Interim Policy Statement

This statement sets forth the Public Health Service policy, on an interim basis, for exercise of new authority to grant protection against compulsory legal process for personally-identifiable research information. This authority is in a new subsection 301(d) of the Public Health Service Act, added by the Health Omnibus Programs Extension of 1988. It reads as follows:

The Secretary may authorize persons engaged in biomedical, behavioral, clinical, or other research (including research on mental health, including research on the use and effect of alcohol and other psychoactive drugs) to protect the privacy of individuals who are the subject of such research by withholding from all persons not connected with the conduct of such research the names or other identifying characteristics of such individuals. Persons so authorized to protect the privacy of such individuals may not be compelled in any Federal, State, or local civil, criminal, administrative, legislative, or other proceedings to identify such individuals. (Public Health Service Act, § 301(d), 42 U.S.C. § 241(d), as added by Pub. L. No. 100- 607, § 163 (November 4, 1988)).

It extends to “biomedical, behavioral, clinical, or other research” an earlier authority (in section 303 of the Public Health Service Act) that was available only for “research on mental health, including research on the use and effect of alcohol and other psychoactive drugs.” The latter authority has been administered by the Alcohol, Drug Abuse, and Mental Health Administration (ADAMHA) which grants the protection in the form of confidentiality certificates to researchers who request them.

Regulations will be developed for exercise of the new authority. Meanwhile, the Public Health Service may be asked to issue confidentiality certificates granting this protection, or officials of the PHS may conclude that it is necessary to issue them, before the regulations embodying the permanent policies are promulgated. The following standards and procedures govern grant of the protection, on an interim basis, until promulgation of regulations.

1. 1. Existing ADAMHA Authority. Existing regulations at 42 C.F.R. Part 2a govern ADAMHA’s grant of this protection. Those regulations continue to apply directly to grants of the protection by the Alcohol, Drug Abuse, and Mental Health Administration, which should continue to operate as before, but citing section 301(d) of the Public Health Service Act as authority for the certificates. The following procedures do not apply to ADAMHA.
   2. Grant of Protection. The Assistant Secretary for Health retains authority under section 301(d), and is the only official who may grant this protection, pending issuance of permanent policies for its management. Agency heads and staff office directors who wish to provide this protection for their intramural activities, or for their grantees’ or contractors’ projects, or for other projects of interest to the agency or office, should request that the Assistant Secretary for Health grant the protection. The request should include:
      1. 1. Where the request pertains to activities outside the requesting agency or office, a copy of the correspondence that generated the request;
         2. A brief description of the research activities to be covered;
         3. An evaluation of the merits of the request, taking into account the principles set out below; and
         4. A certificate of confidentiality granting the protection, ready for signature by the Assistant Secretary.

      Requests for the protection should be submitted through the Deputy Assistant Secretary for Health (Planning and Evaluation), who will consult the Chief Counsel, Public Health Service, the Director, Office for Protection from Research Risks, NIH, and as necessary, the proponent agency. The Deputy Assistant Secretary will forward the application to the Assistant Secretary with his recommendation. Agency Heads and Directors of Staff Offices should also advise the Assistant Secretary, through the same channels, of any requests for the protection from outside the Department which in their judgment should not be granted. A copy of the request should be included.

      This central management of the protection is a temporary measure, until permanent policies are developed. It will achieve some consistency in administering the protection, and will provide valuable experience for writing the permanent policy.

   3. Guidance for Grant of the Protection. For agencies and offices other than ADAMHA, the existing ADAMHA regulations at 42 C.F.R. Part 2a, are a useful guide to exercise of this authority, and the Assistant Secretary will look to them for guidance.
   4. When the protection will be granted. The protection will be granted sparingly. Under the statute it can be granted only to research (i.e., a systematic investigation designed to develop or contribute to generalizable knowledge). The protection will be granted only when the research is of a sensitive nature where the protection is judged necessary to achieve the research objectives. Research can be considered sensitive if it involves the collection of information in any of the following categories:
      1. 1. Information relating to sexual attitudes, preferences, or practices;
         2. Information relating to the use of alcohol, drugs, or other addictive products;
         3. Information pertaining to illegal conduct;
         4. Information that if released could reasonably be damaging to an individual’s financial employability, or reputation within the community;
         5. Information that would normally be recorded in a patient’s medical record, and the disclosure of which could reasonably lead to social stigmatization or discrimination;
         6. Information pertaining to an individual’s psychological well-being or mental health.

Information in other categories, not listed here, might also be considered sensitive because of specific cultural or other factors, and protection can be granted in such cases upon appropriate justification and explanation.

In deciding whether to seek the protection, agency heads and office directors should consider, and address in their supporting material, the type of information being collected, in light of the standards set out above.

5. 5. Privacy Act. For activities which are covered by the Privacy Act and which also receive protection under section 301(d), agencies may want to note the existence of this protection in system notices for affected systems, and may want to review the system notices to determine whether routine uses and the safeguards section need to be modified.
   6. Scope. The protection is available for (a) direct Federal activities, (b) federally-funded activities, and (c) research that has no Federal funding. In considering requests for research with no Federal connection, agency heads are advised to look carefully at whether it meets the definition of research, and at its sensitivity, in light of the principles enunciated in section 4, above
   7. Form for granting Protection. Exceptions. The protection will be granted in the form of a certificate setting forth the research to be covered and the conditions or limitations upon use of the protection. The protection should generally be issued to the institution conducting the research, but may be issued to the principal investigator if the agency believes that is appropriate. For agencies other than ADAMHA, there are no regulations spelling out the conditions and requirements applicable to the protection, and the certificate will have to spell them out explicitly in each case.

The certificate should contain the following features:

1. 1. It should state that it does not authorize the holder to prevent review of records under the Federal Food, Drug, and Cosmetic Act (21 U.S.C. § 301 et seq.) or regulations promulgated there under, or, in the case of research conducted or supported by this Department, to refuse to disclose information in the course of an audit or program evaluation of the research — situations where identifiable records may be reviewed or copied by Federal investigators, but where the research subjects are not the targets of the inquiry and where their identities are irrelevant to the inquiry.

      It should also state that it cannot be used to prevent disclosure if the subject (or if he or she is legally incompetent, his or her guardian) consents in writing to disclosure of identifying information.

      (Agencies should be very cautious in seeking additional exceptions to the use of the protection, since exceptions weaken the protection and are inconsistent with its purpose.)

   2. The certificate should require the holder to use it to resist compulsory disclosure.
   3. It should require that all research subjects in the project be given a fair, clear explanation of the protection it affords, and of the limitations and exceptions to the protection. It should generally require that the research subjects be given a copy of the certificate, although this need not be required if it would be destructive to the research or harmful to the subject. It should state that the certificate does not govern the voluntary disclosure by the researcher of identifying characteristics of research subjects. (The information given to subjects will typically also describe the project’s intended policies for disclosure of information apart from the requirements of the certificate.)
   4. It should state the effective dates of the certificate, and should state that the protection afforded by it is permanent (including after death) for all persons who participated as subjects in the research during any time the certificate was in effect.
   5. If the research project is also subject to the special rules for the confidentiality of alcohol and drug abuse patient records, under sections 544 and 548 of the Public Health Service Act (42 U.S.C. § 290dd-3 and 290ee-3) and implementing regulations (42 C.F.R. Part 2), the certificate should state that.

For the convenience of agency heads and office directors, a draft certificate, incorporating these requirements, is attached. It should be modified as necessary to meet the circumstances of particular projects.

Questions about this interim guidance, about the policy-making process for the protection, or about the form and content of certificates can be directed to the Deputy Assistant Secretary for Health (Planning and Evaluation), to the Director of the Office for Protection from Research Risks, NIH, or to the Chief Counsel, Public Health Service.

5/22/89

Confidentiality Certificate

issued to

Employees of the (name of organization)

University of [name], and Other Participants

conducting research known as

[title of project]

[grant number]

In accordance with the provisions of section 301(d) of the Public Health Service Act (42 U.S.C.§ 241(d)) this Certificate is issued to protect the privacy of research subjects by withholding their identities from all persons not connected with the research.

Under authority vested in the Secretary of Health and Human Services under that section, all persons who —

1. 1. are employed by the (name of organization), University of (name), and its contractors and cooperating agencies; and
   2. have, in the course of that employment, access to the information which would identify individuals who are the subjects of a research project entitled [title of project] are hereby authorized to protect the privacy of the individuals who are the subjects of that research by withholding their names and other identifying characteristics from all persons not connected with the conduct of that research, with the exceptions and limitations set forth below.

The purpose of this research project is to [brief description]

As provided in section 301(d) of the Public Health Service Act (42 U.S.C. § 241(d)),

“Persons so authorized to protect the privacy of such individuals may not be compelled in any Federal, State, or local civil, criminal, administrative, legislative, or other proceedings to identify such individuals.”

The following conditions apply to the protection provided under this certificate:

1. 1. (1) This certificate does not authorize the [name of organization and university] to refuse to reveal identifying information concerning research subjects if any of the following conditions exist:
      1. The subject (or, if he or she is legally incompetent, his or her guardian) consents in writing to disclosure of identifying information.

INCLUDE THIS PARAGRAPH IF RESEARCH IS CONDUCTED OR SUPPORTED BY THE DEPARTMENT:
[(b) Authorized personnel of the United States Department of Health and Human Services request such information for audit or program evaluation of the research project, or for investigation of the [name of university] or their contractors or employees in carrying out the research project.]

2. 2. 2. [(c)] Release is required by the Federal Food, Drug, and Cosmetic Act (21 U.S.C. §§ 301 et seq.) or regulations promulgated there under (Title 21, Code of Federal Regulations).
   2. This certificate requires that there be no disclosures of identifying characteristics of research subjects in any Federal, State, or local civil, criminal, administrative, legislative, or other proceedings to compel disclosure of the identifying characteristics of research subjects, except as provided for in paragraph (1), above.
   3. The confidentiality certificate does not govern the voluntary disclosure of identifying characteristics of research subjects.
   4. This certificate does not represent an endorsement of the research project by the Department of Health and Human Services.
   5. All research subjects in the project will be given a fair, clear explanation of the protection this certificate affords, and of the limitations and exceptions to the protection [and will be given a copy of this certificate].
   6. This certificate is effective [on the date the research begins] (upon issuance), and will expire at the end of (month and year of anticipated end date of research), or sooner if the holder is notified of cancellation in accordance with the procedures set out in 42 C.F.R. § 2a.8. The protection afforded by this certificate of confidentiality is permanent (including after death) for persons who participated as subjects in the research during any time the certificate was in effect.

INCLUDE THIS IF APPLICABLE:
[(7) This research project is also subject to special rules for the confidentiality of alcohol and drug abuse patient records, under sections 544 and 548 of the Public Health Service Act (42 U.S.C. §§ 290dd-3 and 290ee-3), and implementing regulations at 42 C.F.R. Part 2, which restrict voluntary disclosures of information from covered patient records.]

Date: ___________________
Assistant Secretary for Health
5/22/89/T