Certificate of confidentiality

In the United States, a certificate of confidentiality (CoC) is issued by the National Institutes of Health (NIH) and other Health and Human Services (HHS) agencies to protect identifiable research information from forced or compelled disclosure. It allows the investigator and others who have access to research records to refuse to disclose identifying information on research participants in civil, criminal, administrative, legislative, or other proceedings, whether federal, state, or local. Certificates of confidentiality may be granted for studies collecting information that, if disclosed, could have adverse consequences for subjects, such as damage to their financial standing, employability, insurability, or reputation. By protecting researchers and institutions from being compelled to disclose information that would identify research subjects, certificates of confidentiality help to minimize risks to subjects by providing an additional level of protection for maintaining confidentiality of private information.

According to Section 2012 of the 21st Century Cures Act, as implemented in the 2017 NIH Certificates of Confidentiality Policy, all ongoing or new research funded wholly or in part by NIH as of December 13, 2016 that is collecting or using identifiable, sensitive information is automatically deemed to be issued a certificate of confidentiality. Compliance requirements are outlined in the NIH Grants Policy Statement and the NIH DGS Contract Handbook - Special Contracts Requirements, which are terms and conditions of all NIH grant awards and contract solicitations, respectively.

Information protected by a certificate of confidentiality
Certificates of confidentiality protect information, documents, and/or biospecimens that contain identifiable, sensitive information related to a participant. The certificate of confidentiality policy and 42 U.S. Code §241(d) define identifiable, sensitive information as information that is about an individual, that is gathered or used during the course of research, and:
 * Through which an individual is identified; or
 * For which there is at least a very small risk that some combination of the information, a request for the information, and other available data sources could be used to deduce the identity of an individual.

Note that the law focuses on the identifiability of the information, and not on the sensitivity of the information.

The certificate of confidentiality protections cover all copies of information, documents, or biospecimens gathered (i.e., collected) or used by the investigator during the research, including copies that are shared for other research activities.

Once information is covered by certificate of confidentiality protections, these protections last in perpetuity.