Adapting Certificates of Confidentiality Policy Under the 21st Century Cures Act: Benefits and Challenges

At PRIM&R’s 2017 SBER conference, I had the opportunity to sit in on the excellent didactic session, “Certificates of Confidentiality (CoCs) and National Institute of Justice (NIJ) Privacy Certificates,” given by Petrice Brown-Longenecker, PhD, CIP (Extramural Human Research Protection Officer, NIH); Elonna Ekweani, JD (Public Health Analyst, NIH); Mary Ramirez, MA, CIP (Assistant Director, Health Sciences and Behavioral Sciences IRB, University of Michigan); and Leslie E. Wolf, JD, MPH (Professor; Director, Center for Law, Health, and Society, Georgia State University College of Law).

The panel discussed the implications of the 21st Century Cures Act on CoC policy and practice. One of the most significant changes is that the HHS Secretary now automatically issues CoCs for all NIH-funded studies involving the collection of identifiable, sensitive data. (The NIH specifies that “identifiable, sensitive information” includes data where an individual is identified, or where there is a “very small risk” of an individual being identified through scientific practices or statistical methods; NIH does not offer a definition of “sensitive”). Researchers who are collecting identifiable, sensitive data, but who are not funded by NIH, do still need to apply for CoCs, as do researchers who lose NIH funding, but want to continue collecting or analyzing identifiable, sensitive data.

NIH-funded researchers will not receive any documentation from the NIH confirming that a CoC has been issued for their study, but researchers can use their award notice and a copy of the September 7, 2017 “Notice of Changes to NIH Policy for Issuing Certificates of Confidentiality” as evidence of their coverage.

Also of note is that the 21st Century Cures Act has widened the scope of studies for which CoCs are applicable. Whereas CoCs were previously granted based on the sensitivity of the study data, they are now tied to the ability of researchers to identify a participant, with the sensitivity of the data being of secondary importance.

In some respects, the elimination of the CoC application process for NIH-funded studies will reduce the burden for these researchers (who previously had to fill out extensive CoC applications) and their IRBs (who had to facilitate the signature of the Institutional Official to accompany the CoC applications). The fact that there will no longer be a formal CoC application process for NIH-funded studies will allow the researchers to begin their data collection under the protections of the CoC, without having to re-consent enrolled participants to inform them of their retroactive protections once the CoC is granted. (These burdens will remain for non-NIH funded researchers seeking CoCs).

In other respects, though, the automatic issuance of CoCs for NIH-funded studies will increase the burden for researchers and their IRBs.

Because researchers will not be notified by the NIH as to whether a CoC has been issued for their study, but are expected to comply with NIH CoC guidelines, IRBs will be saddled with the difficult task (and additional liability) of making the CoC determination so that they can then monitor the studies to ensure compliance with NIH CoC policy.

Once an IRB has determined that a NIH-funded study involves identifiable, sensitive data and that a CoC applies, they must ensure that consent forms contain information about the protections and limitations of the CoC, and communicate (or have the PI communicate) this information to the sub-awardees and collaborating sites. (Since the CoC will apply to the data, any sites receiving or working with the data must employ the same policies and protections as the parent site). Finally, because CoCs are only valid as long as NIH funding is in place, IRBs will need to monitor NIH funding to ensure that researchers whose funding has lapsed know that they may choose to manually apply for CoCs in order to continue offering this protection to their participants.

Sarah Luery is an IRB Administrator at the University of Southern California and a member of the 2017 PRIM&R Blog Squad.

Members of PRIM&R’s Blog Squad and other guest contributors are valued members of our community willing to share their insights. The views expressed in their posts do not necessarily reflect those of PRIM&R or its employees.


Save the date for PRIM&R’s 2018 Advancing Ethical Research Conference, taking place November 14-17 in San Diego, CA.