Memorandum on Statutory Confidentiality Protection of Research Data

Information about confidentiality of sensitive data in research projects collected by AHRQ.

Date: April 16, 2001
To: Nancy Foster, Coordinator for Quality Activities, Center for Quality Improvement and Patient Safety, AHRQ
From: Susan Greene Merewitz, Senior Attorney for AHRQ
Subject: Statutory Confidentiality Protection of Identifiable Research Data Collected with AHRQ Support

The following legal analysis is offered to be of assistance in responding to questions and concerns raised at recent agency meetings by potential offerors and grant applicants regarding the confidentiality of sensitive data collected for the Agency for Healthcare Research and Quality (AHRQ) research projects.

All identifiable research data obtained by AHRQ, or by its contractors and grantees, is protected by the statutory confidentiality provision found at 42 U.S.C. § 299c-3(c). That statute provides:

(c) Limitation on use of certain information

No information, if an establishment or person supplying the information or described in it is identifiable, obtained in the course of activities undertaken or supported under this subchapter may be used for any purpose other than the purpose for which it was supplied unless such establishment or person has consented (as determined under regulations of the Director) to its use for such other purpose. Such information may not be published or released in other form if the person who supplied the information or who is described in it is identifiable unless such person has consented (as determined under regulations of the Director) to its publication or release in other form.

We read this Federal mandate, to keep confidential all identifiable research data collected pursuant to AHRQ's authorizing legislation (Title IX of the Public Health Service [PHS] Act; 42 U.S.C. § 299 et seq.) and not to disclose any of this identifiable data without the consent of the supplier of the data or of the subject individuals, as applying to anyone with access to that collected data. The statute's terms are not limited to AHRQ officials or contractors or grantees. Nor are its terms time limited (1). Accordingly, we read the statutory restrictions as attaching to and traveling with any identifiable research data once it has been collected pursuant to AHRQ-supported programs or projects.

Violation of the statute's strictures to use the identifiable data solely for the purpose supplied and not to make any disclosures other than those previously consented to is punishable by a civil monetary penalty of up to $10,000. See 42 U.S.C. § 299c-3(d), which states:

(d) Penalty

Any person who violates subsection (c) shall be subject to a civil monetary penalty of not more than $10,000 for each such violation involved. Such penalty shall be imposed and collected in the same manner as civil money penalties under subsection (a) of section 1320a-7a of this title are imposed and collected (2).

Neither AHRQ's confidentiality statute nor the identical predecessor provision applicable to AHCPR-supported research records (referenced in footnote 1) has ever been challenged in court. A few challenges have arisen with respect to research data, protected by the forerunner statute, 42 U.S.C. § 242m(d), that was obtained from the National Center for Health Statistics (NCHS)/Centers for Disease Control and Prevention (CDC) by outside health researchers pursuant to confidentiality agreements prohibiting any further redisclosures. These legal skirmishes were resolved in keeping with the statute, but not explicitly by any opinion citing the statute. As soon as CDC, the concerned Health and Human Services component agency, was informed of a potential legal problem, steps were taken to set forth the law for the parties or the court and to work out solutions that did not violate the statutorily-based confidentiality restrictions governing the research data in question. Some resolutions were informal, e.g., negotiated with counsel for the parties by local Assistant United States Attorneys and some were determined by judges based upon the confidentiality requirements of agreements under which the research data was obtained (3).

Like CDC, AHRQ considers adherence to its confidentiality statute by researchers who obtain identifiable data for AHRQ-supported research essential to the continued successful conduct of its research mission. Therefore, guidance and technical assistance from AHRQ's legal advisor is available to its contractors and grantees seeking to protect identifiable research data from legal process or discovery in litigation. Accordingly, contractors and grantees would be well advised to inform AHRQ immediately if information protected by the statute is sought in any legal proceedings.

In sum, 42 U.S.C. § 299c-3(c), the confidentiality statute that is part of AHRQ's authorizing legislation, grounded in judicially recognized public policies intended to foster participation in and the conduct of research, provides a respected form of Federal statutory protection for all identifiable data submitted to the Agency, its grantees and contractors, for research purposes and permits no disclosures or uses of it, other than those consented to by the suppliers of the data or by the research subjects (4). 

(1) Identifiable research data collected while protected under essentially identical prior statutes continue to be protected by HHS agencies, its contractors and grantees, with no termination of that obligation, even when the original statute has been replaced. Prior to December 6, 1999, when AHRQ was created by statute, the identifiable research records of the predecessor Agency for Health Care Policy and Research (AHCPR) and its grantees and contractors were protected by 42 U.S.C. § 299a-1(c). Prior to December 1989, when AHCPR was created, the identifiable research data of the predecessor National Center for Health Services Research, its contractors and grantees, was protected by an essentially identical statute, 42 U.S.C. § 242m(d). This statute also applied and still applies to identifiable research data obtained under the aegis of the National Center for Health Statistics (NCHS), a component of the Centers for Disease Control and Prevention (CDC). 

(2) This penalty provision was enacted in 1999, to reinforce the obligation to maintain the confidentiality of all the data collected for the research that AHRQ supports. There is no corresponding penalty provision applicable to the essentially identical confidentiality statutes cited in footnote 1. However, other enforcement measures would be considered and carried out as appropriate. Possible enforcement measures include criminal actions for intentionally false promises of confidentiality under 18 U.S.C. § 1001, or debarment from further participation in Federal agency programs. 

(3) We also note that in Farnsworth v. Procter & Gamble, 758 F. 2d 1545, 1547 (11th Circuit, 1985), though statutory confidentiality was not before the court, CDC confidentiality promises and policies were nonetheless upheld. In that case, the identifiable research data that was sought to challenge CDC conclusions regarding toxic shock syndrome was not protected by the confidentiality statute, 42 U.S.C. § 242m(d). Instead, a Federal District Court had applied a balancing test developed by Federal courts based on Rule 26(c) of the Federal Rules of Civil Procedure. This rule allows a court for good cause to protect individuals from burdensome disclosures. The appellate opinion, cited above, noted with approval the facts that the lower court considered: i.e, the efforts made by the agency to obtain consent of subject individuals to disclose their names and the substantial amount of nonidentifiable aggregate data made available to defendants. It therefore upheld the reasonableness of the lower court's conclusion that the public policy reasons for fostering confidentiality protection practices outweighed the discovery need for more data. Had CDC's confidentiality statute been applicable to the data, it could only have strengthened the weight of the arguments for protecting the requested data.

The validity and importance of protecting confidentiality practices which are intended to encourage participation in research and thereby enable the conduct of research, recognized by the courts in the Farnsworth case, are exactly the protective practices required by CDC's and AHRQ's statutory confidentiality mandates. The research objectives and public policies that were upheld are the same as the statutes'. These same public policies and the Farnsworth case were cited and relied on fairly recently in a Massachusetts State court case as a basis for protecting identifiable research data. In the Matter of the Deposition of Richard Clapp, Civ. Act. No. 98-2090-C (Suffolk Superior Ct., 1999) 

(4) Ironically, certain confidential information such as information about medical mistakes discussed in hospital morbidity and mortality conferences, that is 'privileged' and protected against discovery in litigation under particular State laws, loses its privileged nature and its protection against legal process (court orders), we are told, if it is shared with any outside individual or entity. Thus, while identifiable medical error data reported by hospital or clinic staff to AHRQ researchers is protected by the AHRQ confidentiality statute from court-ordered disclosures of that data by the AHRQ-supported researchers, giving information to AHRQ researchers, even under strictly confidential terms, we understand, would make the reporters of the information vulnerable to court disclosure orders, such as subpoenas to be deposed.

Arguably, if individuals inside a health care institution are gathering identifiable medical error information as part of AHRQ-supported grant or contract research, and it is conveyed outside the institution, e.g., for analysis in an AHRQ-supported central databank, even if the reporters lost their protection against being subpoenaed to testify under State law, the Federal statute would cover and protect the identifiable information they acquired pursuant to AHRQ's statutory research authority. While workable on a limited basis, this incorporation of hospital staff onto a research team would not provide a realistic long term system of gathering data on medical errors for research. Accordingly, AHRQ has a contractor currently researching State laws to determine the scope of this dilemma and to suggest what Federal legislation, if any, would permit error information to be shared on a confidential basis with AHRQ-supported researchers without losing its prior privilege or confidentiality under State laws.

AHRQ staff and its legal advisor would be pleased to hear from individuals around the country about pertinent State laws as well as any related legislation under development. If there are State laws under which a confidentiality privilege would not be lost when error information is released to researchers outside an institution, or is released subject to prohibitions against any redisclosure, that would be of considerable interest to the agency. (Please send information to SMerewit@ahrq.gov.)

Current as of April 2001
Internet Citation: Memorandum on Statutory Confidentiality Protection of Research Data. April 2001. Agency for Healthcare Research and Quality, Rockville, MD. http://www.ahrq.gov/funding/policies/polnotice/datamemo.html