Certificates of confidentiality and unexpected complications for pragmatic clinical trials

Abstract Introduction The need to protect the confidentiality of research data has long been recognized. One means to help protect research data from use in civil or criminal matters in the United States is a Certificate of Confidentiality (CoC). Until recently, investigators applied for a CoC when conducting research that was sensitive, stigmatizing or where the disclosure of private information could possibly result in civil or criminal liability. However, effective October 1, 2017, CoCs are automatically issued for much research supported by the National Institutes of Health (NIH). While automatic issuance reduces administrative burden, it also poses some surprising unanticipated challenges for research in general and pragmatic clinical trials (PCTs) in particular, which are key elements of learning health systems. Methods We reviewed the new policy on CoCs to identify and analyze issues related to it that are potentially problematic for PCTs. Results We identified three relevant issues: (1) whether the EHR may be populated with research data that may be sensitive or stigmatizing without explicit consent from subjects; (2) incomplete protections for sensitive data in the EHR; and (3) requirements for notifying subjects about the CoC provisions. Conclusion Formal guidance from the NIH is needed to address the application of CoCs to the setting of PCTs. In the meantime, it is essential for researchers designing and conducting PCTs, as well as health care systems in which this research is conducted, to be aware of the nuances inherent in CoCs so they can best adhere to their legal obligations regarding them. In the absence of guidance, special attention should be paid to pragmatic research that populates the electronic health record with research data as well as research conducted without explicit consent. Given the large amount of pragmatic research precipitated by the Coronavirus Disease 2019 pandemic, which has been accompanied by major efforts to share data, the need for such guidance is especially urgent.


| INTRODUCTION
The need to protect the confidentiality of research data, particularly sensitive or stigmatizing research data, has long been recognized, not only as an ethical obligation to protect research participants, but also as instrumental to conducting research. Simply put, if those eligible to participate are not assured of data protection they may be unwilling to enroll in research or reluctant to reveal sensitive information essential to the research. One means that has been utilized to help protect such research data from use in civil or criminal matters in the United States is a Certificate of Confidentiality (CoC). 1 Until recently, investigators applied to the National Institutes of Health (NIH) for a CoC only when conducting research that was sensitive, stigmatizing or where the disclosure of private information could possibly result in civil or criminal liability. 2 However, effective October 1, 2017, pursuant to the 21st Century Cures Act 3 that aims to accelerate research, CoCs are automatically issued for all NIH funded research within the scope of the new policy, which is both broader than the prior policy and redefines identifiable data. [4][5][6] While the automatic issuance of a CoC reduces administrative burden, it also poses some surprising unanticipated challenges for research in general 6 and pragmatic clinical trials (PCTs) and comparative effectiveness research in particular, which are key elements of learning health systems.
PCTs are being increasingly used to generate evidence to guide healthcare decision-making by patients, clinicians and payers. By Like all research, responsibly designing and conducting PCTs necessitates identifying and addressing a range of ethical and regulatory issues to help ensure that the rights, interests and welfare of those who are involved are protected. 7 For example, since many PCTs evaluate standards of care, the traditional informed consent process is often modified in various ways (eg, waiver of consent, opt-out notification, oral consent). However, it can be difficult to determine when it is appropriate to use such alternatives. 8 In addition, while PCTs do not typically entail additional burdens for research subjects, there can be particular challenges related to ensuring the privacy and confidentiality of subjects. 9 PCTs often include the use of clinical data across different health systems, which heightens concerns about data privacy and confidentiality, particularly when sensitive information is being collected (eg, illicit drug use, sexually transmitted infections). For example, this could include pragmatic research aimed at addressing major public health issues such as HIV and the opioid crisis. 10 While at first glance a CoC might seem well suited to help manage such concerns, the current CoC provisions without guidance or modification present challenges for many PCTs.
In this paper, after outlining the provisions of the new CoC policy, we describe selected issues that seem especially problematic in the context of PCTs and thereby threaten learning health systems.

| KEY PROVISIONS OF THE CoC POLICY
As noted earlier, NIH funded or conducted human subjects research is now issued a CoC automatically, which makes the scope of research covered by the policy much broader. The new policy applies to all biomedical, behavioral, clinical or other research funded wholly or in part by the NIH that "collects or uses identifiable sensitive information". 4 Identifiable sensitive information is defined to include information about an individual that is "gathered or used during" the research and (1) the individual is identified, or (2) where "there is at least a very small risk, that some combination of the information, a request for information and other available data sources could be used to deduce the identity of the individual". 4 The policy now covers research deemed exempt under federal regulations unless the information obtained is recorded in such a manner that human subjects cannot be identified or the identity of the human subjects cannot readily be ascertained, directly or through identifiers linked to the subjects; biospecimen research where the identity of the source might be  Table 1). In addition, researchers must "ensure that any investigator or institution not funded by NIH who receives a copy of identifiable, sensitive information protected by a Certificate issued by this Policy, understand they are also subject to the requirements". 4 Finally, "For studies in which informed consent is sought, NIH expects investigators to inform research participants of the protections and the limits to protections provided by a Certificate." 4

| Incomplete protections for sensitive data in the EHR
The CoC protects "names or any information, documents, or biospecimens containing identifiable, sensitive information related to a research participant". 1 If separate research records are maintained for the study, the CoC protections could be implemented. However, once this information is included in the EHR, the question of whether the CoC protections apply and can be implemented becomes more complex. 6 Perhaps paradoxically, a CoC provides incomplete protection of sensitive data because the EHR is unlikely to be deemed a research record and the CoC protections and investigator responsibilities apply only to the research records. Nevertheless, research data incorporated in the EHR arguably warrant similar protections. Although these protections are important for all research data, they become even more critical when the data are generated through a research activity where subjects were enrolled with a waiver of consent and were not aware of the research.

| Requirements for notifying subjects about CoCs
The CoC policy requires that participants be notified of the CoC protections and limitations for research "in which informed consent is sought". While this requirement is clear for conventional research that involves explicit written informed consent, and NIH offers template language to do so, 12 it is less clear for PCTs that may use a wide array of alternative approaches to providing information about the research and seeking permission to participate. 8 These approaches may include no disclosure (waiver of consent), simple disclosure with opt-out or opt-in provisions (alteration of consent), oral consent, and a brief or standard written consent process. Each of these approaches can comport with federal research regulations and be approved by an IRB.

| CONCLUDING COMMENTS
While the NIH policy regarding CoCs derives from the 21st Century Cures Act and therefore must adhere to its stipulations unless Congress modifies it, formal guidance from the NIH is needed to address the application of CoCs to the setting of PCTs. In the meantime, it is essential for researchers designing and conducting PCTs, as well as health care systems in which this research is conducted, to be aware of the nuances inherent in CoCs so they can best adhere to their legal obligations regarding them. 6 In the absence of guidance, special attention should be paid to pragmatic research that populates the EHR with research data as well as research conducted without explicit consent.
Finally, the unprecedented Coronavirus Disease 2019 (COVID-19) public health emergency obviously necessitates a broad array of research efforts aimed at identifying safe and effective means of prevention and treatment, including explanatory and pragmatic research. When such research is supported by the NIH, the CoC provisions would apply and researchers must be sensitive to them. While it is beyond the scope of this article to examine COVID-19 pandemic research efforts and the potential issues that may arise in regard to CoCs for them in detail, special challenges may arise as investigators are prompted to participate in enhanced data sharing to accelerate scientific understanding as a means to help attenuate the pandemic. 13 This makes the need for formal guidance about CoCs from the NIH especially urgent.