Human Subjects Research

Certificates of Confidentiality (CoCs)

Created 8/21/2018
Revised 09/09/2022

CoCs protect the privacy of research participants by prohibiting the research team from disclosing identifiable, sensitive research information to individuals or entities not connected to the research. CoCs are to be issued for any biomedical, behavioral, clinical, or other research, in which identifiable, sensitive information is collected where the research is Funded wholly or in part by the Public Health Services Agencies (PHS), or as required.

The recipient of a CoC shall:

  • Adhere to the privacy protections afforded by a CoC (and thus sharing and use restrictions) in perpetuity.
  • Not disclose or share identifiable, sensitive research information, except in a few limited instances, e.g., participant consent, as required by law or in compliance with the human subjects research regulations.

The decision trees below and FAQs provide guidance as to whether CoC requirements apply to your research and if so, how to comply with these requirements and processes at Washington University.

The National Institutes of Health (NIH), the Centers for Disease Control (CDC), Food & Drug Administration (FDA), and Health Resources & Services Administration (HRSA) also offer specific guidance for CoCs on their websites: NIH, CDC, FDA, and HRSA.

NIH, CDC, FDA, & HRSA Funded Researchers

Certificates are automatically awarded to research falling under either the NIH’s, CDC’s, FDA’s, or HRSA’s COC policy as a term of the notice of award; therefore, NIH, CDC, FDA, and HRSA Funded researchers are not required to apply for a CoC. NIH, CDC, FDA, and HRSA Funded researchers are expected to be able to identify when their research falls under the CoC policy.

Use the NIH, CDC, FDA, and HRSA Funded researcher decision tree to determine:

  • If the CoC policy applies to your research and
  • How to comply with the policy

Non-NIH, Non-CDC, and Non-FDA PHS Funded Researchers

Researchers who receive PHS Funding may be required to apply to obtain a CoC from the appropriate issuing agency (i.e. IHS, SAMHSA). This includes researchers who are:
  • Funded by HHS agencies other than the NIH, CDC, FDA, or AHRQ* including:  ACF, ACL, ATSDR, IHS, SAMHSA

Use the decision tree for researchers who are receiving PHS Funding from an agency other than the NIH, CDC, FDA, HRSA, or AHRQ to determine:

  • If the CoC requirements apply to your research, and
  • How to obtain a CoC and comply with the policy

*Studies with AHRQ funding are protected under the AHRQ Confidentiality Statute and do not require a Certificate of Confidentiality. See NOT-HS-18-012 for more information.

Non-Federally Funded Researchers

Depending on the population and content of research information to be obtained, securing a CoC to protect the privacy of research participants may be an appropriate and/or necessary step.

For researchers without Federal Funding, a CoC can be applied for through the FDA (for FDA-regulated studies) or the NIH.

Use the decision tree for Non-Federally Funded researchers to determine:

  • If a CoC is an appropriate mechanism to protect participant privacy, and
  • How to obtain a CoC and comply with the policy

    • Template CoC Request Letter to FDA

    Frequently Asked Questions (FAQs)

    1. What is a COC?
    2. What information is protected?
    3. When may researchers disclose protected information?
    4. What if I want to share or transfer my data and/or biospecimens to other researchers?
    5. Who Issues a Coc?
    6. How do I apply for a CoC?
    7. How long does a CoC last?
    8. How do I extend the expiration date on my CoC?
    9. Does a CoC ever have to be amended?
    10. I have a new study funded by the NIH, CDC, or FDA, what do I need to do?
    11. Does the CoC policy apply to my existing NIH, CDC, or FDA award?
    12. I no longer have NIH, CDC, or FDA Funding, but I did have Funding on/after 12/13/2016. What do I need to know?
    13. What other resources are available?


    1. What is a COC?

    A CoC protects the privacy of research participants enrolled in biomedical, behavioral, clinical or other research. Researchers are prohibited from disclosing any information, documents or biospecimens containing identifiable, sensitive information related to a participant to anyone not connected with the research, including in response to legal demands, such as a subpoena.

    Return to top

    2. What information is protected?

    • A CoC protects identifiable, sensitive information or information for which there is at least a very small risk, that some combination of the information, a request for the information, and other available data sources could be used to identify an individual.

    Return to top

    3. When may researchers disclose protected information?

    • When the participant consents.
    • When disclosure is required by federal, state, or local laws (e.g., as required by the Federal Food, Drug, and Cosmetic Act, or state laws requiring the reporting of communicable diseases to State and local health departments), excluding instances of disclosure in any Federal, State, or local civil, criminal, administrative, legislative, or other proceeding.
    • When the disclosure is made for the purposes of research that complies with the human subjects regulations.

    Return to top

    4. What if I want to share or transfer my data and/or biospecimens to other researchers?

    • Transferring and/or sharing data and/or biospecimens that are identifiable, have a small risk of being identified, involve generation of individual level human genomic data, and/or any other information that might identify a person should be disclosed to the Office of Technology Management (OTM) or the Joint Research Office for Contracts (JROC), as appropriate, prior to the execution of a data use/transfer agreement (DUA) and/or material transfer agreement (MTA). Please contact the offices below or visit their websites for more information:

    Return to top

    5. Who Issues a CoC?

    1. NIH, CDC, FDA, and HRSA automatically issue CoCs to award recipients who are conducting biomedical, behavioral, clinical or other research that involves the collection of sensitive identifiable research information or biospecimens. There is no need to apply to the NIH, CDC, or FDA for a CoC for research funded by these agencies.
      • The FDA also issues CoCs for research operating under an IND or IDE that is not funded by any of the above agencies; these CoCs require an application.
    2. Two agencies within the Department of Health and Human Services issue CoCs for research Funded by those agencies, through an application process:
      • Substance Abuse and Mental Health Services Administration (SAMHSA)
      • Indian Health Service (IHS)
    3. The Agency for Healthcare Research & Quality (AHRQ) has its own confidentiality statute that applies in lieu of CoCs. 
    4. For all other PHS Funded research, researchers should apply to the NIH for a CoC. NIH has been delegated the authority to issue CoCs for other Federal Agencies.
    5. Please note:  Other Federal Agencies like the Department of Justice (DOJ) and the Department of Defense (DOD) may have specific confidentiality requirements. Be sure to contact your Funding Agency to inquire about any specific requirements.

    Return to top

    6. How do I apply for a CoC?

    1. If there is a human studies protocol, submit to IRB/HRPO either a new study application or modification, a) mark in the myProject section of your myIRB application “CoC is pending.”; and b) add the CoC template language to all of the consent documents and/or consent materials being used.
    2. Determine what information is needed for your CoC application. Some agencies have web-based forms; others require a letter with specific information and attachments.
      1. Note: an application is not required for NIH, CDC, FDA, or AHRQ Funded research.
      2. For research Funded by SAMHSA, or IHS, contact the Funding agency.
      3. For other research funding, gather the information outlined on the NIH’s website to use the NIH’s Online Certificate of Confidentiality System.
    3. If you are using the NIH’s Online Certificate of Confidentiality system, apply for the CoC online here.
      1. Enter the following for the Institutional Official: (Director of OSRS):
        • Name of Institutional Official: Teri Medley
        • Email address of Institutional Official: researchgrants@wusm.wustl.edu
        • Phone number of Institutional Official: 314-747-4134
      2. The system will email the Director of OSRS to confirm the accuracy of the CoC request and affirm the Institutional Assurance statement.
      3. Send an email to OSRS at researchgrants@wusm.wustl.edu with:
        • A subject line indicating you are applying for a CoC
        • Your grant information (funding agency, grant number, and grant title)
        • A copy of your IRB approval letter
    4. If you are applying for a CoC through SAMHSA, HRSA, or IHS, complete the agency’s CoC application.
      1. Obtain institutional signature by emailing the Director of OSRS at researchgrants@wusm.wustl.edu the full application (or screen prints if an online application) and a copy of the IRB Approval letter.  Director of OSRS will review the application and provide signature on the following documents:
        • The assurance page generated by the CoC online system, signed by the PI, and
        • The letter prepared by the department, on department letterhead, requesting the CoC, signed and dated by the PI.
          • Note: the University’s Director of OSRS (and his/her designees) have “Institutional Official/Signature Authority.”
    5. Once the agency responds, send a copy of the response to the IRB/HRPO.
      1. If the CoC has been granted, submit a modification in myIRB to change the myProject section to “CoC Received” and attach a copy of the CoC.
      2. If the CoC has been denied, submit a modification in myIRB to change the myProject section to “No”, remove the CoC language from the consent forms/materials and include in the modification that a CoC was denied.

    Return to top

    7. How long does a CoC last?

    • Information, documents and biospecimens collected under a CoC are protected in perpetuity.
    • CoCs DO expire.
      • For NIH, CDC, or FDA Funded research, the automatically awarded CoC protection ends when award Funding ends; however, CoC protection continues during no cost extensions.
      • If Funding ends but research activities continues, researchers may need to re-apply for a CoC.
      • If a researcher applies for and is awarded a CoC, the expiration date will be on the CoC.
    • Information, documents and biospecimens collected after a CoC expires are NOT protected by the CoC.
    • CoCs may be extended upon application to the issuing agency.

    Return to top

    8. How do I extend the expiration date of my CoC?

    • Follow the agency’s instructions for extending the expiration date.
      • If the CoC extension is granted, notify the IRB/HRPO by submitting a modification in myIRB and attaching a copy of the extended CoC.
    • You are responsible for ensuring that the CoC does not expire while identifiable, sensitive information is being collected.
      • In the event that the CoC has expired, you cannot enroll/consent any new subjects until  a:
        1.  CoC extension has been received or
        2.  Modification has been submitted to the IRB/HRPO to remove the CoC information from the application and informed consent documents/materials.
    • Data collected after a CoC has expired are NOT protected from disclosure in response to subpoenas or other legal demands.

    Return to top

    9. Does a CoC ever have to be amended?

    • Yes, amending a CoC is necessary when there are significant changes to the research. If an amendment to the CoC is not obtained, then data collected by the revised study may not be covered by the original CoC.
      • Examples of significant changes: major changes in the scope or direction of the research; adding a new subject population; adding the collection of additional types of identifiable sensitive data; changing the lead researcher.
      • Follow the amendment instructions of the issuing Federal Agency. When the amendment has been granted, notify the IRB/HRPO by submitting a modification in myIRB and a copy of the amended CoC.

    Return to top

    10. I have a new study Funded by the NIH, CDC, FDA, or HRSA what do I need to do?

    • You will need to submit a modification to the study in myIRB.
      • Update the myProject section of the myIRB application to reflect that a CoC was automatically issued by the sponsor of the study.
      • All IRB/HRPO approved consent forms will need to be revised to include the appropriate CoC language.
        • This language will be available in myIRB, in a newly generated consent form template, once the response to the myProject section is updated.
      • The IRB/HRPO will determine if existing participants will need to be re-consented.

    Return to top

    11. Does the CoC policy apply to my existing NIH, CDC, or FDA award?

    • Yes, any NIH and CDC-Funded study using identifiable, sensitive information that was active on/after December 13, 2016 has automatically been issued a CoC. Any FDA-Funded study using identifiable, sensitive information that was active on/after October 1, 2018 has been automatically issues a CoC.

    Return to top

    12. I no longer have NIH, CDC, or FDA Funding, but I did have Funding on/after 12/13/2016. What do I need to know?

    • A CoC was automatically issued to your NIH and CDC Funded research as of December 16, 2016 and data collected during that period is protected by the CoC.
    • A CoC was automatically issued to your FDA Funded research as of October 1, 2018 and data collected during that period is protected by the CoC.

    Return to top

    13. What other resources are available?

    The University has developed a series of decision trees to assist researchers with managing the CoC process:

    1. NIH, CDC, FDA, and HRSA Funded Decision Tree
    2. Non-NIH, Non-CDC, Non-FDA, non-HRSA, and Non-AHRQ Funded Decision Tree
    3. Non-Federally Funded Decision Tree

    The 21st Century Cures Act (Dec, 2016) defined, and expanded, the type of information requiring the protection of a Certificate of Confidentiality.

    Following the 21st Century Cures Act, the NIH updated its policy for the issuance of Certificates of Confidentiality for research Funded wholly or in part by the NIH (October 1, 2017).

    Return to top