[D32.0000] Privacy vs. Confidentiality What’s the Difference?

The IRB is responsible for systematically evaluating proposed research for adequate provisions that protect the privacy interests of participants and maintain the confidentiality of identifiable data.  The federal regulations differentiate between privacy and confidentiality, and it is important to understand the difference to determine whether these regulatory criteria for approval of human subject research are appropriately met.

Privacy

Privacy refers to a person’s desire to control the access of others to themselves. For example, persons may not want to be seen entering a place that might stigmatize them, such as a pregnancy counseling center that is clearly identified as such by signs on the front of the building.  Privacy concerns people, whereas confidentiality concerns data. The research proposal should outline strategies to protect privacy, including how the investigator will access information from or about participants. 

In developing strategies for the protection of subjects’ privacy, consideration should be given to:

  • The methods used to identify and contact potential participants.
  • The settings in which an individual will be interacting with an investigator.
  • The appropriateness of all personnel present for research activities.
  • The methods used to obtain information about participants.
  • The nature of the requested information.
  • Information that is obtained about individuals other than the “target participants,” and whether such individuals meet the regulatory definition of “human participant” (e.g., a subject provides information about a family member for a survey).
  • Privacy guidelines developed by relevant professional associations and scholarly disciplines (e.g., oral history, anthropology, psychology).
  • How to access the minimum amount of information necessary to complete the study.

Confidentiality

Confidentiality refers to the researcher’s agreement with the participant about how the participant’s identifiable private information will be handled, managed, and disseminated. The research proposal should outline strategies to maintain the confidentiality of identifiable data, including controls on storage, handling, and sharing of data. When appropriate, certificates of confidentiality may be used to maintain the confidentiality of identifiable data.

When the IRB evaluates research proposals for strategies for maintaining confidentiality, where appropriate, consideration will be given as to whether: 

  • Methods to shield participants' identities adequately protect participant privacy.
  • There is a long-range plan for protecting the confidentiality of research data, including a schedule for destruction of identifiers associated with the data.
  • The consent form and other information presented to potential research participants adequately and clearly describe confidentiality risks.
  • The informed consent process and the informed consent document (and, if applicable, the HIPAA Authorization section) clearly delineate who will have access to the subject’s information and under what circumstances data may be shared (e.g., with government agencies or sponsors).

*Organizations subject to the HIPAA Privacy Rule should comply with the provisions applicable to research.

[D56.0000] Certificate of Confidentiality (CoC) Frequently Asked Questions (FAQs)

All information within this section, except for the CoC process at UK, is directly from the National Institutes of Health's (NIH) Certificates of Confidentiality (CoC) webpage.

What is a Certificate of Confidentiality (CoC)?

A CoC protects the privacy of research participants enrolled in biomedical, behavioral, clinical, or other types of health-related research that collect or use identifiable, sensitive information.

With limited exceptions, researchers may not disclose names or any information, documents, or biospecimens containing identifiable, sensitive information. The CoC prohibits disclosure in response to legal demands, such as a subpoena.

What is meant by identifiable sensitive information?

The statute that governs the CoC broadens the meaning of sensitive, identifiable information and focuses directly on identifiability. Identifiable, sensitive information is information about an individual, gathered or used during biomedical, behavioral, clinical, or other research, through which the individual may be identified.

This includes the risk that a combination of the information could be used to determine the identity of an individual through a request for the information combined with other available data sources. Identifiable, sensitive information includes but is not limited to name, address, Social Security or other identifying number, fingerprints, voiceprints, photographs, genetic information, tissue samples, or data fields that, when used in combination with other information, may lead to identification of an individual.

What are the researcher’s responsibilities under a CoC?

Investigators or an institution that is issued a CoC shall NOT:

  • Disclose or provide information covered by the CoC, in any Federal, State, or local civil, criminal, administrative, legislative, or other proceeding; or
  • Disclose or provide CoC-covered information to any person not connected with the research for which the CoC is issued.

In what situations may CoC-covered information be disclosed?

Disclosure of information, physical documents, or biospecimens protected by a CoC is permitted only when:

  • Required by other Federal, State, or local laws, such as for public health reporting of communicable diseases, or child or elder abuse reporting;
  • Made with consent of the subject; or
  • Made for the purposes of scientific research that is compliant with human subjects’ regulations.

Is the researcher responsible for informing research participants of a CoC?

When a researcher is issued a CoC and the researcher will be obtaining informed consent from participants, NIH expects that the subjects will be told about the protections afforded by the CoC and any exceptions to those protections.

The NIH Human Subjects website has suggested consent language that investigators may refer to. 

See the University of Kentucky’s (UK) consent template in E-IRB [under All Templates] for suggested verbiage required by UK’s Institutional Review Board (IRB).

If the study is funded by NIH, do I need to request a CoC?

No, eligible research studies that are funded by NIH are automatically issued a CoC under the NIH CoC Policy. 

Are all NIH-funded research protocols issued a CoC?

Effective October 1, 2017, CoCs have been automatically issued by NIH for all research covered by the policy that was commenced or ongoing on or after December 13, 2016. 

To determine if this policy applies to their NIH-funded research, investigators will need to answer the following question:

  • Is the activity biomedical, behavioral, clinical, or other research?

If the answer to this question is NO, the activity is not automatically issued a CoC, and the investigator will need to apply for a CoC. (See How does the CoC application process work at UK?)

If the answer is YES, investigators will need to answer the following questions:

  • Does the research involve Human Subjects as defined by 45 CFR Part 46?
  • Are you collecting or using biospecimens that are identifiable to an individual as part of the research?
  • If collecting or using biospecimens as part of the research, is there a small risk that some combination of the biospecimen, a request for the biospecimen, and other available data sources could be used to deduce the identity of an individual?
  • Does the research involve the generation of individual-level, human genomic data?

If the answer to ANY one of these questions is YES, then this Policy will apply, and a CoC is automatically issued.

Does NIH issue CoCs for research involving identifiable, sensitive information funded by other HHS operating divisions?

Several non-NIH HHS agencies issue CoCs, including:

  • Centers for Disease Control and Prevention (CDC)
  • Food and Drug Administration (FDA)
  • Health Resources and Services Administration (HRSA)
  • Substance Abuse and Mental Health Services Administration (SAMHSA)
  • Indian Health Service (IHS)

If your research is funded by one of these agencies or is operating under the authority of the FDA, contact the CoC Coordinator at the applicable funding agency to determine how to obtain a CoC.

The Agency for Healthcare Research and Quality (AHRQ) has its own privacy regulations, which may apply; NIH will not issue a CoC for projects covered by AHRQ’s regulations. Contact AHRQ for further information about their privacy regulations.

If your health-related research is funded by an HHS agency other than NIH, AHRQ, CDC, FDA, HRSA, SAMHSA, or IHS, you may request a CoC for your research projects that collect or use identifiable, sensitive information through the NIH online CoC system.

How does the CoC application process work at UK?

For NIH-funded studies, the project is automatically issued a CoC assuming it meets the criteria. 

Please note: The NIH no longer issues a physical certificate. The Notice of Award and the NIH Grants Policy Statement serve as documentation for the CoC protection. For additional information, please visit the CoCs for NIH-funded Research webpage.

For Non-NIH funded studies (it is the investigator’s responsibility to ensure that the CoC is obtained before enrolling a subject):

  1. Submit a research proposal to the IRB that contains CoC information in the General Information Sheet and consent form.
  2. Obtain IRB approval before submitting paperwork for a CoC.
  3. Submit the CoC application online.
  4. The CoC request will go to the AVPRI. The AVPRI will review the request and verify that the information is accurate. The AVPRI may contact ORI if they have any questions regarding your study.
  5. The NIH or funding agency will issue the CoC.
    • Please note: the NIH no longer issues a physical certificate.
  6. If applicable, submit consent changes to the IRB to comply with NIH (or other funding agency) CoC consent requirements.
  7. Submit documentation to the IRB once the CoC is obtained.

How do I apply for a CoC?

Information for applying for a CoC can be found at the NIH CoC website.

For non-NIH-funded studies, visit CoCs for Research Not Funded by NIH.

Who can I contact at NIH if I have CoC questions?

Inquiries may be sent to the NIH-CoC-Coordinator.

Additional Resources

HIPAA in Human Research

Health Insurance Portability and Accountability Act (HIPAA)

Go to ORI HIPAA web page

FERPA

Family Educational Rights and Privacy Act (FERPA)

Go to ORI FERPA web page

GDPR

General Data Protection Regulation (GDPR)

Go to ORI Data Security web page

NIH CoC FAQs

View the FAQs

NIH CoC Website

Go to website

Non-NIH-Funded Studies

For questions regarding the CoC process, contact: