Author: Dr. Ann Hardy and Dr. Sherry Mills
Date: May 3, 2023


Protecting the privacy of research participants and maintaining the confidentiality of their data is an important aspect of ensuring adequate protections in human subjects research. For most investigators, this means having strong physical and electronic methods to protect research information. However, for research that collects sensitive information where release to those outside of the research might cause harm to participants, investigators also need to consider additional protections against legal and other demands for research information. For example:


An investigator is conducting a research study on anger management. A lawyer for the ex-spouse of one of the participants subpoenas the research information as it is deemed relevant to a legal custody proceeding. Is the investigator required to comply with this request? What can investigators do to protect their research information from this type of demand?


This is where a federal Certificate of Confidentiality (CoC) can be very useful.



CoCs provide an additional layer of protection for research participants by prohibiting the release of identifiable, sensitive research information, except in very limited circumstances. This includes research records, associated documents, recordings, and biosamples. Furthermore, the protection covers the original research information as well as all copies, including copies that are shared for other research activities.



– In 1970, in response to concerns expressed by those studying drug abuse and its treatment, Congress passed legislation enabling the Secretary of the Department of Health, Education, and Welfare (now the Department of Health and Human Services or DHHS) to authorize researchers to refuse to disclose identifiable research information for drug abuse research.

– The types of research eligible for CoC protection broadened over time and by 1988, CoCs could be issued for all biomedical, behavioral, clinical, and other research.

– CoCs protected investigators from forced disclosure of research information but did not prevent them from voluntarily disclosing such information.

– CoCs were issued for specific research projects upon application, initially to DHHS and after 1997, directly to DHHS agencies with the National Institutes of Health (NIH) and the Food and Drug Administration (FDA) authorized to issue CoCs for non-DHHS funded research.

– In 2016, The 21st Centuries Cure Act amended the CoC Authority to:

o Direct DHHS to issue CoCs for all federally funded research in which identifiable, sensitive information was collected.

o Permit DHHS to issue CoCs for non-funded research upon request.

o Specifically prohibit any release of identifiable, sensitive research information to anyone outside of the research except in limited instances (see below)



The COC regulations protect information about an individual that is gathered or used during research that can identify an individual, including information for which there is at least a very small risk that it could be used alone or in combination with other available data sources, to deduce a participant’s identity. Note that this definition is broader than the definition of identifiable information in the Protection of Human Subjects Regulations (section 46.102 of the Common Rule). This means that CoCs can be used to protect research information in studies that may not meet the current Common Rule definition of human subjects research.



The current CoC regulations specifically make identifiable research information immune from the legal process and do not allow such information to be disclosed, even voluntarily, as evidence or for any other purpose in any Federal, State or local civil, criminal or other proceeding.


Disclosure is only permitted in these limited circumstances:

o When the participant consents to such release, for example, to a health care provider

o If necessary to comply with specific regulations outside of legal proceedings, for example, for communicable disease or child abuse reporting

o For other research in compliance with applicable Federal regulations governing the protection of human subjects in research


Moreover, CoCs are not meant to limit a participant’s access to their own research information.



The CoC protection lasts in perpetuity for any information existing or collected under a CoC. Studies that continue to collect new research information should continue to request CoC protection but all research information in studies that have a CoC when the study ends are permanently protected.



– For DHHS Funded Research

o Research supported by the Agency for Healthcare Research and Quality (AHRQ) is covered by longstanding AHRQ privacy regulations making it unnecessary for such projects to receive a CoC.

o Both the NIH and the Centers for Disease Control and Prevention (CDC) automatically issue CoCs in awards for applicable research that they fund. For such funded research, no request for a CoC is needed. See the NIH CoC website or the CDC CoC website for more information, including what types of research information are protected by a CoC.

o For research funded by other DHHS agencies, including the Health Services Research Administration, the Substance Abuse and Mental Health Services Administration, and the Indian Health Service, investigators should contact the funding agencies directly about obtaining a CoC.

– Other Research

o The Department of Justice (DOJ) has its own privacy regulations that provide protection that is like CoCs but is specific for DOJ funded research. CoCs are NOT issued for DOJ-funded research. See the DOJ website for more information about their research privacy protections.

o The FDA will consider requests for CoCs for research that fall under their purview, for example, for clinical investigations requesting an IND or IDE; see FDA guidance on CoCs.

o For other applicable research, investigators can apply to NIH for a CoC. Note that issuance of CoCs by NIH is discretionary and is limited to research that falls within the DHHS research mission. NIH has an online application system to request CoCs.



– While the CoC regulations are silent on the issue of informing participants about the CoC protection, for NIH-issued CoCs, NIH expects investigators to inform research participants of the protections and the limits to CoC protections. Sample consent language is on the NIH website.

– Those involved in the research cannot disclose research information without a participant’s consent, even for legal proceedings, except for limited situations.

– Because the CoC protection also applies to all copies of research information, investigators and/or institutions with whom copies of research information protected by a CoC are shared for other research, must be made aware that they are also subject to the disclosure restrictions.


Download our COC Resource page by clicking here!


The authors of this blog, Drs. Ann Hardy and Sherry Mills, directed the NIH Certificates of Confidentiality Program for eight years.

Other Posts