Human Subjects Division
Certificate of Confidentiality (CoC)
GUIDANCE Contents
- Purpose and Applicability
- Questions and Answers
- What is a CoC?
- How do I know if I need a CoC?
- Who issues CoCs and how do I get one?
- How do I apply for a CoC if I don’t have an automatic CoC with my funding?
- How long do the protections last and what is the meaning of the CoC expiration date?
- Are there limitations to CoC protections?
- If identifiable sensitive information is placed in the medical record, is it protected by the CoC?
- Can the expiration date be extended?
- Under what circumstances does a CoC need to be amended?
- What if I’m conducting research internationally?
- How does obtaining the CoC involve the IRB?
- What are the researcher responsibilities associated with having a CoC?
- What if there is a request to access CoC-protected data?
- How do CoC protections interact with other privacy and data protections?
- Related Materials
- References
- Version History
Purpose and Applicability
This guidance provides researchers with a summary of how federal Certificates of Confidentiality (CoC) are issued and the protections they afford. The most complete and detailed source of information can be found on the websites of the agencies that issue the Certificates. Much of the information in this guidance is taken from these sources, particularly the National Institutes of Health (NIH) CoC webpage and Centers for Disease Control (CDC) CoC webpage.
Questions and Answers
What is a CoC?
A Certificate of Confidentiality is a legal protection that some federal agencies can issue to researchers to protect identifiable sensitive information collected as part of a study. It allows researchers to refuse to disclose name or any information, documents, or biospecimens containing identifiable information about the research subjects. The Certificate specifically prohibits disclosure of the information in response to legal demands, such as a subpoena, Public Records request, or Freedom of Information Act (FOIA) request.
The 21st Century Cures Act (passed in December 2016) significantly broadened the type of information that is protected by a CoC, by essentially interpreting “sensitive” to mean “identifiable or possibly identifiable”. This broad definition applies to all current, future, and past CoCs because the 21st Century Cures Act was explicitly written by Congress to be retroactive. Identifiable sensitive information includes:
- All human subjects research, including exempt research (except category 4 exempt research)
- Research involving the collection or use of biospecimens that are identifiable to an individual OR for which there is at least a very small risk that some combination of the biospecimen, a request for the biospecimen, and other available data sources could be used to deduce the identity of an individual
- Research that involves the generation of individual level, human genomic data from biospecimens, or the use of such data, regardless of whether the data are identifiable or can be readily ascertained
- Any other research that involves information about an individual for which there is at least a very small risk, as determined by current scientific practices or statistical methods, that some combination of the information, a request for the information and other available data sources could be used to deduce the identity of an individual.
How do I know if I need a CoC?
The need to obtain a CoC may be identified by the researcher, the sponsor, or the IRB in order to protect subject confidentiality. Many federal agencies automatically issue CoCs as a term of the grant or contract (see below).
Who issues CoCs and how do I get one?
CoCs are issued by the Department of Defense (DoD) and agencies of the Department of Health and Human Services (HHS). The table below provides agency-specific information about how CoCs are granted. For multi-site studies, a coordinating center or lead institution can apply for a CoC on behalf of all participating sites.
| Agency | Process for obtaining a CoC | Other information |
|---|---|---|
| National Institutes of Health (NIH) | Automatically issued as a term of the grant or contract for NIH-funded research that involves collection of sensitive identifiable information.
Researchers without NIH funding may submit an application for a NIH CoC. |
F and K training awards describe specific projects and are issued auto-CoCs.
In general, T awards fund a trainee to work for a short period on a mentor’s project and are not automatically issued CoCs. |
| Centers for Disease Control (CDC) | Automatically issued as a term of the grant or contract for CDC-funded research that involves collection of sensitive identifiable information. | CDC automatically issues CoCs for research with active CDC funding. There is no application process to obtain a CoC from CDC. |
| Food & Drug Administration (FDA) | Automatically issued as a term of the grant or contract for FDA-funded research that involves collection of sensitive identifiable information.
For non-federally funded research operating under an IDE or IND, the FDA will consider requests to issue a discretionary CoC. |
Review this Guidance for instructions on requesting a discretionary CoC from the FDA. |
| Health Resources & Services Administration (HRSA) | Automatically issued as a term of the grant or contract for HRSA-funded research that involves collection of sensitive identifiable information. | |
| Biomedical Advanced Research and Development (BARDA) | Automatically issued as a term of the grant or contract for BARDA-funded research that involves collection of sensitive identifiable information. | |
| Substance Abuse & Mental Health Services Administration (SAMHSA) | Can be requested for studies with a SAMHSA grant or contract and that involve collection of sensitive identifiable information. | |
| Department of Defense | Contact the DoD Human Research Protection Office for information | |
| Other federal agencies and non-federally funded research | Contact the federal agency for information.
For non-federally funded research, apply for a NIH CoC. |
For non-federally funded research, review the next section of this guidance, “How do I apply for a CoC if I don’t have an automatic CoC with my funding? |
How do I apply for a CoC if I don’t have an automatic CoC with my funding?
For a NIH CoC, follow the instructions below. For all other agencies, visit their website for instructions.
Prepare the CoC application. Use the NIH Online Certificate of Confidentiality System. Relatively minimal information is provided by the applicant in short text fields. See this webpage for details about what information is required.
Institutional Assurance Statement. This is provided by the UW Office of Sponsored Programs (OSP). Please contact OSP to determine the Institutional Official name and contact information:
Email: osp@uw.edu
Phone: (206) 543-4043
Send a copy of the agency’s response to the IRB.
If the CoC is granted. Subject recruiting can begin when HSD acknowledges receipt of the CoC, any Conditional Approval requirements have been fulfilled and accepted by the IRB, and the approved consent form has been provided to the researcher.
If the agency denies the CoC request. Researchers, HSD staff, and the IRB work together to determine how to manage or mitigate the confidentiality risks of the study.
How long do the protections last and what is the meaning of the CoC expiration date?
Data collected under an active CoC are permanently protected. This includes any data collected prior to obtaining the CoC because protections are retroactive. Protection continues even after study funding has ended and the study has been completed.
Data collected after the CoC has expired are not protected even if the data are being collected from subjects who were enrolled under an active CoC.
Expiration of CoC protections differs depending on the circumstances under which it was issued and the agency issuing the CoC.
- CoCs issued as a term of the grant or contract. The CoC expires when the funding expires, including any no-cost extensions.
- CoCs granted by NIH through an application process. CoCs granted prior to 01/12/2021 list an expiration date. CoCs granted after 01/12/2021 expire when collection or use of identifiable, sensitive information concludes (i.e., when the study ends).
- Other CoCs. Check with the issuing agency for information about expiration.
Are there limitations to CoC protections?
The CoC does not prevent the subject, or members of their family, from sharing information about themselves or their part in the research.
The CoC does not prevent researchers from voluntarily providing information to:
- Members of the federal government with regulatory oversight over the research (e.g., FDA), sponsoring agencies, or institution(s) conducting the research for purposes of auditing, evaluation, or ensuring ethical and compliant conduct of the research
- An insurer, employer, or other person when the subject has given written consent to release the information
- To individuals who want to conduct secondary research if allowed by federal regulations and when the subject has provided consent for future research
- To the appropriate authorities if evidence of mandatory reporting are revealed during conduct of the research (e.g., child abuse, elder abuse, intent to harm self or others)
A CoC protects research records. When the subject has given consent to have their research information placed in a medical or other record, the CoC protections may not extend to those non-research records.
If identifiable sensitive information is placed in the medical record, is it protected by the CoC?
Information placed in the medical record may not be protected by the CoC. In most cases, subjects must provide consent in order for research information protected by a CoC to be placed in a medical record.
Can the expiration date be extended?
If a study team would like to collect data beyond the expiration of the CoC, the lead site or coordinating center should contact the reviewing IRB prior to the expiration date to determine whether an extension is needed.
This NIH website and this SAMHSA website provide information about extending or amending a CoC from those agencies. The CDC’s website states that researchers should apply for a NIH CoC to extend protections for data collected after the expiration of CDC funding. For other agencies, check with them directly for information about extending CoC protections beyond an expiration date.
Under what circumstances does a CoC need to be amended?
A CoC must be amended (modified) if a significant change is being made to a research project. Significant changes include, but are not limited to:
- Major changes in the scope or direction of the research protocol
- Adding a new subject population
- Adding the collection of additional types of identifiable sensitive data
- Changes in personnel having major responsibilities for the project (e.g., PI)
- Changes in the drugs to be administered and/or the person(s) who will administer them
The NIH website and SAMHSA website have instructions for amending a CoC. The CDC website notes that their CoCs do not need to be amended. Consult directly with other agencies for information about amending their CoCs.
What if I’m conducting research internationally?
Data collected from subjects recruited in another country are protected by the CoC if the data are maintained within the U.S. If the data are maintained only in the foreign country, a CoC may not be effective.
How does obtaining a CoC involve the IRB?
IRB approval.
The IRB may require the researcher to obtain a CoC as a condition for IRB approval. It is UW policy that IRB approval cannot be granted for the components of the study that will be covered by the CoC (including recruitment and consenting for those components) until the CoC is provided to the IRB by the researcher. Studies that are issued an auto-CoC do not need to provide anything to the IRB.
Informed consent.
For studies that will obtain informed consent, subjects must be told about the protections provided by the Certificate, and any exceptions to those protections (e.g., state mandatory reporting). If the study involves a consent process but no written consent materials, the subject should receive CoC information by some other method (e.g., an oral consent script or a few sentences at the top of a survey).
HSD strongly encourages researchers to use the standardized language provided in the guidance on Designing the Consent Process. Researchers may instead choose to use template language provided by NIH, even if the CoC is not from NIH, or create their own language. Whatever language is used, these elements must be included:
- Describe the protections and limitations. Include circumstances in which the researchers plan to voluntarily disclose identifying information about the subjects (e.g., audits, child abuse, harm to self or others, etc.).
- State that the subject or subject’s family can voluntarily disclose information or authorize others to receive such information.
- Ensure other information in the consent about confidentiality and data security is consistent with the CoC protections.
This language must be removed from the consent form(s) if the CoC expires and enrollment is ongoing.
What are the researcher responsibilities associated with having a CoC?
- Do not disclose or provide protected information, documents, or specimens: (1) in any Federal, State, or local civil, administrative, legislative, or other proceeding; or (2) to any person not connected with the research.
- Disclosure of protected information is allowed only in the following circumstances: (1) if required by other Federal, State, or local laws, such as for reporting communicable diseases; (2) if the subject consents; or (3) for the purposes of scientific research that is compliant with human subjects protections.
- Inform the study subjects about the CoC, as described above.
- Inform investigators, institutions, or repositories receiving a copy of the protected information (e.g., when sending biospecimens to another investigator for a different study) that they are also subject to the requirements of the CoC.
- Inform subrecipients of any study funding whose study responsibilities involve using the protected information that they are also subject to the requirements of the CoC.
- Uphold CoC protections: Institutions issued a CoC need to consider these protections when selecting third parties or entities (such as contractors and online platform vendors) and only utilize those that can and will protect covered information against compelled disclosure. Terms that address this requirement should be included in any contract and/or data processing/use agreement with third parties. Remember that the institution holding the CoC is ultimately responsible for safeguarding all the information covered by the Certificate against compelled disclosure. For NIH funded studies, failure to comply with CoC protections is a violation of the terms and conditions of their award.
- Researchers may release information when the subject has given permission. For example, the subject may give them permission to release information to insurers, medical providers or other persons not connected with the research. In addition, the certificate does not prevent the subject from having access to their own information, although there may be other reasons not to share certain information with the subject.
- Researchers cannot use the CoC to refuse to provide information necessary to meet institutional requirements. For example, institutional policies may require inserting information into medical records or providing information to a public records office. The UW Public Records office is responsible for appropriately rejecting a request for protected information, or for redacting identifiers.
What if there is a request to access CoC-protected data?
If any member of the study team at any site receives a request that they believe cannot be met because it is not a permitted disclosure, they should: (1) inform their department advisor or chair; and/or (2) inform the relevant office at their institution (at UW that is Public Records and the Attorney General’s Office).
How do CoC protections intersect with other privacy and data protections?
Department of Justice (DoJ) Privacy Certificate. Research that is covered by a DoJ Privacy Certificate does not need to obtain a CoC. The DoJ Certificate provides essentially the same protections.
Agency for Healthcare Research & Quality (AHRQ) Confidentiality Statue. Research funded by the AHRQ does not need to apply for a CoC. An AHRQ Confidentiality Statute provides similar protections.
Related Materials
INFORMATION SHEET Certificate of Confidentiality
UW Consent Templates
References
- Centers for Disease Control, “Certificates of Confidentiality for CDC Funded Research”
- Department of Defense, “Directorate of Human Research Protections (DOHRP)”
- Food & Drug Administration Guidance, “Certificates of Confidentiality”
- Health Resources & Services Administration, “HRSA Policy Updates: Certificates of Confidentiality for HRSA-Supported Research”
- National Institutes of Health, “Certificates of Confidentiality”
- Substance Abuse & Mental Health Services Administration, “Certificate of Confidentiality”
Version History
Open the accordion below for version changes to this guidance.
| Version Number | Posted Date | Implementation Date | Change Notes |
|---|---|---|---|
| 2.4 | 12.23.2024 | 12.23.2024 | Add researcher responsibilities bullet from NIH CoC webpage |
| 2.3 | 08.29.2024 | 08.29.2024 | Add BARDA as an agency that issues automatic CoCs |
| 2.2 | 06.01.2023 | 06.01.2023 | Revise reference from standard template to Designing Consent guidance and templates landing page |
| 2.1 | 11.30.2022 | 11.30.2022 | Add that CoC protections apply to data placed in repositories |
| 2.0 | 10.27.2022 | 10.27.2022 | Transfer content from Word-based document to webpage; moderate revisions to organization; add note about CoCs and medical records; other minor revisions to content |
| Previous versions | For older versions: HSD staff see the SharePoint Document Library; Others – contact hsdinfo@uw.edu. |
Keywords: CoC and privacy certificate