A Certificate of Confidentiality (CoC) provides additional privacy protections to research participants enrolled in biomedical, behavioral, clinical, or other research that collects or uses identifiable, sensitive information. “Identifiable, sensitive information” is information about an individual gathered during the course of research where the individual is identified or there is at least a very small risk that available data sources could be used to deduce the identity of an individual. When a CoC is in place, researchers may not disclose in any Federal, State, or local civil, criminal, administrative, legislative, or other proceedings the names or any information, documents, or biospecimens containing identifiable, sensitive information about the individual that was created or compiled for purpose of research. A CoC also restricts disclosure to any other person not connected to the research team.
When to obtain a Certificate of Confidentiality
The need to obtain a CoC may be identified by the researcher, the sponsor, or the IRB in order to further protect participant identifying information. Many federal agencies automatically issue CoCs as a term of the grant or contract. Additional information on the process to obtain a CoC is below. A CoC should be obtained before the collection of “identifiable, sensitive information” in order to ensure protection of the data. For studies where a CoC is not automatically issued, researchers need to be mindful of the expiration date of the CoC and ensure extension/renewal well in advance so that there is no lapse in CoC protection for data collected after expiration. CoCs are study specific so researchers need to apply for a CoC for each specific study where the protections of a CoC are sought.
How to obtain a Certificate of Confidentiality
To ensure the most up to date information, researchers should confirm information for each agency using the links below.
Other HHS Agency Funding
Non-federally funded research
Investigators whose research is funded by the Centers for Disease Control and Prevention (CDC), Health Resources and Services Administration (HRSA), Indian Health Service (IHS), and Substance Abuse and Mental Health Services Administration (SAMHSA), or is under the authority of the Food and Drug Administration (FDA) should contact the CoC Coordinator at their funding agency for questions on how to obtain a CoC. CoC coordinator information is available here. NIH will not issue a CoC for Agency for Healthcare Research & Quality- (AHRQ) or Department of Justice- (DoJ) funded research. AHRQ and DoJ must be contacted directly.
For all other federally funded research or non-federally funded research, NIH will consider requests for CoC for specific research projects and in doing so, takes into consideration if the research project is:
- Collecting or using identifiable, sensitive information,
- On a topic that is within the NIH mission or HHS health-related research mission, and
- Research information that is collected, used, or stored in the US.
Instructions on requesting a CoC through NIH are available here. CoC requests that utilize the online CoC request system will need to identify the designated institutional official, who will also need to sign the Certificate of Confidentiality Assurance for all CoC requests:
- For research managed under the Duke University Health System Human Research Protection Program, this is Geeta Swamy (firstname.lastname@example.org).
- For research managed under the Campus Institutional Review Board (IRB), please contact the Campus IRB at campusIRB@duke.edu.
Review the following policy (as applicable to your project oversight) for additional information:
Researcher responsibilities when a Certificate of Confidentiality is in place
Should you receive a request to disclose information that you believe may be protected by a CoC, please contact Duke’s Office of Counsel.
Do not disclose or provide protected information, documents, or specimens: (1) in any Federal, State, or local civil, administrative, legislative, or other proceeding; or (2) to any person not connected with the research. Disclosure of protected information is allowed only in the following circumstances: (1) if required by other Federal, State, or local laws, such as for reporting communicable diseases or child abuse and neglect; (2) if the participant consents; or (3) for the purposes of scientific research that is compliant with human subjects protections.
All participants should be informed about the presence of a CoC. The Duke University Health System and Duke Campus Institutional Review boards provide guidance on how to incorporate information about the existence of a CoC into consent forms.
Inform investigators, institutions, or repositories receiving any protected information (e.g., when sending biospecimens to another investigator for a different study) that they are also subject to the requirements of the CoC. Inform subrecipients of any study funding whose study responsibilities involve using the protected information that they are also subject to the requirements of the CoC.
Researchers may release information when the participant has given permission. For example, the participant may give their permission to release information to insurers, medical providers or other persons not connected with the research. In addition, the certificate does not prevent the participant from having access to their own information, although there may be other reasons not to share certain information with the participant.