Overall, our results suggest some degree of uncertainty about Certificates among IRB chairs. On our objective knowledge questions, most chairs chose the incorrect answer or ‘unsure’ rather than the answer reflected on NIH’s Kiosk. Most were in the middle opinion score group, expressing neither a particularly positive nor negative view of Certificates. Higher levels of self-reported familiarity with Certificates tended to move respondents out of the middle opinion score group–some toward a more positive view and others toward a more negative view. Further, respondents expressed a variety of ideas about the appropriate use of Certificates and what they are intended to protect, as well as their role in managing versus reducing risk.
Despite this uncertainty, chairs who participated in our study commonly viewed Certificates as a potentially valuable means for facilitating participation in sensitive research and protecting participants’ privacy and the confidentiality of their data. In the hypothetical research study we presented–despite a range of opinions about the level of risk involved and the need for a Certificate–the effect of obtaining a Certificate was a shift toward lower levels of perceived risk and increased protection for participants. In general, chairs frequently described Certificates as an ‘extra layer’ of protection and emphasized the critical importance of ensuring the implementation of more basic confidentiality measures. These findings lead to several practical observations:
First, our data suggest that IRBs’ understanding of Certificates is lacking and more education for human research protection professionals is needed. IRBs play a key role in identifying studies for which a Certificate may be appropriate and researchers likely look to the IRB for guidance about the use of Certificates; thus, it is essential that they have accurate information. Although IRB personnel may look into specific aspects of Certificates as needed, chairs’ generally poor performance on our objective knowledge questions is troubling given that four of the six questions were directly related to core IRB functions (confidentiality-related aspects of HIPAA, state reporting laws, and government audits, as well as participant consent). In addition, it may indicate that some IRB personnel overestimate what they know about Certificates or are unaware of what they do not know. Indeed, IRB chairs reporting the highest level of familiarity with Certificates still had a mean knowledge score indicating some misunderstanding (). Education about Certificates should involve active outreach at multiple levels, including greater promotion of NIH’s recently revamped Kiosk, programs by professional organizations, and incorporation into training and certification of IRBs and human research protection professionals.
Second, IRBs may not be using Certificates for the entire range of studies that are eligible for them. The current statute enables the use of Certificates for biomedical, behavioral, clinical or other types of research collecting sensitive data that, if disclosed, could have adverse consequences for participants or damage their financial standing, employability, insurability, or reputation 
. Available data suggest that applications for Certificates are rarely denied 
. Even so, a number of chairs who participated in our study expressed a narrow conception of Certificates as being meant only (or primarily) for studies that collect information about illegal behavior. Certificates should be considered for a broader range of research, and the topics listed on NIH’s Kiosk as examples of research for which a Certificate may be appropriate (summarized in ) are a good place to start. For instance, it is noteworthy that few of our respondents’ IRBs seemed to consider Certificates important for research involving genetics, despite recommendations to the contrary per NIH’s Kiosk, NCI’s Best Practices for Biorepositories 
, and NIH’s “Points to Consider” for genome-wide association studies 
. This discrepancy may be attributed, in part, to a perceived lack of sensitivity of genetic data given the Genetic Information Nondiscrimination Act 
and state genetic privacy laws 
, which prohibit certain kinds of discrimination based on genetic information. However, these are not the only ways genetic information could be used to harm someone.
Of course, given broader consideration of Certificates, one could begin to imagine a reason why virtually any piece of data might be of at least theoretical interest in a legal action, leading to the prospect of requiring or recommending a Certificate for nearly every study. Thus, it is important to take into account tempering factors such as those articulated by our study participants, including reasonably foreseeable risk of litigation, realistic threat of serious harm, and the availability of the sensitive information elsewhere.
Third, the mixed opinions we uncovered about the extent to which Certificates protect identifiable research data may be due, in large part, to true uncertainty in the field rather than misunderstanding or lack of knowledge. There is little guidance from the courts on the scope of protection offered by Certificates because there have been very few published opinions that consider the effect of Certificates. In cases that do exist, the varied and unique factual situations involved make it difficult to generalize to other situations. While it is unclear whether Certificates can provide the absolute protection the statute authorizes in all circumstances (for example, if constitutional rights were at stake in a criminal case 
), it is difficult at this juncture to know how far their protection extends. Chairs in our study offered alternative views of Certificates–a strong deterrent to legal demands versus an obstacle that may help lead to compromise and negotiation. Under either view, chairs underscored the importance of remaining vigilant and using all tools available to protect participants’ confidentiality.
Finally, many of our respondents felt that Certificates do facilitate research participation by reassuring subjects, but they were less inclined to think a Certificate is necessary to ensure the collection of truthful information. Rather, several commented that participants’ trust in the researcher was a more important factor. In reality, these areas have been little studied 
and require further empirical investigation.
Our national sampling frame, good response rate, and mixed methods approach are important strengths of this work. However, several factors may limit the interpretation of our results. First, we do not have data about the characteristics of chairs who did not respond to our survey and thus cannot assess potential response bias; in general, the demographic characteristics of our respondents were similar to those found in surveys of IRBs on other topics 
. Second, our online survey comprised primarily closed-ended questions and we had variable power to detect statistically significant differences; further, we had the resources to conduct only a relatively small number of follow-up interviews. Thus our ability to assess even more nuanced factors that might explain or influence IRB chairs’ opinions about Certificates view was constrained. Third, to keep the survey to a reasonable length, we did not include questions covering every possible issue (e.g., IRB chairs’ view and experiences of the ease or difficulty of obtaining a Certificate). Thus, further research is warranted–among IRB leaders and other institutional officials, as well as researchers and research participants–to facilitate the development of sound policies that promote the appropriate use and understanding of Certificates of Confidentiality.