Join Advarra

Learn more about our company team, careers, and values. Join Advarra’s Talented team to take on engaging work in a dynamic environment.

See Jobs

New FDA Certificate of Confidentiality Guidance: What Does it Mean for You?

FDA has recently issued guidance relating to changes for Certificates of Confidentiality (CoCs) brought about by the 21st Century Cures Act (“Cures Act”), which was passed in 2016. In this blog, we discuss what has and has not changed regarding CoCs and how this new guidance impacts research sponsors, research sites, and institutional review boards (IRBs).


CoCs are intended to protect the privacy of research participants by preventing sponsors and researchers from being compelled to disclose “identifying, sensitive information,” which is defined as follows:

information that is about an individual and that is gathered or used during the course of research” … and (A) through which an individual is identified; or (B) for which there is at least a very small risk, as determined by current scientific practices or statistical methods, that some combination of the information, a request for the information, and other available data sources could be used to deduce the identity of an individual.

As examples of “identifying, sensitive” data, FDA lists data collected during “research on mental health and research on the use and effect of alcohol and other psychoactive drugs,” and states that “genomic data also are often considered to fall automatically into the category of identifiable, sensitive information.”

What Has Changed

The Cures Act strengthened the protection provided by CoCs, outright prohibiting sponsors and researchers from disclosing personal, sensitive information collected during the research (except under very specific circumstances) and making the issuance of CoCs mandatory for federally funded research involving such information, including federally funded research that is FDA regulated.

What Has Not Changed

Historically, FDA has accepted requests for CoCs from sponsors and researchers and issued CoCs on a discretionary, case-by-case basis. The guidance clarifies that, for FDA-regulated research that is not federally funded, FDA will continue to consider applications for discretionary CoCs and issue them as appropriate, depending on the nature of the case. For all federally funded research, the guidance states that the issuance of CoCs will be mandatory for research collecting identifying and sensitive information and that requests for discretionary CoCs should not be made.

What This Means for You

For sponsors: The new guidance recognizes sponsors as the appropriate entity to submit requests to the FDA for discretionary CoCs in FDA regulated research that is not federally funded, as sponsors or “sponsor-investigators” are typically the “entities or individuals who have responsibility and control over the information and data collected and used in research.” Sponsor evaluations of whether a CoC is needed or appropriate should “take into account the type of information collected, whether the information is retained for any further use or purpose, the extent of the information, and the security of the data systems that contain the information.” The guidance clarifies that once issued, sponsors have a legal obligation to comply with the protections afforded to participants by the CoC, as set out here.

For institutions/sites: According to NIH guidance, for NIH-funded research, the institution(s) hosting the research and its investigators are responsible for determining whether the research involves the collection of identifying, sensitive information. NIH-funded research that meets this condition is “automatically deemed to be issued a Certificate and must comply with the requirements.” Please note that this may not apply to research funded by other federal agencies.

For IRBs: While FDA guidance identifies sponsors as the correct entity to request discretionary CoCs in FDA-regulated research that is not federally funded, it also acknowledges an important role for the IRB in determining whether a CoC may be appropriate. IRBs may, as a condition of IRB approval, request that a discretionary CoC be obtained when the IRB deems that the data being collected is identifiable and sufficiently sensitive. Because such assessments can be challenging and involve different ethical views and perspectives, this is a point on which commitment to clear communication and collaboration between IRBs and sponsors is crucial.


The recent FDA guidance on CoCs highlights encouraging developments around the nature of CoCs and the processes for obtaining them. Clearly delineating the different roles of sponsors, institutions, and IRBs is important and will help to further streamline and improve this aspect of research, promoting greater protection of participant privacy.

Need more information on CoCs? Find out about NIH Certificate of Confidentiality requirements in our blog Changes to NIH Policy for Issuing Certificates of Confidentiality: What You Need to Know.

Back to Resources