IRB Policy: Guidance on NIH Certificates of Confidentiality

Last Update: January 27, 2023

Per the Notice of Changes to NIH Policy for Issuing Certificates of Confidentiality (NOT-OD-17-109), all ongoing or new research funded in whole or in part by NIH, on or after December 13, 2016, involving collection or use of identifiable, sensitive information is automatically issued a Certificate of Confidentiality (CoC). Compliance with the CoC is a term and condition of all NIH awards. This policy applies to NIH funded Grants, Cooperative Agreements, R&D Contracts, and Awards.

Certificate of Confidentiality (CoC): A CoC protects the privacy of research participants by prohibiting disclosure of names or any other identifiable, sensitive information in response to legal demands for access to the data, such as a subpoena. 

Identifiable, sensitive information: NIH defines “identifiable, sensitive information” as the following:

  • Biospecimens or information gathered or used for research purposes, through which an individual is identified; or
  • For which there is at least a very small risk that some combination of the biospecimen/information, a request for the biospecimen/information, and other available data sources could be used to deduce the identity of an individual.

    While the definition includes the qualifier “sensitive,” NIH has clarified that it intends for a CoC to protect data, regardless of its nature (i.e., even for data considered to be benign).

Research covered by a CoC: Research data or information related to research that meets any of the criteria below is automatically protected by a CoC from NIH:

  • NIH funded research in which identifiable, sensitive information is collected or used, including research that:
    • Meets the definition of human subjects research, including exempt research in which subjects can be identified;
    • Is collecting or using human biospecimens that are identifiable or that have a risk of being identifiable;
    • Involves the generation of individual level human genomic data (regardless of identifiability); or
    • Involves any other information that might identify a person.

See Appendix A for a decision tree.

Researcher responsibilities for research covered by a CoC:

  • ONLY disclose identifiable, sensitive information in the following circumstances:
    • if required by other Federal, State, or local laws, such as for reporting of communicable diseases;
    • if the subject consents; or
    • as approved by the IRB in a research protocol.

      Note 1: If you receive a legal or governmental request to access identifiable, sensitive information connected to your research, do not release that information without contacting the Cornell IRB office first.

      Note 2: If you want to—or are required to—share de-identified research data with other investigators, a CoC will not prevent you from doing so, as long as you ensure that the data you share do not contain any potentially identifying information.
       
  • Ensure that anyone who is conducting research as a subawardee or receives a copy of identifiable, sensitive information understands they are also subject to the disclosure restrictions, even if they are not funded directly by NIH.
     
  • Inform study participants of the CoC and its protections and limitations during the informed consent process. The Cornell IRB has developed recommended language to be added to consent materials; please see Appendix B.  

    Note: If you already consented participants prior to learning that your study is covered under a CoC, NIH will not require that the researcher re-consent those participants.

Documentation for CoC for NIH funded Research: NIH will no longer issue a physical certificate.  The Notice of Award and the NIH Grants Policy Statement serve as documentation of the CoC protection.

CoC for research not funded by the NIH:  Researchers seeking the protection of a CoC for research not funded by NIH must submit an application to the NIH using the online application system, or they may contact the CoC Coordinator for assistance at NIH-CoC-Coordinator@mail.nih.gov.

CoC for International Research: A CoC is deemed to be issued for relevant research, regardless of where the data is collected or housed; however, it is possible that such a certificate may not be effective for data held outside the U.S.

Cornell IRB procedures for CoC: In their review of new applications submitted to the IRB, IRB staff and reviewers will use the criteria outlined in Appendix A to determine if the research is subject to a CoC. If it is, the IRB staff will inform the PI, and recommend the CoC related consent language to be added to the consent form if it is not there already.

 

Appendices

Appendix A: Determining Applicability of NIH CoC Policy

Question 1: Was the research begun or ongoing on or after December 13, 2016?    Yes    No

If the answer is “No” (i.e., the research was completed prior to 12/13/2016), the policy does not apply. If the answer is “Yes”, answer the following questions.

Question 2:

2a. Is the research conducted or funded, in whole or in part, by NIH?      Yes    No

If the answer to the question is “No”, then the policy does not apply, and the activity is not issued a CoC. If the answer is “Yes”, answer the following questions:

Question 3:

3a. Does the research involve human subjects as defined by 45 CFR Part 46?     Yes    No

3b. Are you collecting or using biospecimens or information that are identifiable to an individual as part of the research?     Yes    No

3c. If collecting or using biospecimens/information as part of the research, is there a small risk that some combination of the biospecimen/information, a request for the biospecimens/information, and other available data sources could be used to deduce the identity of an individual?     Yes    No

3d. Does the research involve the generation of individual level, human genomic data?  Yes    No

If the answer to any one of these questions is “Yes”, then the policy applies, and a CoC is automatically issued.

This set of questions was based on a document created by HRP Consulting Group titled “NIH Issues Significant Changes to Certificates of Confidentiality (CoC) Policy.”

 

Appendix B: Recommended Consent Form Language

For studies in which informed consent is obtained, NIH expects PIs to inform participants of the CoC and its protections and limitations via that informed consent process. The Cornell IRB has developed recommended language to be added to consent materials:

To help us protect your privacy, this study is covered by a Certificate of Confidentiality from the National Institutes of Health (NIH). With this Certificate, we cannot be forced (for example, by court order or subpoena) to disclose information that could identify you in any federal, state, local, civil, criminal, legislative, administrative, or other proceedings. In general, we cannot disclose information that could identify you to any other person who is not connected with this research, unless you give consent for that information to be disclosed. [If applicable:] The researchers will use the Certificate to resist any demands for information that would identify you, except to prevent serious harm to you or others. [If applicable:] A Certificate of Confidentiality does not prevent the researcher from voluntarily disclosing information about you, without your consent, in incidents such as child abuse, or an intent to harm yourself or others. A Certificate of Confidentiality does not prevent you, or a member of your family, from voluntarily releasing information about yourself or your involvement in this study.

If you have already consented participants prior to learning that your study is covered under a CoC, NIH does not require you to re-contact or re-consent those participants.