Skip Navigation Links

A. General Information on Certificates and the Protections Provided 

A Certificate of Confidentiality helps researchers protect the privacy of human research participants enrolled in biomedical, behavioral, clinical and other forms of sensitive health-related research. Certificates protect against compulsory legal demands, such as court orders and subpoenas, for identifying information or identifying characteristics of a research participant. 

Researchers can use a Certificate to avoid compelled "involuntary disclosure" (e.g., subpoenas) of names and other identifying information about any individual who participates as a research subject (i.e., about whom the investigator maintains identifying information) during any time the Certificate is in effect. It does not protect against voluntary disclosures by the researcher, but those disclosures must be specified in the informed consent form. A researcher may not rely on the Certificate to withhold data if the participant consents in writing to the disclosure.

Individuals who participate as research subjects (i.e., about whom the investigator maintains identifying information) in the specified research project during any time the Certificate is in effect are protected permanently- even if the subject gave the researcher data before the Certificate is issued.

Identifying information protected by a Certificate may be disclosed under the following circumstances:

  • Voluntary disclosure of information by study participants themselves or any disclosure that the study participant has consented to in writing, such as to insurers, employers, or other third parties;
  • Voluntary disclosure by the researcher of information on such things as child abuse, reportable communicable diseases, possible threat to self or others, or other voluntary disclosures provided that such disclosures are spelled out in the informed consent form;
  • Voluntary compliance by the researcher with reporting requirements of state laws, such as knowledge of communicable disease, provided such intention to report is specified in the informed consent form (click here to see the 1991 PHS policy on Reporting of Communicable Diseases); or
  • Release of information by researchers to DHHS as required for program evaluation or audits of research records or to the FDA as required under the federal Food, Drug, and Cosmetic Act (21 U.S.C. 301 et seq.)

B. Definitions

Sensitive information includes (but is not limited to) information relating to sexual attitudes, preferences, or practices; information relating to the use of alcohol, drugs, or other addictive products; information pertaining to illegal conduct; information that, if released, might be damaging to an individual's financial standing, employability, or reputation within the community or might lead to social stigmatization or discrimination; information pertaining to an individual's psychological well-being or mental health; and genetic information or tissue samples.

Identifying characteristics include things such as: name, address, social security or other identifying number, fingerprints, voiceprints, photographs, genetic information or tissue samples, or any other item or combination of data about a research participant which could reasonably lead, directly or indirectly by reference to other information, to identification of that research subject.

The authorized institutional official is the individual named by the applicant organization who is authorized to act for that organization and assumes on behalf of the institution the obligations imposed by assurances as well as obligations imposed by the Federal laws, regulations, requirements and other conditions that apply to grant applications and awards.

C. Eligibility for a Certificate

Any Investigator conducting health related research in which sensitive information is gathered from human research participants (or any Investigator who intends to engage in such research) may apply for a Certificate of Confidentiality. Note there are other eligibility requirements (see FAQ Section C. Questions 2-4)

Generally, any research project on a sensitive health-related topic that collects names or other identifying characteristics of subjects, and that has been approved by an IRB operating under either an approved Federal-Wide Assurance issued by the Office of Human Research Protections or the approval of the Food and Drug Administration may be eligible for a Certificate. Federal funding is not a prerequisite for an NIH-issued Certificate, but the subject matter of the study must fall within a mission area of the National Institutes of Health or the Department of Health and Human Services. Issuance of Certificates is discretionary.

The following is an illustrative but not exhaustive list of sensitive research topic areas:

  • Research on HIV, AIDS, and other STDs;
  • Studies that collect information on sexual attitudes, preferences, or practices;
  • Studies on the use of alcohol, drugs, or other addictive products;
  • Studies that collect information on illegal conduct;
  • Studies that gather information that if released could be damaging to a participant's financial standing, employability, or reputation within the community;
  • Research involving information that might lead to social stigmatization or discrimination if it were disclosed;
  • Research on participants' psychological well being or mental health;
  • Genetic studies, including those that collect and store biological samples for future use;
  • Research on behavioral interventions and epidemiologic studies.

Ineligible studies include projects that are:

  • not research based,
  • not approved by an IRB operating under either an approved Federal-Wide Assurance issued by the Office of Human Research Protections or the approval of the Food and Drug Administration,
  • not collecting sensitive information or information that, if released publicly, might harm the research participants,
  • not collecting names or other identifying characteristics of research subjects, or
  • not involving a subject matter that is within a mission area of the National Institutes of Health or the Department of Health and Human Services.

A separate application is required for each research project for which a Certificate is desired. A certificate is generally issued to a research institution for a single project (not broad groups or classes of projects). However, projects that use the same sample of subjects but have different protocols may apply for one Certificate since the subjects, whose identities the investigator wishes to protect, are the same. Additionally, a project that is being conducted at multiple sites can request one Certificate to cover all sites (see FAQ C6).

No, for a multi-site project, a coordinating center or lead institution can apply for and receive a Certificate on behalf of all member institutions. This option is only for a study in which the same protocol, or aspects of the same protocol are being conducted at multiple sites, for example a large clinical trial with 10 clinical sites that will enroll subjects, a central coordinating site, and a genetic testing and tissue repository site. In general, the information provided in the application for a Certificate for a multi-site study, is specific to the lead institution. However, the lead site is expected to maintain a current listing of all the participating sites, including addresses and project directors. In addition, the lead site should obtain signed assurances from each participating institution, as well as their FWA numbers and copies of their IRB approvals. These should be kept in the lead institutions' files, to be made available to the NIH upon request. The lead site is also responsible for ensuring that each site's IRB-approved consent forms contain appropriate language describing the Certificate of Confidentiality and should work with the appropriate NIH coordinator to review consent form language. To avoid confusion, all study specific documents across all sites should use a consistent project title. After the Certificate has been issued, the lead institution should provide a copy of the Certificate of Confidentiality to each participating institution. The lead site should also develop appropriate agreements, with the participating institutions, to implement the assurances.

Yes, if the data are maintained within the U.S. If the data are maintained only in the foreign country, a Certificate of Confidentiality would not be effective.

Yes, because the Federal Privacy Act does not protect identifying information if disclosure is ordered by a court of competent jurisdiction. Moreover, there are other exceptions to the protection afforded by the Privacy Act.

Yes, although there are some additional application requirements for such research projects: NIH prefers that the faculty sponsor be designated as the PI on such applications instead of the student; the student or fellow should be listed as a key personnel for the study. Moreover, the IRB approval for a student research project that is submitted with the Certificate application must be issued jointly to the student/fellow and the faculty sponsor or to the sponsor with a copy to the student/fellow. The assurance must be signed by the faculty sponsor and the Institutional Official; it is optional to also include the student or fellow’s signature.

D. Certificate Application Process

Any Investigator conducting health related research in which sensitive information is gathered from human research participants (or any Investigator who intends to engage in such research) may apply for a Certificate of Confidentiality. Note there are other eligibility requirements (see FAQ Section C. Questions 2-4)

No. No project is entitled to a Certificate; its issuance is discretionary.

NIH issues Certificates through its Institutes/Centers (ICs). If NIH funds the research project for which you would like to request a Certificate, you should apply through the funding IC. If your research is not supported by NIH, you should apply for a Certificate through the NIH IC that supports research in a scientific area similar to your project. Please note that NIH is authorized to issue Certificates only for important research within its mission areas. Detailed application information is available on the NIH website at the Certificates of Confidentiality Kiosk.

If you are uncertain which Institute or Center (IC) you should contact for a Certificate of Confidentiality, please go to this web page to help identify the appropriate NIH IC: Identify the NIH Institute Center.  If you are still uncertain after reviewing this information, please send an email to NIH-CoC-Coordinator@mail.nih.gov with a brief description of your study.

Yes. A Certificate of Confidentiality can be awarded whether or not a research project is federally funded. However, please note, there are eligibility requirements (see FAQ Section C. Eligibility for a Certificate).

Yes, all requests for a CoC must be made on line. You can get information about using the online application system at the NIH Certificates of Confidentiality Kiosk web site

Generally, an application for a Certificate of Confidentiality is submitted after the Institutional Review Board (IRB) responsible for its review approves the research project (because IRB approval or approval conditioned upon issuance of a Certificate of Confidentiality is a prerequisite for issuance of a Certificate). Since the informed consent form should include language describing the Certificate and any voluntary disclosures specified by the investigator, the Applicant could tell the IRB that they are applying for a Certificate of Confidentiality and have included appropriate language in the informed consent form. Applications for Certificates should be submitted at least three months prior to the date on which enrollment of research subjects is expected to begin.

The authorized institutional official is the individual named by the applicant organization who is authorized to act for that organization and assumes on behalf of the institution the obligations imposed by assurances as well as obligations imposed by the Federal laws, regulations, requirements and other conditions that apply to grant applications and awards.

E. For Studies That Have a Certificate

When a researcher obtains a Certificate of Confidentiality, the subjects must be told about protections afforded by the Certificate and any exceptions to those protections - i.e., the circumstances in which the investigators plan to disclose, voluntarily, identifying information about research participants (e.g., child abuse, harm to self or others, etc.). This information should be included in the informed consent form unless a research subject is no longer actively participating in the project so amendment of the informed consent would be impractical The researchers should eliminate provisions in consent form templates that may be inconsistent with the Certificate protections (such as references to disclosures required by law, since the Certificate enables researchers to resist disclosures that would otherwise be compelled by law). In addition, researchers may not represent the Certificate as an endorsement of the research project by the DHHS or use it in a coercive manner when recruiting subjects.

If a significant change in your research project is proposed after a Certificate is issued, you must inform the Certificate Coordinator of the NIH Institute or Center (IC) that issued the certificate by sending an email request for an amendment that describes the proposed changes in your project. Your request will be reviewed and will either be approved or disapproved. If your request for an amendment is approved, an amended Certificate of Confidentiality will be issued. If your request is disapproved, you will be notified that adoption of the proposed significant change(s) will result in prospective termination of the original Certificate. Any termination of a Certificate of Confidentiality is operative only with respect to the identifying characteristics of individuals who began their participation as research subjects after the effective date of such termination.

Significant changes include: major changes in the scope or direction of the research protocol, changes in personnel having major responsibilities in the project, or changes in the drugs to be administered (if any) and the persons who will administer them.

If you determine that the research project for which you have received a Certificate of Confidentiality will extend beyond the expiration date on the Certificate, you may submit a request via email for extension of the date. This request should be submitted to the NIH Institute issuing the certificate at least three months prior to the Certificate's expiration. It must include an explanation of the reasons for requesting an extension (e.g., new subjects continue to be enrolled in the project), a revised estimate of the date for completion of the project, documentation of the Institutional Review Board's most recent approval for the project, and a copy of the current consent form that explains the Certificate's protections, specifies any voluntary disclosures, and clearly states any other limitations. Your request will be reviewed and will either be approved or disapproved. If your request for an extension is approved, an amended Certificate of Confidentiality will be issued. Note that an extension is generally not necessary if you are no longer enrolling subjects or collecting new data, even if data analysis is ongoing.

In the informed consent form, you should tell subjects who are still actively involved in your study that the Certificate is in effect. If subjects are no longer actively participating in the project, an amendment to the informed consent form would be impractical. Please consult your IRB to verify how this situation should be handled.

Identifying information protected by a Certificate may be disclosed under the following circumstances:

  • Voluntary disclosure of information by study participants themselves or any disclosure that the study participant has consented to in writing, such as to insurers, employers, or other third parties;
  • Voluntary disclosure by the researcher of information on such things as child abuse, reportable communicable diseases, possible threat to self or others, or other voluntary disclosures provided that such disclosures are spelled out in the informed consent form;
  • Voluntary compliance by the researcher with reporting requirements of state laws, such as knowledge of communicable disease, provided such intention to report is specified in the informed consent form (see Attachment D, which sets forth PHS policy on reporting of communicable diseases); or
  • Release of information by researchers to DHHS as required for program evaluation or audits of research records or to the FDA as required under the federal Food, Drug, and Cosmetic Act (21 U.S.C. 301 et seq.)

F. Legal Considerations

There have been a few reported court cases. In 1973, the certificate's authority was upheld in the New York Court of Appeals; the U.S. Supreme Court declined to hear the case. You may also refer to the following article which summarized court cases related to CoCs: Wolf, Leslie E., et.al. Certificates of Confidentiality: Protecting Human Subject Research Data in Law and Practice, 14 Minn. J. Law Sci. Tech. 11(2013).

The researcher should immediately inform the Certificate Coordinator who issued the Certificate and seek legal counsel from his or her institution. The Office of the NIH Legal Advisor is willing to discuss the regulations with the researcher's attorney.

G. Certificate of Confidentiality vs Other Privacy and Data Protections

No. Certificates of Confidentiality offer an important protection for the privacy of research study participants by protecting identifiable health information from forced disclosure (e.g., by court order). While the Privacy Rule does establish protections for covered entities’ use and disclosure of PHI, it permits use or disclosure in response to certain judicial or administrative orders. Therefore, researchers/contractors may obtain Certificates of Confidentiality to protect them from being forced to disclose information that would have to be disclosed under the Privacy Rule.

No, a Certificate of Confidentiality protects investigators and institutions from being compelled to release information that could be used to identify study participants in any civil, criminal, administrative, legislative, or other proceeding, whether at the federal, state, or local level. The Patriot Act does not affect those protections.

Back to Top