New NIH policy on Certificates of Confidentiality

On Sep. 7, 2017, the National Institutes of Health issued a notice of changes for their policy regarding the issuing of Certificates of Confidentiality (CoC). This change comes as a result of the implementation of Section 2012 of the 21st Century Cures Act. A CoC is a privacy provision that will prevent “compelled disclosure” (a subpoena) of research data.

PadlockPreviously, a researcher had to apply for a CoC. With this new policy, any NIH-funded research involving identifiable, sensitive information, identifiable biospecimens or generating individual level genomic data that was active on Dec. 13, 2016, has retroactively been issued a CoC as of Oct. 1, 2017. For all new grant submissions, the CoC will be issued automatically as part of the NIH grant application process. Studies that are not NIH funded can still apply for a CoC through the usual process.

So what do you need to do now? If your NIH-funded study fits these criteria and, therefore, has a retroactively issued CoC:

  • If you are still seeing subjects, you should inform the subjects of this new privacy protection by modifying consent forms to include CoC language — see new, simplified CoC boilerplate language in the latest consent form template on the IRB Policies and Forms page. Include any limitations on the CoC, such as mandatory public health or child abuse reporting.
  • Update the IRQ CoC question (Study Details page, Q12) at the time of the consent form revision.
  • For NIH-funded studies under a Waiver of Consent, the change to the IRQ can be made in the next Modification or Continuing Review.

If your study is subpoenaed and you have a CoC, contact OHSU Legal ( for assistance. If you are unsure if your study meets the criteria for having a CoC, or you have questions about the necessary changes, please contact Research Integrity at

Leave a Reply