Certificates of Confidentiality After the 21st Century Cures Act

The 21st Century Cures Act (the “Act”) has expanded researchers’ ability to obtain a Certificate of Confidentiality (“CoC”) by making the issuance of a CoC mandatory for investigators engaged in federally funded research involving certain sensitive, identifiable information about research subjects. The Act also has provided helpful clarification regarding the definition of identifiable information but has left unresolved certain ambiguities about the CoC application process and the relationship of CoCs to other research protection regimes. In this article, we attempt to identify these ambiguities, and we suggest a need for the U.S. Department of Health and Human Services (“HHS”) to issue clarifying guidance regarding the availability of CoCs.

Certificates of Confidentiality: Before 21st Century Cures

Issued by U.S. government agencies, CoCs permit a researcher to avoid compelled “involuntary disclosure” of certain study records that identify study participants, such as in response to subpoenas or court orders. CoCs are most often requested from, and issued by, the National Institutes of Health (“NIH”) but can also be issued by other agencies under the umbrella of HHS (e.g., Centers for Disease Control and Prevention, Food and Drug Administration, Health Resources and Services Administration, and Substance Abuse and Mental Health Services Administration). (42 U.S.C. §241(d)(1)(A)). The purpose of a CoC is to facilitate enrollment of human subjects in research relating to certain topics in which participants might be concerned about disclosure of personal information collected during the research because the information is of a particularly sensitive nature and/or potentially incriminating. While the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy Rule protects personal information obtained during research from disclosure by health care providers who are workforce members of a “covered entity,” a CoC can supplement the protections of the HIPAA Privacy Rule by protecting the study and its participants from government and court-issued subpoenas and other government demands for disclosure that constitute disclosures “required by law” and are therefore typically not barred by the HIPAA Privacy Rule.

Specifically, CoCs protect certain identifying information generated during research from disclosure compelled by any federal, state, or local civil, criminal, administrative, legislative, or other proceedings. The enabling statute lists identifiable information regarding mental health and the use of alcohol or other psychoactive drugs as examples of the types of information for which a CoC may be issued. (42 U.S.C. §241(d)(1)(A)). NIH website guidance provides that in addition to these two categories, information relating to HIV/AIDS status, illegal conduct, sexual behavior, genetic information, and behavioral interventions may be eligible for protection under a CoC. There are exceptions to this protection for disclosures necessary for treatment, disclosures pursuant to the consent of the individual, and disclosures made to comply with other regulations on human subjects protection. The CoC mechanism has not, however, been subject to extensive judicial review, and uncertainty remains regarding the extent of the protection offered by CoCs if subject to challenge in judicial proceedings. See, e.g., L. Wolf et al., Certificates of Confidentiality Protecting Human Subject Research Data in Law and Practice, 14 Minn. J. L. Sci. & Tech. 11 (2013) (providing an overview of case law related to CoCs).

This article reviews some of the changes made to CoCs by the recently enacted Act and discusses the implications of the changes for the research enterprise.

The 21st Century Cures Act

Before the passage of the Act (Pub. L. No. 114-255) in December 2016, the issuance of a CoC was entirely discretionary by the NIH institute or other HHS entity to which the CoC application was made. Applications for CoCs were evaluated for whether the research dealt with subject matter that was within a mission area of NIH. Certificates were issued for federally funded research as well as research not funded by the federal government, but in both cases on an entirely discretionary basis, without any specific standards binding the issuing agencies. The Act introduces two important changes regarding the issuance of CoCs.

First, the Act provides a new defined term to refer to the types of information that may be protected by a CoC: identifiable sensitive information (“ISI”). ISI is defined to include both information that identifies an individual and information for which there is “at least a very small risk, as determined by current scientific practices or statistical methods, that some combination of the information, a request for the information, and other available data sources could be used to deduce the identity of an individual.” (42 U.S.C. §241(d)(4)). This is an expansion from the current standard of identifiability applied to CoCs, which focuses on whether the information contains “identifying characteristics,” such as name, address, or Social Security number, that could “reasonably lead” to identification of the research subject. Notably, the revised standard of identifiability included in the definition of ISI is very similar to the standard for de-identification by a statistical expert found in the HIPAA Privacy Rule, thus showing a potential movement toward harmonizing identifiability standards across HHS. (45 C.F.R. §164.514(b)(1)).

The enabling statute, as amended by the Act, continues to provide as examples of “sensitive” information only research on mental health or the use and effect of alcohol and other psychoactive drugs. However, in a notice issued on Sept. 7, 2017, NIH stated that any NIH-supported research falling into the following categories will be eligible for a CoC: (i) research involving “human subjects” as defined by 45 C.F.R. Part 46 (of which Subpart A is the “Common Rule”); (ii) research involving the collection of identifiable biospecimens; (iii) research involving collection of biospecimens for which there is a small risk that some combination of the biospecimens, a request for the biospecimens, and other available data sources could be used to identify the individual; and (iv) research involving the generation of individual level, human genomic data. (NIH Notice Number NOT-OD-17-109) This suggests that NIH believes that all studies collecting identifiable information should be eligible for a CoC, not only those studies that collect categories of information traditionally considered to be “sensitive.”

Second, the Act makes the issuance of a CoC mandatory for research involving ISI that is wholly or partially funded by a federal government department or agency. In its Sept. 7, 2017, notice, NIH issued guidance indicating that, effective Oct. 1, 2017, all research funded in whole or in part by NIH that is commenced or ongoing after Dec. 13, 2016 (the enactment date of the 21^st Century Cures Act), will be “deemed to be issued a CoC.” Notably, the notice instructs that “[c]ertificates issued in this manner will not be issued in a separate document.” Accordingly, the notice states that institutions and their investigators will be responsible for determining whether the research they conduct is within the scope of CoC protection and therefore will be deemed to have had a CoC issued for the study.

The NIH’s September 2017 notice advises that investigators whose studies are “deemed” to have a CoC shall not disclose in any Federal, State, or local civil, criminal, administrative, legislative, or other proceeding the names of individuals participating in the research or information, documents, or biospecimens containing ISI about such individuals collected during the research without the consent of the relevant individual. In addition, the notice provides that the investigator shall not disclose to any other person not connected with the research the names of individuals participating in the research or any information, document, or biospecimens containing ISI about such individual collected during the research. Consistent with the Act, the notice states that exceptions to the bar on disclosure exist if the disclosure is (1) required by Federal, State, or local laws (e.g., reporting of communicable diseases); (2) necessary for the medical treatment of the individual to whom the ISI pertains; (3) made with the consent of the individual; or (4) made for the purposes of other scientific research that is in compliance with applicable Federal regulations governing the protection of human subjects in research. As noted above, the notice suggests that all research defined as “research” involving “human subjects” under the Common Rule will now meet the criteria for a CoC, as will research involving the generation of individual level, human genomic data. Accordingly, as a result of the notice, all investigators conducting NIH-supported research should, as a matter of routine practice, determine whether their research is subject to a CoC so that they can comply with the attendant limitations on disclosure imposed by the CoC.

Notably, the NIH notice does not apply directly to research funded by other government agencies. It would therefore appear that investigators conducting such research will still need to make a specific application to NIH for CoCs, unless further federal guidance clarifies this issue. Upon application, issuance of a CoC for these studies will be mandatory, since the Act makes issuance mandatory for all federally funded research, not solely research funded by NIH. It would therefore be helpful for NIH and other CoC-issuing agencies to clarify the process through which investigators may seek and obtain CoCs for research funded by government agencies other than NIH itself. Investigators engaged in privately funded research will still need to make specific application for CoCs, and issuance of CoCs for such research remains discretionary, even after the Act. However, these investigators will be able to take advantage of the broader definition of ISI, and potentially NIH’s broader interpretation of the term, and may be more likely to obtain a CoC.

Implications

Before the Act, there were a number of procedural hurdles to obtaining a CoC. The changes to the CoC application process are likely to increase the number of studies that are able to take advantage of this protection. A wider range of studies are now able to obtain CoCs, and the process for obtaining them will be less burdensome and involve less uncertainty. In the case of NIH-funded studies, the process will be automatic, which eliminates the burden imposed by the application process, but also places a new burden on investigators of NIH-funded research to evaluate whether every study they undertake will be “deemed” to have a CoC and thus required to comply with the terms of the CoC.

The automatic issuance of CoCs for a large percentage of NIH-funded research represents a major policy shift that will shield most human subjects research records developed in the course of NIH-funded research from discovery during the course of civil litigation. Research records will therefore occupy a privileged position in not being discoverable through the issuance of court orders and subpoenas in a way that clinical medical records are not today protected under HIPAA, which generally permits release of medical records in such circumstances subject to certain restrictions. (See 45 C.F.R. §164.512(e)). For example, in a child custody dispute, the parent seeking custody will not be able to obtain through the civil litigation discovery process records of the other parent’s involvement in an NIH-funded smoking cessation study, since such a study will most likely automatically be issued a CoC, even though the parent’s medical records would presumably be discoverable if materially related to issues in custody determinations. One wonders if those within NIH and HHS who approved these CoC changes were fully aware that research records are now more protected from legal disclosure processes than some of the most sensitive medical records. In any event, researchers, institutional review board (“IRB”) staff, institutional research officials, and legal counsel will need to be aware of these restrictions to avoid providing records in response to subpoena requests in violation of a CoC that has been automatically issued for NIH-funded research. These new limitations on access to research records could also lead to liability for institutions or researchers that release records in violation of an automatically-issued CoC.

In addition, the automatic issuance of CoCs in NIH-funded research will likely require revisions to informed consent forms for such studies, as the NIH’s existing website guidance on CoCs states that when a CoC is issued, research subjects must be told about the protections afforded by the CoC and any exceptions to that protection. A related question arises as to whether subjects who were enrolled in NIH-funded research on or after Dec. 13, 2016, for which the investigator did not obtain a CoC will need to be re-consented with a consent procedure that discusses the CoC. While NIH’s notice does not speak directly to this question, as a practical matter it would seem that re-consent would not be required, since a primary purpose of a CoC is to provide subjects with comfort that they can enroll in a research study collecting sensitive or incriminating information without fear that their information will be shared with third parties. Subjects who already enrolled in the study chose to enroll absent this additional protection, and thus it would not seem necessary for the investigator to undertake the burden of re-consenting them solely for the purpose of informing them of the CoC. However, it would seem necessary for the investigator to update the consent forms before consenting any new subjects into such studies, which will require the investigator to undertake the process of obtaining IRB approval for the revised consent forms.

The changed scope of what research can be protected by CoCs is likely to include more types of genetic research. The broader definition of ISI, relative to the previous definition that was limited to names and “identifying characteristics,” will strengthen protections for research participants. As science continues to evolve and identifying an individual based on some aspect of his or her genetic information becomes easier, it will be increasingly likely that the risk-based definition of ISI will include genetic sequencing information that may only have a small chance of being identifiable. Studies that make use of biological samples previously stored for future use may be eligible for issuance of a CoC if the researchers can show that it is possible that the subjects may be identified from data generated through their intended research use of the samples.

Consistency with the Common Rule

The Common Rule (45 C.F.R. Part 46, Subpart A), the set of federal regulations for the protection of human subjects in biomedical and behavioral research conducted or supported by most federal agencies, was the subject of revisions expected to take effect in January 2018 (see 82 Fed. Reg. 7,149 (Jan. 19, 2017)). These final revisions omitted a provision contained in earlier proposed revisions to the rule that would have defined the term “human subject” to include de-identified human biospecimens. Accordingly, under both the current and revised Common Rule, future research on samples of this type is typically not considered “research” subject to the rule, and consequently it does not require investigators to obtain IRB review and approval of the research or the informed consent of participants. However, due to advances in research methods, it is increasingly possible to identify individuals based on genetic information that can be obtained from biospecimens. Under the revised Common Rule, HHS will be required to re-evaluate periodically what it means for information or biospecimens to be identifiable.

Notably, the standard for identifiability contained in the definition of ISI, i.e., any information for which a “very small risk” of re-identification exists, may include information for which the identity of the subject may not “readily be ascertained by the investigator or associated with the information,” the standard of identifiability found in both the current and revised Common Rule. Accordingly, information or biospecimens that have been stripped of direct identifiers and thus fall outside of the jurisdiction of the Common Rule may still present a “very small risk” of re-identifying the individual from whom they were obtained, meaning that research involving such materials may be eligible for a CoC even when the research would not be subject to regulation by the Common Rule. Indeed, NIH’s September 2017 notice states explicitly that NIH-funded research involving the generation of individual level, human genomic data from biospecimens or the use of such data, regardless of whether the data are recorded in such a manner that the identity of individuals can readily be ascertained, will now be considered eligible for a CoC.

Another provision of the revised Common Rule that is relevant to the CoC process is the new requirement that multi-site studies funded by a Common Rule agency make use of a single IRB for all research sites located in the United States. This change to the Common Rule was intended to reduce administrative burden and increase coordination in multi-site studies. Because in multi-site research, a coordinating center or lead institution may be issued a CoC on behalf of all participating institutions as long as each site is using the same study protocol, the move toward increasing use of a central IRB may also facilitate the process of designating a “lead” or “coordinating” institution that could receive a CoC that would protect study participant records in all sites of a multi-site study. NIH’s September 2017 notice reinforces this point by noting that recipients of NIH funding are required to ensure that any subrecipients that receive funds to carry out part of the NIH award that receive a copy of ISI understand that they are also subject to the restrictions of the Certificate.

Research Sponsors and Certificates of Confidentiality

The Act fails to resolve an ambiguity about who may apply for a CoC. The statutory language is unclear about whether sponsors of research studies, such as private pharmaceutical or medical device companies, may apply directly for CoCs, or whether only investigators may do so. At present, based on available NIH website guidance, it appears that sponsors may apply for a CoC if the sponsor has first filed a federalwide assurance with HHS. As private companies increasingly sponsor multi-site research that involves the collection of ISI, particularly genetic information, sponsors may be best placed to apply for and ensure compliance with the requirements of a CoC (e.g., implementing uniform informed consent language describing the CoC across all study sites). It would be beneficial to the research enterprise if HHS were to issue further guidance explicitly addressing the ability of private companies to obtain CoCs for the research they sponsor.

Conclusion

The Act strengthens and increases access to an important tool in the researcher’s arsenal. By making issuance of CoCs mandatory, and in some cases automatic, for federally funded research involving ISI, the Act is likely to expand the number of research studies operating under the protection of a CoC. By broadening the scope of information protected by CoCs, the Act extends protections to more types of research, including secondary research on biospecimens for which the information generated may not be readily identifiable. However, the Act leaves open certain ambiguities, including whether private companies themselves are able to obtain CoCs for research they sponsor. In order to resolve these ambiguities, and provide clearer guidelines generally, it would be helpful for HHS, or issuing agencies such as NIH, to provide further guidance on the CoC application and granting process and the relationship of CoCs to other research protections.