Skip to main content

NIH Policy Change Regarding Certificates of Confidentiality

As communicated by TraCS in early December 2017, the National Institutes of Health (NIH) recently updated its policy for issuing Certificates of Confidentiality (COCs) for NIH-funded and conducted research.  Effective October 1, 2017, COCs will be issued automatically for any NIH-funded project using identifiable, sensitive information that was on-going on or after December 13, 2016.  The COC will be issued as a term and condition of award.  No physical certificate document will be issued for the NIH-funded projects affected by this policy change.  This policy change is a result of the 21st Century Cures Act, section 2012, which requires all federally funded research in which identifiable, sensitive information is collected or used to be issued a Certificate.  The Certificate protects the privacy of research participants enrolled in biomedical, behavioral, clinical or other research by prohibiting the disclosure of any information, documents or biospecimens containing identifiable, sensitive information in response to legal demands, such as a subpoena.

Following is additional information to assist the University research community in complying with the NIH policy change.

What research is covered automatically by a COC?

Research meeting the following criteria is now covered automatically by a COC:

  • Funded by NIH, in whole or in part, and
  • Commenced or ongoing on or after December 13, 2016, and
  • Any one of the following:
    • Is “human subjects research” as defined by federal regulations, including exempt research where data is identifiable; or
    • Is research involving the collection or use of biospecimens that are individually identifiable or for which there is at least a very small riskthat some there is some way to deduce the identity of an individual; or
    • Is research that generates individual level, human genomic data from biospecimens, or the use of such data, regardless of whether the data is “identifiable” per the Common Rule; or
    • Is any other research that involves information about an individual for which there is at least a very small risk, as determined by current scientific practices or statistical methods, that the subject’s identity could be deduced.
  • NIH-funded research conducted internationally and meeting the above criteria will still be considered to have been issued a COC, however the enforceability of the COC is uncertain in foreign jurisdictions.

What information does the COC protect?

  • The recent policy change broadened the meaning of sensitive, identifiable information and focuses more directly on identifiability.  Identifiable information is now considered to be sensitive regardless of the subject matter, in contrast to previous interpretations of what sensitive data might refer to in the research setting (illegal behaviors, sexual history, etc)
  • COCs protect names or any information, documents, or biospecimens containing identifiable, sensitive information related to a research participant. This includes all information collected, not only data included in a dataset.
  • Identifiable, sensitive information is information about an individual, gathered or used during the course of biomedical, behavioral, clinical or other research, where the following may occur:
  • The individual is identified; or
  • For which there is at least a very small risk, that that some combination of the information, a request for the information, and other available data sources could be used to determine the identity of an individual.
  • Identifiable, sensitive information includes but is not limited to name, address, dates, social security or other identifying number; and fingerprints, voiceprints, photographs, genetic information, tissue samples, or data fields that when used in combination with other information may lead to identification of an individual.

What are the restrictions on sharing information covered by a COC?

Unless an exception applies (below), the researcher is not permitted to:

  • Disclose or provide the names or any information, documents, or biospecimens containing identifiable, sensitive information related to a research participant, in any Federal, State, or local civil, criminal, administrative, legislative, or other proceeding; or
  • Disclose or provide the names or any information, documents, or biospecimens containing identifiable, sensitive information related to a research participant to a person not connected with the research.

Exceptions to the limitations on disclosure include:

  • Disclosure that is required by other Federal, State, or local laws, such as for reporting of communicable diseases or to meet other mandatory reporting requirements;
  • Disclosure to insurers for health care provider payment purposes;
  • Disclosure made with consent of the subject; or
  • Disclosure made for the purposes of scientific research that is compliant with human subjects regulations.

Does the COC cover data already collected in our ongoing study?

Yes. Once established, the COC retroactively applies to all information collected during the study, including information collected before the COC was issued.  If your research is funded by NIH, your certificate will automatically extend until the end of the funded period, including any no-cost extensions.  For non-NIH funded research you may request to extend or amend existing certificates as needed

What are the obligations if the study was under a COC before the policy change?

If your study already has a COC in place, regardless of funding sources, you must comply with the requirements of the new COC policy, especially the new disclosure requirements and restrictions.

How long do the protections of a COC last?

The protections provided by the COC lasts in perpetuity.  However, data collected after a COC expires, or NIH funding ends, may not be protected.  COCs issued automatically by this policy change apply to information collected during the NIH funding period. If the study continues after NIH funding ends and continued protection of a COC is needed for new information, you should apply for a COC following the process in place prior to the recent policy changes.  The COC application process for non-federally funded research remains the same and should be followed to extend a COC beyond the NIH funding period.  For information on that process see the NIH Frequently Asked Questions about COC.

What should NIH-funded investigators and research teams do to address this policy change?

The UNC IRB has made minor adjustments to the IRBIS application and COC consent language to reflect the policy change.  All projects being reviewed by the convened Board (initial, modification and renewal reviews) are being evaluated for the applicability of the COC.  Exempt and expedited research projects are being evaluated at the initial review and renewal reviews.

Investigators who have studies meeting the criteria set forth in the “What research is covered automatically by a COC?” section above should indicate at question A.10.4 in the IRBIS application ‘yes’, noting that a COC applies to their study.  The study team is responsible for updating any active consents or consent scripts to include COC language.  UNC’s updated COC language and a Notice that may be provided to current participants may be found here  The NIH expects that any currently enrolled subjects will be informed of the existence of the COC at any future research interaction, but does not require formal re-consenting of active subjects, accordingly, study teams should use the prepared Notice.  If a consent or consent script already includes COC language, you will not be required to replace that language with the updated COC language but you are expected to provide currently enrolled subjects a copy of the Notice.

NIH-funded investigators who are conducting research affected by the policy update may also submit a modification to update their IRBIS application in advance of being asked to by the IRB during their next submission.

Where can I get more information?

For additional guidance, please feel free to contact the UNC Office of Human Research Ethics by phone at 919-966-3113 or by email to The full COC policy may be accessed here  The NIH website also has a helpful page on Frequently Asked Questions about COCs here






Comments are closed.