Guidance on Certificates of Confidentiality for CDC Funded Research

Purpose

The purpose of this Guidance is to explain changes to CDC’s process of issuing Certificates of Confidentiality (Certificates) for CDC-funded and conducted research. This Guidance comes as a result of amendments made to subsection 301(d) of the Public Health Service Act (42 U.S.C. 241(d)) by Section 2012 of the 21st Century Cures Act, P.L. 114-255. The newly amended subsection 301(d) states that the Secretary, HHS shall issue Certificates of Confidentiality to persons engaged in biomedical, behavioral, clinical or other research, in which identifiable, sensitive information is collected. These Certificates protect the privacy of subjects by limiting the disclosure of identifiable, sensitive information.

Scope and Applicability

The new provisions of subsection 301(d) of the Public Health Service Act (PHSA) apply to all biomedical, behavioral, clinical, or other research funded wholly or in part by the CDC, whether supported through grants, cooperative agreements, contracts, other transaction awards, or conducted by the CDC Intramural Research Program, that collects or uses identifiable, sensitive information. Consistent with subsection 301(d), the term “identifiable, sensitive information” means information about an individual that is gathered or used during the course of biomedical, behavioral, clinical, or other research, where the following may occur:

  • An individual is identified; or
  • For which there is at least a very small risk, that some combination of the information, a request for the information, and other available data sources could be used to deduce the identity of an individual.

Background

Section 2012 of the 21st Century Cures Act, enacted December 13, 2016, enacted new provisions governing the authority of the Secretary of Health and Human Services (Secretary) to protect the privacy of individuals who are the subjects of research, including significant amendments to the previous statutory authority for such protections, under subsection 301(d) of the Public Health Service Act. Specifically, the amended authority requires the Secretary to issue to investigators or institutions engaged in biomedical, behavioral, clinical, or other research in which identifiable, sensitive information is collected (“Covered Information”), a Certificate to protect the privacy of individuals who are subjects of such research, if the research is funded wholly or in part by the Federal Government. Subsection 301(d) also specifies the prohibitions on disclosure of the names of research participants or any information, documents, or biospecimens that contain identifiable, sensitive information collected or used in research by an investigator or institution with a Certificate.

As of May 2018, all research that was commenced or ongoing on or after December 13, 2016 and is within the scope of subsection 301(d) is deemed to be issued a Certificate and is therefore required to protect the privacy of individuals who are subjects of such research in accordance with subsection 301(d). Information about the scope and applicability of subsection 301(d) has been included as a standard term and condition in CDC’s new and non-competing grant and cooperative agreement awards as of May 2018. Institutions and their investigators are responsible for determining whether research they conduct is subject to subsection 301(d) and therefore covered by a Certificate. Certificates will no longer be issued as a separate document. Previously, CDC provided these protections through the issuance of Certificates only upon receipt and approval of an application. However, in order to comply with the requirement in subsection 301(d) to minimize the burden to researchers, streamline the process, and reduce the time it takes to comply with the requirements associated with applying for a Certificate, CDC will now provide Certificates automatically to any CDC-funded recipients conducting research determined to fall within the scope of 301(d).

For the purposes of this Guidance and consistent with subsection 301(d), CDC considers research in which identifiable, sensitive information is collected or used, to include:

  • Human subjects research as defined in the Federal Policy for the Protection of Human Subjects (45 CFR 46), including exempt research except for human subjects research that is determined to be exempt from all or some of the requirements of 45 CFR 46 if the information obtained is recorded in such a manner that human subjects cannot be identified or the identity of the human subjects cannot readily be ascertained, directly or through identifiers linked to the subjects;
  • Research involving the collection or use of biospecimens that are identifiable to an individual or for which there is at least a very small risk that some combination of the biospecimen, a request for the biospecimen, and other available data sources could be used to deduce the identity of an individual;
  • Research that involves the generation of individual level, human genomic data from biospecimens, or the use of such data, regardless of whether the data is recorded in such a manner that human subjects can be identified or the identity of the human subjects can readily be ascertained as defined in the Federal Policy for the Protection of Human Subjects (45 CFR 46); or
  • Any other research that involves information about an individual for which there is at least a very small risk, as determined by current scientific practices or statistical methods, that some combination of the information, a request for the information, and other available data sources could be used to deduce the identity of an individual, as defined in subsection 301(d) of the Public Health Service Act.

Recipient Responsibilities

To determine if a Certificate of Confidentiality applies to research conducted or supported by CDC, investigators will need to ask, and answer the following question:

  • Is the activity biomedical, behavioral, clinical, or other research?

If the answer to this question is no, then the activity is not issued a Certificate of Confidentiality. If the answer is yes, then investigators will need to answer the following questions:

  • Does the research involve Human Subjects as defined by 45 CFR Part 46?
  • Are you collecting or using biospecimens that are identifiable to an individual as part of the research?
  • If collecting or using biospecimens as part of the research, is there a small risk that some combination of the biospecimen, a request for the biospecimen, and other available data sources could be used to deduce the identity of an individual?
  • Does the research involve the generation of individual level, human genomic data?

If the answer to any one of these questions is yes, then a Certificate of Confidentiality will apply to the research and therefore, in accordance with subsection 301(d) of the Public Health Service Act, the recipient of the Certificate shall not:

All recipients of a Certificate shall not:

  • Disclose or provide, in any Federal, State, or local civil, criminal, administrative, legislative, or other proceeding, the name of such individual or any such information, document, or biospecimen that contains identifiable, sensitive information about the individual and that was created or compiled for purposes of the research, unless such disclosure or use is made with the consent of the individual to whom the information, document, or biospecimen pertains; or
  • Disclose or provide to any other person not connected with the research the name of such an individual or any information, document, or biospecimen that contains identifiable, sensitive information about such an individual and that was created or compiled for purposes of the research.Disclosure is permitted only when:
  • Required by Federal, State, or local laws (e.g., as required by the Federal Food, Drug, and Cosmetic Act, or state laws requiring the reporting of communicable diseases to State and local health departments), excluding instances of disclosure in any Federal, State, or local civil, criminal, administrative, legislative, or other proceeding;
  • Necessary for the medical treatment of the individual to whom the information, document, or biospecimen pertains and made with the consent of such individual;
  • Made with the consent of the individual to whom the information, document, or biospecimen pertains; or
  • Made for the purposes of other scientific research that is in compliance with applicable Federal regulations governing the protection of human subjects in research.

Consistent with 45 CFR 75.303(a), grant and cooperative agreement recipients conducting CDC supported research are required to establish and maintain effective internal controls (e.g., policies and procedures) that provide reasonable assurance that the award is managed in compliance with Federal statutes, regulations, and the terms and conditions of award.

Recipients of Certificates are also required to ensure that any investigator or institution not funded by CDC who receives a copy of identifiable, sensitive information protected by a Certificate, understand they are also subject to the requirements of subsection 301(d) of the Public Health Service Act and for ensuring that collaborators that are carrying out part of the research involving a copy of identifiable, sensitive information protected by a Certificate issued by CDC understand they are also subject to subsection 301(d) of the Public Health Service Act.

For studies in which informed consent is sought, CDC expects investigators to inform research participants of the protections and the limits to protections provided by a Certificate issued by CDC.

Additional Information

Have a CoC Question?

Contact the Privacy and Confidentiality Unit coccdc@cdc.gov

Page last reviewed: November 20, 2018
Content source: