Certificates of Confidentiality 

Certificates of Confidentiality were developed to encourage participation in research by granting certain protections to a subject divulging possible compromising information. 

Data collection about sensitive issues (such as illegal behavior, alcohol or drug use, or sexual practices or preferences) requires the protection of confidentiality beyond preventing accidental disclosures. 

Under Federal law, researchers may obtain a Certificate of Confidentiality (CoC) that will provide protection against compulsory disclosure, such as subpoena, for research records that contain “identifiable sensitive information”.

Per the 21st Century Cures Act ( sec 2012) “Identifiable Sensitive Information” is defined as information that is about an individual and that is gathered or used during the course of research described in paragraph (1)(A) and :

A. Through which an individual is identified

B. For which there is at least a very small risk as determined by current scientific practices or statistical methods, that some combination of the information, a request for the information, and other available data sources could be used to deduce the identity of an individual.

Paragraph (1)(A) includes biomedical, behavioral, clinical or other research including research on mental health and research on the use and effect of alcohol and other psychoactive drugs. 

Under Federal law, a CoC allows an investigator and others who have access to research records to refuse to disclose identifying information on research participants in any civil, criminal, administrative, legislative, or other proceeding, whether at the federal, state, or local level. By protecting researchers and institutions from being compelled to disclose information that would identify research subjects, Certificates of Confidentiality help achieve the research objectives and promote participation in studies by helping assure confidentiality and privacy to participants.

Whether or not a CoC is necessary depends on the sensitivity of the research data and the potential impact it may have on subjects should it be disclosed (e.g., potential damage to their financial standing, employability, insurability, or reputation). Examples of sensitive research data include:

  • Genetic Information
  • Information of psychological well-being of participants
  • Information on participants' sexual attitudes, preferences or practices
  • Data on substance abuse or other illegal risk behaviors

The Certificates, however, do not exempt investigators from performing ethical research nor do they allow investigators to abdicate the responsibility to act in the public good. 

Therefore, investigators are required to include a statement in the consent form that alerts potential subjects of the legal and ethical mandate compelling researchers to report certain criteria. 

The IRB is required to determine whether the risks to subjects are minimized, informed consent is appropriate, and privacy and confidentiality protections are adequate. 

Effective December 13, 2016, DHHS enacted new provisions that automatically provide a Certificate of Confidentiality for any study funded by the Federal government (except the Department of Justice) that will collect identifiable sensitive information. No application for a Certificate of Confidentiality is required and no Certificate will be provided by the NIH. 


You must know your funding source to determine if and how you obtain a

CoC.  For more information refer to https://era.nih.gov/files/Cert_Confidentiality_Ext_userguide.pdf

Researchers working on eligible human subjects research projects can use the Online Certificate of Confidentiality System to request a Certificate of Confidentiality (CoC) from NIH.

For Non-NIH, Federally-Funded Research:

Several non-NIH HHS agencies, including CDC, FDA, HRSA,  SAMHSA, and the Department of Justice issue Certificates of Confidentiality (CoCs). If your research is funded by one of these agencies or is operating under the authority of the FDA, please contact the Certificate Coordinators at the funding agency to determine how to obtain a CoC.   Requests for Certificates should be submitted at least three months prior to the date on which you expect to begin enrollment of research.


If your research is funded by an HHS agency, other than NIH, CDC, FDA, HRSA or SAMHSA, that do not issue CoCs, you may request a Certificate of Confidentiality for specific health-related projects using sensitive, identifiable information, using the NIH online system. NIH issues CoCs on behalf of these HHS agencies.  These requests usually take less than a week to receive approval. 

The CoC protections begin upon the date of the certificate approval.  Therefore, the IRB-HSR will not open a study to enrollment until it has received the approval for the CoC for a study not funded by the NIH that has a CoC automatically granted.