I. INTRODUCTION
Certificates of Confidentiality (“Certificates”) are a federal mechanism designed to protect sensitive, identifiable research data from compelled disclosure in any legal proceeding. The 21st Century Cures Act revised the authorizing statute to address criticisms that had been raised about Certificates’ coverage and protections. Despite many changes that expanded the scope and reinforced the protection of Certificates, questions remain concerning the robustness of the protection Certificates afford. Here we briefly review the legal evolution of Certificates and then examine the gaps in protections that remain and their implications. We conclude with recommendations for areas of clarification and future research.
II. The Evolution of Certificates
Certificates are a tool to help researchers meet their ethical and legal obligations to protect research participants’ privacy and the confidentiality of their data.1 Authorized by federal law and granted by units of the U.S. Department of Health and Human Services (HHS), Certificates are intended to prevent—with limited exceptions—the disclosure of identifiable information about research participants during any legal proceeding.2
The purpose of providing this protection is to facilitate important public health research on sensitive topics. Originally authorized in 1970 for research on illegal drug use, the impetus for Certificates was concern about people’s willingness to participate in research if disclosure of identifiable data could place them in legal jeopardy or have other adverse consequences for their financial standing, employability, insurability, or reputation.3
Over time, the applicability of Certificates has been expanded from “research on the use and effect of drugs” to a broader set of research topics.4 The most recent amendments to the statutory language governing Certificates came with the enactment of the 21st Century Cures Act.5 Certificates now apply to “biomedical, behavioral, clinical, or other research, in which identifiable, sensitive information is collected (including research on mental health and research on the use and effect of alcohol and other psychoactive drugs).”6
The 21st Century Cures Act also implemented other significant substantive and procedural changes to Certificates, including:
Mandatory issue: Previously, researchers were required to apply for a Certificate and issuance was at the discretion of the HHS Secretary.7 Under the current statute, the Secretary “shall” issue a Certificate if the research is funded (in whole or part) by the federal government.8 Indeed, the National Institutes of Health (NIH) considers a Certificate automatically issued for all research it funds that involves identifiable, sensitive information.9 Obtaining a Certificate for research not funded by the federal government still requires application and approval.10
Scope: Certificate holders were previously authorized to withhold the “names or other identifying characteristics” of research participants.11 That scope has now been expanded to “the name of such an individual or any such information, document, or biospecimen that contains identifiable, sensitive information about such an individual and that was created or compiled for purposes of the research.”12
Definition of identifiability: Previously defined primarily by reference to a list of specific identifiers,13 the term “identifiable, sensitive information” now means “information (a) through which an individual is identified; or (b) for which there is at least a very small risk, as determined by current scientific practices or statistical methods, that some combination of the information, a request for the information, and other available data sources could be used to deduce the identity of an individual.”14
- Disclosure prohibition: Prior statutory language stated that Certificate holders “may not” be compelled in any federal, state, or local civil, criminal, administrative, legislative, or other proceedings to identify research participants.15 The current statute more forcefully asserts that Certificate holders “shall not” make such disclosures.16 The statute goes on to provide that:
- Identifiable, sensitive information shall be immune from the legal process, and shall not, without the consent of the individual to whom the information pertains, be admissible as evidence or used for any purpose in any legal proceeding.17
- Identifiable, sensitive information collected by a person to whom a Certificate has been issued, and all copies thereof, shall be subject to the protections afforded for perpetuity.18
These prohibitions against disclosure are subject to limited exceptions—allowing only for disclosures that are required by Federal, State, or local laws (excluding instances of legal demands); necessary for the medical treatment of the individual to whom the information pertains; made with the consent of the individual to whom the information pertains; or made for the purposes of other scientific research that is in compliance with applicable Federal regulations governing the protection of human subjects in research.19
As we have discussed in detail elsewhere, the changes made to the Certificate authorizing statute through the 21st Century Cures Act addressed several key concerns about Certificates.20 While there are many positive aspects of these changes,21 two new provisions reveal gaps in Certificates’ protections. First, the protection of “all copies … for perpetuity” faces practical challenges created by inclusion of research data in the Electronic Health Record (EHR).22 Second, the permitted disclosure of information as “required by Federal, State, and local laws” (excluding instances of compelled disclosure)23 may be broader than currently described—and raises important questions about whether recommended consent language adequately informs research participants about the scope of the permitted disclosures. In the next section, we explore these gaps and their implications.
III. GAPS IN PROTECTION FROM DISCLOSURE
A. All copies in perpetuity: Research data in electronic health records
Integration of clinical and research data is increasingly viewed as desirable for advancing the goals of both healthcare and research.24 For example, access to such data could allow clinicians to avoid drug interactions or facilitate appropriate response to an adverse health event. Some studies routinely put research data in EHRs.25 The most prominent example of routine inclusion of research data in health records is the Veterans Affairs Hospitals, which have policies requiring the creation of a health record for research participants who receive research interventions on an inpatient or outpatient basis; the U.S. Department of Veterans Affairs has required this practice since at least 2015.26
The 2st Century Cures Act’s express extension of Certificate protections to all copies of the research information suggests that research data placed in the medical record remains protected from compelled disclosure. As the NIH explains in its frequently asked questions about Certificates:
Section 301(d) of the Public Health Services Act protects identifiable, sensitive information and all copies thereof. Accordingly, if identifiable, sensitive information protected by a Certificate is placed in a subject’s medical record, the protections of the Certificate and prohibitions on further disclosure of the information may apply.27
The most significant concern about the robustness of protection for copies of Certificate-protected information in the EHR results from the combination of two factors: (1) information contained in EHRs are subject to subpoena28 and (2) large numbers and types of individuals and entities within and outside the health system have legitimate access to EHRs without a legal demand.29 A third-party could potentially access information that is covered by a Certificate by serving a subpoena on any of these individuals or entities, who may be – or most likely are – unaware of the Certificate. Our prior research revealed that even people in the research context who were aware of Certificates were often unfamiliar with the details of their protections.30 We have noted that this lack of familiarity could lead to unauthorized disclosure of Certificate-protected information should research data be subpoenaed directly from researchers.31 This risk may be magnified by the NIH’s shift to automatic issue of Certificates.32 Accordingly, it is hard to imagine that individuals who are not involved in research and, thus, do not have any exposure to Certificates would know to treat the research data in the EHR differently from the rest of the EHR if they received a subpoena and to avoid disclosure as the new provisions intend.
Even if the recipient of the subpoena understands to withhold the Certificate-covered research information in the EHR, it will be up to the institution to defend against legal efforts to compel disclosure. The NIH provides limited assistance, if any, to institutions who receive a legal demand for data protected by a Certificate.33 Institutions may not be willing to take on the legal costs of resisting disclosure should the case end up in court.34 With the strengthening of the statute’s provisions from the permissive “may not” to the mandatory “shall not disclose,”35 institutions should undertake such fights, but they may not do so if they do not fully appreciate the protections afforded the data.
Further, the extension of Certificate protections to research data in the EHR undermines a strategy that legal counsel have used to avoid challenges to a Certificate protections. In our interviews with them, institutional legal counsel told us that, when they received a subpoena for research data protected by a Certificate, they would consider whether there were other sources for the data the requester sought. Often the information sought was originally collected independently for medical purposes (not for research). Accordingly, counsel would suggest to the requestor subpoena the medical record. This approach allowed them to avoid a court fight that might end in a decision that formally limits Certificate protections.36 If research information is in the EHR, this avenue is foreclosed; institutional legal counsel will still be called on to withhold the research data in the EHR and may have to defend those denials of disclosure and risk judgments adverse to Certificate protections.
B. Disclosure permitted as required by federal, state, and local law
The revised Certificate statute eliminated researchers’ voluntary disclosure of identifiable data protected by a Certificate,37 but now explicitly authorizes disclosure otherwise protected by the Certificate when “required by Federal, State, or local laws.”38 In public presentations and in suggested consent language, NIH has referred only to disclosures pursuant to traditional public health reporting, such as communicable diseases, abuse, and harm to self or others.39 However, the language of this provision is unbounded, and our prior research revealed myriad state laws that may apply to various types of research.40 Accordingly, federal regulatory agencies, including NIH, or courts may have grounds to find that the scope of the disclosures that may be made under this provision may be much broader than NIH’s sample consent language suggests. While a comprehensive analysis requires significant legal research, we provide three examples that illustrate the potential breadth of this exception.
Our first two examples fit within the kinds of laws that the NIH sample consent language highlights, but they may not be ones that come to mind when reading the statement: “The Certificate DOES NOT stop reporting that federal, state or local laws require. Some examples are laws that require reporting of child or elder abuse, some communicable diseases, and threats to harm yourself of others.” Imagine a study seeking to identify safe and effective treatment of substance use disorder among pregnant women. Many states require any person41 to report child abuse, whereas others require only those who are in particular professions or hold a certain license.42 Some states also define child abuse or neglect to include use of controlled substance during pregnancy and/or evidence of substance use after delivery.43 Accordingly, researchers would be required to report substance abuse by a pregnant research participant if the researchers were identified as a mandated reporter and the state’s child abuse or neglect statute applies to use of controlled substance during pregnancy and/or evidence of substance use after delivery. These circumstances fit within the way NIH has described the intent of the provision allowing for disclosure “as required by Federal, State, and local law”: disclosures consistent with public health reporting requirements and “harm to self or others.” However, it is unclear whether the typical research participant would understand that substance use during pregnancy falls within these categories.
But the circumstances described above are exactly the type of studies for which the Certificate was first intended. Certificates were adopted to facilitate research on drug use.44 Researchers understood that people would be unlikely to participate in this kind of research without strong confidentiality protections because disclosure of their illegal drug use could put them in legal jeopardy.45 In our example, women may be unwilling to participate – despite potential benefits to their and their babies’ health – without promises that they will not be reported to child protective services or other authorities because of the very real risks of investigation, criminal process, and loss of custody.46 These concerns could also impact studies that are not about substance use per se, but include women who are pregnant or may become pregnant and involve routine screening of blood samples. In such cases, it seems even less likely that participants would understand the recommended consent language to apply to their participation. As institutional legal counsel informed us, most legal demands they received for disclosure were for information about individual participants rather than being related to the topic of the study.47 These legal demands arise from “personal injury case[s] or divorce or custody matters in which the research data might be relevant.”.48
Similarly, researchers conducting studies that focus on cognitive or functional impairment, as well as in studies that routinely administer cognitive tests as only one part of a broader focus, may be required to report conditions that may impair the ability to drive safely. Some states require individuals with medical degrees to report to the motor vehicle department certain conditions that may impair ability to drive.49 Others require physicians who diagnose a disorder “characterized by lapses of consciousness” to report.50 In the latter group of states, physician-researchers would have to report these conditions when identified in the course of research to the government agency that oversees driving.51 The public health importance of this kind of reporting is clear, as are the risks to participants of such disclosure—including being subject to investigation, loss of license, and the potential financial implications and loss of independence that might result from loss of license to drive. But given the limited statements about the types of mandated disclosures NIH has highlighted in its model consent form language, it is not clear whether researchers appreciate that, depending on the relevant state law, these are the kinds of exceptions to the Certificate’s protections—and associated risks—that should be included in a consent form.52
A review of the 21st Century Cures Act legislative history points to a third example of disclosures that fall within the as “required by Federal, State or local law” provision – state open records acts. Prior to the adoption of the 21st Century Cures Act, there were concerns that genomic data that were “collected or retained by a federal executive branch agency[ ] could be subject to public release pursuant to the Freedom of Information Act (FOIA).53 The 21st Century Cures Act ultimately included language from the proposed, but unenacted, Advancing Precision Medicine Act of 2016, to amend section 201 of the Public Health Service Act to specifically exempt biomedical research information that is identifiable or could be identifiable, if combined with other information, from disclosure under FOIA.54 The language about identifiability of data is the same between the amendments to FOIA and to the Certificate authorization; both provisions define identified data as those that are explicitly identified or where “there is at least a very small risk, as determined by current scientific practices or statistical methods, that some combination of the information, the request, and other available data sources could be used to deduce the identity of an individual.”55 These changes bring such biomedical research data within one of the FOIA exceptions to disclosure that might otherwise be required under the as “required by Federal, State, or local law” provision.56 But, unless states similarly exempt research records from disclosure,57 research data held by state entitles may be subject to disclosure under state open records laws.58 While a comprehensive review of these statutes is beyond the scope of this article, some states explicitly include their public universities and colleges within their open records laws.59 Provisions that exempt research data may be drafted to focus on researcher benefit, rather than participant protections, and may not protect against some disclosures (e.g., after publication of research findings).60 Again, as this example illustrates, current NIH sample consent language may not sufficiently convey the kinds of exceptions to Certificate protections that matter to prospective participants.
IV. RECOMMENDATIONS
Certificates have been an important tool for protecting the confidentiality of research data gathered by research studies for fifty years. The 21st Century Cures Act made important changes to the Certificate statute that strengthened those protections. However, a closer look at those changes reveals gaps that could undermine Certificate protections and participant trust. We have outlined two of those here: the provision protecting all copies of research data in perpetuity and the provision authorizing disclosure of identifiable information as “required by Federal, State, and local law.”.
Our concerns about the extension of Certificate’s protections to all copies in perpetuity are about implementing that provision in practice. Our discussion focused on the specific risk posed by placing research data in EHRs. Academic medical centers and other health care institutions that are incorporating research data in EHRs need to consider what strategies they can adopt to ensure they have met their obligations under the Certificate. For example, they may develop systems that flag protected research data before disclosure in response to a subpoena. Tailored education for appropriate personnel might also reduce risk of inappropriate disclosure of protected research data. NIH could aid the research community by developing education materials about that addresses the general purposes of Certificates and how they apply to research data in EHRs for institutions to use.
With respect to the provision authorizing disclosure as “required by Federal, State, and local law,” we believe that elucidation of the full scope of this exception is critically needed. As we have illustrated, important examples are not reflected in current consent language and there may be others. How much detail is important to prospective participants is a matter for empirical inquiry. For example, it may be sufficient to amend NIH’s recommended language to state: “Common examples are laws that require reporting of child or elder abuse, some communicable diseases, and threats to harm yourself or others. Your state may have others.” (amendments in italics) However, research might demonstrate that additional specific exceptions should be listed.
Some authorized disclosures, however, may be inconsistent with the Certificate’s underlying purpose, and action may be required to close those gaps. As we discuss, states’ open records laws example demonstrates one way that research data protected by a Certificate may be at risk of disclosure because of this new provision. Given that the FOIA statute was amended to protect research data from disclosure in the same statute that amended the Certificate’s statute, it is illogical to think the drafters intended to make research data protected by a Certificate vulnerable to state open records laws. Without additional research, we cannot know the full scope of the exceptions this provision has introduced, how best to respond, or how best to inform participants.
Acknowledgments
This work was supported by a grant from the National Human Genome Research Institute (R21-HG-010952). The content is solely the responsibility of the authors and does not necessarily represent the official views of NHGRI or NIH. The authors would like to thank Saliha Moore, a J.D. candidate at Case Western Reserve University School of Law, for preliminary research on this project, as well as Pamela Brannon, Coordinator of Faculty Services in the Georgia State Law library, and Madison Hayes, a J.D. candidate and library research assistant at Georgia State Law, for their research on the legislative history of the 21st Century Cures Act. The authors would also like to thank the students of the University of Utah S.J. Quinney College of Law law review for the opportunity to present at their virtual symposium, “The Law and Ethic of Medical Research,” and to contribute to its symposium volume.
Footnotes
Leslie E. Wolf et al., Certificates of Confidentiality: Protecting Human Subject Research Data in Law and Practice, 43 J. Law, Med. & Ethics 594, 594 (2015).
42 U.S.C. § 241(d) (2016). For a comprehensive history of the Certificate of Confidentiality, see generally Leslie E. Wolf et al., Certificates of Confidentiality: Protecting Human Subject Research Data in Law and Practice, 14 Minn. J. Law Sci. & Tech. 11, 20-26. For a discussion of changes made to the Certificate of Confidentiality through the 21st Century Cures, see generally Leslie E. Wolf & Laura M. Beskow, New and Improved? 21st Century Cures Act Revisions to Certificates of Confidentiality, 44 Am. J.L. & Med. 343 (2018).
Comprehensive Drug Abuse Prevention and Control Act of 197, Pub. L. No. 91-513, sec. 3(a), § 303(a), 84 Stat. 1236, 1241 (codified at 42 U.S. C. § 242a(a) (1970))(current version at 42 U.S.C. § 241(d) (2016)). For a discussion of the history of the Comprehensive Drug Abuse Prevention and Control Act, see Wolf et al., supra note 2, 20-25.
Pub. L. No. 91-513, sec. 3(a), § 303(a), 84 Stat. 1236, 1241 (codified at 42 U.S. C. § 242a(a) (1970)).
Wolf et al., supra note 2, 20-25; 21st Century Cures Act, Pub. L. 114-255, sec. 2012, § 301, 130 Stat. 1033, 1049-50 (2016)). See also Kathy L. Hudson and Francis S. Collins, The 21st Century Cures Act – A View from the NIH, 376 New Eng. J. Med. 111, 112 (2017) (describing key features of the 21st Century Cures Act) and Wolf & Beskow, supra note 2 (describing the key changes to the Certificate authorizing statute and its implications).
42 U.S.C. § 241(d)(1)(A).
42 U.S.C. § 241(TK)(TK)(TK) (2015). [Copyworkers please pincite to paragraphs and subparagraphs]
42 U.S.C. § 241(d)(1)(A)(i).
National Institute of Health, NOT-OD-17-109, Notice of Changes to NIH Policy for Issuing Certificates of Confidentiality, (2017), https://grants.nih.gov/grants/guide/notice-files/NOT-OD-17-109.html.
42 U.S.C. § 241(d)(1)(A)(ii).
42 U.S.C. § 421(d) (2015).
42 U.S.C. § 241(d)(1)(A).
42 C.F.R. § 2a2(d) (2011) defined “identifying characteristics” as “the name, address, any identifying number, fingerprints, voiceprints, photographs or any other item or combination of data about a research subject which could reasonably lead directly or indirectly by reference to other information to identification of that research subject.”
42 U.S.C. § 241(d)(1)(D). See also Frequently Asked Questions (FAQ) FAQ A.6, Certificates of Confidentiality (CoC) Kiosk, Nat’l Insts. Health, https://grants.nih.gov/faqs#/certificates-of-confidentiality.htm?anchor=question55502.
42 U.S.C. § 241(d) (2015).
42 U.S.C. § 241(d)(1)(D). Specifically, the statute provides: “Any person to whom a certificate is issued under subparagraph (A) to protect the privacy of an individual described in such subparagraph shall not, in any Federal, State, or local, civil, criminal, administrative, legislative, or other proceeding, disclose or provide the name of such individual or any such information, document, or biospecimen that contains identifiable, sensitive information about the individual and that was created or compiled for purposes of the research, except in the circumstance described in subparagraph (C)(iii).”
42 U.S.C. § 241(d)(1)(E). Specifically, the statute provides: “Identifiable, sensitive information protected under subparagraph (A), and all copies thereof, shall be immune from the legal process, and shall not, without the consent of the individual to whom the information pertains, be admissible as evidence or used for any purpose in any action, suit, or other judicial, legislative, or administrative proceeding.”
42 U.S.C. § 241(d)(1)(F). The statute provides: “Identifiable, sensitive information collected by a person to whom a certificate has been issued under subparagraph (A), and all copies thereof, shall be subject to the protections afforded by this section for perpetuity.”
42 U.S.C. § 241(d)(1)(C).
See generally, Wolf & Beskow, supra note 2.
Id.
42 U.S.C. § 241(d)(1)(F).
42 U.S.C § 241(d)(1)(C).
See, e.g., Overhaul of the Human Research Subject Common Rule Proposed, ¶ 21,295 Med. Devices Rep. 2015 WL 7510317 (2018) (“Clinical research networks connected through electronic health records (EHRs) have developed methods for extracting clinical data for research purposes and are working toward integration of research data into EHRs in a meaningful way. … Recent trends clearly show that the scientific community recognizes the value of data sharing and open-source resources and understand that pooling intellectual resources and capitalizing on efficient uses of data and technology represent the best ways to advance knowledge.”); Philipp Bruland, Justin Doods et al., Connecting healthcare and clinical research: Workflow optimizations through seamless integration of EHR, pseudonymization services and EDC system, 119 Internat’l. J. Med. Informatics 103 (2018) (describing an approach to integrate electronic health records and research data). See also James Scheibner, Marcello Ienca et al., Data protection and ethics requirements for multisite research with health data: a comparative examination of legislative governance frameworks and the role of data protection technologies, 7 J. Law Biosci. 1 (noting that Australia has high rates of electronic health record systems and research data linkage).
See, e.g., Iftikhar J. Kullo et al., Return of Results in the Genomic Medicine Projects of the eMERGE Network, 5 Frontiers in Genetics 1, 2 (2014)(“pharmacogenomic information is being placed pre-emptively in the EHR as part of the network-wide eMERGE PGx project); Otto Gottesman, et al., The Electronic Medical Records and Genomics (eMERGE) Network: past, present, and future, 15 Genet. Med. 761 (2013) (“These data [pulled from EHRs) can then be combined with genomic data for the discovery of genotype-phenotype associations, and the discoveries, once validated, may be introduced back into the [EHR] to augment clinical care” (emphasis added)) See also Anya Prince et al., Automatic Placement of Genomic Research Results in Medicine Records: Do Researchers Have a Duty? Should Participants Have a Choice?, 43 J.L., Med., & Ethics 827, at 827, 829, 832.
U.S. Department of Veterans Affairs, Health Information Management and Health Records, VHA Directive § 1907.01, March 15, 2015. Section 23.g provides that “A VA health record must be created or updated for all research subjects when required by VHA research policy as found in VHA Handbook 1200.05.” Section 23.h further provides that “A method to identify clinic visits solely for research must be used to differentiate those visits from any other clinic visits.” Id. See also U.S. Department of Veterans Affairs, Requirements for the Protection of Human Subjects in Research, VHA Directive 1200.05(2), January 7, 2019 Section 5.g, which specifies that “Each VA investigator is responsible for: … (16) Creating or updating a VHA health record and creating a progress note for all research subjects (Veterans or non-Veterans) who receive research procedures or interventions as inpatients or outpatients at VA medical facilities that are either used in or may impact the medical care of the research subject at a VA medical facility or at facilities contracted by VA to provide services to Veterans (e.g., Community-Based Outpatient Clinics or community living centers).” Id. at 11.
Frequently Asked Questions (FAQ) A.12, Certificates of Confidentiality (CoC) Kiosk, Nat’l Insts. Health, https://grants.nih.gov/faqs#/certificates-of-confidentiality.htm?anchor=question55502 (emphasis added).
The Health Information Portability & Accountability Act (HIPAA) Privacy Rule, which sets a federal floor for protection of identifiable health information, has multiple exceptions to its protections, including pursuant to a court order or subpoena. While some state laws provide more protection than HIPAA does, these similarly typically allow for disclosure pursuant to a court order or subpoena. See discussion in Leslie E. Wolf, et al., The Web of Legal Protections for Participants in Genomic Research, 29 HEALTH MATRIX 1, at 43-47 and 77-88.
Under HIPAA and related state medical privacy laws, covered entities and business associates typically can access protected health information for treatment, payment, and health care operations. Wolf et al., The Web of Legal Protections, supra note 29,. at 43-47. The following categories of people fall within this authorized disclosure: treating physician(s), consulting physician(s), nurse(s), physician assistants, technicians, pharmacist, appointments personnel, billing personnel, quality assurance personnel, state licensure personnel, accreditation personnel, and insurers. Disclosures can also be made without authorization for law enforcement, public health or other governmental purposes. Id.
Leslie E. Wolf, et al., Certificates of Confidentiality: Legal Counsels’ Experiences with and Perspectives on Legal Demands for Research Data, 7 J. Empirical Res. Hum. Res. Ethics 1, 6 (2012) (finding “counsel [who represent academic medical centers] are not particularly knowledgeable about Certificates’ protections and exceptions”); Laura M. Beskow, et al., Institutional Review Boards’ Use and Understanding of Certificates of Confidentiality, 7 Plos One e44050 at 3 (2012) (finding “only slightly more than half (55%) of respondents answered three or more of the six knowledge questions correctly”).
This problem is heightened with data sharing between research teams because researchers receiving the data may be unaware that the data comes with the Certificates’ protections. Wolf et al., supra note 2, at 349.
42 U.S.C. § 241(d)(1)(A)(i); National Institute of Health, NOT-OD-17-109, Notice of Changes to NIH Policy for Issuing Certificates of Confidentiality, (2017), https://grants.nih.gov/grants/guide/notice-files/NOT-OD-17-109.html.
Beskow et al. supra note 6, at 1055; Wolf et al. supra note31, at 7. The NIH Certificate kiosk previously included a statement that the “NIH Legal Advisor is willing to discuss the regulations with the researcher’s attorney,” although some institutional counsel desired more proactive assistance. Wolf et al. supra note 31, at 7. Now, the FAQ only indicates that a “researcher should immediately seek legal counsel from his or her institution” should they receive legal action seeking release of personally identifying information protected by a Certificate. [cross-ref to FAQs], FAQ F.2.
Beskow et al., supra note 6, at 1055. We have heard of cases in which institutions have turned over data over researchers’ objections, but we have been unable to confirm these anecdotal accounts (which also would not appear in reported cases).
Supra notes 15-16.
Leslie E. Wolf, et al., Certificates of Confidentiality, supra note 31, at 6.
Supra notes 15-16.
Wolf et al. supra note 1 at 350; 42 U.S.C. § 241(d)(1)(F).
The sample consent language released after the statutory changes referred to child abuse and communicable diseases. Suggested Consent Language Describing the CoC Protections, Nat’l Insts. Health, https://perma.cc/2JSL-M5HS (captured March 2, 2018). The current version refers to “child or elder abuse, some communicable diseases, and threats to harm yourself or others.” Example Informed Consent Language, Nat’l Insts. Health, https://grants.nih.gov/policy/humansubjects/coc/helpful-resources/suggested-consent.htm.
Wolf et al., supra note 30.
Child Welfare Information Gateway, Children’s Bureau/ACYF/ACF/HHS, Mandatory Reports of Child Abuse and Neglect, childwelfare.gov/pubPDFs/manda.pdf (identifying 18 states and Puerto Rico as requiring “any person who suspects child abuse or neglect” to report). See, e.g., Texas Family Code § 261.101 (“A person having cause to believe that a child’s physical or mental health or welfare has been adversely affected by abuse or neglect by any person shall immediately make a report as provided by this subchapter”); Tenn. Code. 37-1-403 (“Any person who has knowledge of or is called upon to render aid to any child who is suffering from or has sustained any wound, injury, disability, or physical or mental condition shall report such harm immediately if the harm is of such a nature as to reasonably indicate that it has been caused by brutality, abuse or neglect or that, on the basis of available information, reasonably appears to have been caused by brutality, abuse or neglect.”).
See, e.g., NDCC 50-25.1-03; 325 ILSC 5/4.
See, e.g., NDCC 50-25.1-17 (requires toxicology test and reporting when reason to believe controlled substance use during pregnancy); Texas Family Code § 261.001 (child abuse definition includes use of controlled substance “in a manner …that the use results in … injury to a child”); 705 ILCS 405/2-3 (child abuse definition includes detection of any amount of a controlled substance in a newborn).
Wolf et al., supra note 2, at 20–24 (2013).
Id.
Pregnant women have been jailed as a result of drug use during pregnancy identified during a research study, including a program conducted by the Medical University of South Carolina. Ferguson v. Charleston, 532 U.S. 67 (2001).
Wolf et al., supra note 31, at 3.
Id.
See, e.g., Oregon ORS 807.710.
See, e.g., California Cal. Health & Safety Code § 103900.
Id.
We previously highlighted the gap created by the as “required by federal, state, or local laws” provision creates problems for consent, noting “How do you describe what this exception may include, if you do not know which laws may be implicated.” Wolf & Beskow, New and Improved?, supra note 2, at 351.
C. Stephen Redhead, et al., Cong. Research Serv. R44502, Senate Medical Innovation Bills: Overview and Comparison with the 21st Century Cures Act (H.R. 6), May 17, 2016), at 19.
Advancing Precision Medicine Act of 2016, S. 2713, 114th Cong., (as reported in the Senate, Apr. 18, 2016), Section 4 at 10-11. This section provides “The Secretary may exempt from disclosure under section 552(b)(3) of title 5, United States Code, biomedical information that is about an individual and that is gathered or used during the course of biomedical research if – (A) an individual is identified; or (B) there is a risk, as determined by current scientific practices or statistical methods, that some combination of the information, the request, and other available data sources could be used to deduce the identity of an individual.” The 21st Century Cures Act adopts this language with slight modifications. It omits the reference to the United States Code and section (B) reads there is at least a very small risk, as determined by current scientific practices or statistical methods, that some combination of the information, the request, or other available data sources could be used to deduce the identity of the individual.” 21st Century Cures Act supra note 8, § 2013, codified at 42 U.S.C. § 241(f)(emphasis added). 5 U.S.C. § 552(b)(3) provide that “This section [regarding public disclosure of information] does not apply to matters that are – (3) specifically exempted from disclosure by statute (other than section 552b of this title), if that statute – (A)(i) requires that the matters be withheld from the public in such a manner as to leave no discretion on the issue; or (ii) establishes particular criteria for withholding or refers to particular types of matters to be withheld; and (B) if enacted after the date of enactment of the OPEN FOIA Act of 2009, specifically cites to this paragraph.
42 U.S.C. § 241(d)(1)(G)(4) and 42 U.S.C. § 241(f)(1) (2016).
5 U.S.C. § 552(b)(3).
See, e.g., Wyo. St. 1977 § 16-4-203(b)(iii) provides that “[t]he custodian may deny the right of inspection of the following records, unless otherwise provide by law, on the ground that disclosure to the applicant would be contrary to the public interest: … (iii) The specific details of bona fide research projects being conducted by a governmental entity or any other person.”
A 2010 report of state open records laws notes the substantial variation in terms of entities and records included in the scope of the laws and exemptions to the obligations to disclose. Nat’l Assoc. Counties, Open Records Laws: A State by State Report, December 2010 https://www.governmentecmsolutions.com/files/124482256.pdf. Alabama is an example of a broad statute with limited exceptions that do not address research data. The Alabama law provides: “Every citizen has the right to inspect and take a copy of any public writing of this state, except as otherwise expressly provided by statute. Provided however, registration and circulation records and information concerning the use of the public, public school or collections and university libraries of this state shall be exempted from this section. Provided further, any parent of a minor child shall have the right to inspect the registration and circulation records of any school or public library that pertain to his or her child. Notwithstanding the foregoing, records concerning security plans, procedures, assessments, measures, or systems, and any other records relating to, or having an impact upon, the security or safety of persons, structures, facilities, or other infrastructures, including without limitation information concerning critical infrastructure (as defined at 42 U.S.C. § 5195c(e) as amended) and critical energy infrastructure information (as defined at 18 C.F.R. § 388.113(c)(1) as amended) the public disclosure of which could reasonably be expected to be detrimental to the public safety or welfare, and records the disclosure of which would otherwise be detrimental to the best interests of the public shall be exempted from this section. Any public officer who receives a request for records that may appear to relate to critical infrastructure or critical energy infrastructure information, shall notify the owner of such infrastructure in writing of the request and provide the owner the opportunity to comment on the request and on the threats to public safety or welfare that could reasonably be expected from public disclosure on the records.” Ala. Code 1975 § 36-12-40.
See, e.g., 5 ILCS 140/2 “(a) ‘Public body; means all legislative, executive, administrative, or advisory bodies of the State, state universities and colleges, counties, townships, cities, villages, incorporated towns, school districts and all other municipal corporations, boards, bureaus, committees, or commissions of this State, any subsidiary bodies of any of the foregoing including but not limited to committees and subcommittees thereof, and a School Finance Authority created under Article 1E of the School Code. ‘Public body’ does not include a child death review team or the Illinois Child Death Review Teams Executive Council established under the Child Death Review Team Act, or a regional youth advisory board or the Statewide Youth Advisory Board established under the Department of Children and Family Services Statewide Youth Advisory Board Act.” (footnotes omitted). “Private information” is defined by specific identifiers, without reference to the kinds of connections that may be made. Id. § c-5.
See, e.g., Il. St. Ch. 5, § 140/7, which exempts from disclosure “(i) Valuable formulae, computer geographic systems, designs, drawings and research data obtained or produced by any public body when disclosure could reasonably be expected to produce private gain or public loss” and “(J) The following information pertaining to educational matters: … (iv) course materials or research materials used by faculty members.” See also Georgia’s Open Records Law, which has exceptions for research records, but is framed in terms of researcher interests, rather than participant protection. The exceptions are for “35. Data, records, or information of a proprietary nature produced or collected by or for faculty or staff of state institutions of higher learning, or other government agencies, in the conduct of or as a result of, study or research on commercial, scientific, technical, or scholarly issues, whether sponsored by the institution alone or in conjunction with a governmental body or private concern, where such data, records, or information has not been publicly released, published, copyrighted, or patented. 36. Any data, records, or information developed, collected, or received by or on behalf of faculty, staff, employees, or students of an institution of higher education or any public or private entity supporting or participating in the activities of an institution of higher education in the conduct of, or as a result of study or research on medical, scientific, technical, scholarly, or artistic issues, whether sponsored by the institution alone or in conjunction with a governmental body or private entity, until such information is published, patented, otherwise publicly disseminated, or released to an agency whereupon the request must be made to the agency. This paragraph shall apply to, but shall not be limited to, information provided by participants in research, research notes and data, discoveries, research projects, methodologies, protocols, and creative works.” O.C.G.A. § 50-18-70.
Contributor Information
Leslie E. Wolf, Georgia State University College of Law.
Laura M. Beskow, Center for Biomedical Ethics & Society at the Vanderbilt University Medical Center in Nashville, Tennessee.