Certificates of Confidentiality (CoC)

Certificates of Confidentiality (CoC) protect the privacy of research participants by prohibiting disclosure of identifiable, sensitive research information to anyone not connected to the research, except under limited circumstances. This includes civil, criminal, administrative, legislative, or other proceedings.

NIH Policy for Issuing Certificates of Confidentiality (CoC)

To increase the protection of privacy of research participants, as of October 1, 2017, NIH funded researchers who are who are collecting identifiable, sensitive information as part of their NIH funded research will automatically be issued a CoC as part of the term and condition of their award. Compliance with the privacy protections afforded by the CoC is also a term and condition of award. NIH will also continue to consider requests for Certificates for non-federally funded research in which identifiable, sensitive information is collected or used.

Limited circumstances when the investigator and institution may release participant’s identifiable sensitive information include:

  • If required by other Federal, State, or local laws, such as for public health reporting of communicable diseases or child or elder abuse reporting*
  • If the participant consents;
  • If necessary for the medical treatment of the participant and made with the consent of the participant; or
  • for the purposes of scientific research that is compliant with human subjects’ regulations

What is Sensitive Information?

NIH Definition of Sensitive Information

Sensitive information includes (but is not limited to) information relating to sexual attitudes, preferences, or practices; information relating to the use of alcohol, drugs, or other addictive products; information pertaining to illegal conduct; information that, if released, might be damaging to an individual’s financial standing, employability, or reputation within the community or might lead to social stigmatization or discrimination; information pertaining to an individual’s psychological well-being or mental health; and genetic information or tissue samples.

Consent Requirements


The consent form or consent script should have language informing participants about the CoC protections and any exceptions to the CoC protections. Template language is provided in the Penn IRB Informed Consent Template.

Applying for a COC for Non-federally Funded Research


NIH will continue to consider requests for Certificates for non-federally funded research in which identifiable, sensitive information is collected or used.


Before submitting a new application to the IRB, investigators should consider whether a CoC would be an added protection for study data. If the investigator seeks to obtain identifying information of a sensitive nature from research subjects, and the disclosure of such information could harm the subjects as described above, the PI may wish to apply to the government for a CoC. The investigator should indicate in the application to the IRB that he or she will seek a CoC after the IRB has approved the application.


You may seek a CoC through the NIH online CoC system.

Entering Information Protected by a COC in a Subject’s Medical Record


In general, placing research information protected by a Certificate of Confidentiality into a subject’s medical record would require the subject’s consent unless such disclosure is required by law. NIH and the IRB encourages investigators who wish to include identifiable, sensitive information protected by a Certificate in a medical record, to work with general counsel to determine how to do so in accordance with applicable federal and state laws.


Section 301(d) of the Public Health Services Act protects identifiable, sensitive information and all copies thereof. Accordingly, if identifiable, sensitive information protected by a Certificate is placed in a subject’s medical record, the protections of the Certificate and prohibitions on further disclosure of the information may apply. Investigators should consult with general counsel to ensure that proper consent is obtained for all potential disclosures from medical records.


If you have obtained a COC, and you need to suppress information from release in the medical record, please review the Tip Sheet below on placing a flag on a record and contact OCR Operations with any associated questions.

Want to speak to an IRB staff member?

Get in Touch