Skip Navigation Links

A. General Information on Certificates

A Certificate of Confidentiality (Certificate) protects the privacy of research participants enrolled in biomedical, behavioral, clinical or other research. With limited exceptions, researchers may not disclose names or any information, documents or biospecimens containing identifiable, sensitive information. The Certificate prohibits disclosure in response to legal demands, such as a subpoena.

Certificates protect names or any information, documents, or biospecimens containing identifiable, sensitive information related to a research participant. This is defined as "covered information" in the policy. In addition, if there is at least a very small risk that information, documents, or biospecimens can be combined with other available data sources to determine the identity of an individual, then they are protected by the certificate.

Yes. The protection covers all copies of information collected or used by the investigator in the research covered by the Certificate, even those copies that are shared for other research.

The protection of the certificate lasts in perpetuity. However, data collected after a certificate expires, or NIH funding ends, may not be protected. (See Question B8).

Disclosure of information, physical documents, or biospecimens protected by a Certificate is permitted only when:

  • Required by other Federal, State, or local laws, such as for reporting of communicable diseases;
  • Made with consent of the subject; or
  • Made for the purposes of scientific research that is compliant with human subjects regulations.

Identifiable, sensitive information is information about an individual, gathered or used during the course of biomedical, behavioral, clinical or other research, through which the individual is identified, or there is at least a very small risk that some combination of the information, a request for the information, and other available data sources could be used to determine the identity of an individual. The policy defines this as "covered information."

Identifiable, sensitive information includes but is not limited to name, address, social security or other identifying number; and fingerprints, voiceprints, photographs, genetic information, tissue samples, or data fields that when used in combination with other information may lead to identification of an individual.

Any investigator or institution issued a Certificate shall not:

  • Disclose or provide covered information, in any Federal, State, or local civil, criminal, administrative, legislative, or other proceeding; or
  • Disclose or provide covered information to any other person not connected with the research.

Researchers with a CoC many ONLY disclose identifiable, sensitive information in the following circumstances:

  • If required by other Federal, State, or local laws, such as for reporting of communicable diseases
  • If the subject consents; or
  • for the purposes of scientific research that is compliant with human subjects regulations

When a researcher is issued a Certificate and the researcher will be obtaining informed consent from participants, NIH expects that the subjects will be told about protections afforded by the Certificate and any exceptions to those protections. 

For studies that were previously issued a Certificate, and notified participants of the protections provided by that Certificate, NIH does not expect participants to be notified that the protections afforded by the Certificate have changed, although IRBs may determine whether it is appropriate to inform participants.

Neither the NIH Policy on Certificates of Confidentiality nor subsection 301(d) expect participants consented prior to the change in authority, or prior to the issuance of a Certificate, to be notified that the protections afforded by the Certificate have changed, or that participants who were previously consented to be re-contacted to be informed of the Certificate, although IRBs may determine whether it is appropriate to inform participants.

NIH generally does not consider summary research results, such as genomic summary results or summary results of clinical trials, to be identifiable, sensitive information as summary results are not “about an individual,” but rather, are about a group of individuals. Moreover, summary results generally pose less than a very small risk that individuals could be re-identified, even when used in conjunction with other available data sources.

Information protected by a Certificate can be shared openly on a public website only where otherwise authorized to be disclosed by the statute. For example, if participants have consented to such sharing. The NIH Policy on Certificates of Confidentiality expects that the recipient of a Certificate shall ensure that an investigator or institution who receives a copy of information protected by a Certificate understands that they are also subject to the requirements of subsection 301(d) of the Public Health Service Act.

B. Certificates for NIH-Funded Research

No, eligible research studies that are funded by NIH are automatically issued a certificate under the NIH Policy on Certificates of Confidentiality.

Effective October 1, 2017, certificates are automatically issued by NIH for all research covered by the policy that was commenced or ongoing on or after December 13, 2016.

To determine if this Policy applies to research conducted or supported by NIH, investigators will need to ask, and answer the following question:

  • Is the activity biomedical, behavioral, clinical, or other research?

If the answer to this question is no, then the activity is not issued a Certificate. If the answer is yes, then investigators will need to answer the following questions:

  • Does the research involve Human Subjects as defined by 45 CFR Part 46?
  • Are you collecting or using biospecimens that are identifiable to an individual as part of the research?
  • If collecting or using biospecimens as part of the research, is there a small risk that some combination of the biospecimen, a request for the biospecimen, and other available data sources could be used to deduce the identity of an individual?
  • Does the research involve the generation of individual level, human genomic data?
If the answer to any one of these questions is yes, then this Policy will apply

In general, no. It is the responsibility of recipients and their investigators to determine if their research is collecting or using covered information.

No, NIH will not provide documentation that specific NIH-funded studies are covered by a Certificate after the effective date of the policy. Documentation of NIH funding or support, the NIH CoC Policy (NOT-OD-17-109), the NIH Grants Policy Statement (See 4.1.4.1) subsection 301(d) of the Public Health Service Act, and any additional future guidance issued by NIH, will serve as documentation of the issuance of a Certificate for a specific study.

Section 2012 of the 21st Century Cures Act covers all research begun on or after December 13, 2016, and all research ongoing as of that date. Therefore, all NIH research within the scope of the policy, that was ongoing on December 13, 2016, or initiated on or after that date, is issued a certificate.

Note that research that was previously issued a Certificate by NIH (regardless of the funding source) is also subject to the new protections and requirements put in place by the 21st Century Cures Act.

The NIH policy issues Certificates for NIH-funded research that was ongoing on December 13, 2016, or initiated on or after that date. For certificates issued prior to December 13, 2016, for research that no longer has NIH funding, a new certificate will not be issued. However, the new protections and requirements enacted by the 21st Century Cures Act apply to all certificates previously issued by NIH, regardless of the funding source.

No.  NIH has long interpreted the protection afforded by Certificates to be permanent, even after a Certificate expires. Information protected by a Certificate that was issued or expired prior to the enactment of section 2012 of the 21st Century Cures Act will be subject to the requirements of the statute, which protects all copies of the information in perpetuity.

For NIH funded research, a Certificate protects the information that was collected or used during the period in which the research is funded by NIH. If the study continues after your NIH funding ends and you need continued protection of a Certificate for new information, you should apply for a Certificate following the process for non-federally funded research. You may want continued protection, for example, if you were collecting new information from participants or enrolling new participants after the period in which the research was funded by NIH.   Note that information protected by a Certificate, and all copies thereof, is protected by a Certificate in perpetuity, even after the research is no longer funded by NIH. 

If a research project was issued a Certificate and continues under a no-cost extension, the research is considered to continue to be covered by the Certificate for the duration of the no-cost extension.

No.  Certificates will be issued automatically to recipients for NIH-funded research that meets the scope of the NIH Policy. Certificates may be issued for non-federally funded research upon request, but are not mandatory.  Information protected by a Certificate and all copies are subject to the protections of the Certificate in perpetuity. Therefore, if a secondary researcher receives information protected by a Certificate the secondary researcher is required to uphold the protections of the Certificates.  NIH expects that recipients of a Certificate will inform secondary researchers when information disclosed to them is protected by a Certificate.

Yes, subrecipients who receive funds to carry out part of the Federal award for which a Certificate is issued are also protected by the Certificate and subject to its requirements.  NIH expects recipients to inform subrecipients of the protections of a Certificate, as well as ensure that the subrecipients comply with the requirements.

Certificates will be issued to recipients for applicable research regardless of the country where the investigator or the protected information resides.  However, Certificates may not be effective for data held in foreign countries.

Yes. Subsection 301(d) of the Public Health Service Act requires that Certificates be issued for all applicable research, both intramural and extramural. The Federal Privacy Act does not protect identifying information if disclosure is ordered by a court of competent jurisdiction.

C. Certificates for Other HHS-Funded Research (Non-NIH)

Several non-NIH HHS agencies, including CDC, FDA, HRSA, SAMHSA issue Certificates of Confidentiality (CoCs). If your research is funded by one of these agencies or is operating under the authority of the FDA, please contact the Certificate Coordinators at the funding agency to determine how to obtain a CoC.  

If your research is funded by an HHS agency other than NIH, CDC, FDA, HRSA or SAMHSA, that does not issue CoCs Health-related research you may request a Certificate of Confidentiality for specific health-related projects using sensitive, identifiable information, using the NIH online application system. NIH issues CoCs on behalf of these agencies.

NIH issues Certificates through its Institutes and Centers (IC). If your research funded by a non-NIH HHS agency, you should request a Certificate through the NIH IC that supports research in a scientific area similar to your project. Detailed application information is available on the NIH website at the Certificates of Confidentiality Kiosk.

If you are uncertain which Institute or Center (IC) you should contact for a Certificate of Confidentiality, please go to this web page to help identify the appropriate NIH IC: Identify the NIH Institute Center.  If you are still uncertain after reviewing this information, please send an email to NIH-Certificate-Coordinator@mail.nih.gov with a brief description of your study.

Yes, all requests for a Certificate must be made on line. You can get information about using the online application system at the NIH Certificates of Confidentiality Kiosk web site.

Applications for Certificates should be submitted at least three months prior to the date on which enrollment of research subjects is expected to begin.

All Certificates issued prior to the law’s enactment or to the October 1st, 2017 effective date of the Policy are also subject to the protections and requirements of subsection 301(d) of the Public Health Service Act (42 U.S.C. 241(d)), including the disclosure requirements

D. Certificates for Research Funded by Non-HHS Federal Agencies

Yes. If your health-related research is funded by a non-HHS Federal Agency other than HHS, you may request a Certificate of Confidentiality for a specific project that involves sensitive, identifiable information, using the NIH online application system.

Please direct your CoC request to the NIH Institute or Center (IC) that supports similar research.  However, please verify this with the appropriate IC coordinatorbefore submitting an application. If you are unsure about which IC is most appropriate for your research topic, you may contact the NIH Central Coordinator at NIH-COC-Coordinator@mail.nih.gov. Issuance of a CoC is at the discretion of NIH.

NIH issues Certificates through its Institutes and Centers (IC). If your research funded by a non-HHS agency, you should request a Certificate through the NIH IC that supports research in a scientific area similar to your project. Note that NIH will only accept applications for research that is within the HHS mission. Detailed application information is available on the NIH website at the Certificates of Confidentiality Kiosk.

If you are uncertain which Institute or Center (IC) you should contact for a Certificate of Confidentiality, please go to this web page to help identify the appropriate NIH IC: Identify the NIH Institute Center.  If you are still uncertain after reviewing this information, please send an email to NIH-Certificate-Coordinator@mail.nih.gov with a brief description of your study.

Yes, all requests for a Certificate must be made on line. You can get information about using the online application system at the NIH Certificates of Confidentiality Kiosk web site.

Applications for Certificates should be submitted at least three months prior to the date on which enrollment of research subjects is expected to begin.

All Certificates issued prior to the law’s enactment or to the October 1st, 2017 effective date of the Policy are also subject to the protections and requirements of subsection 301(d) of the Public Health Service Act (42 U.S.C. 241(d)), including the disclosure requirements.

E. Certificates for Non-Federally Funded Research

Yes. For health-related research that is not federally funded, in which identifiable, sensitive information is collected or used, you may request a Certificate of Confidentiality (CoC) for specific projects using the online application system.

Investigators and/or institutions engaged in non-federally funded research, in which identifiable, sensitive information is collected or used, are not required to obtain a Certificate. Investigators and/or institutions conducting biomedical, behavioral, clinical or other research within the NIH mission in which identifiable, sensitive information is collected or used (or any investigator who intends to engage in such research) may apply for a Certificate of Confidentiality from NIH. Note there are other eligibility requirements.

Significant changes include: major changes in the scope or direction of the research protocol, changes in personnel having major responsibilities in the project, or changes in the drugs to be administered (if any) and the persons who will administer them.

Generally, any research project on a sensitive health-related topic that collects names or other identifiable, sensitive information pertaining to subjects, and that has been approved by an IRB operating under either an approved Federal-Wide Assurance issued by the Office of Human Research Protections or the approval of the Food and Drug Administration (or other documentation of institutional approval), and that is in compliance with the Federal Policy for the Protection of Human Subjects at 45 CFR 46 (the Common Rule) or follows relevant provisions of the Common Rule relating to consent, may be eligible for a Certificate. The subject matter of the study must fall within a mission area of the National Institutes of Health or the Department of Health and Human Services. Issuance of Certificates is discretionary.

No, a non-federally funded research project is not entitled to a Certificate. Issuance of a Certificate for non-federally funded research is discretionary.

The following is an illustrative but not exhaustive list of sensitive research topic areas:

  • Research on HIV, AIDS, and other STDs;
  • Studies that collect information on sexual attitudes, preferences, or practices;
  • Studies on the use of alcohol, drugs, or other addictive products;
  • Studies that collect information on illegal conduct;
  • Studies that gather information that if released could be damaging to a participant's financial standing, employability, or reputation within the community;
  • Research involving information that might lead to social stigmatization or discrimination if it were disclosed;
  • Research on participants' psychological wellbeing or mental health;
  • Genetic studies, including those that collect and store biological samples for future use;
  • Research on behavioral interventions and epidemiologic studies.

Examples of research that would be ineligible to receive a Certificate include:

  • not research based,
  • not collecting or using identifiable, sensitive information pertaining to research participants,
  • not involving a subject matter that is within a mission area of the National Institutes of Health or the Department of Health and Human Services.

A separate application is required for each non-NIH-funded research project for which a Certificate is desired. A Certificate is generally issued to a research institution for a single project (not broad groups or classes of projects). However, projects that use the same sample of subjects but have different protocols may apply for one Certificate since the subjects, whose identities the investigator wishes to protect, are the same. Additionally, a project that is being conducted at multiple sites can request one Certificate to cover all sites.

No, for a multi-site project, a coordinating center or lead institution can apply for and receive a Certificate on behalf of all member institutions. This option is only for a study in which the same protocol, or aspects of the same protocol are being conducted at multiple sites, for example a large clinical trial with 10 clinical sites that will enroll subjects, a central coordinating site, and a genetic testing and tissue repository site. In general, the information provided in the application for a Certificate for a multi-site study, is specific to the lead institution. However, the lead site is expected to maintain a current listing of all the participating sites, including addresses and project directors. In addition, the lead site should obtain signed assurances from each participating institution. These should be kept in the lead institutions' files, to be made available to the NIH upon request. The lead site is also responsible for ensuring that each site's consent forms contain appropriate language describing the Certificate of Confidentiality and should work with the appropriate NIH coordinator to review consent form language. To avoid confusion, all study specific documents across all sites should use a consistent project title. After the Certificate has been issued, the lead institution should provide a copy of the Certificate of Confidentiality to each participating institution. The lead site should also develop appropriate agreements, with the participating institutions, to implement the assurances.

Yes, if the data are maintained within the U.S. If the data are maintained only in the foreign country, a Certificate of Confidentiality may not be effective and will generally not be issued.

Yes, although there are some additional application requirements for such research projects: NIH prefers that the faculty sponsor be designated as the PI on such applications instead of the student; the student or fellow should be listed as a key personnel for the study. Moreover, the IRB approval for a student research project that is submitted with the Certificate application must be issued jointly to the student/fellow and the faculty sponsor or to the sponsor with a copy to the student/fellow.

NIH issues Certificates through its Institutes and Centers (IC). If your research is not supported by NIH, you should apply for a Certificate through the NIH IC that supports research in a scientific area similar to your project. Please note that NIH is authorized to issue Certificates only for research within HHS mission areas. Detailed application information is available on the NIH website at the Certificates of Confidentiality Kiosk.

If you are uncertain which Institute or Center (IC) you should contact for a Certificate of Confidentiality, please go to this web page to help identify the appropriate NIH IC: Identify the NIH Institute Center.  If you are still uncertain after reviewing this information, please send an email to NIH-Certificate-Coordinator@mail.nih.gov with a brief description of your study.

Yes, all requests for a Certificate must be made on line. You can get information about using the online application system at the NIH Certificates of Confidentiality Kiosk web site.

Applications for Certificates should be submitted at least three months prior to the date on which enrollment of research subjects is expected to begin.

For studies that are not funded by NIH, the Institutional Official must sign the application. The authorized institutional official is the individual named by the applicant organization who is authorized to act for that organization and assumes on behalf of the institution the obligations imposed by assurances as well as obligations imposed by the Federal laws, regulations, requirements and other conditions that apply to grant applications and awards.

If a significant change in your research project is proposed after a Certificate is issued, you must inform the Certificate Coordinator of the NIH Institute or Center (IC) that issued the Certificate by sending an email request for an amendment that describes the proposed changes in your project. Your request will be reviewed and will either be approved or disapproved. If your request for an amendment is approved, an amended Certificate of Confidentiality will be issued. If your request is disapproved, you will be notified that adoption of the proposed significant change(s) will result in prospective termination of the original Certificate.

Significant changes in a research project include, but are not limited to:

  • Major changes in the scope or direction of the research protocol
  • Changes in personnel having major responsibilities in the project
  • Changes in the drugs to be administered (if any) and the persons who will administer them.

All Certificates issued prior to the law’s enactment or to the October 1st, 2017 effective date of the Policy are also subject to the protections and requirements of subsection 301(d) of the Public Health Service Act (42 U.S.C. 241(d)), including the disclosure requirements.

F. Existing Certificates of Confidentiality

All certificates issued prior to the law’s enactment or prior to the October 1st, 2017 effective date of the Policy are also subject to the protections and requirements of subsection 301(d) of the Public Health Service Act (42 U.S.C. 241(d)), including the disclosure requirements.

If you research is funded by NIH, your certificate will automatically extend until the end of the project period, including any no-cost extensions.  For non-NIH funded research you may continue to extend or amend existing certificates as needed using the online system.

Yes. The updated protections and requirements apply to all Certificates issued by NIH, including those issued prior to the law’s enactment.

G. Legal Considerations

There have been a few reported court cases. In a 1973 case, People v Newman, the Certificate's authority was upheld in the New York Court of Appeals; the U.S. Supreme Court declined to hear the case.

The researcher should immediately seek legal counsel from his or her institution. If the research was issued a Certificate through an application, such as for Certificates issued prior to October 1st, 2017, or for research not funded by NIH, the investigator should also inform the Certificate Coordinator who issued the Certificate.

A proceeding  includes any action or procedure before a body that conducts a legal, administrative, legislative, or other hearing or investigation, including courts of law, commissions, or other tribunals. A proceeding encompasses all phases of existing actions, hearings or investigations including pretrial and posttrial stages of litigation. Formal requests by attorneys or others involved in legal proceedings are included in the definition of a proceeding. Examples of actions in which disclosure or use of identifiable, sensitive information protected by a Certificate would be prohibited from being disclosed or used, excluding instances where the disclosure or use is made with the consent of the individual to whom the information pertains, include arbitration, a grand jury investigation or hearing, or a subpoena compelling the production of documents or testimony.

H. Certificate of Confidentiality Vs. Other Privacy and Data Protections

No. Certificates of Confidentiality offer an important protection for the privacy of research participants by protecting identifiable health information from compelled disclosure (e.g., by court order). While the Privacy Rule does establish protections for covered entities’ use and disclosure of PHI, it permits use or disclosure in response to certain judicial or administrative orders. Therefore, Certificates protect investigators from being forced to disclose identifiable, sensitive information collected or used in research that might otherwise have to be disclosed under the Privacy Rule.

No. You should not apply for an NIH Certificate if your study is covered by AHRQ or the DOJ statute.  However, you should contact AHRQ or the DOJ to determine whether you should apply for a Certificate pursuant to their policies.

Title 42 Part 2a – Protection of Identity - Research Subjects was promulgated in 1979 to establish procedures for issuing certificates upon application to the Secretary of Health and Human Services.  Title 42 Part 2a was authorized under subsection 301(d) of the Public Health Service Act (42 U.S.C. §241(d)) prior to the statute’s amendment by section 2012 of the 21st Century Cures Act. Because these regulations govern the process for issuing certificates upon application, and NIH’s implementation of the amended subsection 301(d) of the Public Health Service Act (42 U.S.C. §241(d)) automatically issues certificates for research involving the collection or use of identifiable, sensitive information, Title 42 Part 2a is only applicable to the issuance of certificates upon request for non-federally-funded research, and only to the extent that the regulations do not conflict with the amended statute. Individuals and institutions engaged in this category of non-federally-funded research may continue apply to the NIH in order to be issued a certificate. Where there exists a contradiction between Title 42 Part 2a and subsection 301(d) of the Public Health Service Act (42 U.S.C. §241(d)), the statute will prevail.

Back to Top