Certificate of confidentiality

In the United States, a certificate of confidentiality (CoC) is issued by the National Institutes of Health (NIH) and other Health and Human Services (HHS) agencies to protect identifiable research information from forced or compelled disclosure. [1] [2] It allows the investigator and others who have access to research records to refuse to disclose identifying information on research participants in civil, criminal, administrative, legislative, or other proceedings, whether federal, state, or local. [3] Certificates of confidentiality may be granted for studies collecting information that, if disclosed, could have adverse consequences for subjects, such as damage to their financial standing, employability, insurability, or reputation. By protecting researchers and institutions from being compelled to disclose information that would identify research subjects, certificates of confidentiality help to minimize risks to subjects by adding a level of protection for maintaining confidentiality of private information.

According to Section 2012 of the 21st Century Cures Act, as implemented in the 2017 NIH Certificates of Confidentiality Policy, all ongoing or new research funded wholly or in part by NIH as of December 13, 2016 that is collecting or using identifiable, sensitive information is automatically deemed to be issued a certificate of confidentiality. [4] Compliance requirements are outlined in the NIH Grants Policy Statement and the NIH DGS Contract Handbook - Special Contracts Requirements, which are terms and conditions of all NIH grant awards and contract solicitations, respectively.

Information protected by a certificate of confidentiality

Certificates of confidentiality protect information, documents, and/or biospecimens that contain identifiable, sensitive information related to a participant. [5] The certificate of confidentiality policy and 42 U.S. Code §241(d) define identifiable, sensitive information as information that is about an individual and that is gathered or used during the course of research where the following may occur:

Note that the law focuses on the identifiability of the information, and not on the sensitivity of the information.

The certificate of confidentiality protections cover all copies of information, documents, or biospecimens gathered (i.e., collected) or used by the investigator during the research, including copies that are shared for other research activities.

Once information is covered by certificate of confidentiality protections, those protections last in perpetuity.

References

  1. "Certificates of Confidentiality - Privacy Protection for Research Subjects: OHRP Guidance (2003)". US Department of Health and Human Services. February 25, 2003. Retrieved March 30, 2023. This article incorporates text from this source, which is in the public domain.
  2. "Certificates of Confidentiality (CoC)". US National Institutes of Health. Retrieved March 31, 2023.
  3. "Certificates of Confidentiality". Johns Hopkins Medicine. Retrieved March 31, 2023.
  4. "CoCs for NIH-funded Research". US National Institutes of Health. Retrieved March 31, 2023. This article incorporates text from this source, which is in the public domain.
  5. "Information Protected by a CoC". US National Institutes of Health. Retrieved March 31, 2023. This article incorporates text from this source, which is in the public domain.