Certificates and Assurances of Confidentiality
Certificates of Confidentiality are issued by the Centers for Disease Control and Prevention (CDC) to protect the privacy of research subjects by protecting investigators and institutions from being compelled to release information that could be used to identify subjects with a research project. Certificates of Confidentiality are issued to institutions or universities where the research is conducted. They allow the investigator and others who have access to research records to refuse to disclose identifying information in any civil, criminal, administrative, legislative, or other proceeding, whether at the federal, state, or local level.
Identifying information is broadly defined as any item or combination of items in the research data that could lead directly or indirectly to the identification of a research subject.
By protecting researchers and institutions from being compelled to disclose information that would identify research participants, Certificates of Confidentiality help achieve the research objectives and promote participation in studies by assuring privacy to subjects.
Under section 301(d) of the Public Health Service Act (42 U.S.C. 241(d)) the Secretary of Health and Human Services may authorize persons engaged in biomedical, behavioral, clinical, or other research to protect the privacy of individuals who are the subjects of that research. This authority has been delegated to the Centers for Disease Control and Prevention (CDC).
Persons authorized by the CDC to protect the privacy of research subjects may not be compelled in any federal, state, or local civil, criminal, administrative, legislative, or other proceedings to identify them by name or other identifying characteristic.
Extent and Limitations of Coverage
Certificates can be used for biomedical, behavioral, clinical or other types of research that is sensitive. Research data is sensitive when disclosure of identifying information could have adverse consequences for subjects or damage their financial standing, employability, insurability, or reputation.
Examples of sensitive research activities include but are not limited to the following:
- Collecting genetic information;
- Collecting information on psychological well-being of subjects;
- Collecting information on subjects’ sexual attitudes, preferences or practices;
- Collecting data on substance abuse or other illegal risk behaviors;
- Studies where subjects may be involved in litigation related to exposures under study (e.g., environmental or occupational exposures).
In general, certificates are issued for single, well-defined research projects rather than groups or classes of projects.
A Certificate of Confidentiality protects personally identifiable information about subjects in the research project while the Certificate is in effect. Generally, Certificates are effective on the date of issuance or upon commencement of the research project if that occurs after the date of issuance. The expiration date should correspond to the completion of the study. The Certificate will state the date upon which it becomes effective and the date upon which it expires. A Certificate of Confidentiality protects all information identifiable to any individual who participates as a research subject (i.e., about whom the investigator maintains identifying information) during any time the Certificate is in effect. An extension of coverage must be requested if the research extends beyond the expiration date of the original Certificate. However, the protection afforded by the Certificate is permanent. All personally identifiable information maintained about participants in the project while the Certificate is in effect is protected in perpetuity. Some projects are ineligible for a Certificate of Confidentiality. To be eligible for a CDC Certificate, a project must be: (1) research, (2) funded by CDC, (3) collecting personally identifiable information that is sensitive and, if disclosed, could significantly harm or damage the participant, and (4) reviewed and approved by IRB(s).
While Certificates protect against involuntary disclosure, investigators should note that research subjects might voluntarily disclose their research data or information. Subjects may disclose information to physicians or other third parties. They may also authorize in writing the investigator to release the information to insurers, employers, or other third parties. In such cases, researchers may not use the Certificate to refuse disclosure. Moreover, researchers are not prevented from the voluntary disclosure of matters such as child abuse, reportable communicable diseases, or subject’s threatened violence to self or others. (For information on communicable disease reporting policy, see Notifiable Disease Reporting with Confidentiality Certificates). However, if the researcher intends to make any voluntary disclosures, the consent form must specify such disclosure.
Certificates do not authorize researchers to refuse to disclose information about subjects if authorized DHHS personnel request such information for an audit or program evaluation. Neither can researchers refuse to disclose such information if it is required to be disclosed by the Federal Food, Drug, and Cosmetic Act.
In the informed consent form, investigators should tell research subjects that a Certificate is in effect. Subjects should be given a fair and clear explanation of the protection that it affords, including the limitations and exceptions noted above. Every research project that includes human research subjects should explain how identifiable information will be used or disclosed, regardless of whether or not a Certificate is in effect. The Office of Human Subjects Protection (OHRP) provides guidance on the content of informed consent documents. For additional information, see http://www.hhs.gov/ohrp/irb/irb_chapter3.htm
An Assurance of Confidentiality is a formal confidentiality protection authorized under Section 308(d) of the Public Health Service Act. It is used for projects conducted by CDC staff or contractors that involve the collection or maintenance of sensitive identifiable or potentially identifiable information. This protection allows CDC programs to assure individuals and institutions involved in research or non-research projects that those conducting the project will protect the confidentiality of the data collected. The legislation states that no identifiable information may be used for any purpose other than the purpose for which it was supplied unless such institution or individual has consented to that disclosure.
Under section 308(d) of the Public Health Service Act surveys conducted by the National Center for Health Statistics (NCHS) as part of their authorizing legislation are automatically protected by an Assurance of Confidentiality. In addition, Assurances of Confidentiality may be issued to projects conducted by all other CDC components, after formal application to and approval by the CDC Confidentiality Review Group has been obtained.
Information about institutions and/or individuals of research or non-research projects that involve the collection or maintenance of sensitive identifiable or potentially identifiable information and for which an Assurance of Confidentiality has been approved is protected. At CDC, the 308(d) assurance has most often been used to protect sensitive identifiable data for non-research projects, but has also been used for research studies collecting sensitive identifiable data.
Extent and Limitations of Coverage
Protected information includes identifiable or potentially identifiable information on institutions or individuals who are the subjects of research or non-research studies with an approved Assurance of Confidentiality.
Disclosures can be made without individual authorization only for purposes stated at the time of data collection or specifically consented to thereafter by each of the parties who were provided the promise of confidentiality.
Certificates and Assurances of Confidentiality do not take the place of good data security or clear policies and procedures for data protection, which are essential to the protection of participants’ privacy. Investigators should take appropriate steps to safeguard data and findings. Unauthorized individuals must not access the data or learn the identity of participants.
Certificates and Assurances of Confidentiality Contact
- Page last reviewed: October 11, 2017
- Page last updated: April 10, 2015
- Content source:
- Office of the Associate Director for Science