01/26/2021
Image by Jan Alexander from Pixabay
Background
The US Food and Drug Administration (FDA) recently released a guidance on Certificates of Confidentiality. The 21st Century Cures Act (Cures Act) amended the privacy protection for study participants’ section relating to Certificates of Confidentiality (CoC). They are now required for any federally funded clinical research that collects or uses identifiable, sensitive personal information, now known as a mandatory CoC. Discretionary CoC may be requested for non-federally funded clinical research, which is the focus of the guidance. The Cures Act also strengthened the protections for CoC by prohibiting disclosure except under specific exceptions.
What is a Certificate of Confidentiality (CoC)?
A CoC protects the privacy of the study participant by prohibiting the disclosure of identifiable, sensitive personal information to anyone who is not directly involved in the clinical research unless the study participant gives specific consent to disclose this information. The protection is the same whether it is a discretionary or a mandatory CoC. Once issued, a CoC is binding. Identifiable, sensitive information can be used to identify the study participant, either directly, for example with their name, or indirectly, by combining available data that can lead to identification. Other entities who share in using the study participant data are also required to follow the disclosure requirements, which includes CROs and clinical sites. An IRB can request a CoC to be obtained before IRB approval of the clinical trial if it determines the data to be collected are sensitive.
When Should a Discretionary CoC be Requested?
The sponsor, sponsor-investigator, or other authorized representative that will be initiating the clinical research is responsible for determining if their clinical study will involve the collection of identifiable, sensitive information. Other factors include:
Retention time of data for future use
Security of data systems
Extent and type of data used
If it contains more easily identifiable information, such as genomic
Only clinical trials subject to FDA’s regulatory authority are applicable for discretionary CoC. The methodology for protecting study participant data needs to be sufficient to protect confidentiality before applying for a CoC.
How Should a Discretionary CoC be Requested?
The guidance aims to streamline the process for requesting a discretionary CoC. The entity (sponsor, sponsor-investigator, or authorized representative) should electronically submit the request to the appropriate Center. It should include:
Descriptive information (including the name, address, FDA application number, research title, etc.)
Assurances that the entity understands the obligations for complying with the CoC. Suggested wording examples are available in the guidance.
What About Sites?
For federally funded clinical trials where a mandatory CoC is needed, the clinical site is responsible for determining if it involves the collection of identifiable, sensitive information. If it does, it is considered to be issued a CoC and now must comply with all the requirements. Effective internal controls (policies and procedures) are required for NIH supported clinical research.
Updates to the CoC strengthen privacy protections for study participants, and the guidance clarifies when and how to apply for a discretionary CoC. It protects the study participant by prohibiting anyone in contact with their identifiable, sensitive information from being compelled to disclose it to those not involved in the clinical research or during a civil, criminal, or other hearing. Exceptions to the disclosure include if the study participant consents to disclosure, requires medical treatment, is required by law (such as mandated reporting of communicable disease), or is permitted for use in other clinical research. In an evolving world where increasingly personal information is collected, such as DNA sequencing, the updates to CoC offer increased privacy protections.
-The Clinical Pathways Team
Enjoy this blog? Please like, comment, and share with your contacts.