. What do you mean by "Institutional Official"?
    The authorized institutional official is the individual named by the applicant organization who is authorized to act for that organization and assumes on behalf of the institution the obligations imposed by assurances as well as obligations imposed by the Federal laws, regulations, requirements and other conditions that apply to grant applications and awards.
Back to Top

  C. Eligibility for a Certificate

  1. Who may apply for a Certificate of Confidentiality?
    Any person engaged in research in which sensitive information is gathered from human research participants (or any person who intends to engage in such research) may apply for a Certificate of Confidentiality.
  2. What kind of research is eligible for a Certificate?
    Generally, any research project that collects personally identifiable, sensitive information and that has been approved by an IRB operating under either an approved Federal-Wide Assurance issued by the Office of Human Research Protections or the approval of the Food and Drug Administration is eligible for a Certificate. Federal funding is not a prerequisite for an NIH-issued Certificate, but the subject matter of the study must fall within a mission area of the National Institutes of Health, including its Institutes, Centers and the National Library of Medicine.
  3. Can you give some examples of research projects that are eligible for a Certificate?
    Certainly. The following is an illustrative but not exhaustive list of research areas eligible for a Certificate:
    • Research on HIV, AIDS, and other STDs;
    • Studies that collect information on sexual attitudes, preferences, or practices;
    • Studies on the use of alcohol, drugs, or other addictive products;
    • Studies that collect information on illegal conduct;
    • Studies that gather information that if released could be damaging to a participant's financial standing, employability, or reputation within the community;
    • Research involving information that might lead to social stigmatization or discrimination if it were disclosed;
    • Research on participants' psychological well being or mental health;
    • Genetic studies, including those that collect and store biological samples for future use;
    • Research on behavioral interventions and epidemiologic studies.
  4. What studies would NOT be eligible?
    Ineligible studies include projects that are
    • not research based,
    • not approved by an IRB operating under either an approved Federal-Wide Assurance issued by the Office of Human Research Protections or the approval of the Food and Drug Administration,
    • not collecting sensitive information or information that, if released publicly, might harm the research participants,
    • not collecting personally identifiable information, or
    • not involving a subject matter that is within a mission area of the National Institutes of Health.
  5. I am planning two different studies that will involve human subjects from two different populations. Both studies will collect sensitive information. Can I apply for one Certificate to cover both projects?
    A separate application is required for each research project for which a Certificate is desired. A certificate is generally issued to a research institution for a single project (not broad groups or classes of projects). However, projects that use the same sample of subjects but have different protocols may file for one Certificate since the subjects, whose identities the investigator wishes to protect, are the same.
  6. I am planning a multi-site trial to study the efficacy of a new intervention. Does each site need a separate Certificate of Confidentiality?
     No, for multi-site projects, a coordinating center or lead institution can apply for and receive a Certificate on behalf of all member institutions.  In general, the information provided in the application for a Certificate for a multi-site study, is specific to the lead institution.  However, the lead site is expected to maintain a current listing of all the participating sites, including addresses and project directors.   In addition, the lead site should obtain signed assurances from each participating institution, as well as their FWA numbers and  copies of their IRB approvals (http://grants.nih.gov/grants/policy/coc/appl_extramural.htm).  These should be kept in the lead institutions' files, to be made available to the NIH upon request.  The lead site is also responsible for ensuring that each site's IRB-approved consent forms contain appropriate language describing the Certificate of Confidentiality and should work with the appropriate NIH coordinator to review consent form language.  To avoid confusion, all study specific documents across all sites should use a consistent project title.  After the Certificate has been issued, the lead institution should provide a copy of the Certificate of Confidentiality to each participating institution.  The lead site should also develop appropriate agreements, with the participating institutions, to implement the assurances.

     

  7. I am collecting data from subjects recruited in a foreign country. Can I get a Certificate of Confidentiality?
    Yes, if the data are maintained within the U.S. If the data are maintained only in the foreign country, a Certificate of Confidentiality would not be effective.
  8. I am an intramural scientist working on a clinical HIV study at the NIH. If the Federal Privacy Act applies to my research, do I still need a Certificate of Confidentiality?
    Yes, because the Federal Privacy Act does not protect identifying information if disclosure is ordered by a court of competent jurisdiction. Moreover, there are other exceptions to the protection afforded by the Privacy Act.
  9. Can non-faculty members (students or pre-, post-doctoral fellows) apply for a certificate for their research?
    Yes, although there are some additional application requirements for such research projects:  The letter of application must be submitted on institutional stationery and signed by three people: the student, the student's advisor or other appropriate faculty member, and the Institutional Official. Also, NIH prefers that the faculty sponsor be designated as the PI on such applications instead of the student; this is a requirement for some IC's. A post-doctoral student can be listed as the co-PI.  Moreover, the IRB approval for a student research project must be issued jointly to the student and the advisor or to the advisor with a copy to the student.
Back to Top

  D. Certificate Application Process

  1. Who may apply for a Certificate of Confidentiality?
    Any person engaged in research in which sensitive information is gathered from human research participants (or any person who intends to engage in such research) may apply for a Certificate of Confidentiality.
  2. Is NIH required to give all who apply a Certificate of Confidentiality?
    No. No project is entitled to a Certificate; its issuance is discretionary.
  3. To whom should I apply for a Certificate of Confidentiality?
    If NIH funds the research project for which you would like to request a Certificate, you should apply through the funding Institute or Center (IC). If your research is not supported with NIH funding, you may apply for a Certificate through the NIH IC that supports research in a scientific area similar to your project. Please note that NIH is authorized to issue Certificates only for important research within its mission areas. Contact information is available on the NIH website at the Certificates of Confidentiality Kiosk.
  4. What if I am not sure to which NIH Institute I should apply?
    If you are uncertain which Institute or Center you should contact for a Certificate of Confidentiality, you can contact one of the Central Certificate resources listed on the NIH website at the Certificates of Confidentiality Kiosk.
  5. May I apply for a Certificate if the Federal government does not fund my research project?
    Yes. A Certificate of Confidentiality can be awarded whether or not a research project is federally funded.
  6. Can I apply online?
    Some NIH Institutes/Centers (IC's) use an online application process for requests for new Certificates of Confidentiality.  The  list of Certificate  of Confidentiality Coordinators for each IC will indicate if the IC has an online application process (http://grants.nih.gov/grants/policy/coc/contacts.htm).   Also, the kiosk home page provides an updated list of the IC's that are using the on-line system.  Contact the IC coordinator if you are unsure about the application process.
  7. When should I apply for a Certificate?
    Generally, an application for a Certificate of Confidentiality is submitted after the Institutional Review Board (IRB) responsible for its review approves the research project (because IRB approval or approval conditioned upon issuance of a Certificate of Confidentiality is a prerequisite for issuance of a Certificate). Since the informed consent form should include language describing the Certificate and any voluntary disclosures specified by the investigator, the Applicant could tell the IRB that they are applying for a Certificate of Confidentiality and have included appropriate language in the informed consent form. Applications for Certificates should be submitted at least three months prior to the date on which enrollment of research subjects is expected to begin.
  8. You indicate that both the PI and the Institutional Official must sign the application for a Certificate. What do you mean by "Institutional Official"?
    The authorized institutional official is the individual named by the applicant organization who is authorized to act for that organization and assumes on behalf of the institution the obligations imposed by assurances as well as obligations imposed by the Federal laws, regulations, requirements and other conditions that apply to grant applications and awards.
Back to Top

  E. For Studies That Have a Certificate

  1. What is the researcher's responsibility to participants regarding a Certificate of Confidentiality?
    When a researcher obtains a Certificate of Confidentiality, the subjects must be told about protections afforded by the Certificate and any exceptions to those protections - i.e., the circumstances in which the investigators plan to disclose, voluntarily, identifying information about research participants (e.g., child abuse, harm to self or others, etc.). This information should be included in the informed consent form unless a research subject is no longer actively participating in the project so amendment of the informed consent would be impractical The researchers should eliminate provisions in consent form templates that may be inconsistent with the Certificate protections (such as references to disclosures required by law, since the Certificate enables researchers to resist disclosures that would otherwise be compelled by law). In addition, researchers may not represent the Certificate as an endorsement of the research project by the DHHS or use it in a coercive manner when recruiting subjects.
  2. What if there is a significant change in my research project after a Certificate is issued?
    If a significant change in your research project is proposed after a Certificate is issued, you must inform the Certificate Coordinator of the Institute issuing the certificate by submitting an amended application for a Certificate of Confidentiality (in the same form and manner as your original application for a Certificate).  Please include your current address (VERY important if this has changed since your initial application).
  3. What do you mean by significant changes?
    Significant changes include: major changes in the scope or direction of the research protocol, changes in personnel having major responsibilities in the project, or changes in the drugs to be administered (if any) and the persons who will administer them.
  4. What happens once I submit an amended application?
    Amended applications will be reviewed by the NIH Institute issuing the certificate and either approved or disapproved. If an amended application is approved, an amended Certificate of Confidentiality will be issued. If an amended application is disapproved, you will be notified that adoption of the proposed significant change(s) will result in prospective termination of the original Certificate. Any termination of a Certificate of Confidentiality is operative only with respect to the identifying characteristics of individuals who began their participation as research subjects after the effective date of such termination.
  5. What if my research project extends beyond the expiration date on the Certificate?
    If you determine that the research project for which you have received a Certificate of Confidentiality will extend beyond the expiration date on the Certificate, you may submit a written request for extension of the date. This request should be submitted to the NIH Institute issuing the certificate at least three months prior to the Certificate's expiration. It must include an explanation of the reasons for requesting an extension (e.g., new subjects continue to be enrolled in the project), a revised estimate of the date for completion of the project, documentation of the Institutional Review Board's most recent approval for the project, and a copy of the consent form which should include language explaining the Certificate's protections, specify any voluntary disclosures, and clearly state any other limitations.  Please include your current address (VERY important if this has changed since your initial application).  If your request is approved, an amended Certificate will be issued.
  6. I'm conducting a longitudinal study. I just got a Certificate of Confidentiality. Part of my cohort was recruited prior to issuance of the Certificate, but they are no longer actively participating in the study. What do I do?
    In the informed consent form, you should tell subjects who are still actively involved in your study that the Certificate is in effect. If subjects are no longer actively participating in the project, an amendment to the informed consent form would be impractical.
  7. In what situations may personally identifiable information protected by a Certificate be disclosed?
    Personally identifiable information protected by a Certificate may be disclosed under the following circumstances:
    • Voluntary disclosure of information by study participants themselves or any disclosure that the study participant has consented to in writing, such as to insurers, employers, or other third parties;

    • Voluntary disclosure by the researcher of information on such things as child abuse, reportable communicable diseases (http://grants.nih.gov/grants/policy/coc/cd_policy.htm);, possible threat to self or others, or other voluntary disclosures provided that such disclosures are spelled out in the informed consent form;

    • Voluntary compliance by the researcher with reporting requirements of state laws, such as knowledge of communicable disease, provided such intention to report is specified in the informed consent form (see Attachment D, which sets forth PHS policy on reporting of communicable diseases); or

    • Release of information by researchers to DHHS as required for program evaluation or audits of research records or to the FDA as required under the federal Food, Drug, and Cosmetic Act (21 U.S.C. 301 et seq.)



Back to Top

  F. Legal Considerations

  1. Has the legality of Certificates been challenged?
    There have been very few reported court cases. In 1973, the certificate's authority was upheld in the New York Court of Appeals. The U.S. Supreme Court declined to hear the case.
  2. What should an investigator do if legal action is brought to release personally identifying information protected by a certificate?
    The researcher should immediately inform the Certificate Coordinator who issued the Certificate and seek legal counsel from his or her institution. The Office of the NIH Legal Advisor is willing to discuss the regulations with the researcher's attorney.
Back to Top

  G. Certificate of Confidentiality vs Other Privacy and Data Protections

  1. Does the Privacy Rule preclude the need for Certificates of Confidentiality?
    No. Certificates of Confidentiality offer an important protection for the privacy of research study participants by protecting identifiable health information from forced disclosure (e.g., by court order). While the Privacy Rule does establish protections for covered entities’ use and disclosure of PHI, it permits use or disclosure in response to certain judicial or administrative orders. Therefore, researchers/contractors may obtain Certificates of Confidentiality to protect them from being forced to disclose information that would have to be disclosed under the Privacy Rule.
  2. If I am conducting a sensitive research project that is covered by the AHRQ confidentiality statute (42 U.S.C. section299a-1(c) entitled “limitation on use of certain information”) or the Department of Justice confidentiality statute (42USC section 3789g), should I also apply to the NIH for a Certificate of Confidentiality?
    No. You should not apply for an NIH Certificate if your study is covered by AHRQ or the DOJ statute.
  3. Does the Patriot Act affect the Certificate of Confidentiality protections?
    No, a Certificate of Confidentiality protects investigators and institutions from being compelled to release information that could be used to identify study participants in any civil, criminal, administrative, legislative, or other proceeding, whether at the federal, state, or local level. The Patriot Act does not affect those protections.

Back to Top

Go to Certificates of Confidentiality Page





This page last updated on June 20, 2011
Content Manager: hardyan@mail.nih.gov 
Technical Issues: E-mail OER Webmaster