
N3C Enclave Data Overview

The N3C Enclave is a centralized, secure, national clinical data resource with powerful analytics capabilities that the research community can use to study a variety of health conditions.

About N3C Enclave Data

Data Types

The N3C Enclave systematically and regularly collects data derived from the electronic health records of people meeting the N3C data inclusion criteria. The data set includes information such as demographics, lab test results, procedures, medications, medical conditions, physical measurements and more.

Participating institutions release data to the N3C Enclave under the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. Read more about the HIPAA Privacy Rule.

N3C harmonizes clinical data into the OMOP Common Data Model. For detailed information about the data elements present, see the OMOP Common Data Model specification document.

While NIH is not subject to HIPAA, NCATS asks medical institutions and health care organizations to contribute this information as a limited data set, pursuant to the requirements in the HIPAA Privacy Rule.

A limited data set is defined as protected health information that excludes certain direct identifiers of an individual or of relatives, employers or household members of the individual — but may include city, state, ZIP code and elements of dates. A limited data set can be disclosed only for purposes of research, public health or health care operations.

Three levels of data are available for analysis:

  • Limited Data Set (LDS): Consists of patient data that retain the following protected health information —
    • dates of service
    • patient ZIP code
  • De-identified Data Set: Consists of patient data from the LDS with the following changes —
    • Dates of service are algorithmically shifted to protect patient privacy.
    • Patient ZIP codes are truncated to the first three digits or removed entirely if the ZIP code represents fewer than 20,000 individuals or represents Tribal lands.
  • Synthetic Data Set: Consists of data that are computationally derived from the LDS and that resemble patient information statistically but are not actual patient data.

Access Requirements for Researchers by Data Level

Data Level: Limited Data Set (LDS)

Data Description: Patient data that retain the following protected health information —

  • dates of service
  • patient ZIP code

Eligible Users:

  • Researchers from U.S.-based institutions

Access Requirements*:

  • N3C registration
  • N3C Enclave account
  • Data Use Agreement (DUA) executed with NCATS
  • NIH IT training completion
  • Approved Data Use Request (DUR)
  • Human Subjects Research Protection training completion
  • Local Human Research Protection Program IRB determination letter

Data Level: De-identified Data Set

Data Description: Patient data from the LDS with the following changes —

  • Dates of service are algorithmically shifted to protect patient privacy.
  • Patient ZIP codes are truncated to the first three digits or removed entirely if the ZIP code represents fewer than 20,000 individuals.

Eligible Users:

  • Researchers from U.S.-based institutions
  • Researchers from foreign institutions

Access Requirements*:

  • N3C registration
  • N3C Enclave account
  • DUA executed with NCATS
  • NIH IT training completion
  • Approved DUR
  • Human Subjects Research Protection training completion

Data Level: Synthetic Data Set

Data Description: Data that are computationally derived from the LDS that resemble patient information statistically but are not actual patient data.

Eligible Users:

  • Researchers from U.S.-based institutions
  • Researchers from foreign institutions
  • Citizen scientists

Access Requirements*:

  • N3C registration
  • N3C Enclave account
  • DUA executed with NCATS
  • NIH IT training completion
  • Approved DUR

*Data access requirements may change over time


Additional Access Requirements

N3C Enclave data may be used only for approved research purposes. Before researchers can request access to the data, their institutions must execute a Data Use Agreement (DUA) (PDF - 826KB) with NCATS. Once a DUA is in place, researchers can submit a Data Use Request (DUR) through the N3C Enclave. In the DUR, researchers will need to include, among other information, the project research title, names of project personnel, a non-confidential research statement, the project proposal and the requested data access level. Additional DUR requirements include reviewing and agreeing to comply with the N3C Data User Code of Conduct. The N3C Data Access Committee reviews and approves DURs.

Learn more about how to apply for data access or see FAQs about using the data.

Data Stewardship and Protection

As the steward of the data, NCATS is taking every reasonable precaution to guarantee the confidentiality, security and integrity of the data. NCATS oversees the use of the enclave through user registration, federated login, data use agreements with institutions and data use requests with users. All work must be done within the enclave, and no data may be downloaded. The N3C Enclave’s secure, cloud-based environment is certified through the Federal Risk and Authorization Management Program, or FedRAMP, which provides standardized assessment, authorization and continuous monitoring for cloud products and services, ensuring the validity of the data while protecting patient privacy. NCATS monitors the data protections in place on an ongoing basis and may adjust or augment them. Additionally, in conjunction with the U.S. Department of Health and Human Services, NCATS participates in ongoing security testing of multiple aspects of the enclave.


Data Security and Privacy

We have taken a comprehensive approach to addressing the security of the N3C Enclave and protecting patient privacy.

We follow all applicable policies and regulations, have integrated key privacy measures into the enclave and its governance processes, and perform security testing and monitoring of activity inside the enclave. We also require researchers to, among other rules, adhere to a code of conduct, sign an agreement with NCATS outlining terms and conditions for using the data, and take NIH information technology security training.

The following table — showing N3C’s four pillars of data protection — provides additional detail about the steps we take to keep data secure and protect patient privacy.

Regulatory and Policy

  • Data-contributing sites abide by the HIPAA Privacy Rule
  • N3C research is subject to the Federal Policy for the Protection of Human Subjects in research ("Common Rule")
  • Data are provided as a HIPAA-defined limited data set
  • NIH IRB oversight and waiver of consent
  • For approved research only
  • No genomic data
  • No emergency public health authorities were used to obtain the data under these conditions
  • Engaged in an NIH Tribal Consultation regarding use of American Indian and Alaska Native (AI/AN) data

Privacy Measures

  • Certificate of Confidentiality
  • Data stay within the N3C Enclave: No download or capture of raw data
  • Privacy Impact Assessment
  • Review of project requests by the Data Access Committee
  • Full five-digit ZIP codes will never be shown for AI/AN demographic data

Security Testing and Monitoring

  • Federal government–compliant enclave managed by NCATS
  • Meets government security controls for cloud security and privacy
  • Data encryption in transit and at rest, without exception
  • Scheduled penetration testing
  • Active monitoring and logging by NIH and HHS
  • Auditing of activities in the N3C Enclave

Researcher Responsibilities

  • A user's organization signs a Data Use Agreement with NCATS for terms and conditions of use
  • Users adhere to the N3C Data User Code of Conduct
  • Required NIH IT security training
  • Required Human Subjects Research Protection training
  • Follow N3C’s Community Guiding Principles
  • Users attest that they understand that use of AI/AN data and ZIP code information to make assumptions about Tribal affiliation is not valid or permitted

Learn more about using the N3C Enclave:

Data Sources and Harmonization

NCATS has established a Data Transfer Agreement (DTA) (PDF - 139KB) that provides terms and conditions for data transfer and outlines the general terms of data use. Institutions contributing data sign the DTA, then work with NCATS to transfer a limited data set in the institution’s preferred common data model (derived from electronic health records) to the N3C Enclave on a recurring basis. The N3C data harmonization team ingests the limited data set, runs quality checks and transforms different data models into a harmonized OMOP analytics data set.

See a list of institutions that have executed DTAs with NCATS.

Privacy Preserving Record Linkage

Privacy Preserving Record Linkage (PPRL) is a means of connecting records that refer to the same individual across different data sources, using secure pseudonymization processes, while maintaining the individual’s privacy. Linking multiple data sets enhances real-world data research in the N3C Enclave.

All organizations contributing data to the N3C Enclave must have an approved Data Transfer Agreement (DTA). In addition to the DTA, these organizations have the option of signing the Linkage Honest Broker Agreement (LHBA) (PDF - 1.1MB). The LHBA is an agreement between the organization, NCATS and The Regenstrief Institute, which serves as the linkage honest broker. The data remain under the complete control of the organizations that provide data to N3C and are never accessible by or under the control of the linkage honest broker.

Learn how N3C’s PPRL initiative enables data connectivity while maintaining security.

Read frequently asked questions about PPRL and the LHBA.

Watch a demonstration of N3C’s PPRL initiative (video length: 0:51).

Last updated on July 2, 2025