Hostname: page-component-6bf8c574d5-b4m5d Total loading time: 0 Render date: 2025-02-14T22:34:15.309Z Has data issue: false hasContentIssue false
  • English
  • Français

Certificates of Confidentiality: Protecting Human Subject Research Data in Law and Practice

Published online by Cambridge University Press:  01 January 2021

Leslie E. Wolf ,
Mayank J. Patel ,
Brett A. Williams Tarver ,
Jeffrey L. Austin ,
Lauren A. Dame  and
Laura M. Beskow
Get access Rights & Permissions [Opens in a new window]

Extract

Answering important public health questions often requires collection of sensitive information about individuals. For example, our understanding of how HIV is transmitted and how to prevent it only came about with people's willingness to share information about their sexual and drug-using behaviors. Given the scientific need for sensitive, personal information, researchers have a corresponding ethical and legal obligation to maintain the confidentiality of data they collect and typically promise in consent forms to restrict access to it and not to publish identifying data.

The interests of others, however, can threaten researchers' promises of confidentiality when legal demands are made to access research data (e.g., through subpoena). In some cases, the subject of the litigation is tightly connected to the research questions, and litigants' interest in the data is not surprising. Researchers conducting studies on tobacco or occupational or other chemical exposures, for example, are relatively frequent targets of subpoenas.

Type
Independent
Information
Journal of Law, Medicine & Ethics , Volume 43 , Issue 3 , Autumn 2015 , pp. 594 - 609
Copyright
Copyright © American Society of Law, Medicine and Ethics 2015

Access options

Get access to the full version of this content by using one of the access options below. (Log in options will check for institutional or personal access. Content may require purchase if you do not have access.)

References

See, e.g., Allen, J. R. Curran, J. W., “Prevention of AIDS and HIV Infection: Needs and Priorities for Epidemiological Research,” American Journal of Public Health 78, no. 4 (1988): 381386; Curran, J. W. Jaffe, H. W., “AIDS: The Early Years and CDC's Response,” Morbidity and Mortality Weekly Report 60, Supp. no. 4 (2011): S64–S69. Scholars have discussed the value of Certificates to a wide range of research topics. See, e.g., Wolf, L. E. Lo, B., “Practicing Safer Research: Using the Law to Protect the Confidentiality of Sensitive Research Data,” IRB: Ethics & Human Research 21, no. 5 (Sept.–Oct. 1999): 4–7, at 4 (discussing Certificates and HIV research); Melton, G. B., “Certificates of Confidentiality under the Public Health Service Act: Strong Protection but Not Enough,” Violence and Victims 5, no. 1 (1990): 67–71, at 68–69 (discussing Certificates and research on violence); Hoagwood, K., “The Certificate of Confidentiality at the National Institute of Mental Health: Discretionary Considerations in Its Applicability in Research on Child and Adolescent Mental Disorders,” Ethics and Behavior 4, no. 2 (1994): 123–131, at 123–124 (discussing Certificates and mental health research); Coffey, M. J. Ross, L., “Human Subjects Protections in Genetic Research,” Genetic Testing 8, no. 2 (2004): 209–213, at 209–210 (discussing Certificates and genetic research); Cooper, Z. N. Nelson, R. M. Ross, L. F., “Certificates of Confidentiality in Research: Rationale and Usage,” Genetic Testing 8, no. 2 (2004): 214–220, at 214 (discussing Certificates and genetic research); Earley, C. L. Strong, L. C., “Certificates of Confidentiality: A Valuable Tool for Protecting Genetic Data,” American Journal of Human Genetics 57, no. 3 (1995): 727–731, at 727 (discussing Certificates and genetic research); Lutz, K. F. et al. , “Use of Certificates of Confidentiality in Nursing Research,” Journal of Nursing Scholarship 32, no. 2 (2000): 185–188, at 185 (2000) (discussing Certificates and nursing research).Google Scholar
Wolf, Lo, , supra note 1, at 5 (explaining the obligations stem from the ethical principles of beneficence, which require researchers to minimize risks, and respect for persons); see also 45 C.F.R. §§ 46.111(a)(1), (a)(7) (2013), which explicitly obligates researchers to minimize risk and, “when appropriate,” to maintain confidentiality of data and the privacy of subjects).Google Scholar
See, e.g., Farnsworth v. Procter & Gamble Co., 758 F.2d 1545, 1546–47 (1985) (detailing that industry sought data from Toxic Shock Syndrome studies for use in products liability action); Deitchman v. E.R. Squibb & Sons, Inc., 740 F.2d 556, 557–58 (1984) (detailing that industry sought data from cancer registry in connection with products liability action relating to use of diethylstilbestrol (DES). See also, Confidentiality Order Re WHI Study Data, In re PremPro Products Liability Litigation, No. 4:03-CV-01507-WRW (E.D. Ark. Feb. 1, 2005); Order Re: Motion to Quash Subpoenas Re Yale Study's Hospital Records, In re Phenylpropanolamine Products Liability Litigation, No. 1407 (W.D. Wash. Aug. 19, 2002). These requests may include request for identifiable data, even if not necessary. See Skolnick, A. A., “Burning Mad Tobacco Industry Turns Heat on Major News Media,” Science Writers: Newsletter of the National Association of Science Writers (Berkeley, Cal.), Summer 1994, available at <http://www.aaskolnick.com/naswtob.htm> (last visited September 9, 2015); Barinaga, M., “Who Controls a Researcher's Files,” Science 256, no. 5064 (1992): 16201621, at 1620. Concern about the impact of such requests on researchers led to changes to the Georgia evidence law Ga. Code Ann. § 24–122 (2011).Google Scholar
Jaschik, S., “Oral History, Unprotected,” Inside Higher Education, July 5, 2011, available at <https://www.insidehighered.com/news/2011/07/05/federal_government_questions_confidentiality_of_oral_history> (last visited September 15, 2015) (referring to Boston College oral history project on the Northern Ireland “troubles” as a prime example where interest in the data is unsurprising. The interviews were sought in connection with an unsolved murder suspected of being committed by Irish Republic Army members). Another well-known example is that of sociologist Rick Scarce, who conducted research on the Animal Liberation Front, which subsequently claimed responsibility for a break-in at Washington State University research labs. Prosecutors sought his data for use in the criminal case. When Scarce refused to provide it, he was placed in jail for contempt of court. Marshall, E., “Court Orders ‘Sharing’ of Data,” Science 261, no. 5119 (1993): 284286, at 285. See also Gray, J. N. Lyons, P. H. Melton, G. B., Ethical and Legal Issues in AIDS Research (Baltimore, MD: The Johns Hopkins University Press, 1995): At 13–17, 63–68 (explaining that HIV researchers have long been cognizant that the research they conduct could put their participants at risk of criminal prosecution based on their sexual or drug-using behaviors).Google Scholar
Wolf, L. E. et al. , “Certificates of Confidentiality: Legal Counsels' Experiences with and Perspectives on Legal Demands for Research Data,” Journal of Empirical Research on Human Research Ethics 7, no. 4 (2012): 19, at 3 (providing an example of demographic data, including income, that might be sought for custody and child support purposes).CrossRefGoogle Scholar
See Wolf, Lo, , supra note 1, at 5.Google Scholar
42 U.S.C. § 241(d) (2006).Google Scholar
Beskow, L. M. et al. , “Institutional Review Boards' Use and Understanding of Certificates of Confidentiality,” Public Library of Science One 7, no. 9 (September 4, 2012): 110, at 1.Google Scholar
See Basic IRB Review, in Penslar, R. L., Institutional Review Board Guidebook (Department of Health and Human Services Office for Protection from Research Risks, 1993), available at <http://www.hhs.gov/ohrp/archive/irb/irb_guidebook.htm> (last accessed September 9, 2015) (“IRBs should determine the adequacy of the provisions to protect the privacy of subjects and to maintain the confidentiality of the data and, where the subjects are likely to be members of a vulnerable population (e.g., mentally disabled), determine that appropriate additional safeguards are in place to protect the rights and welfare of these subjects.”); see also Wolf, Lo, , supra note 1, at 5 (describing the legal and ethical bases for the obligation to maintain confidentiality).Google Scholar
See Wolf, Lo, , supra note 1, at 5.Google Scholar
45 C.F.R. § 46.101 (2013) The Department of Health and Human Services (HHS) regulations governing the conduct of research involving human subjects research apply to research that is funded through that department, including the National Institutes of Health (NIH) and the Centers for Disease Control and Prevention (CDC), which together support the greatest amount of federally funded research. Another 17 agencies have agreed to abide by these regulations for their research. Accordingly, the HHS regulations are referred to as the “Common Rule.” Department of Health and Human Services, “Federal Policy for the Protection of Human Subjects (‘Common Rule’),” available at <http://www.hhs.gov/ohrp/humansubjects/commonrule/index.html> (last visited September 9, 2015); see also 21 C.F.R. §§ 50, 56 (2013) (Food and Drug Administration (FDA) regulations that are substantially similar to the Common Rule). For a comparison between these regulations, see U. S. Food and Drug Administration, Comparison of FDA and HHS Human Subjects Protection Regulations, available at <http://www.fda.gov/ScienceResearch/SpecialTopics/RunningClinicalTrials/educationalmaterials/ucm112910.htm> (last visited September 9, 2015).+(last+visited+September+9,+2015);+see+also+21+C.F.R.+§§+50,+56+(2013)+(Food+and+Drug+Administration+(FDA)+regulations+that+are+substantially+similar+to+the+Common+Rule).+For+a+comparison+between+these+regulations,+see+U.+S.+Food+and+Drug+Administration,+Comparison+of+FDA+and+HHS+Human+Subjects+Protection+Regulations,+available+at++(last+visited+September+9,+2015).>Google Scholar
Common Rule, 45 C.F.R. § 46.111(a)(7).Google Scholar
Common Rule, 45 C.F.R. § 46.111(a)(1).Google Scholar
Common Rule, 45 C.F.R. § 46.101(b)(4).Google Scholar
See, e.g., Basic IRB Review, supra note 9 (discussing expectations of privacy and confidentiality in biomedical research compared to social/behavioral research).Google Scholar
Wolf, Lo, , supra note 1, at 4.Google Scholar
Basic IRB Review, supra note 9 (regarding “Privacy and Confidentiality.”).Google Scholar
Wolf, Lo, , supra note 1, at 5.Google Scholar
Comprehensive Drug Abuse Prevention and Control Act of 1970, Pub. L. No. 91–513, 84 Stat. 1236, 1241 (1970). This Act also granted the Attorney General similar authority. In practice, DOJ appears to rely on the protections afforded under 42 U.S.C. § 3789g for research it oversees or funds, as described more fully below.Google Scholar
Comprehensive Narcotic Addiction and Drug Abuse Care and Control Act of 1969: Hearings on S. 2608, S. 2637, S. 1816, S. 1895, H.R. 11701, and H.R. 10342 Before the Special Subcommittee on Alcohol and Narcotics of the S. Comm. on Labor and Public Welfare, 91st Cong. 93, 98 (1969).Google Scholar
Id., at 98.Google Scholar
In 1974, the range of research eligible for protection was broadened from research on “the use and effect of drugs” to research on “mental health, including research on the use and effect of alcohol and other psychoactive drugs.” Comprehensive Alcohol Abuse and Alcoholism Prevention, Treatment, and Rehabilitation Act Amendments of 1974, Pub. L. 93–282, 88 Stat. 125, 132–33 (1974). In 1988, the law re-designated the Certificate authorization language (among others) to 42 U.S.C. § 241(d) while simultaneously broadening the protections to all types of research methods and any research topic where breach of confidentiality of individual information could harm that individual. Health Omnibus Programs Extension of 1988, Pub. L. 100–607, 102 Stat. 3048 (1988).Google Scholar
42 U.S.C. § 241(d) (2012).Google Scholar
42 U.S.C. § 241(d) (2012); and 21 U.S.C. § 872(c) (2012). The NIH website on Certificates of Confidentiality recognizes the broad range of research that may collect sensitive, identifiable research data including research on: “HIV, AIDS and other STDS…sexual attitudes, preferences, or practices…use of alcohol, drugs, or other addictive products…illegal conduct…information that if released could be damaging to a participant's financial standing, employability, or reputation within the community…information that might lead to social stigmatization or discrimination if it were disclosed…psychological well being or mental health…[g]enetic studies, including those that collect and store biological samples for future use; [and]… behavioral interventions and epidemiologic studies.” Office of Extramural Research, National Institutes of Health, Frequently Asked Questions (FAQs) on Certificates of Confidentiality, #C3 (last revised June 20, 2011), available at <http://grants.nih.gov/grants/policy/coc/faqs.htm> (last visited September 9, 2015). (last visited September 9, 2015).' href=https://scholar.google.com/scholar?q=42+U.S.C.+§+241(d)+(2012);+and+21+U.S.C.+§+872(c)+(2012).+The+NIH+website+on+Certificates+of+Confidentiality+recognizes+the+broad+range+of+research+that+may+collect+sensitive,+identifiable+research+data+including+research+on:+“HIV,+AIDS+and+other+STDS…sexual+attitudes,+preferences,+or+practices…use+of+alcohol,+drugs,+or+other+addictive+products…illegal+conduct…information+that+if+released+could+be+damaging+to+a+participant's+financial+standing,+employability,+or+reputation+within+the+community…information+that+might+lead+to+social+stigmatization+or+discrimination+if+it+were+disclosed…psychological+well+being+or+mental+health…[g]enetic+studies,+including+those+that+collect+and+store+biological+samples+for+future+use;+[and]…+behavioral+interventions+and+epidemiologic+studies.”+Office+of+Extramural+Research,+National+Institutes+of+Health,+Frequently+Asked+Questions+(FAQs)+on+Certificates+of+Confidentiality,+#C3+(last+revised+June+20,+2011),+available+at++(last+visited+September+9,+2015).>Google Scholar
See Protection of Identity – Research Subjects, 42 C.F.R. § 2a (2013) These regulations have been unchanged since 1979 and, thus, do not reflect the full scope of the research that is eligible for protection.Google Scholar
42 C.F.R. § 2a.2(g) (2013).Google Scholar
42 C.F.R. §§ 2a.1, 2a.3 (2013). The regulations, which have not been modified since 1979, refer to NIH institutes, although other parts of HHS, such as the CDC, issue Certificates.Google Scholar
See 42 C.F.R. § 2a.4 (2013). (The application must to include a “specific request, signed by the individual primarily responsible for the conduct of the research, for authority to withhold the names and other identifying characteristics of the research subjects and the reasons supporting such request.”) 42 C.F.R. § 2a.4(f) (2013).Google Scholar
42 C.F.R. § 2a.4(j) (2013).Google Scholar
42 C.F.R. § 2a.4(j)(4) (2013).Google Scholar
U.S. Department of Health and Human Services, National Institutes of Health, Certificates of Confidentiality Kiosk, Certificates of Confidentiality: Detailed Application Instructions for Certificate of Confidentiality: Extramural Research Projects, available at <http://grants.nih.gov/grants/policy/coc/appl_extramural.htm> (last visited September 11, 2015).+(last+visited+September+11,+2015).>Google Scholar
See Wright, C. A. Miller, A. R. et al. , Federal Practice and Procedure §3914.23, 2nd ed. (St. Paul, MN: Thomson West, 2012) (describing the lack of finality of most discovery orders and, thus, the inability to get judicial review of them).Google Scholar
People v. Newman, 298 N.E.2d 651 (N.Y. 1973).Google Scholar
Beskow, L. M. Dame, L. Costello, E. J., “Certificates of Confidentiality and Compelled Disclosure of Data,” Science 322, no. 5904 (2008): 10541055.CrossRefGoogle Scholar
Newman, 298 N.E.2d at 653.Google Scholar
Newman, 298 N.E.2d at 653; see also People v. Newman, 336 N.Y.S.2d 127, 129 (App. Div. 1972).Google Scholar
Newman, 298 N.E.2d. at 654. Dr. Newman also claimed state law physician-patient privilege protected the photographs, a claim the Court quickly rejected because the photographs were collected for administrative, rather than treatment purposes. Id., at 653.Google Scholar
Newman, 298 N.E.2d at 654. Unlike the absolute protections under the 1970 Act, 21 U.S.C. §1175 under the 1972 Act provided drug treatment records were confidential, but permitted disclosure for purposes outlined in the statute, including disclosure based upon a court order after a showing of good cause. 21 U.S.C. § 1175 (1976).Google Scholar
Newman, 298 N.E.2d. at 654.Google Scholar
Newman, 298 N.E.2d at 655–56. Accord, State v. White, 363 A.2d 143, 151–52 (Conn. 1975) (distinguishing between the absolute confidentiality of the 1970 Act compared to the qualified confidentiality of the 1972 Act). In contrast, the 1972 Act “covered a wide range of programs and activities (‘drug abuse prevention functions’) in which absolute confidentiality was not regarded as a prerequisite to the successful operation of the programs,” the confidentiality requirements were necessarily different from those in the 1970 Act. Newman, 298 N.E.2d at 656.Google Scholar
People v. Still, 369 N.Y.S.2d 759 (App. Div. 1975).Google Scholar
Still, 369 N.Y.S.2d at 762.Google Scholar
Still, 369 N.Y.S.2d. at 763.Google Scholar
Still, 369 N.Y.S.2d. at 765.Google Scholar
North Carolina v. Bradley, 634 S.E.2d 258 (N.C. Ct. App. 2006).Google Scholar
Bradley, 634 S.E.2d at 260. The protective order was issued after an initial order to produce the documents, which would have permitted the study documents “to be read by the state's chief investigating officer, the witness, the District Attorney's office staff, the defendant and his wife, the Public Defender's office staff, the Assistant Public Defender, and any expert the defendant or state might consult.” See Beskow, et al. , supra note 34, at 1054. Additionally, the trial judge had no prior experience with Certificates and, like the appellate court, focused first on whether the defendant had met a burden to demonstrate a need for the documents. Id.Google Scholar
Bradley, 634 S.E.2d at 260.Google Scholar
Bradley, 634 S.E.2d at 261.Google Scholar
Bradley, 634 S.E.2d at 261.Google Scholar
According to the court, the matters potentially contained in the Duke records were “at best tangential” to the case and, thus, could not have been used by Bradley to impeach his granddaughter, even if there were evidence of inconsistent statements. Bradley, 634 S.E.2d at 262–63.Google Scholar
Bradley, 634 S.E.2d at 262.Google Scholar
Beskow, , supra note 34.Google Scholar
Order Granting Defendant Philip Morris' Motion to Compel Production of Documents in Response to Subpoena Duces Tecum; Protective Order, Murphy v. Philip Morris Inc., No. CV 99–7155-RAP (JWJx) (C.D. Cal. Mar. 17, 2000).Google Scholar
Philip Morris Order at 4.Google Scholar
Philip Morris Order at 5 (citing 45 C.F.R. § 46.116(a)(1)–(5) (part of the Common Rule) and 42 U.S.C. § 241(d) (the Certificate authorizing statute)).Google Scholar
Philip Morris Order at 4–5.Google Scholar
As one of several arguments, USC's counsel asserted that “45 C.F.R. Section 46.116(a)(1)–(5) [part of the consent sections of the Common Rule], coupled with 42 U.S.C. 241(d), set the minimum federal privacy requirements that must be observed” and then went on to quote the Certificate statutory language. Opposition of Third Party University of Southern California to Defendant Philip Morris' Motion to Compel Production of Documents in Response to Subpoena Duces Tecum to Records Custodian and/or to Dr. Anna Wu, Murphy v. Philip Morris Inc., No. 99–07155 CM (JWJx) (C.D. Cal. Aug. 26, 1999) at 20 (on file with author). To understand the reference, we obtained court documents relating to the motion to compel from the National Archive in Southern California. These documents are available from the authors.Google Scholar
A review of papers filed in opposition to the motion reinforces that this is a misunderstanding. These quote portions of the consent form referring to general confidentiality promises, but no reference to the NIH-required Certificate language. The quoted sections are consistent with the language in the California Department of Health consent forms attached to its opposition to the motion to compel (on file with the authors), as well as Dr. Wu's description of the consent process in the study during the hearing before the Honorable Jeffrey W. Johnson (on file with the authors).Google Scholar
Reported cases are those cases that are published out a particular jurisdiction or court. Appellate cases are typically published, whereas trial court decisions often are not. (The federal district courts publish select decisions in official reporters.) Reported cases form precedent that may be followed by other courts. See “Introduction to Legal Research: Judicial Branch (case law),” available at <http://libguides.law.gsu.edu/content.php?pid=154797&sid=1312331> (last visited September 11, 2015). However, sometimes non-reported decisions may be collected, particularly in the electronic age. While these decisions have less precedential value than reported cases, they may be useful to courts in making decisions, particularly on topics for which there is little precedent.+(last+visited+September+11,+2015).+However,+sometimes+non-reported+decisions+may+be+collected,+particularly+in+the+electronic+age.+While+these+decisions+have+less+precedential+value+than+reported+cases,+they+may+be+useful+to+courts+in+making+decisions,+particularly+on+topics+for+which+there+is+little+precedent.>Google Scholar
To identify cases that have not reached the appellate level, we searched the “All Federal and State Briefs and Motions, Combined” database on Lexis and “Trial Motions” database on Westlaw for all cases that referred to the Certificate statute, regulations, or key words “Certificate” and “confidentiality” in close proximity. We note that neither of these databases is comprehensive. We also conducted searches on Google for additional cases, using similar approaches. If we identified a case through these means, but did not find relevant documents (e.g., moving papers or order), we sought to obtain those documents through appropriate sources, including the PACER database for federal cases, on-line state databases, and contacting the state court.Google Scholar
Order Re: Motion to Quash Subpoenas Re Yale Study's Hospital Records, In re Phenylpropanolamine (PPA) Products Liability Litigation, No. 1407 (W.D. Wash. Aug. 19, 2002); Confidentiality Order Re WHI Study Data, In re PremPro Products Liability Litigation, No. 4:03-CV-01507-WRW (E.D. Ark. Feb. 1, 2005).Google Scholar
Dummit v. CSX Transport., Inc., No. 01-C-145 (Cir. Ct. W. Va. Nov. 21, 2006) (on file with author).Google Scholar
PremPro and PPA. PPA Order, supra note 61, at 2, Memorandum in Opposition to Wyeth's Motion to Compel and Motion for Protective Order Re Production of Records by Fred Hutchinson Cancer Research Center, a Non-Party Witness, In re PremPro Products Liability Litigation, No. 4:03-CV-01507-WRW (E.D. Ark. Nov. 30, 2004), at 7–8.Google Scholar
In the CSX case, the parties came to the hearing on the motion to compel having reached an agreementGoogle Scholar
PremPro Order, supra note note 61, at 1; Transcript of Hearing on Motion to Quash/Motion for Protective Order at 3, Dummit v. CSX Transportation, Inc., 01-C-145 (Cir. Ct. W. Va. Dec. 7, 2006) (on file with author).Google Scholar
Louisville Branch–Nat'l Ass'n for the Advancement of Colored People, 06-ORD-094 Op. Ky. Att'y Gen. (2006)(open records decision).Google Scholar
Louisville, , supra note 66, at 1–2. The results of the study were reported in “Racial Fairness in Sentencing: A Case Study of Selected Crimes in Jefferson County.”Google Scholar
Louisville, , supra note 66, at 11.Google Scholar
The NIH defines “identifying” as “any other item or combination of data about a research participant which could reasonably lead, directly or indirectly by reference to other information, to identification of that research subject.” Louisville, supra note 66, at 12. See also Certificate FAQs, supra note 24, at B2.Google Scholar
Memorandum of Decision on Motion to Quash, Connecticut Superior Court for Juvenile Matters (Jud. Dist. Hartford July 1, 2003).Google Scholar
Id., at 9.Google Scholar
Id., at 10.Google Scholar
Id., at 16. Of course, the researchers recognized the interest in protecting the children by contacting the Department about their concerns. Although we do not have access to the consent form in this case, researchers who obtain a Certificate are required to include any circumstances in which they will reveal identifiable information in the consent form. 42 C.F.R. § 2a.4(j) (2013). See also the sample consent language in United States Department of Health & Human Services, “National Institutes of Health, Detailed Application Instructions for Certificate of Confidentiality: Extramural Research Projects,” available at <http://grants.nih.gov/grants/policy/coc/appl_extramural.htm> (last updated January 16, 2014) (last visited September 11, 2015). In doing so, they typically indicate that they will reveal information about the abuse, but not everything that they have learned about the participant through the study. See, e.g., University of California San Francisco Committee on Human Research, Consent Process–Certificate of Confidentiality, available at <http://www.research.ucsf.edu/chr/Recruit/chrConsentCertConf.asp> (last updated April 23, 2013) (last visited September 11, 2015).+(last+updated+January+16,+2014)+(last+visited+September+11,+2015).+In+doing+so,+they+typically+indicate+that+they+will+reveal+information+about+the+abuse,+but+not+everything+that+they+have+learned+about+the+participant+through+the+study.+See,+e.g.,+University+of+California+San+Francisco+Committee+on+Human+Research,+Consent+Process–Certificate+of+Confidentiality,+available+at++(last+updated+April+23,+2013)+(last+visited+September+11,+2015).>Google Scholar
It is not clear from the Juvenile Court's decision whether the Department sought access to records beyond the four children over whom the Department had temporary custody. Unfortunately, we do not have access to the parties' papers to answer this question.Google Scholar
Juvenile Court decision, supra note 70, at 17.Google Scholar
Wolf, , supra note 5.Google Scholar
Wolf, , supra note 5. The results are based on semi-structured interviews with 24 institutional legal counsel.Google Scholar
Wolf, , supra note 5, at 3.Google Scholar
This is what happened in the PPA, supra note 61, Prempro, , supra note 61, and CSX, supra note 62, cases, as well as in cases described by counsel in our interviews. As described in these cases, a protective order typically was also issued with additional confidentiality obligations, such as limiting access to the data and promising not to reidentify subjects using other available data. However, such protections may not always be sufficient. One counsel in our interviews described a circumstance in which research data (not protected by a Certificate) was ordered produced in a deidentified form, but where the counsel felt deidentification was not truly feasible because of the small number of subject (under 20) and the specificity of the data collected (unpublished data). Wolf, , supra note 5.Google Scholar
In our interviews with legal counsel, one respondent described learning that the Certificate protects only identifiable data, “contrary to some people's assumptions.” Wolf, , supra note 5, at 4. Some IRB Chairs reflected the assumption that the Certificate protected all data, with one describing a researcher with a Certificate as being “free of the obligation to deliver data in a lawsuit.” Beskow, , supra note 8, at 5.Google Scholar
Wolf, , supra note 5, at 3. This lack of familiarity may explain counsel's reliance on the Certificate as a general confidentiality obligation in the Philip Morris case and the court's perpetuation of this error.Google Scholar
Id.Google Scholar
People v. Still, 369 N.Y.S.2d at 761 (App. Div. 1975).Google Scholar
Id., at 765.Google Scholar
Juvenile Court decision, supra note 70, at 11.Google Scholar
Id., at 1.Google Scholar
U.S. Department of Health & Human Services, National Institutes of Health, “Reporting of Communicable Diseases Policy,” August 9, 1991, available at <http://grants.nih.gov/grants/policy/coc/cd_policy.htm> (last visited September 11, 2015). Certificate FAQs, supra note 24, at A4. Researchers and institutions have disputed the NIH's description of such disclosures as “voluntary”. Wolf, , supra note 5, at 5.+(last+visited+September+11,+2015).+Certificate+FAQs,+supra+note+24,+at+A4.+Researchers+and+institutions+have+disputed+the+NIH's+description+of+such+disclosures+as+“voluntary”.+Wolf,+,+supra+note+5,+at+5.>Google Scholar
Juvenile Court decision, supra note 70, at 10.Google Scholar
Certificate FAQs, supra note 24, at B1.Google Scholar
Id., at B2 (emphasis added).Google Scholar
Juvenile Court decision, supra note 70, at 1, 9.Google Scholar
42 U.S.C. § 3789g(a) (2010). Importantly, the statute provides: “Such information and copies thereof shall be immune from legal process, and shall not, without the consent of the person furnishing such information, be admitted as evidence or used for any purpose in any action, suit, or other judicial, legislative, or administrative proceedings.” There have been few cases interpreting the protections, although there are several Ohio cases affirming withholding records because of the statute's protections. See, e.g., State ex rel. Multimedia, Inc. v. Snowden, 647 N.E.2d 1374 (Ohio 1995); State ex rel. Johnson v. City of Cleveland, 603 N.E.2d 1011 (Ohio 1992). But cf. State ex rel. Attorney Gen.v. First Judicial Dist. Court, 629 P.2d 330 (N.M.1981) (documents were not protected because the federal funds were awarded only after investigation was completed).Google Scholar
42 U.S.C. §299c-3(c) (2010). Similar to the DOJ version, the AHRQ statute provides that “Such information may not be published or released in other form if the person who supplied the information or who is described in it is identifiable unless such person has consented (as determined under regulations of the Director) to its publication or release in other form.”Google Scholar
42 U.S.C. § 242m (2010). The CDC statutory protection is essentially the same as the AHRQ statute.Google Scholar
Other federal departments and agencies may offer similar protections, but we have identified these three because two (the DOJ and AHRQ) are mentioned in the frequently asked questions on the NIH Certificate Kiosk. FAQs on Certificates, supra note 24, and the third (CDC) is mentioned in connection with the AHRQ statute. For a more in depth discussion of these statutes, see Wolf, L. E. et al. , “Certificates of Confidentiality: Protecting Human Subject Research Data in Law and Practice,” Minnesota Journal of Law, Science & Technology 14, no. 1 (2013): 1187.Google Scholar
For example, the DOJ statute says no one to whom it applies “shall reveal any research or statistical information” when a person is identifiable, 42 U.S.C. § 3789g; the AHRQ and CDC statutes say that “no information…may be used” when an individual is identifiable 42 U.S.C. 299c-3 and 42 U.S.C. § 242m. Contrast the Certificate statute, which refers to “withholding of names or other identifying characteristics.” 42 U.S.C. § 241(d).Google Scholar
Memorandum from Susan Greene Merewitz, Senior Attorney, Agency for Healthcare Research & Quality, to Nancy Foster, Coordinator for Quality Activities, Agency for Healthcare Research & Quality (April 16, 2001), available at <http://www.ahrq.gov/fund/datamemo.htm> (last visited September 11, 2015).+(last+visited+September+11,+2015).>Google Scholar
Memorandum, Merewitz, supra note 97.Google Scholar
Id.Google Scholar
Id. In describing what CDC has done, the memorandum points to Farnsworth v. Procter & Gamble Co., 758 F.3d 1545 (1985), in which the CDC provided deidentified data from its studies on toxic shock to Procter and Gamble and offered to seek permission to share the data from research participants. But it also notes “statutory confidentiality was not before the court.” Fn. 3.Google Scholar
MD. Code. Ann., Health-General § 4–102(a), 72 (LexisNexis 2009) (protecting records from research conducted by the state Drug Abuse Administration, the AIDS Administration, or the Secretary of Health); N.D. Cent. Code § 23-01-15(1) (2012). This statute explicitly states such data are inadmissible. N.D. Cent. Code § 23-01-15(2) (2012) (protecting research data collected by or on behalf of the state department of health and explicating stating such data is inadmissible); S.D. Codified Laws § 34-14-1 (2011) (protecting research data procured by the Department of Health, South Dakota State Medical Association, allied medical societies, or in-hospital staff committees of accredited hospitals and explicitly stating such data are inadmissible); Wash. Rev. Code Ann. § 42.48.040 (West 2006)(generally protecting state research records, although with exceptions for consent, to avert harm, or per court order when the case involves research injury); Ga. Code Ann. § 24-12-2(a) (West 2011) (applying to “raw” research data generally, although there are several exceptions, particularly for criminal defendants).Google Scholar
Haw. Rev. Stat. § 324–13 (West 2008).CrossRefGoogle Scholar
Cal. Health & Safety Code § 121075 (West 2012).Google Scholar
Ark. Code. Ann. § 20-35-103 (LexisNexis 2005); Okla. Stat. tit. 36, § 3614.4 (2011).Google Scholar
On the other hand, some state statutes may be less protective than the Certificate. For example, Georgia's statute appears to eliminate participants‘ protections when researchers’ act as experts and in the context of all criminal proceedings. Ga. Code Ann. § 24-12-2 (West 2011).Google Scholar
MD. Code. Ann., Health-General § 4–101, 72 (LexisNexis 2009); N.D. Cent. Code § 23-01-15 (2012); S.D. Codified Laws § 34-14-1 (2011).Google Scholar
MD. Code. Ann., Health-General § 4–101, 72 (LexisNexis 2009); N.D. Cent. Code § 23-01-15 (2012); S.D. Codified Laws § 34-14-1 (2011).Google Scholar
Ark. Code. Ann. § 20-35-103 (LexisNexis 2005); Okla. Stat. tit. 36, § 3614.4 (2011).Google Scholar
For a more in-depth discussion of how to address subpoenas for scholarly research, see Traynor, M., “Countering the Excessive Subpoena for Scholarly Research,” Law & Contemporary Problems 59, no. 3 (1996): 119148.Google Scholar
Traynor, , supra note 109, at 126. See also Fed. R. Civ. Pro. 45; Wright, C.A. et al. , 9A Federal Practice & Procedure Civil § 2007 (3d ed. 2012).Google Scholar
Traynor, , supra note 109, at 126.Google Scholar
Id., at 131–134.Google Scholar
Id., at 128–131. See Cusumano v. Microsoft Corp., 162 F.3d 708 (1st Cir. 1998)(court concluded that “[a]cademicians engaged in pre-publication research should be accorded protection commensurate to that which the law provides for journalists.” at 714)Google Scholar
Beskow, , supra note 8; Wolf, , supra note 5; U.S. Department of Health and Human Services, Secretary's Advisory Committee on Human Research Protections (SACHRP), “Final Recommendation: Certificates of Confidentiality (COCs) (Approved March 13, 2014),” available at <www.hhs.gov/ohrp/sachrp/mtgings/mtg03–14/cocrecommendations.html> (last visited September 11, 2015). (last visited September 11, 2015).' href=https://scholar.google.com/scholar?q=Beskow,+,+supra+note+8;+Wolf,+,+supra+note+5;+U.S.+Department+of+Health+and+Human+Services,+Secretary's+Advisory+Committee+on+Human+Research+Protections+(SACHRP),+“Final+Recommendation:+Certificates+of+Confidentiality+(COCs)+(Approved+March+13,+2014),”+available+at++(last+visited+September+11,+2015).>Google Scholar
We are assuming that strengthening the Certificate's protection is desirable, given Congress's expansion of the Certificate as a research tool since 1970, the NIH's decision to encourage increased use of Certificates, and the support we have heard from researchers, IRB Chairs, and legal counsel. See Wolf, L. E. et al. , “The Certificate of Confidentiality Application: A View from the NIH Institutes,” IRB 26, no. 1 (2004): 1418, at 14; Wolf, et al. , supra note 5, at 6; Beskow, , supra note 8, at 9; Wolf, L. E. Zandecki, J., “Sleeping Better at Night: Investigators' Experiences with Certificates of Confidentiality,” IRB 28, no. 6 (2006): 1–8, at 4–8; Wolf, et al. , supra note 95, at 82.Google Scholar
SACHRP Final Recommendations, supra note 114. SACHRP also makes some administrative recommendations that we do not address.Google Scholar
Beskow, , supra note 8, at 9.Google Scholar
Id.Google Scholar
SACHRP Final Recommendations, supra note 114. We have previously recommended that IRBs evaluate the data security plan, including Certificates, and training in protecting confidentiality of research data as part of their protocol review. Wolf, et al. , supra note 5, at 7.Google Scholar
Wolf, et al. , supra note 95, at 74. In the Bradley case, Duke took this approach by fighting the subpoena without indicating whether the witness was, in fact, a research participant in the study from which data was sought. Beskow, , supra, note 34, at 1054. We recognize, however, that fighting a subpoena for data protected by a Certificate may be interpreted as confirmation of participation.Google Scholar
Wolf, , supra note 8, at 8.Google Scholar
Id.Google Scholar
Id., at 7.Google Scholar
See Wolf, , supra note 95 for a fuller discussion of our legal analyses regarding Certificates.Google Scholar
SACHRP Final Recommendations, supra note 114.Google Scholar
Wolf, , supra note 95, at 8286.Google Scholar
Ohm, P., “Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization,” University of California Los Angeles Law Review 57 (2010): 17011776, at 1704. Ohm argues that “[d]ata can be either useful or perfectly anonymous, but never both.” Id.Google Scholar
Sweeney, L., “Simple Demographics Often Identify People Uniquely” (Carnagie Mellon Univ., Data Privacy Working Paper No. 3, 2000), available at <http://impcenter.org/wpcontent/uploads/2013/09/Simple-Demographics-Often-Identify-People-Uniquely.pdf> (last visited September 11, 2015) (demonstrated that she could identify 87% of individuals by combining three simple identifiers: Five-digit ZIP code, birth date (including year), and sex). Sweeney, L., “k-Anoymity: A Model for Protecting Privacy,” International Journal of Uncertainty, Fuzziness and Knowledge-Based Systems 10, no. 5 (2002): 557570, at 558–559. Narayanan, A. Shmatikov, V., “How to Break the Anonymity of the Netflix Prize Data-set,” arVix website, October 16, 2006, available at <http://arxiv.org/abs/cs/0610105> (last visited September 12, 2015). See generally Gellman, R., “The Deidentification Dilemma: A Legislative and Contractual Proposal,” Fordham Intellectual Property, Media and Entertainment Law Journal 21, no. 1 (2010): 33–61, at 37; Ohm, , supra note 127, at 1716–1722; Schwartz, P. M. Solove, D. J., “The PII Problem: Privacy and a New Concept of Personally Identifiable Information,” New York University Law Review 86, no. 6 (2011): 1814–1894, at 1836–1843; Yakowitz, J., “Tragedy of the Data Commons,” Harvard Journal of Law and Technology 25, no. 1 (2011): 1–67, at 31–33, 39–41. While these are not human subjects research data, they are useful for understanding the challenges to deidentification in light of today's technology and widely accessible information.Google Scholar
Amending the statute would provide an additional opportunity to consider whether there are better ways to structure the Certificate's protections. For example, some of the other federal statutes and many of the state statutes provide coverage to research generally without requiring an application, and some provide a broader spectrum of coverage to the data. These features may be worth considering as an alternative to the current Certificate approach. SACHRP has similarly recommended changes through the statutory and regulatory processes. Specifically, it recommends allowing researchers the right to refuse to provide deidentified data when reidentification is possible. It also suggests new regulations could provide greater clarity on what is protected by a Certificate. SACHRP Final Recommendation, supra note 114.Google Scholar
In 2011, the Department of Health and Human Services issued an advance notice of proposed rule-making concerning proposed changes to the federal regulations governing human subjects research. Human Subjects Research Protections, “Enhancing Protections for Research Subjects and Reducing Burden, Delay, and Ambiguity for Investigators,” Federal Register 76 (Jul. 26, 2011): 44512 (to be codified at 45 C.F.R. pts. 46, 160, and 164 and 21 C.F.R. pts. 50 and 56). Despite significant attention within the research community, and tens of thousands of responses, it is unclear at this point whether any changes will in fact be made to the regulations.Google Scholar
See Chevron v. Natural Resources Defense Council, 467 U.S. 837, 843–44 (1984) (holding that courts must defer to an agency's reasonable statutory interpretation where Congress has made an implicit agency delegation). In Chevron, the Court reviewed an E.P.A. regulation allowing a state to define the term “stationary source” to include an entire plant, rather than a particular pollution-emitting device. The regulation had been promulgated according to formal procedures and published in the Code of Federal Regulations. Id., at 840–41, 853, 855.Google Scholar
United States v. Mead Corp., 533 U.S. 218, 241 (2001). The Court has ruled that “interpretive rules…enjoy no Chevron status as a class.” Id., at 232. However, guidance documents are entitled to Skidmore deference. Christensen v. Harris County, 529 U.S. 576, 585–87 (2000) (relying on cases in which Skidmore deference was used for guidance documents).Google Scholar
U.S. Department of Health and Human Services, National Institutes of Health, “Certificates of Confidentiality Kiosk,” available at <http://grants.nih.gov/grants/policy/coc/> (last updated May 14, 2014) (last visited September 11, 2015).+(last+updated+May+14,+2014)+(last+visited+September+11,+2015).>Google Scholar
While the current guidance is issued by NIH, it is not clear whether this is done with official delegated authority that would make it more likely that it would receive Skidmore deference. The Certificate implementing statute grants authority only to the Secretary of HHS, although the regulation defines “secretary” as “the Secretary of Health and Human Services and any other officer or employee of the Department of Health and Human Services to whom the authority involved has been delegated.” 42 U.S.C. § 241(d); 42 C.F.R. § 2a.2(a). This suggests that the Secretary could delegate authority to someone within NIH knowledgeable about Certificates. Such delegation is consistent with the General Administration Manual, which outlines agency policy whereby an organization within the agency may request a written delegation of authority from the Secretary by written request outlining the legal authority upon which the Secretary may delegate. See e.g., U.S. Department of Health & Human Services, General Administration Manual § 8-101-20(A) (2006), available at <http://web.archive.org/web/20120707192340/http://www.hhs.gov/hhsmanuals/administration.pdf> (last visited September 15, 2015). Generally, the legal authority exists unless specifically prohibited by statute. Id.+(last+visited+September+15,+2015).+Generally,+the+legal+authority+exists+unless+specifically+prohibited+by+statute.+Id.>Google Scholar
NIH already provides important information about Certificates through the Certificate kiosk, which we rely on frequently in our own work. Certificates of Confidentiality Kiosk, supra note 133. We are aware that the NIH has worked recently to reorganize the information on the website to make it more accessible to users (Personal Communication, Ann Hardy, NIH Certificate of Confidentiality Coordinator (10/27/2011).Google Scholar
While this may be the “easiest” strategy, it does not mean that it is easily accomplished. The internal review process within an agency can be time-consuming and politically sensitive. However, at least it is all within the control of the agency, unlike regulatory or statutory amendments.Google Scholar
Beskow, et al. , supra note 8, at 9.Google Scholar
Check, D. K. et al. , “Certificate of Confidentiality and Informed Consent: Perspectives from IRB Chairs and Institutional Legal Counsel,” IRB: Ethics and Human Research 36, no. 1 (2014): 18, at 6.Google Scholar
Id., at 6.Google Scholar
Beskow, L. M. Check, D. K. Ammarell, N., “Research Participants' Understanding of and Reactions to Certificates of Confidentiality,” American Journal of Bioethics Empirical Bioethics 5, no. 1 (2014): 1222, at 19.Google Scholar