This section of the Investigator Manual provides information relevant to protecting participant privacy and confidentiality.

Protecting Participant Privacy & Confidentiality

You are required to ensure human research includes adequate provisions to protect the privacy of participants and confidentiality of data, as required by federal regulations.

  • Privacy refers to a person’s desire to control the access of others to themselves. For example, research participants may not want to be seen entering a place that might stigmatize them, such as a pregnancy counseling center that is clearly identified as such by signs on the front of the building.
  • Confidentiality refers to the researcher’s agreement with the participant about how the research participant’s identifiable private information will be handled, managed, and disseminated.

For the IRB to assess privacy and confidentiality protections, you must describe how you will protect participant privacy and data confidentiality in your protocol or application. The IRB will assess whether the participants’ privacy interests and confidentiality of data are protected in ways commensurate with the benefits to participants and the risks of everyday life.

For more information, refer to HRP 314-WORKSHEEET-Criteria for Approval.

Certificates of Confidentiality

A Certificate of Confidentiality (COC) protects the privacy of research participants by prohibiting forced disclosure of their name or any information, document, or biospecimen that contains individually identifiable, sensitive research information to anyone not associated with the research, except when the participant consents to such disclosures or in other limited specific situations. The term “identifiable, sensitive information” means information about an individual gathered or used during the research through which an individual is identified or for which there is a very small risk that some combination of information could identify an individual.

Effective October 1, 2017, all ongoing or new research as of December 13, 2016 that is

  • funded wholly or in part by the NIH AND
  • collects or uses identifiable, sensitive information

is automatically issued a CoC as a term and condition of the NIH grant award. Certificates will no longer be issued in a separate document. The Notice of Award and the NIH Grants Policy Statement will serve as documentation of the Certificate protection. This automatic issuance of CoC protections also applies to research that receives re-distributed NIH funds. There are several campus institutes, programs, and research centers that provide pilot, new-investigator, or other smaller awards using NIH funds. Research conducted under these types of awards are also automatically issued a CoC.

You are required to determine whether your research records are covered by a COC. See HRP 333-Worksheet-Certificate of Confidentiality for details on evaluating whether a non-NIH-funded research study should be covered by a COC.

When a COC covers the research records, and informed consent will be obtained from participants, the participants must be told about the protections afforded by the COC and any limitations to those protections. Available consent form templates have been revised to include language that addresses COC protections. This language must be included in consent forms to be used in studies to which the COC policy applies.

A number of other HHS agencies also issue COCs. For information and instructions go to: Information and templates for requesting a COC when the funding source is not an HHS agency, or when the funding source is not federal can also be found at the link provided above. Researchers conducting a non-federally funded study who are applying for a COC should draft the COC assurance template according to language provided at the link provided above. For assistance in obtaining the institutional officials’ signature, review the CoC Application Help guidance or email for signature routing.

Researchers must be aware that:

  • Information protected by a COC and all copies are subject to the protections of the COC in perpetuity. If a secondary researcher receives information protected by a COC, the secondary researcher is required to uphold the protections. Researchers who provide a secondary researcher with data protected by a COC should inform the secondary researcher of the continuing obligation to protect the data
  • If the study continues to enroll additional participants after your NIH funding ends, those participants will not be protected by the Certificate unless you apply for a Certificate following the process for non- federally funded research.
  • Certificates will be issued for applicable research regardless of the country where the investigator or the protected information resides though a COC may not be effective for data held in foreign countries.
  • Should the researcher ever receive a subpoena, or any other legal process request seeking disclosure of research records, the researcher should not release any records or information and should immediately contact the IRB office and the Office of Legal Affairs.

For complete information about the policy, including FAQs, please visit: