This section of the Investigator Manual provides information relevant to protecting participant privacy and confidentiality.

Protecting Participant Privacy & Confidentiality

You are required to ensure human research includes adequate provisions to protect the privacy of participants and confidentiality of data, as required by federal regulations.

  • Privacy refers to a person’s desire to control the access of others to themselves. For example, research participants may not want to be seen entering a place that might stigmatize them, such as a pregnancy counseling center that is clearly identified as such by signs on the front of the building.
  • Confidentiality refers to the researcher’s agreement with the participant about how the research participant’s identifiable private information will be handled, managed, and disseminated.

For the IRB to assess privacy and confidentiality protections, you must describe how you will protect participant privacy and data confidentiality in your protocol or application. The IRB will assess whether the participants’ privacy interests and confidentiality of data are protected in ways commensurate with the benefits to participants and the risks of everyday life.

For more information, refer to HRP 314-WORKSHEEET-Criteria for Approval.

Certificates of Confidentiality

A Certificate of Confidentiality (COC) protects the privacy of research participants by prohibiting disclosure of their name or any information, document, or biospecimen that contains individually identifiable, sensitive research information to anyone not associated with the research, except when the participant consents to such disclosures or in other limited specific situations. The term “identifiable, sensitive information” means information about an individual gathered or used during the research through which an individual is identified or for which there is a very small risk that some combination of information could identify an individual.

Effective October 1, 2017, all ongoing or new research as of December 13, 2016 that is

  • funded wholly or in part by the NIH, AND
  • collects or uses identifiable, sensitive information

is automatically issued a CoC as a term and condition of the NIH grant award. Certificates will no longer be issued in a separate document. The Notice of Award and the NIH Grants Policy Statement will serve as documentation of the Certificate protection. This automatic issuance of CoC protections also applies to research that receives re-distributed NIH funds. There are several campus institutes, programs, and research centers that provide pilot, new-investigator, or other smaller awards using NIH funds. Research conducted under these types of awards are also automatically issued a CoC.

The following HHS agencies and units also automatically issue CoCs as a term and condition of their grant awards: Centers for Disease Control (CDC), Health Resources and Services Administration (HRSA), Food & Drug Administration (FDA)*, and Biomedical Advanced Research and Development Authority (BARDA). Questions about whether your grant includes an automatic CoC should be directed to your program officer.

*Applies only for FDA funded research, not just research subject to FDA regulations.

You are required to determine whether your research records are covered by a COC. See HRP 333-Worksheet-Certificate of Confidentiality for details on evaluating whether a non-NIH-funded research study should be covered by a COC.

When a COC covers the research records, and informed consent will be obtained from participants, the participants must be told about the protections afforded by the COC and any limitations to those protections. Available consent form templates have been revised to include language that addresses COC protections. This language must be included in consent forms to be used in studies to which the COC policy applies.

A number of other HHS agencies also issue COCs upon application. For information and instructions go to: Information and templates for requesting a COC when the funding source is not an HHS agency, or when the funding source is not federal can also be found at the link provided above. Researchers conducting a non-federally funded study who are applying for a COC should draft the COC assurance template according to language provided at the link provided above. For assistance in obtaining the institutional officials’ signature, review the CoC Application Help guidance or email for signature routing.

Researchers must be aware that:

  • Information protected by a COC and all copies are subject to the protections of the COC in perpetuity.
  • Information may be shared with those with a need to know in order to conduct the study (e.g., individuals who perform study activities, monitor the study, conduct billing).
  • There is a statutory exception to the CoC for disclosures made for scientific research that complies with the Common Rule. If a secondary researcher receives information protected by a COC, either with consent of participants or through a waiver of consent, the secondary researcher is required to uphold the protections. Researchers who provide a secondary researcher with data protected by a COC should inform the secondary researcher of the continuing obligation to protect the data.
  • If there is a desire to share any information related to study participation, including research results, with someone other than the participant (e.g., participant’s spouse or family after participant loses capacity or after death), researchers should obtain consent for the sharing from the participant during enrollment.
  • If the study continues to enroll additional participants after your NIH, CDC, HRSA, FDA, or BARDA funding ends, those participants will not be protected by the Certificate unless you apply for a Certificate following the process for non-federally funded research.
  • Certificates will be issued for applicable research regardless of the country where the investigator or the protected information resides though a COC may not be effective for data held in foreign countries.
  • Should the researcher ever receive a subpoena, or any other legal process request seeking disclosure of research records, the researcher should not release any records or information and should immediately contact the IRB office and the Office of Legal Affairs.

For complete information about the applicable policies and guidance, including FAQs, please visit: NIH Policy, CDC Policy, HRSA Policy, FDA Guidance, BARDA Policy.