Bloomberg Law
July 19, 2022, 9:50 AM

NIH Privacy Certificates Shield Reproductive Research Post-Roe

Jeannie Baumann
Jeannie Baumann

Reproductive health researchers shouldn’t have to turn over their data to law enforcement in states with post-Roe abortion bans thanks to a federal statute—although legal experts caution it’s an added layer of protection and not a guarantee.

A program known as certificates of confidentiality protects identifiable, sensitive research data from the legal process, making the data inadmissible as evidence unless the participant agrees to its disclosure. The program is written into the Public Health Service Act.

These certificates aren’t new. They’ve been around since the 1970s, allowing researchers to study illicit drug use to guide evidence-based policies. The 21st Century Cures law (Pub. L. 114-255) further streamlined the process so the National Institutes of Health automatically protects human research data using identifiable, sensitive information. Other researchers can apply for the same protections.

But the Supreme Court’s decision last month to overturn Roe v. Wade prompted new concerns about how much control someone has over their identifiable, sensitive information.

“Abortion and fertility data are certainly the sort of information that is intended to be covered by Certificates of Confidentiality, as the rules were set up in part explicitly to protect subjects in research that took on sensitive, illegal, or stigmatized issues like drug use, sexual behaviors, etc., and, in our current moment, abortions,” Elisa A. Hurley, executive director of Public Responsibility in Medicine and Research, wrote in an email.

‘Implications for Reproductive Health Research’

The Dobbs v. Jackson Women’s Health Organization decision has new implications for reproductive health research, ranging from miscarriage to assisted reproductive technologies and abortion care, said Leslie E. Wolf, a Georgia State University law professor who’s been conducting research on Certificates of Confidentiality since 1998.

“We now have a wide range of activities that could be addressed in a research setting that are illegal,” Wolf said, “and where you can imagine a prosecutor trying to make a name for themselves, who may be interested in trying to get the data to know who in their state may be engaging in behavior that is criminal.”

Certificates of confidentiality only apply to research data and protect any information if there’s “at least a very small risk” that it can be combined with other data sources to uncover someone’s identity. These human subjects research studies must collect identifiable, sensitive information, be cleared by an ethics panel known as an institutional review board, and comply with human subject protection regulations known as the Common Rule (45 CFR 46).

“You cannot get it through compelled disclosure. That data is protected, and the language is extraordinarily broad,” Wolf said. “It cannot be obtained. You cannot be compelled to disclose it in any federal, state, local, civil, criminal, administrative, legislative, or other legal proceeding. That’s huge.”

There are a larger group of researchers who need to be aware of these certificates who may not have been paying attention before, such as obstetricians conducting research on miscarriages, Wolf said.

“I don’t think that they were thinking of themselves as doing something that other people would want to get at,” she said. “This is just part of care. And they don’t think of themselves as performing abortion, even though the method is similar.”

What Information Is Covered?

Dobbs has raised questions about what information states with new bans will use to identify abortions and the certificates offer protections for information collected through research. People have been urged to delete their period tracking apps, Google Inc. has said it will automatically delete records of user visits to sensitive locations such as abortion clinics, and President Joe Biden has called on the Federal Trade Commission to help the Department of Health and Human Services guard reproductive health-care privacy.

“If there were a study that involves collection of information through a period tracking app, the investigator for the study could seek a certificate of confidentiality,” which that researcher could use in a court proceeding to protect them from disclosure, David Peloquin, a partner in the health-care group at Ropes & Gray LLP, said.

“If there’s sensitive information about reproductive rights that are being collected in research, this could be a tool to limit disclosure of that information in response to court orders or subpoenas,” Peloquin, who’s written about certificates of confidentiality for Bloomberg Law’s Insights, said.

However, both Wolf and Peloquin noted that the certificates of confidentiality statute allows for disclosure if it’s required by federal, state, or local laws. The examples used in the statute point to the reporting of communicable diseases or child abuse.

“We’ve experienced in the last three years a reason for really wanting to make sure that we continue to report people to public health authorities when there’s an infectious disease, child abuse. There are other things like that, and that’s what NIH tends to focus on,” Wolf said. “But the language is really broad.”

Certificates Versus State Laws

If a state legislature were to mandate disclosure of certain information about reproductive health, that may overrule the certificate and require disclosures to state agencies, Peloquin said.

“Researchers should, if they’re doing research on those topics, think about a certificate of confidentiality as adding protection,” Peloquin said. “Perhaps if people are reluctant to enroll in a study because they’re worried about the information collected, this could provide some comfort to those individuals. They just need to understand the shortcomings.”

While the certificates allow the investigator and others with data access to refuse to provide sensitive data, Hurley said, they don’t require the investigator to refuse to provide these data under those circumstances.

It’s unclear how the state law versus certificates would play out because it hasn’t been tested in court.

“I don’t really know how an NIH policy would overlap with a state law enforcement request if actually pushed, but that does seem to say that no response to a subpoena is permitted without consent of the individual,” Kirk J. Nahra, a privacy and cybersecurity attorney with WilmerHale, said.

Danielle Bessett, a sociology professor at the University of Cincinnati, offered such protections long before Dobbs. Bessett is a co-principal investigator of OPEN, a research initiative that studies the impacts of reproductive health policy—especially abortion policy—on Ohio, Kentucky, and West Virginia residents. Bessett said OPEN’s first certificate application is about five years old.

OPEN receives its funding through a foundation and not through NIH, so Bessett’s team had to apply for a certificate. The certificate is one of several layers of protections the research team implements. Others include deleting audio recordings after they’re transcribed and not collecting the names of participants.

“CoCs are really an important marker for people considering doing this research or participating in this research, because I think it suggests a level of diligence about the researcher,” Bessett said.

While certificates of confidentiality, or CoCs, have always been important to have, Bessett feels even more grateful to have them after the Supreme Court overturned Roe.

“It’s always really important to do our very best to protect our research participants,” Bessett said. “There’s a great deal of uncertainty in the current moment, around just so many of our core institutions. And so in that sense, I think the importance of the CoCs is heightened.”

Other agencies, such as the Centers for Disease Control and Prevention and the Food and Drug Administration, can issue certificates, but the NIH issues the bulk of them. An investigator funded by another agency can request a certificate, as can someone who receives private funding, such as a drug company or a foundation that’s conducting eligible health research.

“It’s important for people to know that even if you’re dealing with an industry funded study, it’s possible you that still obtain the protection of confidentiality,” Peloquin said.

The certificate protections apply to information collected while the research is funded by the NIH, and that protection lasts in perpetuity. However, if a researcher collects new information from those participants or enrolls new people into that study after the NIH funding ends, those data wouldn’t be protected unless the scientist requests a new certificate.

The NIH referred questions to its website on certificates of confidentiality.

To contact the reporter on this story: Jeannie Baumann in Washington at

To contact the editors responsible for this story: Karl Hardy at; Cheryl Saenz at