CoCs protect the privacy of research participants by prohibiting the research team from disclosing identifiable, sensitive research information to individuals or entities not connected to the research. CoCs are to be issued for any biomedical, behavioral, clinical, or other research, in which identifiable, sensitive information is collected where the research is Funded wholly or in part by the Public Health Services Agencies (PHS), or as required.
The recipient of a CoC shall:
- Adhere to the privacy protections afforded by a CoC (and thus sharing and use restrictions) in perpetuity.
- Not disclose or share identifiable, sensitive research information, except in a few limited instances, e.g., participant consent, as required by law or in compliance with the human subjects research regulations.
The decision trees below and FAQs provide guidance as to whether CoC requirements apply to your research and if so, how to comply with these requirements and processes at Washington University.
|Certificates are automatically awarded to research falling under either the NIH’s or CDC’s COC policy as a term of the notice of award; therefore, NIH and CDC Funded researchers are not required to apply for a CoC. NIH and CDC Funded researchers are expected to be able to identify when their research falls under the CoC policy.
Use the NIH and CDC Funded researcher decision tree to determine:
|Researchers who receive PHS Funding may be required to apply to obtain a CoC from the appropriate issuing agency (i.e., NIH, FDA, HRSA, SAMHSA).
This includes researchers who are:
|Depending on the population and content of research information to be obtained, securing a CoC to protect the privacy of research participants may be an appropriate and/or necessary step.
For researchers without Federal Funding, a CoC can be applied for through the NIH.
Use the decision tree for Non-Federally Funded researchers to determine:
Frequently Asked Questions (FAQs)
- What is a COC?
- What information is protected?
- When may researchers disclose protected information?
- What if I want to share or transfer my data and/or biospecimens to other researchers?
- Who Issues a Coc?
- How do I apply for a CoC?
- How long does a CoC last?
- How do I extend the expiration date on my CoC?
- Does a CoC ever have to be amended?
- I have a new study funded by the NIH or CDC, what do I need to do?
- Does the CoC policy apply to my existing NIH and CDC award?
- I no longer have NIH or CDC Funding, but I did have Funding on/after 12/13/2016. What do I need to know?
- What other resources are available?
1. What is a COC?
A CoC protects the privacy of research participants enrolled in biomedical, behavioral, clinical or other research. Researchers are prohibited from disclosing any information, documents or biospecimens containing identifiable, sensitive information related to a participant to anyone not connected with the research, including in response to legal demands, such as a subpoena.
2. What information is protected?
- A CoC protects identifiable, sensitive information or information for which there is at least a very small risk, that some combination of the information, a request for the information, and other available data sources could be used to identify an individual.
3. When may researchers disclose protected information?
- When the participant consents.
- When disclosure is required by federal, state, or local laws.
- When the disclosure is made for the purposes of research that complies with the human subjects regulations.
- Transfering and/or sharing data and/or biospecimens that are identifiable, have a small risk of being identified, involve generation of individual level human genomic data, and/or any other information that might identify a person should be disclosed to the Office of Technology Management (OTM) or the Joint Research Office for Contracts (JROC), as appropriate, prior to the execution of a data use/transfer agreement (DUA) and/or material transfer agreement (MTA). Please contact the offices below or visit their websites for more information:
5. Who Issues a CoC?
- NIH and CDC automatically issue CoCs to award recipients who are conducting biomedical, behavioral, clinical or other research that involves the collection of sensitive identifiable research information or biospecimens. There is no need to apply to the NIH or CDC for a CoC.
- Three agencies within the Department of Health and Human Services issue CoCs for research Funded by those agencies, through an application process:
- Substance Abuse and Mental Health Services Administration (SAMHSA)
- Health Resources and Services Administration (HRSA)
- Food and Drug Administration (FDA)
- For all other PHS Funded research, researchers should apply to the NIH for a CoC. NIH has been delegated the authority to issue CoCs for other Federal Agencies.
- Please note: Other Federal Agencies like the Department of Justice (DOJ) and the Department of Defense (DOD) may have specific confidentiality requirements. Be sure to contact your Funding Agency to inquire about any specific requirements.
6. How do I apply for a CoC?
- If there is a human studies protocol, submit to IRB/HRPO either a new study application or modification, a) mark in the myProject section of your myIRB application “CoC is pending.”; and b) add the CoC template language to all of the consent documents and/or consent materials being used.
- Prepare the CoC application, following the instructions of the Federal Agency. Some agencies have web-based forms; others require a letter with specific information and attachments. Note: an application is not required for NIH or CDC-Funded research.
- Obtain institutional signature by sending the full application (or screen prints if an online application) to the Office of Sponsored Research Services (OSRS) who will review the application and provide signature on the following documents:
- An assurance page generated by the CoC online system, signed by the PI, and
- A letter prepared by the department, on department letterhead, requesting the CoC, signed and dated by the PI.
- The University’s Director of OSRS (or his/her designee) has been delegated “Institutional Official/Authority,” authorized to sign CoC applications.
- Submit the completed CoC application to the agency with the IRB/HRPO approved consent forms and the assurance page/letter signed by the “Institutional Authority.”
- If you are a student, the CoC application must also be signed by your faculty advisor; some agencies may require the faculty advisor to be the PI on the CoC application.
- Once the agency responds, send a copy of the response to the IRB/HRPO.
- If the CoC has been granted, submit a modification in myIRB to change the myProject section to “CoC Received” and attach a copy of the CoC.
- If the CoC has been denied, submit a modification in myIRB to change the myProject section to “No”, remove the CoC language from the consent forms/materials and include in the modification that a CoC was denied.
7. How long does a CoC last?
- Information, documents and biospecimens collected under a CoC are protected in perpetuity.
- CoCs DO expire.
- For NIH or CDC Funded research, the automatically awarded CoC protection ends when award Funding ends; however, CoC protection continues during no cost extensions.
- If Funding ends but research activities continues, researchers may need to re-apply for a CoC.
- If a researcher applies for and is awarded a CoC, the expiration date will be on the CoC.
- Information, documents and biospecimens collected after a CoC expires are NOT protected by the CoC.
- CoCs may be extended upon application to the issuing agency.
8. How do I extend the expiration date of my CoC?
- Follow the agency’s instructions for extending the expiration date.
- If the CoC extension is granted, notify the IRB/HRPO by submitting a modification in myIRB and attaching a copy of the extended CoC.
- You are responsible for ensuring that the CoC does not expire while identifiable, sensitive information is being collected.
- In the event that the CoC has expired, you cannot enroll/consent any new subjects until a:
- CoC extension has been received or
- Modification has been submitted to the IRB/HRPO to remove the CoC information from the application and informed consent documents/materials.
- In the event that the CoC has expired, you cannot enroll/consent any new subjects until a:
- Data collected after a CoC has expired are NOT protected from disclosure in response to subpoenas or other legal demands.
9. Does a CoC ever have to be amended?
- Yes, amending a CoC is necessary when there are significant changes to the research. If an amendment to the CoC is not obtained, then data collected by the revised study may not be covered by the original CoC.
- Examples of significant changes: major changes in the scope or direction of the research; adding a new subject population; adding the collection of additional types of identifiable sensitive data; changing the lead researcher.
- Follow the amendment instructions of the issuing Federal Agency. When the amendment has been granted, notify the IRB/HRPO by submitting a modification in myIRB and a copy of the amended CoC.
10. I have a new study Funded by the NIH or CDC, what do I need to do?
- You will need to submit a modification to the study in myIRB.
- Update the myProject section of the myIRB application to reflect that a CoC was automatically issued by the sponsor of the study.
- All IRB/HRPO approved consent forms will need to be revised to include the appropriate CoC language.
- This language will be available in myIRB, in a newly generated consent form template, once the response to the myProject section is updated.
- The IRB/HRPO will determine if existing participants will need to be re-consented.
11. Does the CoC policy apply to my existing NIH and CDC award?
- Yes, any NIH and CDC-Funded study using identifiable, sensitive information that was active on/after December 13, 2016 has automatically been issued a CoC.
12. I no longer have NIH or CDC Funding, but I did have Funding on/after 12/13/2016. What do I need to know?
- A CoC was automatically issued to your NIH and CDC Funded research as of December 16, 2016 and data collected during that period is protected by the CoC.
13. What other resources are available?
The University has developed a series of decision trees to assist researchers with managing the CoC process:
The 21st Century Cures Act (Dec, 2016) defined, and expanded, the type of information requiring the protection of a Certificate of Confidentiality.
Following the 21st Century Cures Act, the NIH updated its policy for the issuance of Certificates of Confidentiality for research Funded wholly or in part by the NIH (October 1, 2017).
- NIH Certificate of Confidentiality Kiosk website
- NIH Policy for Issuing Certificates of Confidentiality
- NIH FAQs
- CDC Certificate of Confidentiality Information
- 21st Century Cures Act
- Certificates of Confidentiality for NIH Funded Research
- Certificates of Confidentiality for Other HHS Funded Research (non-NIH)
- Certificates of Confidentiality for Research Funded by Non-HHS Federal Agencies
- Certificates of Confidentiality for Non-Federally Funded Research
- NIJ Privacy Certificate
- Call HRPO at 317-747-6800 or OVCR at 314-747-5525