Certificates of Confidentiality (“Certificates”) are a federal legal tool designed to protect sensitive, identifiable research data from compelled disclosure. Congress first authorized their use in 1970 to facilitate research on illegal drug use. The scope of their use was later expanded to cover mental health research and then again to apply broadly to identifiable, sensitive research data, regardless of topic. Certificates can be critical to enabling conduct of essential research on sensitive topics, such as effective interventions to curb the opioid epidemic or reduce HIV transmission among minority youth. Nevertheless, there have been criticisms about Certificates and their use on several grounds. For example, researchers and institutional review boards (“IRBs”) may lack sufficient knowledge about them and, therefore, may not consider using them in studies for which they would be appropriate. In contrast to other protections, such as Department of Justice Privacy Certificates, Certificate protections were not automatically extended to these studies, but instead required an application. In addition, the concept of identifiable data had not kept up with technological changes that may allow for reidentification of data previously considered unidentifiable. Although a researcher who obtained a Certificate could use it to resist a legal demand for identifiable data, little was known about the actual effectiveness of the protection provided.
The 21st Century Cures Act substantially revises the Certificates authorizing statute, and many of the changes are directly responsive to the criticisms that have been raised. Significantly, the Secretary of the Department of Health and Human Services (“HHS”) must issue Certificate protection to federally funded research involving identifiable, sensitive research data, and the National Institutes of Health (“NIH”) will automatically include such protections to research it funds. Non-federally funded researchers can continue to apply for Certificate protection. The definition of identifiable has been expanded to include data “for which there is at least a very small risk” of identification. Certificates will now not only protect against compelled disclosure, but also render protected data inadmissible in legal proceedings without participant consent. In addition, voluntary disclosure is no longer authorized, but there is now a broad exception for disclosure as required by federal, state, and local laws. In this paper, based on our previous research on Certificates, we critically evaluate the 21st Century Cures Act's Certificates revisions and their positive and negative impact on the dual goals of facilitating important, sensitive research while maximally protecting individual research participants.