Skip to main content

Certificates of Confidentiality

A Certificate of Confidentiality (Certificate) protects the privacy of research participants enrolled in biomedical, behavioral, clinical or other types of health-related research that collect or use identifiable, sensitive information. The Certificate prohibits disclosure in response to legal demands, such as a subpoena.

Certificates protect “covered information.” Covered information includes names or any information, documents, or biospecimens containing identifiable, sensitive information related to a research participant. In addition, if there is at least a very small risk that information, documents, or biospecimens can be combined with other available data sources to determine the identity of an individual, then they are also protected by the Certificate.

Generally, any research project that collects personally identifiable, sensitive information and that has been approved by an IRB operating under either an approved Federal‐Wide Assurance issued by OHRP or the approval of the FDA is eligible for a Certificate. Federal funding is not a prerequisite for an NIH‐issued Certificate, but the subject matter of the study must fall within a mission area of the National Institutes of Health, including its Institutes, Centers and the National Library of Medicine.

As of 10/1/2017, NIH-funded researchers will no longer have to request a CoC, nor will they receive an actual certificate. The CoC will be issued automatically to NIH-funded grants, cooperative agreements, contracts and intramural research projects funded wholly or in part by the NIH that collects or uses identifiable, sensitive information.

Usage
CoC Application Procedures for Non-Federally Funded Research
Limitations
Amending Certificates of Confidentiality
Expiration of Certificates of Confidentiality
References and Resources

Usage

The CoC policy and 42 U.S. Code §241(d) defines identifiable, sensitive information as information that is about an individual and that is gathered or used during the course of research where the following may occur:

  • Through which an individual is identified; or
  • For which there is at least a very small risk, that some combination of the information, a request for the information, and other available data sources could be used to deduce the identify of an individual.

Identifiable sensitive information includes:

  • All human subjects research, including exempt research.
  • Research involving the collection or use of biospecimens that are identifiable to an individual OR for which there is at least a very small risk that some combination of the biospecimen, a request for the biospecimen, and other available data sources could be used to deduce the identity of an individual.
  • Research that involves the generation of individual level, human genomic data from biospecimens, or the use of such data, regardless of whether the data are identifiable or can be readily ascertained.
  • Any other research that involves information about an individual for which there is at least a very small risk, as determined by current scientific practices or statistical methods, that some combination of the information, a request for the information and other available data sources could be used to deduce the identity of an individual.

Studies that should obtain a Certificate of Confidentiality include, but are not limited to:

  • Information about sexual attitudes, preferences, or practices, including HIV/AIDS, and STDs;
  • Information that could lead to social stigmatization or discrimination, including psychological well‐being or mental health;
  • Information about personal use of alcohol, drugs, or other addictive products;
  • Information about illegal conduct;
  • Research that involves the generation of individual level, human genomic data from biospecimens, or the use of such data, regardless of whether the data is recorded in such a manner that human subjects can be identified or the identity of the human subjects can readily be ascertained;
  • Information that otherwise could damage an individual’s financial standing, employability, or reputation within the community.  Back to top

CoC Application Procedures for Non-Federally Funded Research

NIH CoC System Unavailable

The NIH Certificates of Confidentiality (CoC) system is temporarily unavailable while undergoing renewal of its Paperwork Reduction Act (PRA) approval. Currently, NIH cannot accept submissions to the CoC system or Institutional Official verifications. An update will be provided by July 2025. We apologize for any inconvenience this may cause.
CoCs for NIH-funded studies (i.e., deemed issued CoCs) are not affected. Visit the NIH Grants and Funding webpage for more information.

NIH will consider requests for Certificates for non-federally funded research in which identifiable, sensitive information is collected or used.

Only apply for the certificate for an approved IRB study that includes the CoC language in the approved consent form. This must be done prior to enrollment.

The IRB is not able to make certifications to the NIH for a CoC request until there is an approved study with the CoC language in the consent form. Do not submit the CoC request form to NIH until your study is IRB approved.

Step 1

The CoC request for non-federally funded research must be submitted at: https://public.era.nih.gov/commonsplus/public/coc/request/init.era

Step 2

Fill out the 6 initial questions on the first page and click “Next”.

Step 3

Complete the additional questions that come up.

  • Include the IRB number in the same field as the title for the study in the request for the CoC. Failure to do so will result in a delay of the IRB approving the CoC request.
    • [UNC IRB #(XX-XXXX)]  Research Project Title
  • Project Start Date – must be dated a few weeks after the submission date. NIH won’t approve if they receive a start date that is prior to their review.
  • Project End Date – select a date beyond your estimated project end date to allow the project flexibility in the start and end time.
  • Project Description
  • Name of Institution: The University of North Carolina at Chapel Hill
  • Institution Address: 200 E Cameron Ave, Chapel Hill, NC 27514
    • Please use the above UNC-CH address as the institutional address. Any other UNC address where the research is being conducted will be included under “performance site” addresses.
  • Name of Institutional Official – Carley Emerson, as designated by Penny Gordon-Larsen
  • Email Address of Institutional Official: carley_emerson@unc.edu
  • Phone Number of Institutional Official: 919-966-6893
  • Performance Site Name
  • Performance Site Address
  • Name of PI
  • Other Key Personnel
  • List any drugs that will be administered in this study, including method of administration and dosage (e.g. Phenobarbital 50 mg 2 times daily)
    • Add Drug name [if applicable, upload proof of DEA controlled substance registration in field provided]

Step 4

Click “Submit for Verification”. You will receive a confirmation email of your submission. The NIH will send an e-mail to the individual designated by the Institutional Official, Carley Emerson, for verification. If all documents are in order and the study is IRB approved, the submission will be verified within 48 hours.

Step 5

Wait to receive an email from NIH regarding the status of the CoC request.

Note: NIH approvals for CoCs are currently on hold. Your submission will be approved by UNC, but the timeframe for NIH approval is unknown.

Step 6

Send a copy of the agency’s response to the IRB or submit a modification in IRBIS notifying the IRB of the receipt of the CoC.

If the CoC is granted…

Participant recruiting can begin when OHRE acknowledges receipt of the CoC, any Conditional Approval requirements have been fulfilled and accepted by the IRB, and the approved consent form has been provided to the researcher.

If the agency denies the CoC request…

Researchers and the IRB will work together to determine how to manage or mitigate the confidentiality risks of the study.

For more information, see the NIH Certificates of Confidentiality Kiosk.

It is the PI’s responsibility to ensure that:

  • They understand the NIH CoC policy and the expanded protections and limitations around disclosures
  • All funding is accurately described in the IRB application;
  • Consents/assents include information about protections afforded by the Certificate and any exceptions to those protections.
  • CoCs are uploaded to the IRB application;
  • New CoCs are obtained, as necessary;
  • Researchers with whom you share identifiable (or coded and linked) data or biospecimens are informed about the CoC protections and limitations around disclosure; and
  • Collaborators who are collecting identifiable, sensitive research participant data/biospecimens as part of the project should apply for a CoC using their institution’s process to cover their work on the project.
  • Any investigator or institution issued a Certificate shall not:
    • Disclose or provide covered information, in any Federal, State, or local civil, criminal, administrative, legislative, or other proceeding; or
    • Disclose or provide covered information to any other person not connected with the research.   Back to top

Limitations

The protection offered by a Certificate of Confidentiality is not absolute. A CoC protects research subjects only from legally compelled disclosure of their identity. It does not restrict voluntary disclosures by subjects or investigators.

For example, a CoC does not prevent investigators from voluntarily disclosing to appropriate authorities such matters as child abuse or a subject’s threatened violence to self or others, or from reporting a communicable disease. However, if investigators intend to make such disclosures, this should be clearly stated in the consent process and the form which research subjects are asked to sign.

In addition, a Certificate of Confidentiality does not authorize the person to whom it is issued to refuse to reveal the name or other identifying characteristics of a research subject if:

  1. The subject (or, if he or she is legally incompetent, his or her legal guardian) consents, in writing, to the disclosure of such information;
  2. Authorized personnel of the Department of Health and Human Services (DHHS) request such information for audit or program evaluation, or for investigation of DHHS grantees or contractors and their employees; or
  3. Release of such information is required by the federal Food, Drug, and Cosmetic Act or regulations implementing that Act.

Should you ever receive a subpoena, or any other legal process request seeking disclosure of research records, immediately contact the Office of University Counsel (OUC) at 919-962-1219. Do not release any records or information without assistance from the Office of University Counsel (OUC). OUC will assist researchers with responding to the legal request for records.  Also notify Office of Human Research Ethics (OHRE) through the submission of a PRI.  Back to top

Amending Certificates of Confidentiality

A CoC may need to be amended if a significant change is being made to a research project.

The NIH website and SAMHSA website have instructions for amending a CoC. The CDC website notes that their CoCs do not need to be amended. Consult directly with other agencies for information about amending their CoCs.  Back to top

Expiration of Certificates of Confidentiality

Research that is funded by the NIH automatically receives a certificate of confidentiality.

This type of CoC is funding-based. CoCs automatically cover research activities and do not need to be extended or amended while the research remains funded by NIH. All identifiable, sensitive information (e.g., data, biospecimens) collected or used for research during the funding period are protected by the CoC in perpetuity. These permanent CoC protections also extend to all copies of this information.

If the NIH funding ends, the study will no longer be deemed issued a CoC. While CoC protections remain in perpetuity for already collected or used information, a new CoC will need to be obtained in order to cover any new data collected from already enrolled participants or any new participants. However, CoC protections continue for the duration of a no-cost extension. Please check with the funding agency directly for information about extending CoC protections beyond an expiration date.

A non-funding related CoC obtained after January 12, 2021, through the application process does not expire until the collection or use of sensitive identifiable data concludes.

If you have questions, please contact the NIH directly at NIH-COC-Coordinator@mail.nih.gov.  Back to top

References and Resources

  • NIH CoC FAQs – Link to the NIH’s webpage of frequently asked questions for certificates of confidentiality
  • NIH CoC Webpage – NIH policy & compliance webpage for certificates of confidentiality
  • NIH Online CoC Request System – Link to the NIH system to request a CoC. UNC investigators must first obtain UNC IRB approval prior to using this system.
  • NIH Online CoC System User Guide – Instructions and information to use the NIH online certificate of confidentiality system to request a CoC.  Back to top

Related Materials:

  • Archived: Office of Human Research Ethics SOP 2601: Certificate of Confidentiality

Version Dates:

  • 3/14/2025: Guidance created
 AAHRPP Element:
  • II.3.E