Certificates of Confidentiality
What is a Certificate of Confidentiality?
A Certificate of Confidentiality (CoC) adds a layer of privacy protection for participants enrolled in sensitive research. A CoC primarily protects against compulsory legal demands, such as court orders and subpoenas, for identifying information or identifying characteristics of a research participant. Though granted by the NIH, they are available even to non-NIH-funded studies (even studies that are not federally funded at all). CoC’s are appropriate for research studies that gather information about subjects that might be damaging, and which will only exist in the research study records (that is, the information isn’t already in other records that are subject to subpoena).
How can I get one?
To apply for a CoC, please take the following steps:
- Go to the NIH’s CoC Kiosk and complete the steps to submit your application electronically. After it is received, the NIH will provide you with a form that must be signed by the PI and the Emory Institutional Official.
- Once you have the form ready to be signed, DO NOT send the form directly to the Emory Institutional Official. Instead, email the IRB analyst who is responsible for your study. If you are unsure who the analyst is, you may call us to find out, or you can send the CoC application directly to our main email address (email@example.com).
In your email, please include the following:
- The full CoC application, as an attachment, along with the “Assurances” form that needs to be signed;
- The nature of the sensitive data to be generated during the research study;
- How that data will be identifiable/linked to the subject;
- Whether that sensitive information also exists somewhere outside the research record (e.g. HIV diagnosis already present in subjects’ medical record - either at EHC or elsewhere - before the study begins). If the sensitive information is already present in another location that could be subpoenaed, then we may not sign off on the CoC application; we do not want subjects to have a false sense of security.
How should research subjects be informed about the CoC? Can I tell them I am applying for the CoC but haven’t received it yet?
The CoC’s protections – and limitations – must be stated in the Informed Consent form once the CoC is granted, and the language is dictated by the NIH. The consent templates posted on the Emory IRB website contain the required language.
The NIH prefers that you NOT state in the consent form that you are applying for a CoC. Only after the CoC is actualy obtained should subjects be enrolled via a consent form that references the CoC. If the IRB agrees that enrollment prior to obtaining the CoC is acceptable, the IRB can approve a no-CoC version of the conesnt form, along with a CoC version that you can submit to the NIH with your CoC application - but which cannot be used to enroll until the CoC is granted.
What should I do if I obtain a CoC after the study has been approved?
If you are granted a CoC for a study that has already been approved, you should submit an amendment in eIRB to do the following:
- Upload the approved CoC into the eIRB system under the "Miscellaneous Documents" section.
- Add the required language in the ICF to note the CoC (refer to the most recent ICF template).
How does CoC compare with “Sensitive Study Status”?
Finally, it is important to be aware of the differences between a CoC and "senstitive study status." When a study is declared to have "sensitive status," steps are taken to limit the amount of information that is put into the medical record. A CoC, however, doesn't limit the information put into the record but instead it covers that information with privacy protections. In other words, determining that a protocol has "sensitive study status" alone does not protect research data from subpoena, therefore a CoC may be recommended or even required in addition to the sensitive status determination.