Hostname: page-component-84b7d79bbc-2l2gl Total loading time: 0 Render date: 2024-07-27T12:11:14.791Z Has data issue: false hasContentIssue false
  • English
  • Français

New and Improved? 21st Century Cures Act Revisions to Certificates of Confidentiality

Published online by Cambridge University Press:  06 January 2021

Leslie E. Wolf  and
Laura M. Beskow
Leslie E. Wolf
Affiliation:
Georgia State University College of Law and School of Public Health and Center for Law, Health & Society
Laura M. Beskow
Affiliation:
Vanderbilt University School of Medicine and Center for Biomedical Ethics & Society at Vanderbilt University Medical Center
Get access Rights & Permissions [Opens in a new window]

Abstract

Certificates of Confidentiality (“Certificates”) are a federal legal tool designed to protect sensitive, identifiable research data from compelled disclosure. Congress first authorized their use in 1970 to facilitate research on illegal drug use. The scope of their use was later expanded to cover mental health research and then again to apply broadly to identifiable, sensitive research data, regardless of topic. Certificates can be critical to enabling conduct of essential research on sensitive topics, such as effective interventions to curb the opioid epidemic or reduce HIV transmission among minority youth. Nevertheless, there have been criticisms about Certificates and their use on several grounds. For example, researchers and institutional review boards (“IRBs”) may lack sufficient knowledge about them and, therefore, may not consider using them in studies for which they would be appropriate. In contrast to other protections, such as Department of Justice Privacy Certificates, Certificate protections were not automatically extended to these studies, but instead required an application. In addition, the concept of identifiable data had not kept up with technological changes that may allow for reidentification of data previously considered unidentifiable. Although a researcher who obtained a Certificate could use it to resist a legal demand for identifiable data, little was known about the actual effectiveness of the protection provided.

The 21st Century Cures Act substantially revises the Certificates authorizing statute, and many of the changes are directly responsive to the criticisms that have been raised. Significantly, the Secretary of the Department of Health and Human Services (“HHS”) must issue Certificate protection to federally funded research involving identifiable, sensitive research data, and the National Institutes of Health (“NIH”) will automatically include such protections to research it funds. Non-federally funded researchers can continue to apply for Certificate protection. The definition of identifiable has been expanded to include data “for which there is at least a very small risk” of identification. Certificates will now not only protect against compelled disclosure, but also render protected data inadmissible in legal proceedings without participant consent. In addition, voluntary disclosure is no longer authorized, but there is now a broad exception for disclosure as required by federal, state, and local laws. In this paper, based on our previous research on Certificates, we critically evaluate the 21st Century Cures Act's Certificates revisions and their positive and negative impact on the dual goals of facilitating important, sensitive research while maximally protecting individual research participants.

Type
Articles
Information
American Journal of Law & Medicine , Volume 44 , Issue 2-3: Symposium - The 21st Century Cures Act: A Cure for the 21st Century? , May 2018 , pp. 343 - 358
Copyright
Copyright © American Society of Law, Medicine and Ethics and Boston University 2018

Access options

Get access to the full version of this content by using one of the access options below. (Log in options will check for institutional or personal access. Content may require purchase if you do not have access.)

References

1 Comprehensive Drug Abuse Prevention and Control Act of 1970, Pub. L. No. 91-513, sec. 3(a), § 303(a), 84 Stat. 1236, 1241 (codified at 42 U.S.C. § 242a(a) (1970)) (current version at 42 U.S.C. § 241(d) (2016)).

2 For a discussion of the history of the Comprehensive Drug Abuse Prevention and Control Act, see Leslie E. Wolf et al., Certificates of Confidentiality: Protecting Human Subject Research Data in Law and Practice, 14 Minn. J.L. Sci. & Tech. 11, 20-25 (2013).

3 Id.

4 Comprehensive Drug Abuse Prevention and Control Act, sec. 3(a).

5 For a discussion of the history of the Comprehensive Drug Abuse Prevention and Control Act, see Wolf et al., supra note 2, at 24-25.

6 Comprehensive Alcohol Abuse and Alcoholism Prevention, Treatment, and Rehabilitation Act Amendments of 1974, Pub. L. No. 93-282, sec. 122(b), § 303(a), 88 Stat. 125, 132-33 (codified at 42 U.S.C. § 242a(a) (1974)) (current version at 42 U.S.C. § 241(d) (2016)).

7 Health Omnibus Programs Extension of 1988, Pub. L. No. 100-607, sec 163, § 303(a), 102 Stat. 3048, 3062 (codified at 42 U.S.C. § 241(d) (1988)). This Act redesignated section 303(a) of the Public Health Service Act to section 301(d), moving the Certificate authority from 42 U.S.C. § 242a(a) to 42 U.S.C. § 241(d); see Wolf, supra note 2, at 24.

8 The language, which was in effect from 1988 to 2015, read “[t]he Secretary [of Health and Human Services] may authorize persons engaged in biomedical, behavioral, clinical, or other research (including research on mental health, including research on the use and effect of alcohol and other psychoactive drugs) to protect the privacy of individuals who are the subject of such research by withholding from all persons not connected with the conduct of such research the names or other identifying characteristics of such individuals. Persons so authorized to protect the privacy of such individuals may not be compelled in any Federal, State, or local civil, criminal, administrative, legislative, or other proceedings to identify such individuals.” 42 U.S.C. §§ 201(c), 241(d) (2015).

9 21st Century Cures Act, Pub. L. 114-255, sec. 2012, § 301, 130 Stat. 1033, 1049-50 (2016) (codified at 42 U.S.C. § 241(d) (2016)).

10 Id. § 241(d)(1)(A).

11 Id. § 241(d)(1)(G).

12 National Institutes of Health, NOT-OD-17-109, Notice of Changes to NIH Policy for Issuing Certificates of Confidentiality (2017), https://grants.nih.gov/grants/guide/notice-files/NOT-OD-17-109.html [https://perma.cc/GHX4-BFXC] (effective October 1, 2017) (explaining NIH will provide Certificates automatically to any NIH-funded research in which identifiable information is collected).

13 42 U.S.C. § 241(d)(1)(B).

14 Id. § 241(d)(4). The previous statute referred only to withholding “names or other identifying characteristics,” without defining “identifying characteristics.” Id. § 241(a). The regulations defined “identifying characteristics” as “the name, address, any identifying number, fingerprints, voiceprints, photographs or any other item or combination of data about a research subject which could reasonably lead directly or indirectly by reference to other information to identification of that research subject.” 42 C.F.R. § 2a.2(g) (2011). However, the regulation did not include the “very small” risk of reidentification now included in the statute. Moreover, NIH indicates these regulations now only apply to non-federally-funded research and “only to the extent that the regulations do not conflict with the amended statute.” Frequently Asked Questions (FAQ), Certificates of Confidentiality (CoC) Kiosk, Nat'l Insts. Health, https://humansubjects.nih.gov/coc/faqs [https://perma.cc/RG7H-QG9N] [hereinafter FAQs].

15 The NIH emphasizes this point, noting that “[t]he new statute that governs Certificates of Confidentiality broadened the meaning of sensitive, identifiable information and focuses more directly on identifiability. Identifiable, sensitive information is considered to be information about an individual, gathered or used during the course of biomedical, behavioral, clinical or other research, through which the individual is identified, or there is at least a very small risk that some combination of the information, a request for the information, and other available data sources could be used to determine the identity of the individual. The [Certificates of Confidentiality] defines this as ‘covered information.’ Identifiable, sensitive information includes but is not limited to name, address, social security or other identifying number, and fingerprints, voiceprints, photographs, genetic information, tissue samples, or data fields that when used in combination with other information may lead to identification of an individual.” FAQs, supra note 14.

16 42 U.S.C. § 241(d)(1)(C).

17 Id. § 241(d)(1)(E).

18 Id. § 241(d)(1)(F). Although NIH guidance stated that the Certificates protections continued without end, this was not previously included in the statutory authority.

19 Elonna Ekweani et al., NIH, Address at the Public Responsibility in Medicine and Research, 2017 Advancing Ethical Research Conference: Certificates of Confidentiality (CoC): When, Why and So What? (Nov. 8, 2017) (on file with the author).

20 See 42 U.S.C. § 241(d)(1)(D). This protection is further supported by the addition of language specifying that “[i]dentifiable, sensitive information protected [by a Certificate], and all copies thereof, shall be immune from legal process.” Id. § 241(d)(1)(E).

21 Id. § 241(d).

22 Id. § 241(d)(1)(A)(i).

23 See id. § 241(d)(1)(A)(ii) (stating that the Secretary may issue a certificate of confidentiality if the research is not funded by the federal government).

24 FAQs, supra note 14.

25 The list of research which is eligible for Certificate protection supports this interpretation. Although it mostly refers to the type of research that HHS supports (e.g., “biomedical, behavioral, [and] clinical” research), it includes the unqualified “other research,” rather than limiting it to similar types of research (e.g., by stating “other such research”). See 42 U.S.C. § 241(d)(1)(A).

26 See Sec'y's Advisory Comm. on Human Research Protections, Final Recommendations: Certificates of Confidentiality (COCs), HHS (Mar. 13, 2014), https://www.hhs.gov/ohrp/sachrp-committee/recommendations/2014-july-3-letter-attachment-b/index.html [https://perma.cc/PPU2-A6PW] [hereinafter Final Recommendations]; Wolf, Leslie E., Certificates of Confidentiality: Protecting Human Subject Research Data in Law and Practice, 43 J.L. Med. & Ethics 594, 600-01 (2015)Google Scholar; Wolf et al., supra note 2, at 55-65.

27 Final Recommendations, supra note 26; Wolf et al., supra note 26, at 600-01; Wolf et al., supra note 2, at 55-65.

28 Final Recommendations, supra note 26; see Wolf, Leslie E., The Certificate of Confidentiality Application: A View from the NIH Institutes, 26 IRB: Ethics & Hum. Res. 14, 15-16 (2004)CrossRefGoogle ScholarPubMed; Wolf, Leslie E. & Zandecki, Jolanta, Sleeping Better at Night: Investigators' Experiences with Certificates of Confidentiality, 28 IRB: Ethics & Hum. Res. 1, 4 (2006)Google ScholarPubMed.

29 42 U.S.C. § 241(d)(1)(A).

30 Id.

31 As stated by Petrice Brown-Longenecker, NIH Extramural Human Research Prot. Officer, Presentation at the Public Responsibility in Medicine & Research Advancing Ethical Research Conference, San Antonio, Tex., (Nov. 8, 2017).

32 Non-NIH HHS agencies issue Certificates, including CDC, FDA, HRSA, and SAMHSA. NIH refers researchers funded by those agencies to Certificate coordinators at those agencies to determine how to obtain a Certificate. Researchers funded by other non-NIH HHS and other federal agencies may apply to NIH for a Certificate. Certificates of Confidentiality for Other HHS Funded Research (non-NIH), Nat'l Insts. Health, https://humansubjects.nih.gov/coc/HHS-funded [https://perma.cc/GTQ9-JJ2Y]; Certificates of Confidentiality for Research Funded by Non-HHS Federal Agencies, Nat'l Insts. Health, https://humansubjects.nih.gov/coc/another-FedDep, [https://perma.cc/LB25-DFZ4]. Because the revisions provide that the Secretary “shall coordinate with the heads of other applicable Federal agencies to ensure that such departments have policies in place with respect to the issues of a certificate confidentiality,” the processes for non-NIH funded research may eventually become automatic as well. 42 U.S.C. § 241(d)(1)(G)(2).

33 Certificates of Confidentiality for Research Funded by Non-HHS Federal Agencies, supra note 32.

34 Final Recommendations, supra note 26.

35 For some examples of studies that were not eligible for a Certificate as falling outside the NIH mission, see id.; Wolf et al., supra note 26, at 17. Anecdotally, we have heard complaints from researchers and IRB members about other cases in which NIH determined a Certificate could not be issued because the research fell outside of the agency's mission.

36 See Laura M. Beskow et al., Institutional Review Boards' Use and Understanding of Certificates, 7 Plos One e44050 (2012); Wolf, Leslie E., Certificate of Confidentiality: Legal Counsels' Experiences with and Perspectives on Legal Demands for Research Data, 7 J. Empirical Res. on Hum. Res. Ethics 1, 1 (2012)CrossRefGoogle ScholarPubMed.

37 Beskow et al., supra note 36; Wolf & Zandecki, supra note 28, at 4.

38 FAQs, supra note 14, at A.11 (“The NIH Policy on Certificates of Confidentiality expects that the recipient of a Certificate shall ensure that an investigator or institution who receives a copy of information protected by a Certificate understands that they are also subject to the requirements of subjection 301(d) of the Public Health Service Act.”); see also Michael Lauer, NIH's Certificates of Confidentiality Policy Enhances Confidentiality of Participants Enrolled in Clinical Research Studies, Nat'l Inst. Health Off. Extramural Res. (Sept. 7, 2017), https://nexus.od.nih.gov/all/2017/09/07/nih-new-certificates-of-confidentiality-policy/ [https://perma.cc/B8Y3-C3JE] (noting “A point that is important to understand is that if your research is covered by a CoC, you are required to ensure that any investigator or institution with whom you share a copy of the identifiable sensitive information that is protected by the policy understands that they are they are [sic] also subject to the disclosure restrictions, even if they are not funded by NIH.”).

39 See Beskow et al., supra note 36.

40 See generally id. (showing through studies that there is a need for stakeholder education about Certificates of Confidentiality).

41 See Beskow et al., supra note 36; Wolf et al., supra note 36 (reporting on the legal demands for data protected by a Certificate, identified by legal counsel).

42 Under the regulations for the previous statute, “[t]he Confidentiality Certificate does not govern the voluntary disclosure of identifying characteristics of research subjects.” 42 C.F.R. § 2a.4(j)(4) (consent disclosure requirements); see Certificates of Confidentiality (CoC) FAQs, Ctrs. for Disease Control & Prevention: Off. Associate Director for Sci., https://www.cdc.gov/od/science/integrity/confidentiality/faq_confidentiality.htm [https://perma.cc/UXV2-99BP] (identifying information or characteristics protected by a Certificate may be disclosed under the following circumstances: voluntary disclosure of information by the research of information on such thing as child abuse, reportable communicable diseases, possible threat to self or others, or other voluntary disclosures provided that such disclosures are spelled out in the informed consent form; voluntary compliance by the researcher with reporting requirements of state laws, such as knowledge of communicable disease, provided such disclosures are spelled out in the informed consent form); see also 42 C.F.R. § 2a.7 (regarding the effect of the Certificates).

43 42 U.S.C § 241(d)(1)(C) (2016).

44 Id. § 241(d)(1)(D).

45 See generally Wolf & Zandecki, supra note 28 (reporting on researchers' experiences with the Certificates and their opinions about the usefulness of obtaining this form of protection).

46 FAQs, supra note 14 (identifying information or characteristics protected by a Certificate may be disclosed under the following circumstances: voluntary disclosure of information by the research of information on such thing as child abuse, reportable communicable diseases, possible threat to self or others, or other voluntary disclosures provided that such disclosures are spelled out in the informed consent form; voluntary compliance by the researcher with reporting requirements of state laws, such as knowledge of communicable disease, provided such disclosures are spelled out in the informed consent form). NIH policy required that researchers report communicable diseases. Reporting of Communicable Diseases Policy, Nat'l Insts. Health Certificates Confidentiality Kiosk (Aug. 9, 1991), http://grants.nih.gov/grants/policy/coc/cd_policy.htm [https://perma.cc/ZQ7X-AQ9L].

47 Wolf et al., supra note 36, at 5.

48 It is not clear why provisions (ii) and (iii) were listed separately, as disclosure for treatment requires consent.

49 42 U.S.C. § 241(d)(1)(E); see FAQs, supra note 14.

50 Interestingly, this exception leaves out tribal laws.

51 FAQs, supra note 14; Suggested Consent Language Describing the CoC Protections, Nat'l Insts. Health, https://humansubjects.nih.gov/coc/suggested-consent-language [https://perma.cc/2JSLM5HS].

52 This also creates a consent problem. It is nearly impossible to explain to participants under what circumstances disclosures may be made. We previously documented consent challenges relating to Certificates without this complication. See Beskow, Laura M., Research Participants' Understanding of and Reactions to Certificates of Confidentiality, 5 AJOB Empirical Bioethics 12 (2014)CrossRefGoogle ScholarPubMed; Check, Devon K., Certificates of Confidentiality and Informed Consent: Perspectives of IRB Chairs and Institutional Legal Counsel, 36 IRB 1 (2014)Google ScholarPubMed.

53 42 U.S.C. § 241(d)(1)(F).

54 Id. § 241(d)(1)(E).

55 Id.

56 Wolf et al., supra note 26, at 599-600; Wolf et al., supra note 2, at 47-52.

57 Final Recommendations, supra note 26; Wolf et al., supra note 26, at 600; Wolf et al., supra note 2, at 74-82.

58 42 U.S.C § 241(d) (2006).

59 42 C.F.R. § 2a.2(g); see FAQs, supra note 14.

60 42 U.S.C. § 241(d)(1)(G)(4)(A).

61 Id. Although we have heard some refer to “any risk” of identification, that interpretation is not supported by the statutory language. Id. § 241(d)(1)(G)(4)(B).

62 See Wolf et al., supra note 26, at 603; Wolf et al., supra note 26, at 76-78.

63 Mark Barnes of Ropes & Gray raised this point in a meeting of the Secretary's Advisory Committee on Human Research Protections on October 18, 2017 (emphasis added). NIH states in its frequently asked questions that such sharing is still permitted. FAQs, supra note 14.

64 Beskow et al., supra note 52; Catania, Joseph et al., Research Participants Perceptions of the Certificate of Confidentiality's Assurances and Limitations, 2 J. Empirical Res. on Hum. Res. Ethics 53 (2007)CrossRefGoogle ScholarPubMed; Check et al., supra note 52.

65 Beskow et al., supra note 52; Catania et al., supra note 65; Check et al., supra note 52.

66 Suggested Consent Language, supra note 51. The complete text of the suggested language is as follows:

This research is covered by a Certificate of Confidentiality from the National Institutes of Health. The researchers with this Certificate may not disclose or use information, documents, or biospecimens that may identify you in any federal, state, or local civil, criminal, administrative, legislative, or other action, suit, or proceeding, or be used as evidence, for example, if there is a court subpoena, unless you have consented for this use. Information, documents, or biospecimens protected by this Certificate cannot be disclosed to anyone else who is not connected with the research except, if there is a federal, state, or local law that requires disclosure (such as to report child abuse or communicable diseases but not for federal, state, or local civil, criminal, administrative, legislative, or other proceedings, see below); if you have consented to the disclosure, including for your medical treatment; or if it is used for other scientific research, as allowed by federal regulations protecting research subjects.

[Use the following language as applicable] The Certificate cannot be used to refuse a request for information from personnel of the United States federal or state government agency sponsoring the project that is needed for auditing or program evaluation by [THE AGENCY] which is funding this project or for information that must be disclosed in order to meet the requirements of the federal Food and Drug Administration (FDA).

You should understand that a Certificate of Confidentiality does not prevent you from voluntarily releasing information about yourself or your involvement in this research. If you want your research information released to an insurer, medical care provider, or any other person not connected with the research, you must provide consent to allow the researchers to release it.

[language such as the following should be included if researcher intends to disclose information covered by a Certificate, such as potential child abuse, or intent to hurt self or others in response to specific federal, state, or local laws.] The Certificate of Confidentiality will not be used to prevent disclosure as required by federal, state, or local law of [list what will be reported, such as child abuse and neglect, or harm to self or others].

[language such as the following should be included if researcher intends to disclose information covered by a Certificate, with the consent of research participants.] The Certificate of Confidentiality will not be used to prevent disclosure for any purpose you have consented to in this informed consent document [restate what will be disclosed, such as including research data in the medical record].

Id.

67 The length is surely going to make it difficult to comply with the new Common Rule provisions designed to shorten consent documents, now slated to go into effect in July 2018. See generally Federal Policy for the Protection of Human Subjects, 82 Fed. Reg. 7149, 7211-14 (Jan. 19, 2017); Federal Policy for the Protection of Human Subjects: Delay of the Revisions to the Federal Policy for the Protection of Human Subjects, 83 Fed. Reg. 2885 (Jan. 22, 2018).

68 A Flesch Reading rates text on a 100-point scale, with the higher the score indicating the easier the text is to understand. Test Your Document's Readability, Microsoft, https://support.office.com/en-us/article/Test-your-document-s-readability-85b4969e-e80a-4777-8dd3-f7fc3c8b3fd2#__toc342546557 [https://perma.cc/6YN3-JFF2].

69 We used the built-in feature in Microsoft Word to calculate these results. IRBs typically recommend that consent language be at a sixth to eighth grade level. See Jessica Ridpath et al., PRISM Readability Toolkit 5 (Group Health Research Institute ed., 3d ed. 2010).

70 42 U.S.C. § 241(d) (2006).

71 See supra text accompanying note 52.

72 Wolf et al., supra note 2, at 603.

73 Informed Consent, Nat'l Cancer Inst. (last updated Jan. 31, 2018), https://ctep.cancer.gov/protocolDevelopment/informed_consent.htm [https://perma.cc/4WKF-KWZP].

74 425. Certificates of Confidentiality, U. Nevada, Reno, https://www.unr.edu/research-integrity/human-research/human-research-protection-policy-manual/425-certificates-of-confidentiality [https://perma.cc/AB8E-SWZS].

75 Catania et al., supra note 65; Check et al., supra note 52, at 4.

76 Health Insurance Portability and Accountability Act of 1996 (HIPAA), Pub. L. No. 104-191, 110 Stat. 1936; see 42 U.S.C. § 1320d-7 (2015); 45 C.F.R. § 160.203 (2004).

77 See generally State Health IT Privacy and Consent Laws and Policies, HealthIT.gov, https://www.healthit.gov/policy-researchers-implementers/state-health-it-privacy-and-consent-laws-and-policies [https://perma.cc/423S-YAD3].

78 See Wolf et al., supra note 26, at 598; Wolf et al., supra note 2, at 43-46.

79 See Wolf et al., supra note 26, at 599-600; Wolf et al., supra note 2, at 48-52.

80 Beskow et al., supra note 36; Wolf et al., supra note 36, at 5.

81 See Wolf et al., supra note 26, at 596-600; Wolf et al., supra note 2, at 18-38.

82 See Wolf et al., supra note 26, at 596; Wolf et al., supra note 2, at 17.

83 See Wolf et al., supra note 26, at 596; Wolf et al., supra note 2, at 17.

84 See Wolf et al., supra note 26, at 596; Wolf et al., supra note 2, at 27-31 (discussing People v. Newsman).

85 See Wolf et al., supra note 26, at 599; Wolf et al., supra note 2, at 22-23 (discussing In re: Louisville Branch-NAACP).

86 See Wolf et al., supra note 26, at 604; Wolf et al., supra note 2, at 38-39.

87 See Wolf et al., supra note 26, at 597; Wolf et al., supra note 2, at 34-36 (discussing Murphy v. Philip Morris Inc.).

88 See Wolf et al., supra note 26, at 599-600; Wolf et al., supra note 2, at 48-52.

89 42 U.S.C. § 241(d)(1)(E).

90 Id. § 241(d)(1)(C)(i).

91 See discussion supra Part II.B.2 (discussing the possible meanings of consent with respect to disclosure and admissibility).

92 Beskow et al., supra note 36, at 5; Wolf et al., supra note 36, at 4.

93 Specifically, the Act provides that “beginning 180 days after the date of enactment of this Act, all persons engaged in research and authorized by the Secretary of Health and Human Services to protect information under section 301(d) of the Public Health Service Act (42 U.S.C. 241(d)) prior to the date of enactment of this Act shall be subject to the requirements of such section (as amended by this Act).” § 2012(b).

94 FAQs, supra note 14.

95 Id. (“Neither the NIH Policy on Certificates of Confidentiality nor subsection 301(d) expect participants consented prior to the change in authority, or prior to the issuance of a Certificate, to be notified that the protections afforded by the Certificates have changed, or that participants who were previously consented to be re-contacted to be informed of the Certificate, although IRBs may determine whether it is appropriate to inform participants.”).

96 Wolf et al., supra note 36, at 3.

97 Id. at 4.