See, e.g., Allen, J. R. Curran, J. W., “Prevention of AIDS and HIV Infection: Needs and Priorities for Epidemiological Research,” American Journal of Public Health 78, no. 4 (1988): 381–386; Curran, J. W. Jaffe, H. W., “AIDS: The Early Years and CDC's Response,” Morbidity and Mortality Weekly Report 60, Supp. no. 4 (2011): S64–S69. Scholars have discussed the value of Certificates to a wide range of research topics. See, e.g., Wolf, L. E. Lo, B., “Practicing Safer Research: Using the Law to Protect the Confidentiality of Sensitive Research Data,” IRB: Ethics & Human Research 21, no. 5 (Sept.–Oct. 1999): 4–7, at 4 (discussing Certificates and HIV research); Melton, G. B., “Certificates of Confidentiality under the Public Health Service Act: Strong Protection but Not Enough,” Violence and Victims 5, no. 1 (1990): 67–71, at 68–69 (discussing Certificates and research on violence); Hoagwood, K., “The Certificate of Confidentiality at the National Institute of Mental Health: Discretionary Considerations in Its Applicability in Research on Child and Adolescent Mental Disorders,” Ethics and Behavior 4, no. 2 (1994): 123–131, at 123–124 (discussing Certificates and mental health research); Coffey, M. J. Ross, L., “Human Subjects Protections in Genetic Research,” Genetic Testing 8, no. 2 (2004): 209–213, at 209–210 (discussing Certificates and genetic research); Cooper, Z. N. Nelson, R. M. Ross, L. F., “Certificates of Confidentiality in Research: Rationale and Usage,” Genetic Testing 8, no. 2 (2004): 214–220, at 214 (discussing Certificates and genetic research); Earley, C. L. Strong, L. C., “Certificates of Confidentiality: A Valuable Tool for Protecting Genetic Data,” American Journal of Human Genetics 57, no. 3 (1995): 727–731, at 727 (discussing Certificates and genetic research); Lutz, K. F. et al. , “Use of Certificates of Confidentiality in Nursing Research,” Journal of Nursing Scholarship 32, no. 2 (2000): 185–188, at 185 (2000) (discussing Certificates and nursing research).Google Scholar

Wolf, Lo, , supra note 1, at 5 (explaining the obligations stem from the ethical principles of beneficence, which require researchers to minimize risks, and respect for persons); see also 45 C.F.R. §§ 46.111(a)(1), (a)(7) (2013), which explicitly obligates researchers to minimize risk and, “when appropriate,” to maintain confidentiality of data and the privacy of subjects).Google Scholar

See, e.g., Farnsworth v. Procter & Gamble Co., 758 F.2d 1545, 1546–47 (1985) (detailing that industry sought data from Toxic Shock Syndrome studies for use in products liability action); Deitchman v. E.R. Squibb & Sons, Inc., 740 F.2d 556, 557–58 (1984) (detailing that industry sought data from cancer registry in connection with products liability action relating to use of diethylstilbestrol (DES). See also, Confidentiality Order Re WHI Study Data, In re PremPro Products Liability Litigation, No. 4:03-CV-01507-WRW (E.D. Ark. Feb. 1, 2005); Order Re: Motion to Quash Subpoenas Re Yale Study's Hospital Records, In re Phenylpropanolamine Products Liability Litigation, No. 1407 (W.D. Wash. Aug. 19, 2002). These requests may include request for identifiable data, even if not necessary. See Skolnick, A. A., “Burning Mad Tobacco Industry Turns Heat on Major News Media,” Science Writers: Newsletter of the National Association of Science Writers (Berkeley, Cal.), Summer 1994, available at <http://www.aaskolnick.com/naswtob.htm> (last visited September 9, 2015); Barinaga, M., “Who Controls a Researcher's Files,” Science 256, no. 5064 (1992): 1620–1621, at 1620. Concern about the impact of such requests on researchers led to changes to the Georgia evidence law Ga. Code Ann. § 24–122 (2011).Google Scholar

Jaschik, S., “Oral History, Unprotected,” Inside Higher Education, July 5, 2011, available at <https://www.insidehighered.com/news/2011/07/05/federal_government_questions_confidentiality_of_oral_history> (last visited September 15, 2015) (referring to Boston College oral history project on the Northern Ireland “troubles” as a prime example where interest in the data is unsurprising. The interviews were sought in connection with an unsolved murder suspected of being committed by Irish Republic Army members). Another well-known example is that of sociologist Rick Scarce, who conducted research on the Animal Liberation Front, which subsequently claimed responsibility for a break-in at Washington State University research labs. Prosecutors sought his data for use in the criminal case. When Scarce refused to provide it, he was placed in jail for contempt of court. Marshall, E., “Court Orders ‘Sharing’ of Data,” Science 261, no. 5119 (1993): 284–286, at 285. See also Gray, J. N. Lyons, P. H. Melton, G. B., Ethical and Legal Issues in AIDS Research (Baltimore, MD: The Johns Hopkins University Press, 1995): At 13–17, 63–68 (explaining that HIV researchers have long been cognizant that the research they conduct could put their participants at risk of criminal prosecution based on their sexual or drug-using behaviors).Google Scholar

Wolf, L. E. et al. , “Certificates of Confidentiality: Legal Counsels' Experiences with and Perspectives on Legal Demands for Research Data,” Journal of Empirical Research on Human Research Ethics 7, no. 4 (2012): 1–9, at 3 (providing an example of demographic data, including income, that might be sought for custody and child support purposes).CrossRefGoogle Scholar

See Wolf, Lo, , supra note 1, at 5.Google Scholar

42 U.S.C. § 241(d) (2006).Google Scholar

Beskow, L. M. et al. , “Institutional Review Boards' Use and Understanding of Certificates of Confidentiality,” Public Library of Science One 7, no. 9 (September 4, 2012): 1–10, at 1.Google Scholar

See Basic IRB Review, in Penslar, R. L., Institutional Review Board Guidebook (Department of Health and Human Services Office for Protection from Research Risks, 1993), available at <http://www.hhs.gov/ohrp/archive/irb/irb_guidebook.htm> (last accessed September 9, 2015) (“IRBs should determine the adequacy of the provisions to protect the privacy of subjects and to maintain the confidentiality of the data and, where the subjects are likely to be members of a vulnerable population (e.g., mentally disabled), determine that appropriate additional safeguards are in place to protect the rights and welfare of these subjects.”); see also Wolf, Lo, , supra note 1, at 5 (describing the legal and ethical bases for the obligation to maintain confidentiality).Google Scholar

See Wolf, Lo, , supra note 1, at 5.Google Scholar

45 C.F.R. § 46.101 (2013) The Department of Health and Human Services (HHS) regulations governing the conduct of research involving human subjects research apply to research that is funded through that department, including the National Institutes of Health (NIH) and the Centers for Disease Control and Prevention (CDC), which together support the greatest amount of federally funded research. Another 17 agencies have agreed to abide by these regulations for their research. Accordingly, the HHS regulations are referred to as the “Common Rule.” Department of Health and Human Services, “Federal Policy for the Protection of Human Subjects (‘Common Rule’),” available at <http://www.hhs.gov/ohrp/humansubjects/commonrule/index.html> (last visited September 9, 2015); see also 21 C.F.R. §§ 50, 56 (2013) (Food and Drug Administration (FDA) regulations that are substantially similar to the Common Rule). For a comparison between these regulations, see U. S. Food and Drug Administration, Comparison of FDA and HHS Human Subjects Protection Regulations, available at <http://www.fda.gov/ScienceResearch/SpecialTopics/RunningClinicalTrials/educationalmaterials/ucm112910.htm> (last visited September 9, 2015).+(last+visited+September+9,+2015);+see+also+21+C.F.R.+§§+50,+56+(2013)+(Food+and+Drug+Administration+(FDA)+regulations+that+are+substantially+similar+to+the+Common+Rule).+For+a+comparison+between+these+regulations,+see+U.+S.+Food+and+Drug+Administration,+Comparison+of+FDA+and+HHS+Human+Subjects+Protection+Regulations,+available+at++(last+visited+September+9,+2015).>Google Scholar

Common Rule, 45 C.F.R. § 46.111(a)(7).Google Scholar

Common Rule, 45 C.F.R. § 46.111(a)(1).Google Scholar

Common Rule, 45 C.F.R. § 46.101(b)(4).Google Scholar

See, e.g., Basic IRB Review, supra note 9 (discussing expectations of privacy and confidentiality in biomedical research compared to social/behavioral research).Google Scholar

Wolf, Lo, , supra note 1, at 4.Google Scholar

Basic IRB Review, supra note 9 (regarding “Privacy and Confidentiality.”).Google Scholar

Wolf, Lo, , supra note 1, at 5.Google Scholar

Comprehensive Drug Abuse Prevention and Control Act of 1970, Pub. L. No. 91–513, 84 Stat. 1236, 1241 (1970). This Act also granted the Attorney General similar authority. In practice, DOJ appears to rely on the protections afforded under 42 U.S.C. § 3789g for research it oversees or funds, as described more fully below.Google Scholar

Comprehensive Narcotic Addiction and Drug Abuse Care and Control Act of 1969: Hearings on S. 2608, S. 2637, S. 1816, S. 1895, H.R. 11701, and H.R. 10342 Before the Special Subcommittee on Alcohol and Narcotics of the S. Comm. on Labor and Public Welfare, 91st Cong. 93, 98 (1969).Google Scholar

Id., at 98.Google Scholar

In 1974, the range of research eligible for protection was broadened from research on “the use and effect of drugs” to research on “mental health, including research on the use and effect of alcohol and other psychoactive drugs.” Comprehensive Alcohol Abuse and Alcoholism Prevention, Treatment, and Rehabilitation Act Amendments of 1974, Pub. L. 93–282, 88 Stat. 125, 132–33 (1974). In 1988, the law re-designated the Certificate authorization language (among others) to 42 U.S.C. § 241(d) while simultaneously broadening the protections to all types of research methods and any research topic where breach of confidentiality of individual information could harm that individual. Health Omnibus Programs Extension of 1988, Pub. L. 100–607, 102 Stat. 3048 (1988).Google Scholar

42 U.S.C. § 241(d) (2012).Google Scholar

42 U.S.C. § 241(d) (2012); and 21 U.S.C. § 872(c) (2012). The NIH website on Certificates of Confidentiality recognizes the broad range of research that may collect sensitive, identifiable research data including research on: “HIV, AIDS and other STDS…sexual attitudes, preferences, or practices…use of alcohol, drugs, or other addictive products…illegal conduct…information that if released could be damaging to a participant's financial standing, employability, or reputation within the community…information that might lead to social stigmatization or discrimination if it were disclosed…psychological well being or mental health…[g]enetic studies, including those that collect and store biological samples for future use; [and]… behavioral interventions and epidemiologic studies.” Office of Extramural Research, National Institutes of Health, Frequently Asked Questions (FAQs) on Certificates of Confidentiality, #C3 (last revised June 20, 2011), available at <http://grants.nih.gov/grants/policy/coc/faqs.htm> (last visited September 9, 2015). (last visited September 9, 2015).' href=https://scholar.google.com/scholar?q=42+U.S.C.+§+241(d)+(2012);+and+21+U.S.C.+§+872(c)+(2012).+The+NIH+website+on+Certificates+of+Confidentiality+recognizes+the+broad+range+of+research+that+may+collect+sensitive,+identifiable+research+data+including+research+on:+“HIV,+AIDS+and+other+STDS…sexual+attitudes,+preferences,+or+practices…use+of+alcohol,+drugs,+or+other+addictive+products…illegal+conduct…information+that+if+released+could+be+damaging+to+a+participant's+financial+standing,+employability,+or+reputation+within+the+community…information+that+might+lead+to+social+stigmatization+or+discrimination+if+it+were+disclosed…psychological+well+being+or+mental+health…[g]enetic+studies,+including+those+that+collect+and+store+biological+samples+for+future+use;+[and]…+behavioral+interventions+and+epidemiologic+studies.”+Office+of+Extramural+Research,+National+Institutes+of+Health,+Frequently+Asked+Questions+(FAQs)+on+Certificates+of+Confidentiality,+#C3+(last+revised+June+20,+2011),+available+at++(last+visited+September+9,+2015).>Google Scholar

See Protection of Identity – Research Subjects, 42 C.F.R. § 2a (2013) These regulations have been unchanged since 1979 and, thus, do not reflect the full scope of the research that is eligible for protection.Google Scholar

42 C.F.R. § 2a.2(g) (2013).Google Scholar

42 C.F.R. §§ 2a.1, 2a.3 (2013). The regulations, which have not been modified since 1979, refer to NIH institutes, although other parts of HHS, such as the CDC, issue Certificates.Google Scholar

See 42 C.F.R. § 2a.4 (2013). (The application must to include a “specific request, signed by the individual primarily responsible for the conduct of the research, for authority to withhold the names and other identifying characteristics of the research subjects and the reasons supporting such request.”) 42 C.F.R. § 2a.4(f) (2013).Google Scholar

42 C.F.R. § 2a.4(j) (2013).Google Scholar

42 C.F.R. § 2a.4(j)(4) (2013).Google Scholar

U.S. Department of Health and Human Services, National Institutes of Health, Certificates of Confidentiality Kiosk, Certificates of Confidentiality: Detailed Application Instructions for Certificate of Confidentiality: Extramural Research Projects, available at <http://grants.nih.gov/grants/policy/coc/appl_extramural.htm> (last visited September 11, 2015).+(last+visited+September+11,+2015).>Google Scholar

See Wright, C. A. Miller, A. R. et al. , Federal Practice and Procedure §3914.23, 2nd ed. (St. Paul, MN: Thomson West, 2012) (describing the lack of finality of most discovery orders and, thus, the inability to get judicial review of them).Google Scholar

People v. Newman, 298 N.E.2d 651 (N.Y. 1973).Google Scholar

Beskow, L. M. Dame, L. Costello, E. J., “Certificates of Confidentiality and Compelled Disclosure of Data,” Science 322, no. 5904 (2008): 1054–1055.CrossRefGoogle Scholar

Newman, 298 N.E.2d at 653.Google Scholar

Newman, 298 N.E.2d at 653; see also People v. Newman, 336 N.Y.S.2d 127, 129 (App. Div. 1972).Google Scholar

Newman, 298 N.E.2d. at 654. Dr. Newman also claimed state law physician-patient privilege protected the photographs, a claim the Court quickly rejected because the photographs were collected for administrative, rather than treatment purposes. Id., at 653.Google Scholar

Newman, 298 N.E.2d at 654. Unlike the absolute protections under the 1970 Act, 21 U.S.C. §1175 under the 1972 Act provided drug treatment records were confidential, but permitted disclosure for purposes outlined in the statute, including disclosure based upon a court order after a showing of good cause. 21 U.S.C. § 1175 (1976).Google Scholar

Newman, 298 N.E.2d. at 654.Google Scholar

Newman, 298 N.E.2d at 655–56. Accord, State v. White, 363 A.2d 143, 151–52 (Conn. 1975) (distinguishing between the absolute confidentiality of the 1970 Act compared to the qualified confidentiality of the 1972 Act). In contrast, the 1972 Act “covered a wide range of programs and activities (‘drug abuse prevention functions’) in which absolute confidentiality was not regarded as a prerequisite to the successful operation of the programs,” the confidentiality requirements were necessarily different from those in the 1970 Act. Newman, 298 N.E.2d at 656.Google Scholar

People v. Still, 369 N.Y.S.2d 759 (App. Div. 1975).Google Scholar

Still, 369 N.Y.S.2d at 762.Google Scholar

Still, 369 N.Y.S.2d. at 763.Google Scholar

Still, 369 N.Y.S.2d. at 765.Google Scholar

North Carolina v. Bradley, 634 S.E.2d 258 (N.C. Ct. App. 2006).Google Scholar

Bradley, 634 S.E.2d at 260. The protective order was issued after an initial order to produce the documents, which would have permitted the study documents “to be read by the state's chief investigating officer, the witness, the District Attorney's office staff, the defendant and his wife, the Public Defender's office staff, the Assistant Public Defender, and any expert the defendant or state might consult.” See Beskow, et al. , supra note 34, at 1054. Additionally, the trial judge had no prior experience with Certificates and, like the appellate court, focused first on whether the defendant had met a burden to demonstrate a need for the documents. Id.Google Scholar

Bradley, 634 S.E.2d at 260.Google Scholar

Bradley, 634 S.E.2d at 261.Google Scholar

Bradley, 634 S.E.2d at 261.Google Scholar

According to the court, the matters potentially contained in the Duke records were “at best tangential” to the case and, thus, could not have been used by Bradley to impeach his granddaughter, even if there were evidence of inconsistent statements. Bradley, 634 S.E.2d at 262–63.Google Scholar

Bradley, 634 S.E.2d at 262.Google Scholar

Beskow, , supra note 34.Google Scholar

Order Granting Defendant Philip Morris' Motion to Compel Production of Documents in Response to Subpoena Duces Tecum; Protective Order, Murphy v. Philip Morris Inc., No. CV 99–7155-RAP (JWJx) (C.D. Cal. Mar. 17, 2000).Google Scholar

Philip Morris Order at 4.Google Scholar

Philip Morris Order at 5 (citing 45 C.F.R. § 46.116(a)(1)–(5) (part of the Common Rule) and 42 U.S.C. § 241(d) (the Certificate authorizing statute)).Google Scholar

Philip Morris Order at 4–5.Google Scholar

As one of several arguments, USC's counsel asserted that “45 C.F.R. Section 46.116(a)(1)–(5) [part of the consent sections of the Common Rule], coupled with 42 U.S.C. 241(d), set the minimum federal privacy requirements that must be observed” and then went on to quote the Certificate statutory language. Opposition of Third Party University of Southern California to Defendant Philip Morris' Motion to Compel Production of Documents in Response to Subpoena Duces Tecum to Records Custodian and/or to Dr. Anna Wu, Murphy v. Philip Morris Inc., No. 99–07155 CM (JWJx) (C.D. Cal. Aug. 26, 1999) at 20 (on file with author). To understand the reference, we obtained court documents relating to the motion to compel from the National Archive in Southern California. These documents are available from the authors.Google Scholar

A review of papers filed in opposition to the motion reinforces that this is a misunderstanding. These quote portions of the consent form referring to general confidentiality promises, but no reference to the NIH-required Certificate language. The quoted sections are consistent with the language in the California Department of Health consent forms attached to its opposition to the motion to compel (on file with the authors), as well as Dr. Wu's description of the consent process in the study during the hearing before the Honorable Jeffrey W. Johnson (on file with the authors).Google Scholar

Reported cases are those cases that are published out a particular jurisdiction or court. Appellate cases are typically published, whereas trial court decisions often are not. (The federal district courts publish select decisions in official reporters.) Reported cases form precedent that may be followed by other courts. See “Introduction to Legal Research: Judicial Branch (case law),” available at <http://libguides.law.gsu.edu/content.php?pid=154797&sid=1312331> (last visited September 11, 2015). However, sometimes non-reported decisions may be collected, particularly in the electronic age. While these decisions have less precedential value than reported cases, they may be useful to courts in making decisions, particularly on topics for which there is little precedent.+(last+visited+September+11,+2015).+However,+sometimes+non-reported+decisions+may+be+collected,+particularly+in+the+electronic+age.+While+these+decisions+have+less+precedential+value+than+reported+cases,+they+may+be+useful+to+courts+in+making+decisions,+particularly+on+topics+for+which+there+is+little+precedent.>Google Scholar

To identify cases that have not reached the appellate level, we searched the “All Federal and State Briefs and Motions, Combined” database on Lexis and “Trial Motions” database on Westlaw for all cases that referred to the Certificate statute, regulations, or key words “Certificate” and “confidentiality” in close proximity. We note that neither of these databases is comprehensive. We also conducted searches on Google for additional cases, using similar approaches. If we identified a case through these means, but did not find relevant documents (e.g., moving papers or order), we sought to obtain those documents through appropriate sources, including the PACER database for federal cases, on-line state databases, and contacting the state court.Google Scholar

Order Re: Motion to Quash Subpoenas Re Yale Study's Hospital Records, In re Phenylpropanolamine (PPA) Products Liability Litigation, No. 1407 (W.D. Wash. Aug. 19, 2002); Confidentiality Order Re WHI Study Data, In re PremPro Products Liability Litigation, No. 4:03-CV-01507-WRW (E.D. Ark. Feb. 1, 2005).Google Scholar

Dummit v. CSX Transport., Inc., No. 01-C-145 (Cir. Ct. W. Va. Nov. 21, 2006) (on file with author).Google Scholar

PremPro and PPA. PPA Order, supra note 61, at 2, Memorandum in Opposition to Wyeth's Motion to Compel and Motion for Protective Order Re Production of Records by Fred Hutchinson Cancer Research Center, a Non-Party Witness, In re PremPro Products Liability Litigation, No. 4:03-CV-01507-WRW (E.D. Ark. Nov. 30, 2004), at 7–8.Google Scholar

In the CSX case, the parties came to the hearing on the motion to compel having reached an agreementGoogle Scholar

PremPro Order, supra note note 61, at 1; Transcript of Hearing on Motion to Quash/Motion for Protective Order at 3, Dummit v. CSX Transportation, Inc., 01-C-145 (Cir. Ct. W. Va. Dec. 7, 2006) (on file with author).Google Scholar

Louisville Branch–Nat'l Ass'n for the Advancement of Colored People, 06-ORD-094 Op. Ky. Att'y Gen. (2006)(open records decision).Google Scholar

Louisville, , supra note 66, at 1–2. The results of the study were reported in “Racial Fairness in Sentencing: A Case Study of Selected Crimes in Jefferson County.”Google Scholar

Louisville, , supra note 66, at 11.Google Scholar

The NIH defines “identifying” as “any other item or combination of data about a research participant which could reasonably lead, directly or indirectly by reference to other information, to identification of that research subject.” Louisville, supra note 66, at 12. See also Certificate FAQs, supra note 24, at B2.Google Scholar

Memorandum of Decision on Motion to Quash, Connecticut Superior Court for Juvenile Matters (Jud. Dist. Hartford July 1, 2003).Google Scholar

Id., at 9.Google Scholar

Id., at 10.Google Scholar

Id., at 16. Of course, the researchers recognized the interest in protecting the children by contacting the Department about their concerns. Although we do not have access to the consent form in this case, researchers who obtain a Certificate are required to include any circumstances in which they will reveal identifiable information in the consent form. 42 C.F.R. § 2a.4(j) (2013). See also the sample consent language in United States Department of Health & Human Services, “National Institutes of Health, Detailed Application Instructions for Certificate of Confidentiality: Extramural Research Projects,” available at <http://grants.nih.gov/grants/policy/coc/appl_extramural.htm> (last updated January 16, 2014) (last visited September 11, 2015). In doing so, they typically indicate that they will reveal information about the abuse, but not everything that they have learned about the participant through the study. See, e.g., University of California San Francisco Committee on Human Research, Consent Process–Certificate of Confidentiality, available at <http://www.research.ucsf.edu/chr/Recruit/chrConsentCertConf.asp> (last updated April 23, 2013) (last visited September 11, 2015).+(last+updated+January+16,+2014)+(last+visited+September+11,+2015).+In+doing+so,+they+typically+indicate+that+they+will+reveal+information+about+the+abuse,+but+not+everything+that+they+have+learned+about+the+participant+through+the+study.+See,+e.g.,+University+of+California+San+Francisco+Committee+on+Human+Research,+Consent+Process–Certificate+of+Confidentiality,+available+at++(last+updated+April+23,+2013)+(last+visited+September+11,+2015).>Google Scholar

It is not clear from the Juvenile Court's decision whether the Department sought access to records beyond the four children over whom the Department had temporary custody. Unfortunately, we do not have access to the parties' papers to answer this question.Google Scholar

Juvenile Court decision, supra note 70, at 17.Google Scholar

Wolf, , supra note 5.Google Scholar

Wolf, , supra note 5. The results are based on semi-structured interviews with 24 institutional legal counsel.Google Scholar

Wolf, , supra note 5, at 3.Google Scholar

This is what happened in the PPA, supra note 61, Prempro, , supra note 61, and CSX, supra note 62, cases, as well as in cases described by counsel in our interviews. As described in these cases, a protective order typically was also issued with additional confidentiality obligations, such as limiting access to the data and promising not to reidentify subjects using other available data. However, such protections may not always be sufficient. One counsel in our interviews described a circumstance in which research data (not protected by a Certificate) was ordered produced in a deidentified form, but where the counsel felt deidentification was not truly feasible because of the small number of subject (under 20) and the specificity of the data collected (unpublished data). Wolf, , supra note 5.Google Scholar

In our interviews with legal counsel, one respondent described learning that the Certificate protects only identifiable data, “contrary to some people's assumptions.” Wolf, , supra note 5, at 4. Some IRB Chairs reflected the assumption that the Certificate protected all data, with one describing a researcher with a Certificate as being “free of the obligation to deliver data in a lawsuit.” Beskow, , supra note 8, at 5.Google Scholar

Wolf, , supra note 5, at 3. This lack of familiarity may explain counsel's reliance on the Certificate as a general confidentiality obligation in the Philip Morris case and the court's perpetuation of this error.Google Scholar

People v. Still, 369 N.Y.S.2d at 761 (App. Div. 1975).Google Scholar

Id., at 765.Google Scholar

Juvenile Court decision, supra note 70, at 11.Google Scholar

Id., at 1.Google Scholar

U.S. Department of Health & Human Services, National Institutes of Health, “Reporting of Communicable Diseases Policy,” August 9, 1991, available at <http://grants.nih.gov/grants/policy/coc/cd_policy.htm> (last visited September 11, 2015). Certificate FAQs, supra note 24, at A4. Researchers and institutions have disputed the NIH's description of such disclosures as “voluntary”. Wolf, , supra note 5, at 5.+(last+visited+September+11,+2015).+Certificate+FAQs,+supra+note+24,+at+A4.+Researchers+and+institutions+have+disputed+the+NIH's+description+of+such+disclosures+as+“voluntary”.+Wolf,+,+supra+note+5,+at+5.>Google Scholar

Juvenile Court decision, supra note 70, at 10.Google Scholar

Certificate FAQs, supra note 24, at B1.Google Scholar

Id., at B2 (emphasis added).Google Scholar

Juvenile Court decision, supra note 70, at 1, 9.Google Scholar

42 U.S.C. § 3789g(a) (2010). Importantly, the statute provides: “Such information and copies thereof shall be immune from legal process, and shall not, without the consent of the person furnishing such information, be admitted as evidence or used for any purpose in any action, suit, or other judicial, legislative, or administrative proceedings.” There have been few cases interpreting the protections, although there are several Ohio cases affirming withholding records because of the statute's protections. See, e.g., State ex rel. Multimedia, Inc. v. Snowden, 647 N.E.2d 1374 (Ohio 1995); State ex rel. Johnson v. City of Cleveland, 603 N.E.2d 1011 (Ohio 1992). But cf. State ex rel. Attorney Gen.v. First Judicial Dist. Court, 629 P.2d 330 (N.M.1981) (documents were not protected because the federal funds were awarded only after investigation was completed).Google Scholar

42 U.S.C. §299c-3(c) (2010). Similar to the DOJ version, the AHRQ statute provides that “Such information may not be published or released in other form if the person who supplied the information or who is described in it is identifiable unless such person has consented (as determined under regulations of the Director) to its publication or release in other form.”Google Scholar

42 U.S.C. § 242m (2010). The CDC statutory protection is essentially the same as the AHRQ statute.Google Scholar

Other federal departments and agencies may offer similar protections, but we have identified these three because two (the DOJ and AHRQ) are mentioned in the frequently asked questions on the NIH Certificate Kiosk. FAQs on Certificates, supra note 24, and the third (CDC) is mentioned in connection with the AHRQ statute. For a more in depth discussion of these statutes, see Wolf, L. E. et al. , “Certificates of Confidentiality: Protecting Human Subject Research Data in Law and Practice,” Minnesota Journal of Law, Science & Technology 14, no. 1 (2013): 11–87.Google Scholar

For example, the DOJ statute says no one to whom it applies “shall reveal any research or statistical information” when a person is identifiable, 42 U.S.C. § 3789g; the AHRQ and CDC statutes say that “no information…may be used” when an individual is identifiable 42 U.S.C. 299c-3 and 42 U.S.C. § 242m. Contrast the Certificate statute, which refers to “withholding of names or other identifying characteristics.” 42 U.S.C. § 241(d).Google Scholar

Memorandum from Susan Greene Merewitz, Senior Attorney, Agency for Healthcare Research & Quality, to Nancy Foster, Coordinator for Quality Activities, Agency for Healthcare Research & Quality (April 16, 2001), available at <http://www.ahrq.gov/fund/datamemo.htm> (last visited September 11, 2015).+(last+visited+September+11,+2015).>Google Scholar

Memorandum, Merewitz, supra note 97.Google Scholar

Id. In describing what CDC has done, the memorandum points to Farnsworth v. Procter & Gamble Co., 758 F.3d 1545 (1985), in which the CDC provided deidentified data from its studies on toxic shock to Procter and Gamble and offered to seek permission to share the data from research participants. But it also notes “statutory confidentiality was not before the court.” Fn. 3.Google Scholar

MD. Code. Ann., Health-General § 4–102(a), 72 (LexisNexis 2009) (protecting records from research conducted by the state Drug Abuse Administration, the AIDS Administration, or the Secretary of Health); N.D. Cent. Code § 23-01-15(1) (2012). This statute explicitly states such data are inadmissible. N.D. Cent. Code § 23-01-15(2) (2012) (protecting research data collected by or on behalf of the state department of health and explicating stating such data is inadmissible); S.D. Codified Laws § 34-14-1 (2011) (protecting research data procured by the Department of Health, South Dakota State Medical Association, allied medical societies, or in-hospital staff committees of accredited hospitals and explicitly stating such data are inadmissible); Wash. Rev. Code Ann. § 42.48.040 (West 2006)(generally protecting state research records, although with exceptions for consent, to avert harm, or per court order when the case involves research injury); Ga. Code Ann. § 24-12-2(a) (West 2011) (applying to “raw” research data generally, although there are several exceptions, particularly for criminal defendants).Google Scholar

Haw. Rev. Stat. § 324–13 (West 2008).CrossRefGoogle Scholar

Cal. Health & Safety Code § 121075 (West 2012).Google Scholar

Ark. Code. Ann. § 20-35-103 (LexisNexis 2005); Okla. Stat. tit. 36, § 3614.4 (2011).Google Scholar

On the other hand, some state statutes may be less protective than the Certificate. For example, Georgia's statute appears to eliminate participants‘ protections when researchers’ act as experts and in the context of all criminal proceedings. Ga. Code Ann. § 24-12-2 (West 2011).Google Scholar

MD. Code. Ann., Health-General § 4–101, 72 (LexisNexis 2009); N.D. Cent. Code § 23-01-15 (2012); S.D. Codified Laws § 34-14-1 (2011).Google Scholar

MD. Code. Ann., Health-General § 4–101, 72 (LexisNexis 2009); N.D. Cent. Code § 23-01-15 (2012); S.D. Codified Laws § 34-14-1 (2011).Google Scholar

Ark. Code. Ann. § 20-35-103 (LexisNexis 2005); Okla. Stat. tit. 36, § 3614.4 (2011).Google Scholar

For a more in-depth discussion of how to address subpoenas for scholarly research, see Traynor, M., “Countering the Excessive Subpoena for Scholarly Research,” Law & Contemporary Problems 59, no. 3 (1996): 119–148.Google Scholar

Traynor, , supra note 109, at 126. See also Fed. R. Civ. Pro. 45; Wright, C.A. et al. , 9A Federal Practice & Procedure Civil § 2007 (3d ed. 2012).Google Scholar

Traynor, , supra note 109, at 126.Google Scholar

Id., at 131–134.Google Scholar

Id., at 128–131. See Cusumano v. Microsoft Corp., 162 F.3d 708 (1st Cir. 1998)(court concluded that “[a]cademicians engaged in pre-publication research should be accorded protection commensurate to that which the law provides for journalists.” at 714)Google Scholar

Beskow, , supra note 8; Wolf, , supra note 5; U.S. Department of Health and Human Services, Secretary's Advisory Committee on Human Research Protections (SACHRP), “Final Recommendation: Certificates of Confidentiality (COCs) (Approved March 13, 2014),” available at <www.hhs.gov/ohrp/sachrp/mtgings/mtg03–14/cocrecommendations.html> (last visited September 11, 2015). (last visited September 11, 2015).' href=https://scholar.google.com/scholar?q=Beskow,+,+supra+note+8;+Wolf,+,+supra+note+5;+U.S.+Department+of+Health+and+Human+Services,+Secretary's+Advisory+Committee+on+Human+Research+Protections+(SACHRP),+“Final+Recommendation:+Certificates+of+Confidentiality+(COCs)+(Approved+March+13,+2014),”+available+at++(last+visited+September+11,+2015).>Google Scholar

We are assuming that strengthening the Certificate's protection is desirable, given Congress's expansion of the Certificate as a research tool since 1970, the NIH's decision to encourage increased use of Certificates, and the support we have heard from researchers, IRB Chairs, and legal counsel. See Wolf, L. E. et al. , “The Certificate of Confidentiality Application: A View from the NIH Institutes,” IRB 26, no. 1 (2004): 14–18, at 14; Wolf, et al. , supra note 5, at 6; Beskow, , supra note 8, at 9; Wolf, L. E. Zandecki, J., “Sleeping Better at Night: Investigators' Experiences with Certificates of Confidentiality,” IRB 28, no. 6 (2006): 1–8, at 4–8; Wolf, et al. , supra note 95, at 82.Google Scholar

SACHRP Final Recommendations, supra note 114. SACHRP also makes some administrative recommendations that we do not address.Google Scholar

Beskow, , supra note 8, at 9.Google Scholar

SACHRP Final Recommendations, supra note 114. We have previously recommended that IRBs evaluate the data security plan, including Certificates, and training in protecting confidentiality of research data as part of their protocol review. Wolf, et al. , supra note 5, at 7.Google Scholar

Wolf, et al. , supra note 95, at 74. In the Bradley case, Duke took this approach by fighting the subpoena without indicating whether the witness was, in fact, a research participant in the study from which data was sought. Beskow, , supra, note 34, at 1054. We recognize, however, that fighting a subpoena for data protected by a Certificate may be interpreted as confirmation of participation.Google Scholar

Wolf, , supra note 8, at 8.Google Scholar

Id., at 7.Google Scholar

See Wolf, , supra note 95 for a fuller discussion of our legal analyses regarding Certificates.Google Scholar

SACHRP Final Recommendations, supra note 114.Google Scholar

Wolf, , supra note 95, at 82–86.Google Scholar

Ohm, P., “Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization,” University of California Los Angeles Law Review 57 (2010): 1701–1776, at 1704. Ohm argues that “[d]ata can be either useful or perfectly anonymous, but never both.” Id.Google Scholar

Sweeney, L., “Simple Demographics Often Identify People Uniquely” (Carnagie Mellon Univ., Data Privacy Working Paper No. 3, 2000), available at <http://impcenter.org/wpcontent/uploads/2013/09/Simple-Demographics-Often-Identify-People-Uniquely.pdf> (last visited September 11, 2015) (demonstrated that she could identify 87% of individuals by combining three simple identifiers: Five-digit ZIP code, birth date (including year), and sex). Sweeney, L., “k-Anoymity: A Model for Protecting Privacy,” International Journal of Uncertainty, Fuzziness and Knowledge-Based Systems 10, no. 5 (2002): 557–570, at 558–559. Narayanan, A. Shmatikov, V., “How to Break the Anonymity of the Netflix Prize Data-set,” arVix website, October 16, 2006, available at <http://arxiv.org/abs/cs/0610105> (last visited September 12, 2015). See generally Gellman, R., “The Deidentification Dilemma: A Legislative and Contractual Proposal,” Fordham Intellectual Property, Media and Entertainment Law Journal 21, no. 1 (2010): 33–61, at 37; Ohm, , supra note 127, at 1716–1722; Schwartz, P. M. Solove, D. J., “The PII Problem: Privacy and a New Concept of Personally Identifiable Information,” New York University Law Review 86, no. 6 (2011): 1814–1894, at 1836–1843; Yakowitz, J., “Tragedy of the Data Commons,” Harvard Journal of Law and Technology 25, no. 1 (2011): 1–67, at 31–33, 39–41. While these are not human subjects research data, they are useful for understanding the challenges to deidentification in light of today's technology and widely accessible information.Google Scholar

Amending the statute would provide an additional opportunity to consider whether there are better ways to structure the Certificate's protections. For example, some of the other federal statutes and many of the state statutes provide coverage to research generally without requiring an application, and some provide a broader spectrum of coverage to the data. These features may be worth considering as an alternative to the current Certificate approach. SACHRP has similarly recommended changes through the statutory and regulatory processes. Specifically, it recommends allowing researchers the right to refuse to provide deidentified data when reidentification is possible. It also suggests new regulations could provide greater clarity on what is protected by a Certificate. SACHRP Final Recommendation, supra note 114.Google Scholar

In 2011, the Department of Health and Human Services issued an advance notice of proposed rule-making concerning proposed changes to the federal regulations governing human subjects research. Human Subjects Research Protections, “Enhancing Protections for Research Subjects and Reducing Burden, Delay, and Ambiguity for Investigators,” Federal Register 76 (Jul. 26, 2011): 44512 (to be codified at 45 C.F.R. pts. 46, 160, and 164 and 21 C.F.R. pts. 50 and 56). Despite significant attention within the research community, and tens of thousands of responses, it is unclear at this point whether any changes will in fact be made to the regulations.Google Scholar

See Chevron v. Natural Resources Defense Council, 467 U.S. 837, 843–44 (1984) (holding that courts must defer to an agency's reasonable statutory interpretation where Congress has made an implicit agency delegation). In Chevron, the Court reviewed an E.P.A. regulation allowing a state to define the term “stationary source” to include an entire plant, rather than a particular pollution-emitting device. The regulation had been promulgated according to formal procedures and published in the Code of Federal Regulations. Id., at 840–41, 853, 855.Google Scholar

United States v. Mead Corp., 533 U.S. 218, 241 (2001). The Court has ruled that “interpretive rules…enjoy no Chevron status as a class.” Id., at 232. However, guidance documents are entitled to Skidmore deference. Christensen v. Harris County, 529 U.S. 576, 585–87 (2000) (relying on cases in which Skidmore deference was used for guidance documents).Google Scholar

U.S. Department of Health and Human Services, National Institutes of Health, “Certificates of Confidentiality Kiosk,” available at <http://grants.nih.gov/grants/policy/coc/> (last updated May 14, 2014) (last visited September 11, 2015).+(last+updated+May+14,+2014)+(last+visited+September+11,+2015).>Google Scholar

While the current guidance is issued by NIH, it is not clear whether this is done with official delegated authority that would make it more likely that it would receive Skidmore deference. The Certificate implementing statute grants authority only to the Secretary of HHS, although the regulation defines “secretary” as “the Secretary of Health and Human Services and any other officer or employee of the Department of Health and Human Services to whom the authority involved has been delegated.” 42 U.S.C. § 241(d); 42 C.F.R. § 2a.2(a). This suggests that the Secretary could delegate authority to someone within NIH knowledgeable about Certificates. Such delegation is consistent with the General Administration Manual, which outlines agency policy whereby an organization within the agency may request a written delegation of authority from the Secretary by written request outlining the legal authority upon which the Secretary may delegate. See e.g., U.S. Department of Health & Human Services, General Administration Manual § 8-101-20(A) (2006), available at <http://web.archive.org/web/20120707192340/http://www.hhs.gov/hhsmanuals/administration.pdf> (last visited September 15, 2015). Generally, the legal authority exists unless specifically prohibited by statute. Id.+(last+visited+September+15,+2015).+Generally,+the+legal+authority+exists+unless+specifically+prohibited+by+statute.+Id.>Google Scholar

NIH already provides important information about Certificates through the Certificate kiosk, which we rely on frequently in our own work. Certificates of Confidentiality Kiosk, supra note 133. We are aware that the NIH has worked recently to reorganize the information on the website to make it more accessible to users (Personal Communication, Ann Hardy, NIH Certificate of Confidentiality Coordinator (10/27/2011).Google Scholar

While this may be the “easiest” strategy, it does not mean that it is easily accomplished. The internal review process within an agency can be time-consuming and politically sensitive. However, at least it is all within the control of the agency, unlike regulatory or statutory amendments.Google Scholar

Beskow, et al. , supra note 8, at 9.Google Scholar

Check, D. K. et al. , “Certificate of Confidentiality and Informed Consent: Perspectives from IRB Chairs and Institutional Legal Counsel,” IRB: Ethics and Human Research 36, no. 1 (2014): 1–8, at 6.Google Scholar

Id., at 6.Google Scholar

Beskow, L. M. Check, D. K. Ammarell, N., “Research Participants' Understanding of and Reactions to Certificates of Confidentiality,” American Journal of Bioethics Empirical Bioethics 5, no. 1 (2014): 12–22, at 19.Google Scholar