Advanced Search

Investigator Resources

Information for Research Participants
Information for Study Teams
Information for Sponsors
Institutional Review Boards
UM Policies & Procedures - HSRO/IRB
1. Preface
2. Background Topics
3. Authorities and Responsibilities
4. Conflict of Interest
5. Institutional Review Boards
6. IRB Meetings
7. General Principles for IRB Reviews
8. Definition of IRB Review Types
9. IRB Review of Initial Studies
10. IRB Review of Continuing Studies
11. Amendments
12. Closing Studies and Final Reports
13. Suspension, Termination and Administrative Closure of IRB Approved Research
14. Unanticipated Problems and Adverse Events
15. Study Violations
16. Compliance Audits
17. Data Safety Monitoring Boards
18. Ancillary Committees
19. External IRB's
20. Policies Specific to Certain Types of Research
21. Informed Consent
22. Participant Recruitment Methods, Advertising Materials and Recruitment-Relevant Payment Arrangements
23. Vulnerable Populations
24. Privacy, Security, Confidentiality and HIPAA
25. Subcontracts/Agreements for UM-Initiated Studies that Engage or Involve non-UM Institutions or Investigators
26. International Research
27. Emergency Use
28. Record Retention
Other Policies
UChart Forms & Guidance
HSRO Forms & Documents
University Fees
Ancillary Committee Information
eProst User Guide
Ethics, Federal Regulations & Guidance
Western IRB (WIRB)
About the HSRO

Basic Folder Information

24.7 Confidentiality

Approval Date

Review Responsibility:

IRB Policy and Procedure Committee

Current Approval Date:

August 6, 2008


24.7(a)  General Principles of Confidentiality

Confidentiality of identifiable information shall be maintained unless subjects give permission to relinquish confidentiality.  The more sensitive the information, the greater is the need for confidentiality.  This is to protect subjects from potential harms such as psychological distress, loss of insurance, loss of employment and damage to social standing. Investigators should understand that to do other than maintain confidentiality would be inconsistent with the principles of the Belmont report requiring respect for persons and beneficence.

All information relating to research studies shall be kept secure and confidential to the extent permitted by law.  However, records shall be available to the IRB and appropriate governmental agencies and authorized University employees or other agents authorized by the University. All others requesting information on research studies must obtain written approval from the Principal Investigator or the AssociateVice Provost for Human Subject Research.

Principal Investigators should design and conduct studies that protect to the fullest extent possible the participants’ and confidentiality.  The Principal Investigator must comply with the UM policy entitled “Policy and Security of Confidential Health Information”.

24.7(b)  IRB Review of Confidentiality

Studies must include appropriate strategies to protect the identity of human subjects and the confidentiality of research records. These strategies should cover all types of data collected, including personality inventories, interviews, questionnaires, observations, photographs and film, taped records and other stored data.  Plans should explain the mechanisms devised for this purpose such as numbering or code systems or the locking of files in private offices and shall describe who has access to the data and under what circumstances a code system may be broken. Plans should also define the final disposition or destruction of such information.

The IRB shall evaluate strategies for confidentiality in its review process.  The appropriateness of such strategies shall be a requirement for study approval.  In its review, the IRB shall be guided by the following:

  1. Questionnaires, inventories, interview schedules, and other data-gathering instruments and procedures should be carefully designed to limit the personal information to be acquired to that which is essential, and should be administered using procedures that will protect the subject's privacy
  2. Information that could reveal a subject's identity should be securely stored in files accessible only to the principal investigator and authorized staff listed in the IRB approved protocol
  3. As early as feasible, data should be coded to remove identifying information, and identifiers destroyed
  4. The identity of subjects should not be released except with their express permission. This includes through the use of audio tapes, videos, photos, or other images (e.g., MRI, CT scan) that either show the subject's face or would divulge unique or identifying features. Subjects should always be told during the informed consent process if their likeness or other unique or identifying features will be imaged and how the images will be used.  Explicit consent must be obtained for any public use of such images (including uses in the classroom, on the internet, or as part of a presentation of the research results), since publication would otherwise constitute a breach of the basic confidentiality requirement.
  5. Use of existing data that were originally obtained for different purposes and that involve identifiable subject information requires examination of the risks involved. The IRB must determine whether the new use is within the scope of the original consent or whether it is necessary or feasible to obtain additional consent. Anonymity of the subjects must be preserved in these cases

24.7(c)  Certificates of Confidentiality

Certificates of Confidentiality: Certificates of Confidentiality are issued by the National Institutes of Health (NIH) to protect the privacy and confidentiality of research subjects by protecting investigators and institutions from being compelled to release information that could be used to identify subjects

In certain circumstances involving civil, criminal, administrative, legislative or other proceedings at the federal, state or local level, investigators and institutions may be compelled to release information that could be used to identify subjects within a research study. To ensure the privacy of research subjects, investigators and institutes may refuse to disclose any item or combination of items in the research data that could lead directly or indirectly to the identification of a research subject if protected by a Certificate of Confidentiality.

Principal Investigators may apply for a Certificate of Confidentiality from the National Institutes of Health (NIH) under section 301(d) of the Public Health Service Act [42 U.S.C. 241(d)]. A Certificate may be awarded whether or not a research project is federally funded. Certificates may be requested prior to the submission of an application for study approval to the IRB; or the IRB may require that the Principal Investigator obtain a Certificate of Confidentiality from the NIH prior to conducting the research. Generally, an application for a Certificate is submitted after IRB approval of the research because IRB approval is a prerequisite for issuance of a Certificate.

A separate application is required for each research project for which a Certificate is desired even if the projects have a common Principal Investigator. A Certificate is generally issued to a research institution for a single project (not broad groups or classes of projects). However, projects that use the same sample of subjects but have different protocols may file for one Certificate since the subjects, whose identities the investigator wishes to protect, are the same.

Instructions for applying for a Certificate of Confidentiality are available at http://grants.nih.gov/grants;polocy/coc/appl-extramural.htm.  Both the Principal Investigator and the Institutional Official (the Vice Provost for Research) must sign the Certificate application.

Certificates of Confidentiality may be issued to institutions or universities for biomedical, behavioral or other types of research where disclosure of identifying information could have adverse consequences for subjects such as by damaging their financial standing, employability, insurability, or reputation or by involving them in criminal or civil litigation. Examples of sensitive research activities that may qualify for Certificates of Confidentiality include but are not limited to:

  1. Collecting genetic information
  2. Collecting information on the psychological well-being or mental health of subjects
  3. Collecting information on subjects' sexual attitudes, preferences or practices
  4. Collecting data on substance abuse or other legal or illegal risk behaviors
  5. Studies where subjects may be involved in litigation related to exposures under study (e.g. breast implants, environmental or occupational exposures)

Specific cultural or other factors may make information in other, unlisted, categories to be considered as sensitive. Certificates of Confidentiality may be granted in such cases upon appropriate justification and explanation.

Some projects are ineligible for a Certificate of Confidentiality such as those that are:

  1. Not research
  2. Not collecting personally identifiable information
  3. Not reviewed and approved by the IRB as required by these policies
  4. Collecting information that if disclosed would not significantly harm or damage the participant

In general, Certificates are issued for single, well-defined research projects rather than groups or classes of projects. In some instances, they can be issued for cooperative multi-site projects. A coordinating center or "lead" institution designated by the NIH program officer can apply on behalf of all institutes associated with the multi-site project. The lead institution must ensure that all participating institutions conform to the application assurances and inform participants appropriately about the Certificate, its protections and the circumstances in which voluntary disclosures would be made.

A Certificate of Confidentiality protects personally identifiable information about subjects in the research project while the Certificate is in effect. Generally, Certificates are effective on the date of issuance or upon commencement of the research project if that occurs after the date of issuance. The expiration date should correspond to the completion of the study. The Certificate will state the date upon which it becomes effective and the date upon which it expires. A Certificate of Confidentiality protects all information identifiable to any individual who participates as a research subjects (i.e., about whom the investigator maintains identifying information) during any time the Certificate is in effect. An extension of coverage must be requested if the research extends beyond the expiration date of the original Certificate. However, the protection afforded by the Certificate is permanent. All personally identifiable information maintained about participants in the project while the Certificate was in effect is protected in perpetuity.

Although Certificates of Confidentiality protect against involuntary disclosure, research subjects may voluntarily disclose their research data or information to physicians or other third parties and they may also authorize in writing the Principal Investigator to release the information to insurers, employers, or other third parties. In such cases, the Certificate should not be used to refuse disclosure. Moreover, Principal Investigators are not prevented from the voluntary or mandatory disclosure of matters such as child abuse, reportable communicable diseases, or a subject's threatened violence to self or others. However, if the Principal Investigator intends to make any voluntary disclosures, the consent form must specify such disclosure.

In the informed consent documents, Principal Investigators shall inform research subjects if a Certificate of Confidentiality is in effect. Subjects should be given a fair and clear explanation of the protection that a Certificate affords, including the limitations and exceptions noted above.

Certificates of Confidentiality do not authorize investigators to refuse to disclose information about subjects to the HSRO or the IRB or authorized DHHS or FDA personnel requesting such information requirements such as an audit or program evaluation.

Footer Block

University of Miami Office of Research UM School of Medicine CITI Program Jackson Health System
 University of Miami logo University of Miami
Human Subjects Research Office

1500 NW 12th Avenue, Ste. 1002, Miami, FL 33136
Tel. 305-243-3195
Copyright, University of Miami, All Rights Reserved
Requests for information. Send technical feedback.
View Privacy statement