1 / 30

Certificates of Confidentiality

Certificates of Confidentiality. Emory IRB Webinar 2/9/2017. Objectives. Review the need for confidentiality protection Cover definitions and basic protections provided by a Certificate of Confidentiality – and what it does not protect

jveronica
Download Presentation

Certificates of Confidentiality

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Certificates of Confidentiality Emory IRB Webinar 2/9/2017

  2. Objectives • Review the need for confidentiality protection • Cover definitions and basic protections provided by a Certificate of Confidentiality – and what it does not protect • Outline steps for Obtaining a Certificate of Confidentiality • IRB Requirements for approval of a Certificate of Confidentiality

  3. Key Concepts: Privacy v. Confidentiality • Privacy is a sphere of protection surrounding a person and his/her property or information, in which s/he can be let alone, without unwarranted interference or intrusion • Confidentiality is the limited scope in which a person’s private information is shared with others • Breach of confidentiality happens when a person’s private information is taken outside the scope of confidentiality by someone else (intentionally or not, with resulting harm or not)

  4. Privacy, Confidentiality and the Belmont Report • Respect for persons (autonomy) • Researchers actively protect subject’s privacy • Comply with all applicable rules and laws, including HIPAA • Researchers don’t breach confidentiality of subject’s private info • Use appropriate data security measures

  5. How to Describe Risks of Breachof Confidentiality • Honestly • E.g., “no known risk,” “remote” or “slight” risk • Avoid “no risk” • Give statistical risk if available • Specify data security measures • E.g., locked file, encryption, stripped of identifiers (name, address, SSN, date of birth) at what point, electronic technical protections, who will have access to personal identifiers

  6. Certificate of Confidentiality • What is it? • A legally effective form of protection permitting a PI and/or institution under subpoena not to identify subjects in the research study • Whom does it “cover”? • The PI and/or institution, not the subject • But the subject benefits from preservation of confidentiality

  7. Certificate of Confidentiality Subpoena • A legally enforceable written command to appear at a certain time and place to give testimony upon a certain matter. A subpoena is served on a person (e.g., a PI).

  8. CoC: Statutory Authority • Section 301(d) of the Public Health Service Act, 42 U.S.C. 241(d) • Secretary of DHHS may authorize persons engaged in biomedical, behavioral, clinical and other research to protect the privacy of individuals who are the subjects of that research • Authority has been delegated to the NIH • NIH can grant CoC for non-NIH-funded studies as well

  9. Certificate of Confidentiality • Boundaries of its protection: • Date of issuance to date of expiration (but covers research data collected prior to issuance) • Does not protect against PI’s voluntary disclosure • Does not protect against request for disclosure without a subpoena • PI can say “yes” or “no” voluntarily, unless IRB bars disclosure

  10. Certificate of Confidentiality • Does not prevent subject from voluntarily disclosing private information • Does not prevent mandatory reporting by PI in accordance with law • Child abuse • Threat of harm to self or others • Reportable communicable diseases

  11. Certificate of Confidentiality • Does not prevent seeker from getting same private info from other sources (e.g. medical records) • Though it does protect research data that is added to the medical record • NIH, FDA, IRB may still audit files and view research information

  12. CoC: Requirements PI/Institution obtaining CoC must: • Disclose its existence to subjects • In consent form or information sheet • PI may need to recontact subjects and reconsent with new information • Include a clear explanation of COC • What it does, its power v. a subpoena • What it doesn’t do, its limits

  13. CoC: Requirements • PI/Institution obtaining CoC must also: • Document IRB approval and IRB qualifications • Provide a copy of the informed consent forms approved by the IRB • PI and Institutional Official must sign application

  14. CoC: Assurances undertaken byPI/institution • Agree to protect against compelled disclosure and to support and defend the authority of the Certificate against legal challenges • Agree to comply with Federal regulations that protect human subjects • Agree not to represent Certificate as endorsement of project by DHHS or NIH or use to coerce participation • Agree to inform subjects about Certificate, its protections and limitations

  15. CoC: Eligible Studies • What kind of information is eligible for its protection? • Only “sensitive” information, i.e., if disclosure could have adverse consequences for subjects or damage their: • financial standing • employability • insurability, or • reputation

  16. CoC: Identifying information • “Identifying Information” is broadly defined • Not just name, address, social security number, etc. • Includes any item or combination of items that could lead directly or indirectly to the identification of a research participant

  17. CoC: Eligible Studies • Collecting genetic information • Collecting information on psychological well-being of subjects • Collecting information on sexual attitudes, preferences or practices • Collecting data on substance abuse or other illegal risk behaviors • Studies where participants may be involved in litigation related to exposures under study (e.g., breast implants, environmental or occupational exposures)

  18. COC: Non-Eligible Projects • Not research • Not collecting personally identifiable information • Not reviewed and approved by the IRB as required by NIH guidelines • Collecting information, that if disclosed, would not significantly harm or damage the subject (e.g; Information that is already part of the medical record)

  19. CoC: Does it Work? • The CoC been challenged in a few cases but was ultimately upheld

  20. Certificate of Confidentiality • Privileges protecting against subpoena are rare: • Attorney-client • Doctor-patient • Marital • Clergy • CoC – provides high degree of protection and privilege to the PI

  21. Certificate of Confidentiality • Caveat: CoC does not obviate need for data security • Data security is key to protecting subjects’ private information • Unauthorized persons must not be granted access to research data or learn the identities of human subjects • CoC does not protect a subject from a negligent researcher

  22. CoC: For more information • Go to the Certificates of Confidentiality Kiosk @ https://humansubjects.nih.gov/coc/index • Kiosk includes: • background information and Instructions • application information for extramural investigators • application information of intramural investigators • FAQs • contact list

  23. Steps to Obtain a CoC • Go to the NIH’s CoC Kiosk submit your application electronically. After it is received, the NIH will provide you with a form that must be signed by the PI and the Emory Institutional Official.  • Once you have the form ready to be signed, DO NOT send the form directly to the Emory Institutional Official. Instead, email the IRB analyst who is responsible for your study.  

  24. Submitting CoC Request to IRB

  25. Details to Include with IRB Request • The full CoC application, as an attachment, along with the “Assurances” form that needs to be signed; • The nature of the sensitive data to be generated during the research study and how that data will be identifiable/linked to the subject; • Whether that sensitive information also exists somewhere outside the research record (e.g. HIV diagnosis already present in subjects’ medical record - either at EHC or elsewhere - before the study begins).

  26. Following CoC Approval • If you are granted a CoC for a study that has already been approved, you should submit an amendment in eIRB to do the following: • Upload the approved CoC into the eIRB system under the "Miscellaneous Documents" section. • Add the required language in the ICF to note the CoC 

  27. CoC Timing and Consent Form • The CoC’s protections – and limitations – must be stated in the Informed Consent form once the CoC is granted, and the language is dictated by the NIH • If the IRB agrees that enrollment prior to obtaining the CoC is acceptable, the IRB can approve a non-CoCversion of the consent form, along with a CoC version that you can submit to the NIH with your CoC application - but which cannot be used to enroll until the CoC is granted.

  28. CoC vs “Sensitive Study” Status • When a study is declared to have "sensitive status“ at Emory, steps are taken to limit the amount of information that is put into the EHC medical record. • The CoC doesn't limit the information put into the record but instead it covers that information with privacy protections. 

  29. 21st Century Cures Act • In an effort to enhance the impact of “big data” through data sharing, CoC’s will be provided to all NIH-funded scientists as part of the Act. https://nexus.od.nih.gov/all/2016/12/14/21st-century-cures-perspectives-from-nih/

  30. Contact the IRB Contact the QA and Education Team!

More Related