Certificates can protect subject identities
July 1, 2014
Related Articles
-
Infectious Disease Updates
-
Noninferiority of Seven vs. 14 Days of Antibiotic Therapy for Bloodstream Infections
-
Parvovirus and Increasing Danger in Pregnancy and Sickle Cell Disease
-
Oseltamivir for Adults Hospitalized with Influenza: Earlier Is Better
-
Usefulness of Pyuria to Diagnose UTI in Children
Certificates can protect subject identities
Extend to sensitive’ research topics
Protecting the identities and sensitive information of study subjects is one of the top priorities in research, particularly if a study involves topics that could be damaging to a subject’s reputation. Investigators can seek an extra layer of protection known as Certificates of Confidentiality for such studies.
The National Institutes of Health (NIH) issues Certificates of Confidentiality (CoC) to protect the privacy of research subjects by shielding investigators from being compelled to release subjects’ identifying information. The certificates can allow an investigator to refuse to submit identifying records if compelled by civil or criminal trials, or other proceedings.
Because the statutory authority that established the CoC protection is specific to the Department of Health and Human Services (HHS), to be eligible for a CoC, a research study must be health-related and must also be collecting sensitive, identifiable information. "Sensitive’ is very broadly defined as any information that, if released, could potentially harm the subject," says Ann Hardy, DrPH, Extramural Human Research Protections Officer and Certificates of Confidentiality Coordinator at the NIH Office of Extramural Research (OER). "Identifiable’ is also broadly defined as information that could lead to the identification of a subject; this includes more than just a subject’s name."
Examples of sensitive research include:
• research on the psychological well-being and mental health of subjects;
• studies on sexual attitudes, preferences, or practices;
• studies collecting information on substance abuse or other illegal risk behaviors;
• health-related studies that gather information that, if released, could be damaging to a participant’s financial standing, employability, or reputation within the community.
The definition of "sensitive research" has expanded in recent times to include genetic research. The increase of sensitive genetic research in the last decade has led the NIH to consider genetics studies as containing potentially identifiable data, Hardy says. "We have issued certificates to genetic studies and for research repositories that contain genetic data, in part to encourage researchers to be more willing to submit findings to repositories such as NIH’s dbGaP [database of Genotypes and Phenotypes]," she says.
Eligibility
Certificates are limited to research that is health-related, Hardy says. "One of the misunderstandings IRBs might have is that they [certificates] are for any type of research," she says. "There are a lot of research topics that can be considered sensitive, but are not eligible for a certificate because they are not health-related." Federal funding is not a requirement for a certificate, although the research must be allowable by HHS policy.
The study must also collect identifying information. The CoCs don’t necessarily protect all research data — just the data that can ID subjects. "It may not be widely appreciated that [the regulations] were written specifically to protect identifiable research data," Hardy says.
HHS also requires IRB approval or conditional approval before issuing a certificate. "This way, we can make sure there are no changes to the study, and what we’re describing is what will happen," Hardy says.
"Subjects have to be informed of the certificate and what it does and doesn’t do, and we have suggested informed consent language on the website," Hardy continues. "NIH is happy to work with researchers on the consent language."
It is vital to note that the certificates don’t protect against voluntary disclosure of data by investigators or study subjects, Hardy says. For example, an investigator can disclose identifying data if he or she thinks it’s necessary in order to prevent harm to the subject or someone else, such as cases of abuse or suicidal ideation. "If investigators want to disclose something like suicidal ideation, they need to be clear in the consent form that they intend to do that," she says. "If it’s a study where voluntary disclosure won’t be an issue, then investigators don’t need to worry about this."
The application for a CoC has a study start date and end date for subject recruitment, collection of data, and analysis, Hardy says. If the certificate expires while the data analysis is being performed, the subjects are still protected under the certificate. "What you don’t want is a study that continues to enroll subjects after the expiration date, because those subjects would not be protected by the CoC; in such cases, an extension would be needed," she says. "If there is a change in the study, we may need to issue an amended CoC because we want to make sure if someone uses the CoC to refuse a legal demand that it is clear that the CoC applies to that particular study. Once a study is completed, the CoC protection of the subjects is permanent."
When to use
Some IRBs may not be clear on when and how to require a certificate for research protocols. A study published in 2012 in the journal PLoS ONE examined IRB chairs’ knowledge of certificates, how they work, and when to use them. "We found when we did the survey of the IRBs that there was a lot of uncertainty or incorrect answers about the certificates," says Leslie E. Wolf, JD, MPH, professor of law at Georgia State University College of Law in Atlanta, and co-author of the study. "We were a little surprised, but I think there’s confusion out there and the study confirmed it."
The study involved surveys with 453 IRB chairs nationwide, and follow-up interviews with 21 of these. Forty-five percent responded that they were familiar or very familiar with CoCs. Those with more familiarity had more years of experience as IRB chairs. Fifty-five percent answered three or more of the six true/false knowledge statements correctly.1The statements included:
• The HIPAA Privacy Rule provides the same protections as does a certificate. [False]
• A certificate is granted to the research institution for a particular project, not to the principal investigator of that project. [True]
• With a certificate, a researcher may voluntarily comply with state reporting laws, but only when such disclosures are specified in the informed consent document. [True]
• Research participants are only protected until the expiration date of the certificate. [False]
• Even with a certificate, researchers must release identifiable data to the federal government as required for program evaluation or audits of research records. [True]
• With a certificate, a researcher may withhold identifiable data, even if the participant consents in writing to disclosure. [False]1
The only question a majority of the respondents answered correctly was the question about HIPAA privacy, the study says.1
The study interviews showed that some chairs believed that CoCs only protect information on subjects’ illegal activity. Others responded that they would not require a certificate if there is no risk of a subpoena. Some chairs also stated that they did not consider genetic research sensitive enough to require a certificate.1
Much of the uncertainty surrounding certificates was consistent with individual experience, Wolf says. "I think some IRBs are more experienced in a positive or negative way, or they have a lot of a particular type of research that deals with certificates. Some institutions that don’t do a lot of that type of research may be less informed."
If IRBs or investigators are unsure of how and when to obtain a certificate, the NIH has a Certificates of Confidentiality Kiosk at http://grants.nih.gov/grants/policy/coc/index.htm, which includes frequently asked questions, application instructions for intramural and extramural studies, contact lists, and flow charts. "The flow chart helps guide those who are new to the process," Hardy says.
Legal challenges
In the study, 86% of IRB chairs said that CoCs were currently used at their institutions, and 10% stated that they have received legal demands to disclose identifiable data. It also showed mixed opinions on the level of protection chairs thought the certificates afford, and the extent to which the certificates have been tried in court.1
"We also spoke to legal counsel about the effectiveness of certificates in practice — it was reassuring, though not fully clear, in that the demands for research data were relatively rare," Wolf says. "Often, the certificate was successful, but not through a legal case that would say definitively that this [data] was absolutely protected. Rather, counsel would raise the fact that there was a certificate, and the demand would go away. That’s good as a deterrent."
"Anecdotal information suggests that oftentimes when there is a request for data and certificate is mentioned, it just goes away and doesn’t get to subpoena stage," Hardy adds.
However, there are still concerns about whether certificates would be upheld in some criminal proceedings, Wolf says. "The concern would be if a criminal defendant were to raise the question of guilt or innocence based on the data, and whether those constitutional issues would trump the statutory protections of the certificate," she says.
The closest the issue has come to being tested is in the case of the State of North Carolina v. Bradley. A criminal defendant believed a witness to be part of a Duke University Health System study on psychiatric disorders, and requested a court order for all study records on the witness. The motion was granted, but reversed when Duke researchers moved for a protective order and cited the certificate. The defendant was convicted and later appealed, requesting that Duke turn over the sealed witness records as possible exculpatory evidence. The judge agreed to let attorneys look over the documents and decide the relevance to the case, allowing them only to be viewed by the defense and prosecuting attorneys. The appeals court found the records to be immaterial to the case and vacated the court order. The court declined to consider whether the Certificate of Confidentiality would have protected the records if they were found to be material to the case.2
"The Bradley case was a criminal case, but it was not as directly exculpatory and the court ultimately decided the information wasn’t relevant to the case," Wolf says. "We haven’t seen a case that would decide if it [the certificate] would be upheld if it were something more squarely exculpatory."
The Bradley case wasn’t necessarily a failure for CoCs, Hardy says. "Unfortunately, I think people interpret that case as a failure of the certificate," she says. "[The certificate] was clearly considered and the review of research data allowed was very limited. The court ultimately decided that the information wasn’t relevant, and no further examination of the data was allowed. I view it as the court being very careful about the information because of the certificate. However, someone’s constitutional rights may trump the CoC regulations," she says.
Hardy cites another case in which researchers uncovered evidence of child abuse, and child protective services requested research data. "The courts decided that since the researchers already reported the abuse that they had to disclose the additional data," she says.
If an investigator thinks there is a likelihood that his or her study will draw a legal demand, he or she should consult institutional legal counsel, Hardy says. "It’s unfortunate that a lot of researchers don’t consider this," she says. "I strongly advise talking to legal counsel before designing the study. A certificate isn’t the only means by which counsel could refuse a demand for data."
"Data can be given with certain identifiers removed and only used for particular litigation and not re-identified," Wolf adds. "I think sometimes we think the data is totally protected and it’s not — only the identifiable data."
References
- Beskow LM, Check DK, Namey EE, Dame LA, Lin L, et al. (2012) Institutional Review Boards’ Use and Understanding of Certificates of Confidentiality. PLoS ONE 7(9): e44050. doi:10.1371/journal.pone.0044050.
- Beskow LM, Dame L, Costello EJ. Certificates of Confidentiality and the Compelled Disclosure of Research Data. Science. Nov 14, 2008; 322(5904): 10541055.
Subscribe Now for Access
You have reached your article limit for the month. We hope you found our articles both enjoyable and insightful. For information on new subscriptions, product trials, alternative billing arrangements or group and site discounts please call 800-688-2421. We look forward to having you as a long-term member of the Relias Media community.