Certificate of Confidentiality (CoC) FAQs

Related Pages

General Information on Certificates of Confidentiality (CoC)

Certificate of Confidentiality Application Process

For Studies That Have a Certificate of Confidentiality

Legal Considerations

Certificate of Confidentiality vs Other Privacy and Data Protections

General Information on Certificates of Confidentiality (CoC)

What is a Certificate of Confidentiality (CoC)?
A Certificate of Confidentiality (CoC) is formal confidentiality protection authorized by the Public Health Service Act (PHSA) section 301(d) (42 U.S.C § 241(d)) to protect the privacy of human research participants enrolled in biomedical, behavioral, clinical and other forms of sensitive research by withholding identifying characteristics from those not connected to the research. Researchers may not be compelled in any Federal, State, or local civil, criminal, administrative, legislative, or other proceedings to identify participants.

What is the effect of a Certificate of Confidentiality (CoC)? What protection does it afford?
Researchers can use a CoC to avoid compelled disclosure (e.g., subpoenas) of names and other identifying information about any individual who participates as a research subject (i.e., about whom the investigator maintains identifying information) during any time the CoC is in effect. It does not protect against voluntary disclosures by the researcher. However, voluntary disclosures must be specified in the informed consent form. A researcher may not rely on the CoC to withhold data if the participant consents in writing to the disclosure.

 Top of Page

How long does a Certificate of Confidentiality (CoC) protection last?
Individuals who participate as research subjects (i.e., about whom the investigator maintains identifying information) in the specified research project during any time the CoC is in effect are protected permanently-even after death.

In what situations may personally identifiable information protected by a Certificate of Confidentiality (CoC) be disclosed?
Personally identifiable information protected by a CoC may be disclosed under the following circumstances:

  • Voluntary disclosure of information by study participants themselves or any disclosure that the study participant has consented to in writing, such as to insurers, employers, or other third parties;
  • Voluntary disclosure by the researcher of information on such things as, reportable communicable diseases, child abuse, elder abuse, possible threat to self or others, or other voluntary disclosures provided that such disclosures are specified in the informed consent form;
  • Voluntary compliance by the researcher with reporting requirements of state laws, such as knowledge of communicable disease, provided such intention to report is specified in the informed consent form. See Public Health Service (PHS) policy on reporting of communicable diseases: http://www.cdc.gov/od/science/integrity/confidentiality/disease.htm
  • Release of information by researchers to DHHS as required for program evaluation or audits of research records or to the FDA as required under the federal Food, Drug, and Cosmetic Act (21 U.S.C. 301 et seq.)

What is the difference between an Assurance of Confidentiality (AoC) and a Certificate of Confidentiality (CoC)?

CoC and AoC provide formal protection for highly sensitive data under the Public Health Service Act (PHSA). A CoC (PHSA § 301(d)) protects the identity of individuals who are subjects of research studies. The CoC is issued to institutions or universities where the research is conducted. It allows the investigator and research staff to refuse to disclose identifying information in any civil, criminal, administrative, legislative, or other proceeding, whether at the federal, state, or local level, and the protection lasts forever.

An AoC (PHSA § 308(d)) protects individuals and institutions involved in either research or non-research (e.g., surveillance). The legislation states that identifiable information may be used only for the purpose for which it was supplied unless such institution or individual has consented to its use for other purpose. The protection lasts forever.

What kind of research is eligible for a Certificate of Confidentiality (CoC)?
Generally, any research project that collects personally identifiable, sensitive information and that has been approved by an IRB operating under either an approved Federal-Wide Assurance issued by the Office of Human Research Protections or the approval of the Food and Drug Administration is eligible for a CoC. To be eligible for a CoC issued by the Centers for Disease Control and Prevention (CDC), CDC funding is required. If your research is not supported by CDC funding, you may apply for a Certificate through the NIH. Contact information is available on the NIH website at the Certificates of Confidentiality Kiosk.
 Top of Page

What is meant by sensitive information?
Sensitive information is information that must be protected because it might cause perceivable damage to someone or something if revealed to persons not entitled to it. Sensitive information includes (but is not limited to) information relating to sexual attitudes, preferences, or practices; information relating to the use of alcohol, drugs, or other addictive products; information pertaining to illegal conduct; information that, if released, might be damaging to an individual’s financial standing, employability, or reputation within the community or might lead to social stigmatization or discrimination; information pertaining to an individual’s psychological well-being or mental health; and genetic information or tissue samples.

What does identifying characteristic mean?
Identifying characteristics include things such as: name, address, social security or other identifying numbers, fingerprints, voiceprints, photographs, genetic information or tissue samples, or any other item or combination of data about a research participant which could reasonably lead, directly or indirectly by reference to other information, to identification of that research subject.

 Top of Page

Can you give some examples of research projects that may be eligible for a Certificate of Confidentiality (CoC)?
The following is an illustrative but not exhaustive list of research areas that may be eligible for a CoC:

  • Research on HIV, AIDS, and other STDs;
  • Studies that collect information on sexual attitudes, preferences, or practices;
  • Studies on the use of alcohol, drugs, or other addictive products;
  • Studies that collect information on illegal conduct;
  • Studies that gather information that if released could be damaging to a participant’s financial standing, employability, or reputation within the community;
  • Research involving information that might lead to social stigmatization or discrimination if it were disclosed;
  • Research on participants’ psychological well being or mental health;
  • Genetic studies, including those that collect and store biological samples for future use;
  • Research on behavioral interventions and epidemiologic studies.

 Top of Page

What studies would NOT be eligible for a CDC issued Certificate of Confidentiality (CoC)?
Ineligible studies include projects that are:

  • not research based,
  • not approved by an IRB operating under either an approved Federal-Wide Assurance issued by the Office of Human Research Protections or the approval of the Food and Drug Administration,
  • not collecting sensitive information or information that, if released publicly, might harm the research participants,
  • not collecting personally identifiable information, or
  • not CDC funded

I am planning two different studies that will involve human subjects from two different populations. Both studies will collect sensitive information. Can I apply for one Certificate of Confidentiality (CoC) to cover both projects?
A separate application is required for each research project for which a CoC is desired. A CoC is generally issued to a research institution for a single project (not broad groups or classes of projects). However, projects that use the same sample of subjects but have different protocols may file for one CoC since the subjects, whose identities the investigator wishes to protect, are the same.

 Top of Page

I am collecting data from subjects recruited in a foreign country. Can I get a Certificate of Confidentiality (CoC)?
Yes, if the data are maintained within the U.S. If the data are maintained only in the foreign country, a CoC would not be effective.

Certificate of Confidentiality Application Process

What is the application process for a Certificate of Confidentiality (CoC)?
This is a brief overview of the CoC application process:

  • o Project staff contacts the Privacy and Confidentiality Unit (PCU) staff for preliminary screening to discuss whether project is eligible for formal confidentiality protection by sending an email to cdccoc@cdc.gov
  • o If the project qualifies after initial screening, PCU staff will advise applicant to apply for an CoC following the instructions posted at: http://intranet.cdc.gov/od/oads/osi/confidentiality/certificate/application-instructions.htm
  • A draft application is submitted to the PCU
  • PCU and CIO collaborate to revise the application to ensure it is clear and contains required elements
  • When the application is finalized, PCU staff sends it to the Confidentiality Review Group (CRG) for review
  • When CRG members have concurred, PCU staff sends the application to the CDC Deputy Associate Director for Science (ADS) for review and signature
  • After CDC Deputy ADS signs off on the application, the CoC is issued for the project
  • PCU staff notifies Principal Investigator that the AoC has been issued

 Top of Page

How long does the Certificate of Confidentiality (CoC) application process take?
This varies, but is generally 2 to 3 months due to the number of applications to be processed, the amount of work the initial application needs before the application can be submitted to the Confidentiality Review Group (CRG), and the need for the applicant to provide a satisfactory response to any issues raised by CRG.

 Top of Page

When should I apply for a Certificate of Confidentiality (CoC)
The application process for a CoC should be started at least 3 months before the project is set to begin data collection.

Can I apply for a Certificate of Confidentiality (CoC) before Institutional Review Board (IRB) approval is granted?
Generally, an application for a CoC is submitted after the IRB approval is granted. However, the CoC application process may be started by completing the screening call and submitting a draft of the CoC application letter to PCU for review. The CoC application letter will not be sent to the Confidentiality Review Group (CRG) until IRB approval is granted and documentation is submitted to PCU. It is also advised that you include the CDC Preferred Confidentiality language in the consent form prior to IRB approval and indicate to the local IRB that you are applying for a CoC.

 Top of Page

Is CDC required to give all who apply a Certificate of Confidentiality (CoC)?
No. No project is entitled to a CoC; its issuance is discretionary.

For Studies That Have a Certificate of Confidentiality

What is the researcher’s responsibility to participants regarding a Certificate of Confidentiality (CoC)?
When a researcher obtains a CoC , the subjects must be told about protections afforded by the CoC and any exceptions to those protections – i.e., the circumstances in which the investigators plan to disclose, voluntarily, identifying information about research participants (e.g., child abuse, elder abuse, potential harm to self or others, etc.). In addition, researchers may not represent the CoC as an endorsement of the research project by the DHHS or use it in a coercive manner when recruiting subjects.

 Top of Page

What if there is a significant change to the research project after a Certificate of Confidentiality (CoC) is issued?
If a significant change in the research project is proposed after a CoC is issued, you must inform the Privacy and Confidentiality Unit (PCU) by submitting a Request for an Amendment of the Certificate of Confidentiality. Before implementing the change, please contact PCU at cdccoc@cdc.gov for additional information on the CoC amendment process.

What do you mean by significant change?
Significant changes include: major changes in the scope or direction of the research protocol, changes in personnel having major responsibilities in the project, or changes in the drugs to be administered (if any) and the persons who will administer them.

 Top of Page

What if my research project extends beyond the expiration date on the Certificate of Confidentiality (CoC)?
If you determine that the research project for which you have received a CoC will extend beyond the expiration date, you will need to submit a Request for an Extension of the Data Collection Expiration Date. This request should be submitted to Privacy and Confidentiality Unit (PCU) at least three months prior to the CoCs expiration. For instructions on how to submit a Request for an Extension of the Data Collection Expiration date please email PCU at cdccoc@cdc.gov

Are there situations where personally identifiable information (PII) protected by a Certificate of Confidentiality (CoC) may be disclosed?
PII protected by a CoC may be disclosed under the following circumstances:

  • Voluntary disclosure of information by study participants themselves or any disclosure that the study participant has consented to in writing, such as to insurers, employers, or other third parties;
  • Voluntary disclosure by the researcher of information on such things as reportable communicable diseases, child abuse, elder abuse, possible threat to self or others, or other voluntary disclosures provided that such disclosures are spelled out in the informed consent form;
  • Voluntary compliance by the researcher with reporting requirements of state laws, such as knowledge of communicable disease, provided such intention to report is specified in the informed consent form. See the Public Health Service (PHS) policy on reporting of communicable diseases: http://www.cdc.gov/od/science/integrity/confidentiality/disease.htm
  • Release of information by researchers to DHHS as required for program evaluation or audits of research records or to the FDA as required under the federal Food, Drug, and Cosmetic Act (21 U.S.C. 301 et seq.)

 Top of Page

Legal Considerations

Has the legality of a Certificate of Confidentiality (CoC) been challenged?
There have been very few reported court cases concerning the Certificate of Confidentiality. People v. Newman, 298 N.E.2d 651(N.Y. 1973) was the first known case to address the Certificate of Confidentiality statute. A Dr. Newman (director of a methadone clinic) was subpoenaed to provide clinic records (photographs) for use in a murder trial. Dr. Newman moved to quash the subpoena based on the CoC. The trial court denied the motion but the CoC’s authority was upheld in the New York Court of Appeals. The U.S. Supreme Court declined to hear the case.

What should an investigator do if legal action is brought to release personally identifying information protected by a Certificate of Confidentiality (CoC)?
The researcher should immediately seek legal counsel from the CDC Office of the General Counsel (OGC).

Certificate of Confidentiality vs Other Privacy and Data Protections

I am an intramural scientist working on an HIV study at CDC. If the federal Privacy Act applies to my research, do I still need a Certificate of Confidentiality (CoC)?
Maybe. If you are concerned about protecting sensitive, identifiable data on participants in the study, you may want to inquire about a CoC because the Privacy Act does not protect identifying information if disclosure is ordered by a court of competent jurisdiction. Moreover, there are other exceptions to the protection afforded by the Privacy Act.

 Top of Page

Does the HIPPA Privacy Rule preclude the need for Certificates of Confidentiality (CoC)?
No. CoCs offer an important protection for the privacy of research study participants by protecting identifiable health information from forced disclosure (e.g., by court order). While the Privacy Rule establishes protections for covered entities’ use and disclosure of protected health information, it permits use or disclosure in response to certain judicial or administrative orders. Therefore, researchers/contractors may obtain a CoC to protect them from being forced to disclose information that might have to be disclosed under the HIPAA Privacy Rule.

Does the Patriot Act affect the Certificate of Confidentiality (CoC) protections?
No, a CoC protects investigators and institutions from being compelled to release information that could be used to identify study participants in any civil, criminal, administrative, legislative, or other proceeding, whether at the federal, state, or local level. The Patriot Act does not affect those protections.

How can I get more information about a Certificate of Confidentiality (CoC)?
You may contact the Privacy and Confidentiality Office in the CDC Office of Scientific Integrity at 404-639-4642 or cdccoc@cdc.gov.

 Top of Page

Page last reviewed: October 11, 2017
Content source: