Post

Certificates of Confidentiality for Non-Federally Funded Research: Protection of Human Subject Privacy in FDA-Regulated Studies

This guidance describes FDA's implementation of provisions related to Certificates of Confidentiality (CoC) for protecting privacy of human research subjects from whom identifiable, sensitive information is collected. It focuses on discretionary CoCs for non-federally funded research involving FDA-regulated products, explaining how to request them and the associated statutory responsibilities.

Posted
By ReguVirta
3 min read

What You Need to Know? 👇

What is a Certificate of Confidentiality and how does it protect medical device research participants?

A Certificate of Confidentiality (CoC) protects researchers from being compelled to disclose identifiable, sensitive information about research participants in legal proceedings. It prohibits disclosure of participant information unless specific exceptions apply, helping protect participant privacy and research integrity.

Who can request a discretionary Certificate of Confidentiality from FDA for medical device studies?

Only sponsors or sponsor-investigators (as defined in 21 CFR regulations) can request discretionary CoCs from FDA. The research must involve FDA-regulated products, be subject to FDA regulatory authority, and collect identifiable, sensitive information from participants.

What constitutes “identifiable, sensitive information” in digital health and medical device research?

Identifiable, sensitive information includes data through which an individual is identified or where there’s risk that information combinations could deduce identity. This includes participant names, genomic data, and potentially de-identified data given current technological capabilities for re-identification.

How do I submit a discretionary Certificate of Confidentiality request to FDA?

Submit requests electronically to the appropriate FDA Center (CDER, CBER, CDRH, CTP, CFSAN, or CVM) via specified email addresses. Include descriptive information (sponsor details, FDA application number, research title) and required statutory assurances in PDF format.

What are the disclosure restrictions once a Certificate of Confidentiality is issued?

CoC holders cannot disclose identifiable participant information except when: required by federal/state laws, necessary for medical treatment with consent, made with participant consent, or for compliant scientific research. These protections apply in perpetuity to all information copies.

Can an IRB require sponsors to obtain a Certificate of Confidentiality for sensitive studies?

Yes, if an IRB determines that clinical trial data are sufficiently sensitive, it can request a CoC be obtained to secure IRB approval. Any disagreements between IRBs, sponsors, and investigators regarding CoC necessity should be resolved through appropriate communications.

What You Need to Do 👇

  1. Evaluate if your research requires a CoC by assessing:
    • If you collect identifiable, sensitive information
    • If you are a sponsor/sponsor-investigator
    • If research involves FDA-regulated products
    • If you have adequate confidentiality protection measures
  2. If CoC is needed:
    • Prepare request letter with required descriptive information
    • Include all necessary assurances regarding confidentiality protection
    • Submit electronically to appropriate FDA Center
  3. Implement processes to:
    • Protect identifiable information in perpetuity
    • Control information sharing with other entities
    • Handle permitted disclosures appropriately
    • Maintain documentation of CoC compliance
  4. Review and update privacy protection procedures to enhance confidentiality safeguards
  5. Train relevant staff on CoC requirements and responsibilities

Key Considerations

Cybersecurity

  • Must have sufficient research measures to protect confidentiality of identifiable, sensitive information
  • All copies of identifiable, sensitive information must be protected in perpetuity

Other considerations

  • Only sponsors or sponsor-investigators should submit requests for discretionary CoCs
  • Research must involve FDA-regulated products and be subject to FDA regulatory authority
  • Must collect or use identifiable, sensitive information in the research
  • Disclosure of protected information is only permitted in specific circumstances:
    • When required by Federal, State, or local laws
    • For medical treatment with individual’s consent
    • With individual’s consent
    • For other scientific research compliant with human subject protection regulations

Relevant Guidances 🔗

Related references and norms 📂

  • 21 CFR §50.3: Protection of Human Subjects
  • 21 CFR §56.102: Institutional Review Boards
  • 42 U.S.C. §241(d): Public Health Service Act provisions on Certificates of Confidentiality

Original guidance

  • Certificates of Confidentiality for Non-Federally Funded Research: Protection of Human Subject Privacy in FDA-Regulated Studies
  • HTML / PDF
  • Issue date: 2020-11-13
  • Last changed date: 2024-10-01
  • Status: FINAL
  • Official FDA topics: Radiation-Emitting Products, Tobacco, Medical Devices, Food & Beverages, Good Clinical Practice (GCP), Dietary Supplements, Drugs, Animal & Veterinary, Biologics, Research, Cosmetics
  • ReguVirta ID: 2b121db17b5cacef2633b6fc3c56f3a4
FDA guidance, Final
Radiation-Emitting Products Tobacco Medical Devices Food & Beverages Good Clinical Practice (GCP) Dietary Supplements Drugs Animal & Veterinary Biologics Research Cosmetics
This post is licensed under CC BY 4.0 by the author.