Author manuscript; available in PMC: 2016 Apr 1.
Published in final edited form as: J Law Med Ethics. 2015 Fall;43(3):594–609. doi: 10.1111/jlme.12302

Certificates of Confidentiality: Protecting Human Subject Research Data in Law and Practice

Leslie E Wolf 1, Mayank J Patel 2, Brett A Williams Tarver 3, Jeffrey L Austin 4, Lauren A Dame 5, Laura M Beskow 6
PMCID: PMC4636332  NIHMSID: NIHMS733475  PMID: 26479569

Answering important public health questions often requires collection of sensitive information about individuals. For example, our understanding of how HIV is transmitted and how to prevent it only came about with people’s willingness to share information about their sexual and drug-using behaviors.1 Given the scientific need for sensitive, personal information, researchers have a corresponding ethical and legal obligation to maintain the confidentiality of data they collect and typically promise in consent forms to restrict access to it and not to publish identifying data.2

The interests of others, however, can threaten researchers’ promises of confidentiality when legal demands are made to access research data (e.g., through subpoena). In some cases, the subject of the litigation is tightly connected to the research questions, and litigants’ interest in the data is not surprising. Researchers conducting studies on tobacco or occupational or other chemical exposures, for example, are relatively frequent targets of subpoenas.3 Similarly, those conducting research on illegal behaviors should not be surprised that their data may be considered useful in building cases.4 In other instances, litigants’ interest in the data may relate to individual participants, rather than the research per se, and may not be anticipated.5

When the research data collected could place participants at risk from disclosure, researchers need to take steps to minimize that risk.6 A Certificate of Confidentiality (“Certificate”) is a potentially important tool for protecting individually identifiable, sensitive research data from compelled disclosure. Under the terms of the authorizing federal statute, the holder of a Certificate “may not be compelled in any Federal, State, or local civil, criminal, administrative, legislative, or other proceedings to identify such individuals.”7 However, questions persist about the strength of Certificate protections, and the evidence on which to judge their strength is scant.8

In this article, we examine Certificates and related statutory protections to enhance understanding and suggest ways to strengthen Certificates’ protections. We begin by briefly describing researchers’ obligations to protect the confidentiality of data they collect. We next summarize the legislative and regulatory history, and the case law—both reported and unreported—interpreting Certificates. We then analyze other statutes and regulations that provide similarly broad confidentiality protections for research data and compare them to Certificates. We briefly examine other legal strategies available for protecting research data. Finally, we make recommendations for how to strengthen protection of sensitive research data based on our research on this topic.

I. RESEARCHERS’ CONFIDENTIALITY OBLIGATIONS

Researchers are widely acknowledged to have an ethical and a legal obligation to protect the confidentiality of information that participants share with them.9 The ethical obligation arises out of the principle of beneficence, which requires researchers to minimize harms to research participants, and respect for persons.10 Federal regulations governing human subjects research (“federal regulations” or the “Common Rule”)11 impose an obligation on institutional review boards (IRBs) to ensure that “there are adequate provisions to protect the privacy of subjects and to maintain the confidentiality of data” before approving a study.12 In addition, federal regulations require that “risks to subjects are minimized.”13 These two provisions thus impose an obligation on researchers to take steps to protect confidentiality, at least when the study methods and topic make confidentiality an issue. The importance of preserving confidentiality is also implied in other parts of the federal regulations. For example, whether information is collected or maintained in a way that could be linked back to an individual participant is an important consideration in determining whether the research is subject to the Common Rule and requires IRB oversight.14 Finally, laws protecting confidentiality of materials often used in research, such as medical records, may give rise to participant expectations about data confidentiality.15

There are a number of ways that researchers may protect confidentiality. For example, they may collect data anonymously so that it cannot be linked back to an individual. Alternatively, researchers may code data so that participants are not immediately identifiable. Access to the key that links the code to identifying information is typically limited, and additional steps are taken to secure the data through physical means (e.g., locked cabinets) and/or electronic means (e.g., password protection).16 Researchers also often destroy the key once the research is completed.17

Even without ethical and regulatory obligations to protect participants’ confidentiality, many researchers would likely take steps to do so on purely pragmatic grounds. Without assurances that researchers will protect their information, people may not participate in research on sensitive topics.18

II. CERTIFICATES OF CONFIDENTIALITY

Legislative Authority

Certificates were originally authorized in 1970 for research involving drug use.19 In order to succeed with such research, researchers “had to guarantee confidentiality”20 because, as one researcher explained, Congress wanted researchers “to study people under conditions where they must admit they have committed a felony.”21 Since this original authorization, the scope of Certificates has been expanded several times.22 The statute now reads:

“The Secretary [of Health and Human Services] may authorize persons engaged in biomedical, behavioral, clinical or other research (including research on mental health, including research on the use and effect of alcohol and other psychoactive drugs) to protect the privacy of individuals who are the subject of such research by withholding from all persons not connected with the conduct of such research the names or other identifying characteristics of such individuals. Persons so authorized to protect the privacy of such individuals may not be compelled in any Federal, State, or local civil, criminal, administrative, legislative, or other proceedings to identify such individuals.”23

Regulatory Authority

While statutes provide the authority for Certificates’ confidentiality protections,24 HHS regulations specify their form.25 These regulations define the “identifying characteristics” that are protected by the Certificate as “the name, address, any identifying number, fingerprints, voiceprints, photographs or any other item or combination of data about a research subject which could reasonably lead directly or indirectly by reference to other information to identification of that research subject.”26 (emphasis added) They also give authority to the National Institutes of Health (NIH) to issue Certificates upon application, regardless of whether the research is funded by the federal government.27 The regulations also specify the content of the application28 and the information that must be disclosed to research participants about the Certificate.29

Reported Cases Involving Certificates

The disclosures Certificates protect against come about in the legal process called discovery, which is the phase when parties to the case, in whatever forum, can seek relevant documents, testimony, and other information from the other side and from non-parties. For both procedural and practical reasons, discovery decisions are seldom appealed and thus do not give rise to reported decisions.30 In this section, we analyze the few reported cases that address Certificates and their implications.

People v. Newman31

This was the first case to address the confidentiality provision introduced in the Comprehensive Drug Abuse Prevention and Control Act of 1970 (“1970 Act”). While a compelling factual story, the legal story focused more on the conflict between two statutes than the scope of the Certificate’s protections.32

In Newman, a methadone maintenance clinic patient who witnessed a murder told police that she had previously seen the murderer in the clinic’s waiting room.33 Based on this information, a grand jury subpoena was served on the clinic’s director, Dr. Robert Newman, ordering him to produce photographs of patients who fit the witness’s description. Dr. Newman moved to quash the subpoena on the grounds that the production was prohibited because he had a Certificate. The trial court denied Dr. Newman’s motion and, when he still refused to produce the photographs, found him in contempt of court and sentenced him to thirty days in jail.34

In his appeal, Dr. Newman claimed that the photographs were protected because he had a Certificate authorized by the 1970 Act.35 The New York District Attorney countered that the 1970 Act was superseded by the Drug Abuse Office and Treatment Act of 1972 (“the 1972 Act”), and it permitted court-ordered disclosure of methadone maintenance program records.36 Thus the Court needed to determine whether the 1972 Act repealed the more stringent protections of the 1970 Act.37

The Court determined that the 1972 Act did not repeal the 1970 Act’s “absolute confidentiality” protections, noting those protections were necessary to “ensure the success of drug research programs in which addict participants require anonymity.”38 Having made the decision about which statute controlled, the Court quickly decided that Dr. Newman could not be compelled to produce the photographs and could not be held in contempt for his failure to do so.

People v. Still39

In this case, the defendant, Still, was charged with criminal possession of methadone. Still asserted that his possession was lawful because he was a patient in a methadone clinic. In support of his claim, he provided the district attorney with a letter from the clinic’s director to his attorney affirming his participation in the program and that he received the methadone in question from the clinic. The district attorney issued a subpoena to the clinic for the defendant’s records to assess the credibility of Still’s claim. The clinic moved to quash the subpoena, and the trial court, relying on Newman, granted their request.

On appeal, the Court ordered the clinic to produce the records, allowing the district attorney to inspect only those records necessary to determine whether Mr. Still lawfully possessed the methadone.40 In reaching this conclusion, the court noted that, unlike Newman, where the methadone clinic director was being asked to identify participants in his program to the police,41 Still had waived his right to anonymity by disclosing his participation in the program to defend himself from criminal charges.42

North Carolina v. Bradley43

Bradley was a criminal defendant charged with “indecent liberties with a minor” and statutory rape. Bradley’s granddaughter was a prosecution witness who was expected to testify (and ultimately did) that Bradley had sexually abused her. Prior to trial, Bradley subpoenaed research records pertaining to his granddaughter from a study conducted by Duke University researchers for the purpose of challenging her credibility. Duke moved for a protective order on the grounds that a Certificate protected the data, which the trial court granted.44 However, Duke was ordered to maintain a sealed copy of the records that could be used should the defendant later appeal the ruling.45

After a jury convicted Bradley on all the charges against him, his appellate lawyer moved for access to the Duke files for his appeal.46 The trial court granted the request and ordered disclosure of the study documents to allow Bradley’s appellate lawyer to determine whether earlier denial of access to the documents provided a basis for appeal.47 The judge limited access to the study documents to the defendant’s and Duke’s lawyers. Duke appealed the order requiring disclosure.

Bradley sought to set aside Duke’s appeal, but the court allowed the appeal because the order required Duke to disclose information that it was required to protect under the Certificate and federal statute. Despite this recognition of Duke’s obligations, the appellate court did not rely on the Certificate in its decision that the records should not have been released to defense counsel. Rather, the court relied on the lack of evidence of materiality of the records, a general discovery concept, to make its determination.48 Having resolved the matter on materiality, the court concluded that it “need not consider [Duke’s] argument that the confidentiality of the documents was statutorily privileged.”49 The appellate court found that the trial court erred in ordering the documents produced and vacated that order, but, at that point, the disclosure had already been made.50

Murphy v. Philip Morris Inc.51

The discovery dispute in this case arose in a personal injury suit against Philip Morris. The plaintiff, Robert Murphy, claimed that he contracted lung cancer through exposure to second-hand smoke. Philip Morris sought data from a study conducted by the University of Southern California (USC), the California Department of Health Services, and others, which was pivotal to the United States Environmental Protection Agency’s conclusion that second-hand smoke causes lung cancer. According to the Court, USC’s opposition to the motion presented “a compelling case” that “a reasonably capable researcher” could connect redacted data to specific study subjects.52 The court also noted that USC had obligations to preserve the confidentiality of “the names and ‘identifying characteristics’ of the subjects,” citing the consent provisions of the Common Rule and the Certificate authorizing statute.53 Nevertheless, the court ordered production of the data, in part because the data alone were not identifiable.54 It did, however, issue a protective order that, among other things, (1) imposed restrictions on attempts to re-identify the subjects; (2) limited use of the documents to the particular case; (3) limited the disclosure of the documents to specified individuals who first signed a non-disclosure agreement; and (4) required return of the documents after the case was concluded.

What is most interesting about the Murphy case is that, despite citation to the Certificate authorizing statute, it does not appear that the study had a Certificate and, thus, that the statute had any bearing on the case. So why did the court’s order refer to 42 U.S.C. § 241(d)? It appears that the court adopted the arguments presented by USC’s counsel55, which seem to be a misunderstanding of 42 U.S.C. §241(d) as a protection that extends to all research projects, rather than protection granted to qualified research projects that apply.56 In its reply, Philip Morris’ attorneys did not address this argument, except to note that it did not seek identifying information.

Unreported Cases Involving Certificates

Because of the paucity of reported57 cases involving Certificates, and the limited legal analysis of Certificates within those cases, we sought to identify cases at any level that might involve Certificates and add to our understanding of how courts address them.58 Through these searches, we were able to identify some additional cases, although the amount of information available on each was variable.

Three cases involved claims of harm following drug59 or other chemical60 exposure and were resolved similarly. In each case, the defendants sought access to research data, and the researchers asserted that a Certificate protected the data from disclosure. In two of these,61 the researchers raised concerns about whether the data could be effectively deidentified and about the chilling effects on future research if the data were shared. In all three, redacted data were disclosed under a protective order issued by the court.62 Among the terms of the protective orders were a uniform protocol for redaction, promises not to try to re-identify the subjects, limiting who could access the data, and limiting use to the litigation at hand.63

Two other unreported cases, a state attorney general opinion and a juvenile court case, highlight different interpretations of the Certificate’s protections, with implications for our recommendations. Thus, we discuss them in some detail despite their limited precedential value.

In re: Louisville Branch-National Association for the Advancement of Colored People/Administrative Office of the Courts and the University of Louisville64

This matter involved a study conducted by Louisville for the Administrative Office of the Courts (AOC) evaluating racial fairness in sentencing at the court. The NAACP filed an open records request to the AOC and Louisville for the data supporting Louisville’s research report “to monitor the performance of [the] elected judiciary through records access.”65 Louisville asserted the Certificate in opposing the request.

In its opinion, the Kentucky Attorney General found that Louisville’s Certificate was controlling and provided “absolute protection against compelled disclosure of identifying information about the subjects of the study.”66 Louisville had submitted information demonstrating how someone could piece information from the data with publicly available documents to identify the judges. Based on this information coupled with the NIH FAQ definition of “identifying”, the AG concluded: “To require involuntary disclosure of the disputed data would be tantamount to breaching the protection afforded by the certificate through release of a combination of data about research subjects that could reasonably lead, directly or indirectly by reference to other information, to the identification of those subjects.”67

Juvenile court case68

This case involved four children who were participants in Yale studies on abuse and neglect and stress on brain development. The Yale researchers voluntarily notified the government that they were concerned about the children’s welfare. The government took temporary custody of the children and subsequently subpoenaed the research records, contending they were necessary to providing appropriate medical treatment to the children.

Critically, in this case, both sides agreed that the government learned about the children’s study participation through the researchers’ notification.69 Relying on People v. Still, the regulations, and the Certificate language (which allows the researcher to voluntarily disclose identifying information in instances of suspected child abuse), the Court concluded the researchers could “waive the right to refuse to disclose identifying information,”70 which they did when they voluntarily disclosed their concerns about the children’s welfare based on information from the children’s study participation. The Court went on to conclude that the policy of protecting the identity and records of research subjects must “give way to the extent necessary to accommodate the dominant public policy of protecting children.”71 As with the environmental exposure cases described above, the Court provided some confidentiality protections: it restricted the use of the records to providing treatment for the children, required disclosure of identifiable information only to the four children in custody,72 and prohibited the government from seeking to re-identify any research subject or to disclose information about them.73 It is unclear why the Department needed the research records, given that it had already obtained custody of the children and, thus, was in a position to provide medical treatment.

Experiences reported by institutional counsel

As reported in more detail elsewhere,74 legal counsel at major academic medical centers have described experiences similar to those reflected in the cases described above.75 In qualitative interviews (n=24), nearly all counsel had experience with legal demands for research data, and almost two-thirds reported having experience with demands for research data protected by a Certificate.76 Most cases that counsel described were civil, not criminal cases. Overall, counsel reported that usually they were able to resolve cases without going to court and without disclosure of identifiable data. Counsel described multiple strategies they had successfully used in protecting research data. In some cases, simply informing opposing counsel of the Certificate was sufficient. In others, counsel were able to persuade the requesting attorney to obtain the information from other sources. In some cases, counsel negotiated disclosure of non-identifiable data. Even when required to go to court, counsel indicated that they were often successful in protecting the data, although they typically relied on other legal protections, rather than the Certificate.

Implications of the Cases

Several lessons can be taken away from the cases we uncovered—reported and unreported—involving Certificates. First, the cases and the experiences of counsel suggest that Certificates generally function as intended. Counsel often are able to avoid both production of data and court fights over production by informing the requesting counsel about the Certificate and its protections. When data are produced, typically only limited data are produced to avoid identification;77 such production is consistent with the Certificate’s protection, although perhaps not with people’s ordinary understanding of the protections.78

Second, despite this seemingly reassuring picture of data protection, the cases reveal some important areas of concern. Significantly, the cases suggest uncertainty and confusion about Certificates and their protections. Specifically, despite the strong statutory language, it appears that when research data are sought, counsel and judges do not start by considering whether the Certificate protects the data, but rather by viewing the Certificate as one aspect among many to be considered. This approach, perhaps, is not so surprising given that lawyers encounter few Certificate cases in their careers and may not be familiar with them.79 Given how few cases go to court, judges are even less likely to encounter Certificates and, therefore, may be likely to approach demands for research data the same way they approach other discovery disputes about sensitive, confidential data. However, this apparent hesitancy to raise the Certificate as a primary argument to protect data may also reflect uncertainty about whether courts will uphold a Certificate’s protection. In interviews, counsel expressed concerns about the strength of the protections and reluctance to assert the Certificate when there were other protections on which to rely. As one counsel explained, “I guess the prevailing thought or position is that we don’t want to challenge [Certificates] in court and set precedent for the court saying they’re not effective.”80

Finally, judicial treatment of two critical issues related to the Certificate’s protections—waiver and identifiability—in some cases seems to validate counsels’ concerns about how Certificates will fare in the courts. With regard to waiver of a Certificate’s protections, the two issues that arise are 1) whether waiver has occurred, and 2) the scope of the waiver. In People v. Still, the court had to determine whether the methadone clinic could assert the Certificate’s protections against the district attorney’s subpoena, when the patient, Still, had revealed his relationship with the clinic and was relying on a letter from the clinic, provided at his request, to support his defense.81 The court appropriately concluded that Still’s disclosure constituted a waiver of the Certificate’s protections, although only with respect to records that would “aid in determining the veracity of the defendant’s claim of lawful possession of the methadone found on him.”82 In Still, the waiver was voluntary, purposeful, and limited in scope.

The opposite is true in the juvenile court case. While it is true that the researchers’ disclosure of the pediatric participants’ identity was voluntary, the ultimate extent of the waiver of the Certificate’s protections could hardly be said to be voluntary and purposeful, nor limited in scope. The judge interpreted the researchers’ disclosure of participant identities in order to report child neglect as a waiver of all the Certificate’s protections.83 This interpretation appears inconsistent with both the researchers’ intentions, as evidenced by their motion to quash the subpoena for the records,84 and with the intent of the Certificate statute and implementing regulations. Specifically, researchers can use a Certificate to resist compelled disclosure of identifying information, but the regulations and NIH’s Certificate kiosk make it explicit that the Certificate does not apply to voluntary disclosures. With respect to communicable disease, for example, NIH policy requires an agreement to comply with state disease reporting requirements in order to receive a Certificate.85 If disclosure of limited but identifiable information for reporting purposes waived the Certificate’s protections, this NIH policy would be nonsensical, because the agreement to report would render the Certificate’s protections meaningless. Such a broad interpretation of waiver also raises concerns that the Certificate’s protections could be waived inadvertently. From the juvenile court’s decision, it is not difficult to imagine a case where a researcher’s response, “I cannot give you Mary Smith’s records. She is in a research study protected by a Certificate,” is interpreted as a waiver of the protections because the researcher confirmed an identified person as a participant in the study.

The juvenile court case also highlights some problems concerning the concept of identifiability. In that case, the judge appears to consider only the identity (i.e., the names) to be protected. In the judge’s view, once the researchers revealed to the department the names of four children who were participating in the study, there was no reason to keep any data relating to them confidential.86 This interpretation appears to be too narrow. Certainly when Certificates’ protections only applied to research on illegal drug use, identity was the critical issue. Identifying someone as a participant in such a study revealed sensitive information about them—that is, that they had engaged in illegal activity. But even then, identity in and of itself was not the only issue. Rather, it was—and is—the individual’s identity in connection with some other information that the statute addresses (originally, use of illegal drugs) that creates the risk to participants. This point is reinforced in the illegal drug use context by considering that there are different legal penalties for possessing different types of drugs, as well as different levels of opprobrium and stigma attached to such use; for example, marijuana use is judged less harshly (and is even legal in some states) than heroin use. Thus, the harm to a person identified as a participant in a study of illegal drug use could be increased by also revealing specific information about her drug use. The importance of the connection between the data and the identity is evidenced in the way that NIH describes research topics that are appropriate for a Certificate’s protection, under the current, broader statute. For example, NIH lists “[s]tudies that gather information that if released could be damaging to a participant’s financial standing, employability or reputation within the community; [r]esearch involving information that might lead to social stigmatization or discrimination if it were disclosed” as studies eligible for a Certificate.87 This is consistent with the NIH definition of “identifying characteristics,” which not only lists specific identifiers, such as name and social security number, but notes that “any other item or combination of data about a research participant which could reasonably lead, directly or indirectly by reference to other information to identification of that research subject.”88 (emphasis added)

Viewed against this background, the juvenile court’s ruling is inconsistent with the purpose of the Certificate. Moreover, if other courts were to follow this approach, such decisions could ultimately stifle the type of research that Certificates are intended to encourage. While it seems likely that the court’s interest in protecting the health and well-being of the children factored into its ultimate decision to require disclosure of the data, it is not clear such disclosure was necessary to do so. Indeed, the researchers already had disclosed to the government their concerns about the children’s welfare, and, as a result, the government had custody of the children.89 It is difficult to understand how, under such circumstances, the research data could enhance the government’s ability to protect the children; the government could access medical records, as well as speak with the children, their doctors, and others to get information that might help in their care. Moreover, had the researchers understood that identified data would be subject to compelled disclosure if they reported their concerns, they may have hesitated to disclose, which would have decreased protection for the children.

III. OTHER STATUTORY CONFIDENTIALITY PROTECTIONS

Federal protections

The Certificate is not the only statutory protection for research data. The Department of Justice,90 Agency for Healthcare Quality and Research,91 and the Centers for Disease Control and Prevention,92 among others, have statutes protecting research that is conducted by or on behalf of the federal government about identifiable individuals or entities.93 These statutes differ from the Certificate authorizing statute in two important ways. First, they do not require that a researcher apply for the protections. Rather, the protections attach to all research within the scope of the statute. Second, they prohibit disclosure of any of the information collected, not just the identifiers.94 Accordingly, this avoids some of the problems arising with data that is not directly identified, but may, when coupled with other information, be identifiable.

The only guidance for any of these statutes comes from a 2001 AHRQ Memorandum on Statutory Confidentiality Protection of Research Data.95 The Agency interprets the restrictions of the statute as attaching to “any identifiable research data once it has been collected pursuant to AHRQ-supported programs or projects.”96 The terms of the statute are not time-limited—the obligation of protection does not end, even if the original statute is replaced.97 The memorandum acknowledges the lack of legal challenges to the AHRQ statute, but notes examples of potential legal challenges and also that the CDC has taken steps to avoid potential legal problems by negotiating solutions with parties to avoid a violation of its similar statute.98

State protections

A number of states have adopted statutes to protect research data from compelled disclosure. Some of these statutes are similar to the federal statutes described above, in that they broadly protect data derived from research conducted by or for a state agency.99 Other states have adopted protections that are specific to certain types of research, rather than research conducted by or for a particular state agency. These tend to be for research involving potentially stigmatizing topics, such as mental health (Hawaii100), HIV/AIDS (California101), and genetics (Arkansas and Oklahoma102).

One of the strengths of these statutes compared to the Certificate statute is that the protection attaches to all research within the statute’s scope, either by topic or under the aegis of the state entity, rather than requiring a researcher to know about and apply for the protection. In some cases, the protection afforded is stronger than that offered by the Certificate.103 For example, the Maryland, North Dakota, and South Dakota statutes explicitly limit the use of the data for purposes other than research.104 In addition, these statutes refer to any disclosure, not just compelled disclosure.105 Similarly, the Arkansas and Oklahoma statutes allow disclosure for litigation only if the data form the basis of the claims.106 Several of these do not appear to be limited to identifiable information, even though they may permit publication of aggregate information.

Although these laws have important strengths compared to a Certificate, they may ultimately be less protective because, as state laws, they may not be able to prevent disclosure where federal law permits or even requires the disclosure.

IV. OTHER AVAILABLE PROTECTIONS

Our interviews with counsel and our review of the cases suggest that there are a variety of legal tools beyond Certificates that can be used to try to protect sensitive, identifiable data from compelled disclosure.107

First, our interviews and the cases serve as a reminder of the general discovery tools that are available when research data are subpoenaed. Counsel can, and should (where appropriate), object to demands, for example, on the grounds of relevance, materiality, breadth, and burden.108 Objections can form the basis for negotiating limits on the subpoena, such as excluding identifiers, or, if necessary, for moving to quash the subpoena.109 The counsel with whom we spoke reported that they frequently are successful in limiting requests using these types of tools. If disputes do go to court, protective orders provide another mechanism for protecting data.110 As our case examples demonstrate, the protective order can be used not only to limit disclosure of identifiable components of data, but also to limit who has access to the data and how they can be used (e.g., limited to the lawsuit in which they were subpoenaed), forbid attempts to re-identify, and require destruction of data held by the requesting party when the litigation ends.

Second, some counsel reported success in protecting data based on First Amendment claims and/or a researcher’s privilege, a concept akin to a reporter’s privilege. These claims have been successful particularly when the data have not yet been published, recognizing the researchers’ interests in the fruits of their labor and in choosing how and when to publish.111

V. DISCUSSION

Certificates of Confidentiality and other confidentiality statutes and legal doctrines can be effective tools for protecting sensitive, identifiable research data. However, problems have been identified with understanding about Certificates and their implementation,112 and, as our discussion demonstrates, their protections can be vulnerable to judicial interpretation. In this section, we offer recommendations to improve understanding about Certificates, minimize the vulnerabilities in Certificates identified through our analysis, and strengthen the Certificate’s protection.113

Education regarding Certificates

The Secretary’s Advisory Committee on Human Research Protections (SACHRP) recently recommended better guidance for IRBs on informing researchers about Certificates and suggested that IRBs may want to include questions about Certificates on their application forms.114 We agree with this recommendation, and would expand on that recommendation to include better guidance for university counsel and others who may be involved in the IRB process. Our research suggests that IRBs’ understanding of Certificates is lacking and more education is needed.115 IRBs play a key role in identifying studies for which a Certificate may be appropriate and researchers likely look to the IRB for guidance about the use of Certificates; thus, it is essential that they have accurate information. Lack of understanding may explain why IRBs do not recommend or require Certificates for the full range of studies in which they may be beneficial.116 If they are not alerted to the existence of such protections, researchers may not apply for a Certificate for studies that would benefit from a Certificate’s protections. SACHRP’s suggestion that IRBs include questions about Certificates in the application process is one way to make researchers aware of this tool.117

Any such education should also include instructions for avoiding inadvertent waiver of the Certificate’s protections or expansion of the scope of any waiver. For example, researchers may want to avoid explicitly confirming the participation of any individual when research data are requested and to limit the amount of data shared in response to any request—compelled or otherwise.118 Scrupulously following confidentiality measures will make it easier for an attorney to argue for keeping the data confidential.

Increasing appropriate use of Certificates in the ways just described is not enough to ensure appropriate protections. IRBs, researchers, and their counsel need to understand what they should do if they receive a legal demand.119 Institutions should have policies to ensure prompt responses to such demands, including established procedures that researchers should follow if they receive a subpoena. At a minimum, such policies should require notification of appropriate legal counsel as soon as possible to enable counsel to develop a timely response. It would also be appropriate to notify the IRB and, if applicable, the project officer and the Certificate coordinator at the NIH institute issuing their Certificate because of the potential threat to data confidentiality.120 This might facilitate better collection of information about legal demands.

We recognize that, for good reasons, counsel may be unfamiliar with Certificates; three-quarters of the counsel we interviewed saw only a few legal demands for human subjects research data, with or without a Certificate, in their careers.121 Accordingly, to prepare adequate, timely responses, counsel need access to information about legal strategies that have been successful in protecting research data. Because this information is rarely available in reported cases, the shared experiences, such as those we have collected, are vital;122 NIH and professional organizations, such as the National Association of College and University Attorneys and the American Health Lawyers Association, should help to gather and communicate those experiences so that they are available to institutional counsel when they need them.

Strengthening Certificate’s protections

SACHRP recommended some changes to the laws concerning Certificates to strengthen its protections.123 This includes a recommendation to expand the Certificate’s protections to non-identified data, at least where reidentification is possible. We agree that expansion of the Certificate’s protection is needed.124 When the Certificate protection was first adopted in 1970, the focus on name and other direct identifiers made sense. Particularly in its earliest incarnation, the risk to individuals came from being identified as a user of illegal drugs. However, as technology has advanced, concerns about how data may be used and how to protect private information have evolved. Some have begun to fear that re-identification of individuals may be possible no matter how many “identifying characteristics” have been removed from released data.125 A number of recent examples lend credibility to this fear.126

While examples of re-identification animate the broader debate about whether de-identification is ever feasible, for our purposes, they serve to illustrate how the world has changed since Certificates were first adopted in 1970, and to suggest that our understanding of what Certificates protect needs to adapt to that world. In particular, to keep confidentiality promises to participants, the research community needs to be prepared to articulate how seemingly unidentified data could be “readily identifiable” and, therefore, should be protected by a Certificate.

Amending the statute to address under what circumstances data are considered “identifiable” in light of technological and informational advances would be the strongest approach.127 However, there are also drawbacks to this strategy. First, a statute may not be flexible enough to keep up with rapidly changing technology and increasing availability of information. Some of the specifics may be better addressed through regulations or guidance, which are more easily changed. Second, in the current political environment, getting any legislation passed is challenging, and, thus, it may not be feasible to implement statutory change. Of course, there are political considerations to the regulatory process as well, which may limit the ability to effectuate change.128

An alternative approach is for NIH to issue clarifying guidance on these topics. While such guidance can be useful to individuals interacting with the agency (e.g., in this case, can enhance researchers’ and IRBs’ understanding of Certificates), it also has legal significance. While not entitled to as much deference as regulations that interpret a statute that is silent or ambiguous on an issue,129 agency guidance is entitled to some deference by reviewing courts.130

While deference is not guaranteed, HHS should take advantage of the experience it has with Certificates to educate courts about their purpose and scope. It already does so to some extent through the NIH Certificate kiosk. The kiosk contains a wide variety of information, from basic instructions for investigators, to information about the statute authorizing Certificates, to contact information for NIH legal counsel.131 However, HHS could expand this information to provide more guidance regarding how it views the Certificates it grants, issues that have arisen, and how those issues have been resolved.132 Provided the guidance is consistent with its overall position, which has supported strong confidentiality protections, courts would likely welcome guidance on this otherwise unfamiliar topic. Even if more detailed guidance from HHS does not get deference in judicial decision-making, such guidance can be beneficial from an educational standpoint and provide important, practical information to those confronting a legal demand involving a Certificate.133 In any event, issuing guidance is likely to be the easiest to accomplish134 and, therefore, may be a good short-term strategy.

Improving communication to research participants about Certificate protections

We previously concluded that the mixed opinions expressed by IRB Chairs about the extent of Certificate protections “may be due, in large part, to true uncertainty in the field rather than misunderstanding or lack of knowledge.”135 This uncertainty contributes to challenges in simply and accurately describing the Certificate’s protections to research participants, potentially leading to heightened concern or false reassurance.136 IRB chairs and institutional legal counsel both expressed dissatisfaction with the NIH’s sample consent language, although it appears few institutions have attempted to simplify it.137 Our interviews with prospective research participants give some support for these concerns. While most interviewees were neither reassured nor alarmed by information about Certificates, a higher proportion who read the NIH standard description said that it raised new concerns compared to those who read our simplified version.138 In addition, a higher proportion of those who read the NIH standard description reported sections of the description were unclear.

Conclusion

Our research demonstrates that Certificates have generally been effective as a deterrent to legal demands for research data and may be useful when disputes end up in court. However, those protections have some vulnerabilities, particularly arising from changing technological and informational advances. IRBs, researchers, and, presumably, research participants rely on Certificates to protect sensitive, identifiable research data and facilitate research on important public health issues. We owe it to them to ensure those protections are used appropriately and are as strong as possible. Combined with SACHRP’s recommendations, we believe our recommendations present realistic strategies for improving understanding of Certificates and addressing some of the uncertainty concerning their protections.

Acknowledgments

This project was supported by Award Number R01HG005087 from the National Human Genome Research Institute (NHGRI). The content is solely the responsibility of the authors and does not necessarily represent the official views of NHGRI or the National Institutes of Health. The authors would like to thank their other colleagues on the project, Kevin Weinfurt, PhD, Alexandra Cooper, PhD, Emily Namey, MA, and Devon Check, BA, for their input and support. The authors would also like to thank the expert advisory group for their helpful comments and suggestions throughout this project: Mark Barnes, JD, LLM, John Falletta, MD, William E. Freeman, JD, Bernard L, MD, John Merz, MBA, JD, PhD, Lawrence Muhlbaier, PhD, Pearl O’Rourke, MD, Mark Rothstein, JD, Marjorie Speers, PhD, and Jeremy Sugarman, MD. This paper is adapted from the following previously published article: Wolf LE, Dame LA, Patel MJ, Williams BA, Austin JL, Certificates of Confidentiality: Protecting human subject research data in law and practice, Minnesota Journal of Law, Science & Technology, 14(1): 11-87 (2013)(http://purl.umn.edu/144219).

Biographies

Leslie E. Wolf received her J.D. in 1991 from Harvard Law School in Cambridge, Massachusetts and her M.P.H. in 1997 from Johns Hopkins School of Public Health in Baltimore, Maryland.

Mayank J. Patel received his J.D. in 2012 from Georgia State University College of Law in Atlanta, Georgia and his M.P.H. in 2009 from the George Washington University in Washington, D.C. He was a research assistant with Professor Wolf from 2010-2012.

Brett A. Williams Tarver received her J.D. in 2012 from Georgia State University College of Law in Atlanta, Georgia. She was a research assistant with Professor Wolf from 2010-2012.

Jeffrey L. Austin received his J.D. in 2012 from Georgia State University College of Law in Atlanta, Georgia. He was a research assistant with Professor Wolf from 2010-2012.

Lauren A. Dame received her J.D. in 1983 from Harvard Law School in Cambridge, Massachusetts and her M.P.H. in 1992 from the Harvard School of Public Health in Boston, Massachusetts.

Laura M. Beskow received her M.P.H. in 1995 from Boston University and her Ph.D. in Health Policy and Administration with a minor in Epidemiology in 2005 from the University of North Carolina in Chapel Hill, North Carolina.

Contributor Information

Leslie E. Wolf is Professor of Law at Georgia State University College of Law in Atlanta, Georgia, and Director of the GSU Center for Law, Health & Society.

Mayank J. Patel is an attorney with Jones Day in Atlanta, Georgia.

Brett A. Williams Tarver is an attorney with Insley & Race in Atlanta, Georgia.

Jeffrey L. Austin is a research associate with the University of North Carolina School of Government in Chapel Hill, North Carolina.

Lauren A. Dame is Associate Director of Graduate Studies, MA in Bioethics and Science Policy at Duke University and a Senior Lecturing Fellow at Duke University School of Law in Durham, North Carolina.

Laura M. Beskow is Associate Professor with the Duke Clinical Research Institute and the Duke University School of Medicine, Department of General Internal Medicine.

References

  • 1.See, e.g., Allen JR, Curran JW. Prevention of AIDS and HIV Infection: Needs and Priorities for Epidemiological Research. American Journal of Public Health. 1988;78:381–386. doi: 10.2105/ajph.78.4.381. Curran JW, Jaffe HW. AIDS: the Early Years and CDC’s Response. Morbidity and Mortality Weekly Report. 2011;60:S64–69. Scholars have discussed the value of Certificates to a wide range of research topics. See, e.g., Wolf LE, Lo B. Practicing Safer Research: Using the Law to Protect the Confidentiality of Sensitive Research Data. IRB: Ethics & Human Research. 1999 Sep-Oct;:4–7. 4. discussing Certificates and HIV research. Melton GB. Certificates of Confidentiality Under the Public Health Service Act: Strong Protection but Not Enough. Violence and Victims. 1990;5(1):67–71. 68–69. discussing Certificates and research on violence. Hoagwood K. The Certificate of Confidentiality at the National Institute of Mental Health: Discretionary Considerations in Its Applicability in Research on Child and Adolescent Mental Disorders. Ethics and Behavior. 1994;4(2):123–131. 123–124. doi: 10.1207/s15327019eb0402_5. discussing Certificates and mental health research. Coffey MJ, Ross L. Human Subjects Protections in Genetic Research. Genetic Testing. 2004;8:209–213. 209–210. doi: 10.1089/gte.2004.8.209. discussing Certificates and genetic research. Cooper ZN, Nelson RM, Ross LF. Certificates of Confidentiality in Research: Rationale and Usage. Genetic Testing. 2004;8:214–220. 214. doi: 10.1089/gte.2004.8.214. discussing Certificates and genetic research. Earley CL, Strong LC. Certificates of Confidentiality: A Valuable Tool for Protecting Genetic Data. American Journal of Human Genetics. 1995;57(3):727–731. 727. discussing Certificates and genetic research. Lutz KF, et al. Use of Certificates of Confidentiality in Nursing Research. Journal of Nursing Scholarship. 2000;32(2):185–188. 185. doi: 10.1111/j.1547-5069.2000.00185.x. (2000) (discussing Certificates and nursing research)
  • 2.Wolf and Lo, supra note 1, at 5 (explaining the obligations stem from the ethical principles of beneficence, which require researchers to minimize risks, and respect for persons); see also 45 C.F.R. §§ 46.111(a)(1), (a)(7) (2013) (containing the principles which form the foundation for the Common Rule, which explicitly obligates researchers to minimize risk and, “when appropriate,” to maintain confidentiality of data and the privacy of subjects).
  • 3.See, e.g., Farnsworth v. Procter & Gamble Co. 1985. pp. 1546–47. 758 F.2d 1545. detailing that industry sought data from Toxic Shock Syndrome studies for use in products liability action. Deitchman v. E.R. Squibb & Sons, Inc. 1984. pp. 557–58. 740 F.2d 556. detailing that industry sought data from cancer registry in connection with products liability action relating to use of diethylstilbestrol (DES) See also, Confidentiality Order Re WHI Study Data, In re PremPro Products Liability Litigation, No. 4:03–CV–01507–WRW (E.D. Ark. Feb. 1, 2005); Order Re: Motion to Quash Subpoenas Re Yale Study’s Hospital Records, In re Phenylpropanolamine Products Liability Litigation, No. 1407 (W.D. Wash. Aug. 19, 2002). These requests may include request for identifiable data, even if not necessary. See Skolnick AA. Science Writers: Newsletter of the National Association of Science Writers. Berkeley, Cal.: 1994. Summer. Burning Mad Tobacco Industry Turns Heat on Major News Media. available at http://www.aaskolnick.com/naswtob.htm. Barinaga M. Who Controls a Researcher’s Files. Science. 1992;256(5064):1620–21. 1620. doi: 10.1126/science.256.5064.1620. Concern about the impact of such requests on researchers led to changes to the Georgia evidence law Ga. Code Ann. § 24-122 (2011).
  • 4.Jaschik S. Another Subpoena for Research. Inside Higher Education. 2010 Aug 13; http://insiderhighered.com/news/2010/08/013/arizona (referring to Boston College oral history project on the Northern Ireland “troubles” as a prime example where interest in the data is unsurprising); Marshall E. Court Orders ‘Sharing’ of Data. Science. 1993;261(5119):284–286. 285. doi: 10.1126/science.261.5119.284; Gray JN, Lyons PH, Melton GB. Ethical and Legal Issues in AIDS Research. The Johns Hopkins University Press; Baltimore, MD: 1995. pp. 13–17, 63–68. explaining that HIV researchers have long been cognizant that the research they conduct could put their participants at risk of criminal prosecution based on their sexual or drug-using behaviors.
  • 5.Wolf LE, et al. Certificates of Confidentiality: Legal Counsels’ Experiences with and Perspectives on Legal Demands for Research Data. Journal of Empirical Research on Human Research Ethics. 2012;7(4):1–9. 3. doi: 10.1525/jer.2012.7.4.1. providing an example of demographic data, including income, that might be sought for custody and child support purposes.
  • 6.See Wolf and Lo, supra note 1, at 5.
  • 7.42 U.S.C. § 241(d) (2006).
  • 8.Beskow LM, et al. Institutional Review Boards’ Use and Understanding of Certificates of Confidentiality. Public Library of Science One. 2012 Sep 4;7(9):1–10. 1. doi: 10.1371/journal.pone.0044050.
  • 9.See Penslar RL. Institutional Review Board Guidebook. Department of Health and Human Services Office for Protection from Research Risks; [last accessed August 9, 2014]. 1993. Basic IRB Review. available at http://www.hhs.gov/ohrp/archive/irb/irb_guidebook.htm. (“IRBs should determine the adequacy of the provisions to protect the privacy of subjects and to maintain the confidentiality of the data and, where the subjects are likely to be members of a vulnerable population (e.g., mentally disabled), determine that appropriate additional safeguards are in place to protect the rights and welfare of these subjects.”); see also Wolf and Lo, supra note 1, at 5 (describing the legal and ethical bases for the obligation to maintain confidentiality).
  • 10.Wolf and Lo, supra note 1, at 5.
  • 11.45 C.F.R. § 46.101 (2013). The Department of Health and Human Services (HHS) regulations governing the conduct of research involving human subjects apply to research that is funded through that department, including the National Institutes of Health (NIH) and the Centers for Disease Control and Prevention (CDC), which together support the greatest amount of federally funded research. Another 17 agencies have agreed to abide by these regulations for their research. Accordingly, the HHS regulations are referred to as the Common Rule. Department of Health and Human Services, Federal Policy for the Protection of Human Subjects (‘Common Rule’), http://www.hhs.gov/ohrp/humansubjects/commonrule/index.html (last accessed August 9, 2014); see also 21 C.F.R. §§ 50, 56 (2013) (Food and Drug Administration (FDA) regulations that are substantially similar to the Common Rule). For a comparison between these regulations, see U.S. Food and Drug Administration, Comparison of FDA and HHS Human Subjects Protection Regulations, http://www.fda.gov/ScienceResearch/SpecialTopics/RunningClinicalTrials/educationalmaterials/ucm112910.htm (last accessed August 14, 2014).
  • 12.Common Rule, 45 C.F.R. § 46.111(a)(7).
  • 13.Common Rule, 45 C.F.R. § 46.111(a)(1).
  • 14.Common Rule, 45 C.F.R. § 46.101(b)(4).
  • 15.See, e.g., Basic IRB Review, supra note 9 (discussing expectations of privacy and confidentiality in biomedical research compared to social/behavioral research).
  • 16.See Wolf and Lo, supra note 1, at 4.
  • 17.See Basic IRB Review, supra note 9 (regarding “Privacy and Confidentiality.”).
  • 18.See Wolf and Lo, supra note 1, at 5.
  • 19.Comprehensive Drug Abuse Prevention and Control Act of 1970, Pub. L. No. 91-513, 84 Stat. 1236, 1241 (1970). This Act also granted the Attorney General similar authority. In practice, DOJ appears to rely on the protections afforded under 42 U.S.C. § 3789g for research it oversees or funds, as described more fully below.
  • 20.Comprehensive Narcotic Addiction and Drug Abuse Care and Control Act of 1969: Hearings on S. 2608, S. 2637, S. 1816, S. 1895, H.R. 11701, and H.R. 10342 Before the Special Subcommittee on Alcohol and Narcotics of the S. Comm. on Labor and Public Welfare, 91st Cong. 93, 98 (1969).
  • 21.Comprehensive Narcotic Addiction Hearings, supra note 20, at 98.
  • 22.In 1974, the range of research eligible for protection was broadened from research on “the use and effect of drugs” to research on “mental health, including research on the use and effect of alcohol and other psychoactive drugs.” Comprehensive Alcohol Abuse and Alcoholism Prevention, Treatment, and Rehabilitation Act Amendments of 1974, Pub. L. 93-282, 88 Stat. 125, 132–33 (1974). In 1988, the law re-designated the Certificate authorization language (among others) to 42 U.S.C. § 241(d) while simultaneously broadening the protections to all types of research methods and any research topic where breach of confidentiality of individual information could harm that individual. Health Omnibus Programs Extension of 1988, Pub. L. 100-607, 102 Stat. 3048 (1988).
  • 23.42 U.S.C. § 241(d) (2012).
  • 24.42 U.S.C. § 241(d) (2012); and 21 U.S.C. § 872(c) (2012). The NIH website on Certificates of Confidentiality recognizes the broad range of research that may collect sensitive, identifiable research data including research on: “HIV, AIDS and other STDS … sexual attitudes, preferences, or practices … use of alcohol, drugs, or other addictive products … illegal conduct … information that if released could be damaging to a participant’s financial standing, employability, or reputation within the community … information that might lead to social stigmatization or discrimination if it were disclosed … psychological well being or mental health … [g]enetic studies, including those that collect and store biological samples for future use; [and] … behavioral interventions and epidemiologic studies.” Office of Extramural Research. National Institutes of Health [last accessed August 9, 2014];Frequently Asked Questions (FAQs) on Certificates of Confidentiality, #C3. (last revised June 20, 2011) http://grants.nih.gov/grants/policy/coc/faqs.htm.
  • 25.See Protection of Identity—Research Subjects, 42 C.F.R. § 2a (2013) These regulations have been unchanged since 1979 and, thus, do not reflect the full scope of the research that is eligible for protection.
  • 26.42 C.F.R. § 2a.2(g) (2013).
  • 27.42 C.F.R. §§ 2a.1, 2a.3 (2013). The regulations, which have not been modified since 1979, refer to NIH institutes, although other parts of HHS, such as the CDC, issue Certificates.
  • 28.See 42 C.F.R. § 2a.4 (2013). (The application must include a “specific request, signed by the individual primarily responsible for the conduct of the research, for authority to withhold the names and other identifying characteristics of the research subjects and the reasons supporting such request.”) 42 C.F.R. § 2a.4(f) (2013).
  • 29.42 C.F.R. § 2a.4(j) (2013).
  • 30.See Wright CA, Miller AR, et al. Federal Practice and Procedure §3914.23. 2d ed. Thomson West; St. Paul, Minn: 2012. describing the lack of finality of most discovery orders and, thus, the inability to get judicial review of them.
  • 31.People v. Newman, 298 N.E.2d 651 (N.Y. 1973).
  • 32.Beskow LM, Dame L, Costello EJ. Certificates of Confidentiality and Compelled Disclosure of Data. 2008;322(5904):1054–5. doi: 10.1126/science.1164100.
  • 33.Newman, 298 N.E.2d at 653.
  • 34.Newman, 298 N.E.2d at 653; see also People v. Newman, 336 N.Y.S.2d 127, 129 (App. Div. 1972).
  • 35.Newman, 298 N.E.2d. at 654. Dr. Newman also claimed state law physician-patient privilege protected the photographs, a claim the Court quickly rejected because the photographs were collected for administrative, rather than treatment purposes. Id. at 653.
  • 36.Newman, 298 N.E.2d at 654. Unlike the absolute protections under the 1970 Act, 21 U.S.C. §1175 under the 1972 Act provided drug treatment records were confidential, but permitted disclosure for purposes outlined in the statute, including disclosure based upon a court order after a showing of good cause. 21 U.S.C. § 1175 (1976).
  • 37.Newman, 298 N.E.2d. at 654.
  • 38.Newman, 298 N.E.2d at 655–56. Accord, State v. White, 363 A.2d 143, 151–52 (Conn. 1975) (distinguishing between the absolute confidentiality of the 1970 Act compared to the qualified confidentiality of the 1972 Act). In contrast, the 1972 Act “covered a wide range of programs and activities (‘drug abuse prevention functions’) in which absolute confidentiality was not regarded as a prerequisite to the successful operation of the programs,” the confidentiality requirements were necessarily different from those in the 1970 Act. Newman, 298 N.E.2d at 656.
  • 39.People v. Still, 369 N.Y.S.2d 759 (App. Div. 1975).
  • 40.Still, 369 N.Y.S.2d at 762.
  • 41.Still, 369 N.Y.S.2d. at 763.
  • 42.Still, 369 N.Y.S.2d. at 765.
  • 43.North Carolina v. Bradley, 634 S.E.2d 258 (N.C. Ct. App. 2006).
  • 44.Bradley, 634 S.E.2d at 260. The protective order was issued after an initial order to produce the documents, which would have permitted the study documents “to be read by the state’s chief investigating officer, the witness, the District Attorney’s office staff, the defendant and his wife, the Public Defender’s office staff, the Assistant Public Defender, and any expert the defendant or state might consult.” Beskow, supra note 33, at 1054. Additionally, the trial judge had no prior experience with Certificates and, like the appellate court, focused first on whether the defendant had met a burden to demonstrate a need for the documents. Id.
  • 45.Bradley, 634 S.E.2d at 260.
  • 46.Bradley, 634 S.E.2d at 261.
  • 47.Bradley, 634 S.E.2d at 261.
  • 48.According to the court, the matters potentially contained in the Duke records were “at best tangential” to the case and, thus, could not have been used by Bradley to impeach his granddaughter, even if there were evidence of inconsistent statements. Bradley, 634 S.E.2d at 262–63.
  • 49.Bradley, 634 S.E.2d at 262.
  • 50.Beskow, supra note 33.
  • 51.Order Granting Defendant Philip Morris’ Motion to Compel Production of Documents in Response to Subpoena Duces Tecum; Protective Order, Murphy v. Philip Morris Inc., No. CV 99–7155–RAP (JWJx) (C.D. Cal. Mar. 17, 2000).
  • 52.Philip Morris Order at 4.
  • 53.Philip Morris Order at 5 (citing 45 C.F.R. § 46.116(a)(1)–(5) (part of the Common Rule) and 42 U.S.C. § 241(d) (the Certificate authorizing statute)).
  • 54.Philip Morris Order at 4–5.
  • 55.As one of several arguments, USC’s counsel asserted that “45 C.F.R. Section 46.116(a)(1)-(5) [part of the consent sections of the Common Rule], coupled with 42 U.S.C. 241(d), set the minimum federal privacy requirements that must be observed” and then went on to quote the Certificate statutory language. Opposition of Third Party University of Southern California to Defendant Philip Morris’ Motion to Compel Production of Documents in Response to Subpoena Duces Tecum to Records Custodian and/or to Dr. Anna Wu, Murphy v. Philip Morris Inc., No. 99-07155 CM (JWJx) (C.D. Cal. Aug. 26, 1999) at 20 (on file with author). To understand the reference, we obtained court documents relating to the motion to compel from the National Archive in Southern California. These documents are available from the authors.
  • 56.A review of papers filed in opposition to the motion reinforces that this is a misunderstanding. These quote portions of the consent form referring to general confidentiality promises, but no reference to the NIH-required Certificate language. The quoted sections are consistent with the language in the California Department of Health consent forms attached to its opposition to the motion to compel (on file with the authors), as well as Dr. Wu’s description of the consent process in the study during the hearing before the Honorable Jeffrey W. Johnson (on file with the authors).
  • 57.Reported cases are those cases that are published out of a particular jurisdiction or court. Appellate cases are typically published, whereas trial court decisions often are not. (The federal district courts publish select decisions in official reporters.) Reported cases form precedent that may be followed by other courts. See Introduction to Legal Research: Judicial Branch (case law) http://libguides.law.gsu.edu/content.php?pid=154797&sid=1312331. However, sometimes non-reported decisions may be collected, particularly in the electronic age. While these decisions have less precedential value than reported cases, they may be useful to courts in making decisions, particularly on topics for which there is little precedent.
  • 58.To identify cases that have not reached the appellate level, we searched the “All Federal and State Briefs and Motions, Combined” database on Lexis and “Trial Motions” database on Westlaw for all cases that referred to the Certificate statute, regulations, or key words “Certificate” and “confidentiality” in close proximity. We note that neither of these databases is comprehensive. We also conducted searches on Google for additional cases, using similar approaches. If we identified a case through these means, but did not find relevant documents (e.g., moving papers or order), we sought to obtain those documents through appropriate sources, including the PACER database for federal cases, on-line state databases, and contacting the state court.
  • 59.Order Re: Motion to Quash Subpoenas Re Yale Study’s Hospital Records, In re Phenylpropanolamine (PPA) Products Liability Litigation, No. 1407 (W.D. Wash. Aug. 19, 2002); Confidentiality Order Re WHI Study Data, In re PremPro Products Liability Litigation, No. 4:03–CV–01507–WRW (E.D. Ark. Feb. 1, 2005).
  • 60.Dummit v. CSX Transport., Inc., No. 01–C–145 (Cir. Ct. W. Va. Nov. 21, 2006) (on file with author).
  • 61.PremPro and PPA. PPA Order, supra note 60, at 2, Memorandum in Opposition to Wyeth’s Motion to Compel and Motion for Protective Order Re Production of Records by Fred Hutchinson Cancer Research Center, a Non-Party Witness, In re PremPro Products Liability Litigation, No. 4:03-CV-01507-WRW (E.D. Ark. Nov. 30, 2004), at 7–8.
  • 62.In the CSX case, the parties came to the hearing on the motion to compel having reached an agreement
  • 63.PremPro Order, supra note 59, at 1; Transcript of Hearing on Motion to Quash/Motion for Protective Order at 3, Dummit v. CSX Transportation, Inc., 01–C–145 (Cir. Ct. W. Va. Dec. 7, 2006) (on file with author).
  • 64.Louisville Branch–Nat’l Ass’n for the Advancement of Colored People, 06–ORD–094 Op. Ky. Att’y Gen. (2006)(open records decision).
  • 65.Louisville, supra note 64, at 1–2. The results of the study were reported in “Racial Fairness in Sentencing: A Case Study of Selected Crimes in Jefferson County.”
  • 66.Louisville, supra note 64, at 11.
  • 67.The NIH defines “identifying” as “any other item or combination of data about a research participant which could reasonably lead, directly or indirectly by reference to other information, to identification of that research subject.” Louisville, supra note 64 at 12. See also Certificate FAQs, supra note 24, at B2
  • 68.Memorandum of Decision on Motion to Quash, Connecticut Superior Court for Juvenile Matters. Jud. Dist. Hartford; Jul 1, 2003.
  • 69.Juvenile Court decision, supra note 68, at 9.
  • 70.Juvenile Court decision, supra note 68, at 10.
  • 71.Juvenile Court decision, supra note 68, at 16. Of course, the researchers recognized the interest in protecting the children by contacting the Department about their concerns. Although we do not have access to the consent form in this case, researchers who obtain a Certificate are required to include any circumstances in which they will reveal identifiable information in the consent form. 42 C.F.R. § 2a.4(j) (2013). See also the sample consent language in United States Department of Health & Human Services, National Institutes of Health, Detailed Application Instructions for Certificate of Confidentiality: Extramural Research Projects, http://grants.nih.gov/grants/policy/coc/appl_extramural.htm (last updated January 16, 2014) (last accessed August 9, 2014). In doing so, they typically indicate that they will reveal information about the abuse, but not everything that they have learned about the participant through the study. See, e.g., University of California San Francisco Committee on Human Research, Consent Process–Certificate of Confidentiality, http://www.research.ucsf.edu/chr/Recruit/chrConsentCertConf.asp (last updated April 23, 2013) (last accessed August 9, 2014).
  • 72.It is not clear from the Juvenile Court’s decision whether the Department sought access to records beyond the four children over whom the Department had temporary custody. Unfortunately, we do not have access to the parties’ papers to answer this question.
  • 73.Juvenile Court decision, supra note 68, at 17.
  • 74.Wolf, supra note 5.
  • 75.Wolf, supra note 5. The results are based on semi-structured interviews with 24 institutional legal counsel.
  • 76.Wolf, supra note 5, at 3.
  • 77.This is what happened in the PPA, supra note 60, Prempro, supra note 60, and CSX, supra note 61, cases, as well as in cases described by counsel in our interviews. As described in these cases, a protective order typically was also issued with additional confidentiality obligations, such as limiting access to the data and promising not to reidentify subjects using other available data. However, such protections may not always be sufficient. One counsel in our interviews described a circumstance in which research data (not protected by a Certificate) was ordered produced in a deidentified form, but where the counsel felt deidentification was not truly feasible because of the small number of subjects (under 20) and the specificity of the data collected (unpublished data). Wolf, supra note 5.
  • 78.In our interviews with legal counsel, one respondent described learning that the Certificate protects only identifiable data, “contrary to some people’s assumptions.” Wolf, supra note 5, at 4. Some IRB Chairs reflected the assumption that the Certificate protected all data, with one describing a researcher with a Certificate as being “free of the obligation to deliver data in a lawsuit.” Beskow, supra note 8, at 5.
  • 79.Wolf, supra note 5, at 3. This lack of familiarity may explain counsel’s reliance on the Certificate as a general confidentiality obligation in the Philip Morris case and the court’s perpetuation of this error.
  • 80.Id.
  • 81.People v. Still, 369 N.Y.S.2d at 761 (App. Div. 1975).
  • 82.Id. at 765.
  • 83.Juvenile Court decision, supra note 68, at 11.
  • 84.Juvenile Court decision, supra note 68, at 1.
  • 85.U.S. Department of Health & Human Services, National Institutes of Health, Reporting of Communicable Diseases Policy (Aug. 9, 1991), http://grants.nih.gov/grants/policy/coc/cd_policy.htm (last accessed August 9, 2014).
  • 86.Juvenile Court decision, supra note 68, at 10.
  • 87.Certificate FAQs, supra note 24, B1.
  • 88.Certificate FAQs, supra note 24, B2.
  • 89.Memorandum, supra note 68, at 1, 9.
  • 90.42 U.S.C. § 3789g(a) (2010). Importantly, the statute provides: “Such information and copies thereof shall be immune from legal process, and shall not, without the consent of the person furnishing such information, be admitted as evidence or used for any purpose in any action, suit, or other judicial, legislative, or administrative proceedings.” There have been few cases interpreting the protections, although there are several Ohio cases affirming withholding records because of the statute’s protections. See, e.g., State ex rel. Multimedia, Inc. v. Snowden, 647 N.E.2d 1374 (Ohio 1995); State ex rel. Johnson v. City of Cleveland, 603 N.E.2d 1011 (Ohio 1992). But cf. State ex rel. Attorney Gen. v. First Judicial Dist. Court, 629 P.2d 330 (N.M. 1981) (documents were not protected because the federal funds were awarded only after investigation was completed).
  • 91.42 U.S.C. §299c–3(c) (2010). Similar to the DOJ version, the AHRQ statute provides that “Such information may not be published or released in other form if the person who supplied the information or who is described in it is identifiable unless such person has consented (as determined under regulations of the Director) to its publication or release in other form.”
  • 92.42 U.S.C. § 242m (2010). The CDC statutory protection is essentially the same as the AHRQ statute.
  • 93.Other federal departments and agencies may offer similar protections, but we have identified these three because two (the DOJ and AHRQ) are mentioned in the frequently asked questions on the NIH Certificate Kiosk, FAQs on Certificates, supra note 24, and the third (CDC) is mentioned in connection with the AHRQ statute. For a more in-depth discussion of these statutes, see Wolf LE, et al. Certificates of Confidentiality: Protecting human subject research data in law and practice. Minnesota Journal of Law, Science & Technology. 2013;14(1):11–87. http://purl.umn.edu/144219.
  • 94.For example, the DOJ statute says no one to whom it applies “shall reveal any research or statistical information” when a person is identifiable, 42 U.S.C. § 3789g; the AHRQ and CDC statutes say that “no information … may be used” when an individual is identifiable, 42 U.S.C. § 299c-3 and 42 U.S.C. § 242m. Contrast the Certificate statute, which refers to “withholding of names or other identifying characteristics.” 42 U.S.C. § 241(d).
  • 95.Memorandum from Susan Greene Merewitz, Senior Attorney, Agency for Healthcare Research & Quality, to Nancy Foster, Coordinator for Quality Activities, Agency for Healthcare Research & Quality (Apr. 2001), available at http://www.ahrq.gov/fund/datamemo.htm (last accessed August 9, 2014).
  • 96.Merewitz Memorandum, supra note 95.
  • 97.Merewitz Memorandum, supra note 95.
  • 98.Merewitz Memorandum, supra note 95.
  • 99.MD. Code. Ann., Health-General § 4–102(a), 72 (LexisNexis 2009) (protecting records from research conducted by the state Drug Abuse Administration, the AIDS Administration, or the Secretary of Health); N.D. Cent. Code § 23–01–15(1) (2012). This statute explicitly states such data are inadmissible. N.D. Cent. Code § 23–01–15(2) (2012) (protecting research data collected by or on behalf of the state department of health and explicitly stating such data are inadmissible); S.D. Codified Laws § 34–14–1 (2011) (protecting research data procured by the Department of Health, South Dakota State Medical Association, allied medical societies, or in-hospital staff committees of accredited hospitals and explicitly stating such data are inadmissible); Wash. Rev. Code Ann. § 42.48.040 (West 2006) (generally protecting state research records, although with exceptions for consent, to avert harm, or per court order when the case involves research injury); Ga. Code Ann. § 24–12–2(a) (West 2011) (applying to “raw” research data generally, although there are several exceptions, particularly for criminal defendants).
  • 100.Haw. Rev. Stat. § 324–13 (West 2008).
  • 101.Cal. Health & Safety Code § 121075 (West 2012).
  • 102.Ark. Code. Ann. § 20–35–103 (LexisNexis 2005); Okla. Stat. tit. 36, § 3614.4 (2011).
  • 103.On the other hand, some state statutes may be less protective than the Certificate. For example, Georgia’s statute appears to eliminate participants’ protections when researchers act as experts and in the context of all criminal proceedings. Ga. Code Ann. § 24–12–2 (West 2011).
  • 104.MD. Code. Ann., Health-General § 4–101, 72 (LexisNexis 2009); N.D. Cent. Code § 23–01–15 (2012); S.D. Codified Laws § 34–14–1 (2011).
  • 105.MD. Code. Ann., Health-General § 4–101, 72 (LexisNexis 2009); N.D. Cent. Code § 23–01–15 (2012); S.D. Codified Laws § 34–14–1 (2011).
  • 106.Ark. Code. Ann. § 20–35–103 (LexisNexis 2005); Okla. Stat. tit. 36, § 3614.4 (2011).
  • 107.For a more in-depth discussion of how to address subpoenas for scholarly research, see Traynor M. Countering the Excessive Subpoena for Scholarly Research. Law & Contemporary Problems. 1996;59(3):119–148.
  • 108.Traynor, supra note 107, at 126. See also Fed. R. Civ. Pro. 45; C.A. Wright, et al, 9A Federal Practice & Procedure Civil § 2007 (3d ed. 2012).
  • 109.Traynor, supra note 107, at 126.
  • 110.Traynor, supra note 107, at 131–34.
  • 111.Traynor, supra note 107, at 128–31. See Cusumano v. Microsoft Corp., 162 F.3d 708 (1st Cir. 1998)(court concluded that “[a]cademicians engaged in pre-publication research should be accorded protection commensurate to that which the law provides for journalists.” at 714)
  • 112.Beskow, supra note 8; Wolf, supra note 5; U.S. Department of Health and Human Services, Secretary’s Advisory Committee on Human Research Protections (SACHRP), Final Recommendation: Certificates of Confidentiality (COCs) (approved March 13, 2014), available at www.hhs.gov/ohrp/sachrp/mtgings/mtg03-14/cocrecommendations.html (last accessed August 6, 2014).
  • 113.We are assuming that strengthening the Certificate’s protection is desirable, given Congress’s expansion of the Certificate as a research tool since 1970, the NIH’s decision to encourage increased use of Certificates, and the support we have heard from researchers, IRB Chairs, and legal counsel. See Wolf LE, et al. The Certificate of Confidentiality Application: A View from the NIH Institutes. 2004. p. 14. 26 IRB 14; Wolf, supra note 5, at 6; Beskow, supra note 8, at 9; Wolf LE, Zandecki J. Sleeping Better at Night: Investigators’ Experiences with Certificates of Confidentiality. 2006. pp. 4–8. 28 IRB 1; Wolf, supra note 93, at 82.
  • 114.SACHRP Final Recommendations, supra note 112. SACHRP also makes some administrative recommendations that we do not address.
  • 115.Beskow, supra note 8, at 9.
  • 116.Beskow, supra note 8, at 9.
  • 117.SACHRP Final Recommendations, supra note 112. We have previously recommended that IRBs evaluate the data security plan, including Certificates, and training in protecting confidentiality of research data as part of their protocol review. Wolf, supra note 5, at 7.
  • 118.Wolf, supra note 93, at 74. In the Bradley case, Duke took this approach by fighting the subpoena without indicating whether the witness was, in fact, a research participant in the study from which data was sought. Beskow, Dame & Costello, supra note 33, at 1054. We recognize, however, that fighting a subpoena for data protected by a Certificate may be interpreted as confirmation of participation.
  • 119.Wolf, supra note 8, at 8.
  • 120.Wolf, supra note 8, at 8.
  • 121.Wolf, supra note 8, at 7.
  • 122.See Wolf, supra note 93 for a fuller discussion of our legal analyses regarding Certificates.
  • 123.SACHRP Final Recommendations, supra note 112.
  • 124.See Wolf, supra note 93, at 82-86.
  • 125.Ohm P. Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization. University of California Los Angeles Law Review. 2010;57:1701–1776. 1704. Ohm argues that “[d]ata can be either useful or perfectly anonymous, but never both.” Id.
  • 126.Sweeney L. Simple Demographics Often Identify People Uniquely. Carnegie Mellon Univ.; 2000. Data Privacy Working Paper No. 3. available at http://impcenter.org/wp-content/uploads/2013/09/Simple-Demographics-Often-Identify-People-Uniquely.pdf (last accessed August 9, 2014). Sweeney demonstrated that she could identify 87% of individuals by combining three simple identifiers: five-digit ZIP code, birth date (including year), and sex. Sweeney L. k-Anonymity: A Model for Protecting Privacy. International Journal of Uncertainty, Fuzziness and Knowledge-Based Systems. 2002;10(5):557–570. 558–59. Narayanan A, Shmatikov V. How to Break the Anonymity of the Netflix Prize Dataset. 2006 Oct. arXiv. http://www.citebase.org/abstract?id=oai:arXiv.org:cs/0610105. See generally Gellman R. The Deidentification Dilemma: A Legislative and Contractual Proposal. Fordham Intellectual Property, Media and Entertainment Law Journal. 2010;21(1):33–61. 37. Ohm, supra note 125, at 1716–22; Schwartz PM, Solove DJ. The PII Problem: Privacy and a New Concept of Personally Identifiable Information. New York University Law Review. 2011;86:1814–1894. 1836–43. Yakowitz J. Tragedy of the Data Commons. Harvard Journal of Law and Technology. 2011;25(1):1–67. 31–33, 39–41. While these are not human subjects research data, they are useful for understanding the challenges to deidentification in light of today’s technology and widely accessible information.
  • 127.Amending the statute would provide an additional opportunity to consider whether there are better ways to structure the Certificate’s protections. For example, some of the other federal statutes and many of the state statutes provide coverage to research generally without requiring an application, and some provide a broader spectrum of coverage to the data. These features may be worth considering as an alternative to the current Certificate approach. SACHRP has similarly recommended changes through the statutory and regulatory processes. Specifically, it recommends allowing researchers the right to refuse to provide deidentified data when reidentification is possible. It also suggests new regulations could provide greater clarity on what is protected by a Certificate. SACHRP Final Recommendation, supra note 112.
  • 128.In 2011, the Department of Health and Human Services issued an advance notice of proposed rule-making concerning proposed changes to the federal regulations governing human subjects research. Human Subjects Research Protections: Enhancing Protections for Research Subjects and Reducing Burden, Delay, and Ambiguity for Investigators, 76 Fed. Reg. 44512 (Jul. 26, 2011) (to be codified at 45 C.F.R. pts. 46, 160, and 164 and 21 C.F.R. pts. 50 and 56). Despite significant attention within the research community, and tens of thousands of responses, it is unclear at this point whether any changes will in fact be made to the regulations.
  • 129.See Chevron v. Natural Resources Defense Council, 467 U.S. 837, 843–44 (1984) (holding that courts must defer to an agency’s reasonable statutory interpretation where Congress has made an implicit agency delegation). In Chevron, the Court reviewed an E.P.A. regulation allowing a state to define the term “stationary source” to include an entire plant, rather than a particular pollution-emitting device. The regulation had been promulgated according to formal procedures and published in the Code of Federal Regulations. Id. at 840–41, 853, 855.
  • 130.United States v. Mead Corp., 533 U.S. 218, 241 (2001). The Court has ruled that “interpretive rules … enjoy no Chevron status as a class.” Id. at 232. However, guidance documents are entitled to Skidmore deference. Christensen v. Harris County, 529 U.S. 576, 585–87 (2000) (relying on cases in which Skidmore deference was used for guidance documents).
  • 131.U.S. Department of Health and Human Services, National Institutes of Health, Certificates of Confidentiality Kiosk, http://grants.nih.gov/grants/policy/coc/ (last updated May 14, 2014) (last accessed August 9, 2014).
  • 132.While the current guidance is issued by NIH, it is not clear whether this is done with official delegated authority that would make it more likely that it would receive Skidmore deference. The Certificate implementing statute grants authority only to the Secretary of HHS, although the regulation defines “secretary” as “the Secretary of Health and Human Services and any other officer or employee of the Department of Health and Human Services to whom the authority involved has been delegated.” 42 U.S.C. § 241(d); 42 C.F.R. § 2a.2(a). This suggests that the Secretary could delegate authority to someone within NIH knowledgeable about Certificates. Such delegation is consistent with the General Administration Manual, which outlines agency policy whereby an organization within the agency may request a written delegation of authority from the Secretary by written request outlining the legal authority upon which the Secretary may delegate. U.S. Department of Health & Human Services General Administration Manual. 2006 § 8–101–20(A) available at http://www.hhs.gov/hhsmanuals/administration.pdf. Generally, the legal authority exists unless specifically prohibited by statute. Id.
  • 133.NIH already provides important information about Certificates through the Certificate kiosk, which we rely on frequently in our own work. Certificates of Confidentiality Kiosk, supra note 131. We are aware that the NIH has worked recently to reorganize the information on the website to make it more accessible to users (Personal Communication, Ann Hardy, NIH Certificate of Confidentiality Coordinator (10/27/2011)).
  • 134.While this may be the “easiest” strategy, it does not mean that it is easily accomplished. The internal review process within an agency can be time-consuming and politically sensitive. However, at least it is all within the control of the agency, unlike regulatory or statutory amendments.
  • 135.Beskow, supra note 8, at 9.
  • 136.Check DK, et al. Certificate of Confidentiality and Informed Consent: Perspectives from IRB Chairs and Institutional Legal Counsel. IRB: Ethics and Human Research. 2014;36(1):1–8. 6.
  • 137.Check, supra note 138, at 6.
  • 138.Beskow LM, Check DK, Ammarell N. Research Participants’ Understanding of and Reactions to Certificates of Confidentiality. American Journal of Bioethics Empirical Bioethics. 2014;5(1):12–22. 19. doi: 10.1080/21507716.2013.813596.
