Biobanking, Consent, and Certificates of Confidentiality: Does the ANPRM Muddy the Water?
Biobanking, Consent, and Certificates of Confidentiality: Does the ANPRM Muddy the Water?
Abstract and Keywords
Certificates of Confidentiality, a legal tool for protecting sensitive, identifiable research data, are recommended for genetic, genomics, and other biospecimen research. The proposed changes to the US federal regulations governing human subjects research under the Advance Notice of Proposed Rule Making may make it more difficult for researchers to obtain a Certificate protections for this type of research. This chapter explores the potentially conflicting requirements of the ANPRM proposals and Certificates and makes recommendations to achieve the dual goals of appropriate consent and adequate confidentiality protections.
As Davis and Hurley detail in their chapter, the ANPRM proposes sub-stantial changes to human subjects research regulations, including major proposed changes concerning the use of biospecimens in research. Under the current regulations, much biospecimen research may be conducted without consent. The ANPRM would require written consent for most of this research (DHHS 2011, 44519).
This ANPRM proposal responds to criticisms that the current regulations do not account for scientific advances that present risks in bio-specimens research not contemplated when the Common Rule was last amended (McGuire 2008; Wolf 2010). Because the DNA in biospecimens makes them inherently identifiable, the ANPRM argues that consent should be required for such research (DHHS 2011, 44519, 44524).
The recognition of these risks is consistent with recommendations from the National Institutes of Health (NIH) that research projects involving genetics, genomics, or development of biospecimen repositories should consider getting a Certificate of Confidentiality (Certificate) to protect participants (OPRR 1997; NIH 2007). Breach of confidentiality is typically the primary risk in biospecimen research. Ironically, the ANPRM may make it more difficult to provide these protections to re-search participants. As Ellen Wright Clayton explains in chapter 12 of this volume, the ANPRM contemplates a brief consent form that may be obtained outside a specific research project or repository and even outside the research setting, for example, if biospecimens are collected during clinical care (DHHS 2011, 44519). However, Certificates are only available for research projects and require specific disclosures to research participants (NIH 2003). In this chapter we explore the implications of these potentially conflicting requirements by examining the current regulatory approach to biobanking, the proposed changes under the AN-PRM, and the circumstances in which a Certificate of Confidentiality is (p.208) available. We then propose several approaches to achieve the dual goals of appropriate consent and adequate confidentiality protections. These approaches include technical amendments to either the ANPRM or to the Certificate application process, as well as a more significant change to protect all research data.
13.1 Current Regulatory Approach to Biobanking
Research that involves collecting biological materials by interacting with individuals falls squarely within the human subjects research regulatory framework known as the “Common Rule,” which, as Amy Davis and Elisa Hurley describe in chapter 1 of this volume, applies to research conducted or funded by DHHS and other signatory agencies and departments (45 CFR 46). However, as described in more detail below, much biospecimens research may fall within exemptions and exceptions to the Common Rule.
13.1.1 Basic Requirements under the Common Rule
The basic requirements of the Common Rule are covered in great depth throughout this book. Most relevant here is that the regulations specify the information that must be disclosed in the consent document, including a description of the procedures, purposes, expected participant duration of the study, the reasonably foreseeable risks of participation, any benefits to the participants or others from the research, potential alternative procedures or treatments, how confidentiality of identifiable records will be maintained, contact information for questions related to the re-search, and a statement that participation is voluntary (46.116).
13.1.2 Exceptions to the Consent Requirement
Despite these general provisions of the Common Rule, as Carol Weil et al. also describe in chapter 14 of this volume, much research involving biospecimens may be undertaken without the knowledge or consent of the individuals who donated the materials. When tissue samples are pro-spectively obtained from living individuals for research purposes, such collection involves “human subjects research” and guidance from the Office for Human Research Protections (OHRP), which oversees the DHHS human subjects research regulations, affirms this position (OHRP 2008). According to that guidance, specimens are considered “individually identifiable” when researchers can link them directly or through coding (p.209) systems to specific individuals. However, research involving only coded specimens does not involve human subjects if (1) they were not collected for the current research project through an “interaction or intervention with living individuals” and (2) the researchers cannot “readily” identify the donors of the specimens because the investigators do not have access to the key through agreement, IRB approved policies or procedures, or by law (OHRP 2008).
Thus the guidance permits an “honest broker” agreement, where one investigator shares specimens she has already collected with another investigator. Because the second investigator does not obtain the specimens through interaction or intervention with the specimen donors and does not have access to identifiable information, this is not “human subjects research.” Similarly investigators who obtain specimens from a central repository that houses biological materials or that collects the materials and ensures that such materials are maintained in conformance with the regulatory requirements, including agreements prohibiting release of identifiable information, are not conducting “human subjects research.” The regulations also contain exemptions from IRB review for certain types of research that would otherwise qualify as “human subjects re-search.” Research involving the collection or study of existing specimens may be exempt if the “information is recorded by the investigator in such a manner that subjects cannot be identified, directly or through identifiers linked to the subjects” (45 CFR 46.101(b)(4); italics added). Here the researchers may have access to identifiable private information but can avoid the “human subjects research” regulatory requirements simply by not recording that identifiable information. Importantly, the regulatory language refers to “pathological specimens” or “diagnostic specimens” (§46.101(b)(4)), thus allowing materials collected for clinical purposes to be used for research without consent or any of the other regulatory
As Barbara Evans explains in more detail in chapter 17, even research that does not fall within the exemptions may be conducted without con-sent if it meets certain criteria. The regulations permit waiver of consent if:
1. the research involves no more than minimal risk to the subjects;
2. the waiver … will not adversely affect the [subjects’] rights and welfare;
3. the research could not practicably be carried out without the waiver … ; and
4. whenever appropriate, the subjects will be provided with additional pertinent information after participation. (45 CFR 46.116(d)(1)–(4))
13.2 Advanced Notice of Proposed Rulemaking: Changes to Consent of Biospecimen Collection
As discussed, there are many contexts under the current regulations in which consent for research is not required for biospecimens research. The ANPRM (DHHS 2011) addresses some of the gaps in the current regulations.
The ANPRM's primary change is generally to require written consent for biospecimen research (DHHS 2011, 44515). As Clayton discusses in her chapter, the ANPRM authors conclude that “most individuals want to be able to decide whether their biospecimens are available for research, they often do not desire to have control over which specific researchers use their samples, for which diseases, at which institutions” (44524). The ANPRM would require written consent regardless of identifiability for preexisting biospecimens for research, whereas written consent would only be required for identifiable biospecimens if originally collected for nonresearch purposes (44519). This proposed change nullifies “the …
current practice of telling … subjects … that [their biospecimens] will be used for one purpose, and then after stripping identifiers, allowing it to be used for a new purpose to which the subjects never consented” (44519). Weil et al. provide useful background regarding these changes in their chapter.
To avoid unnecessary restrictions on secondary use of biospecimens (although Suzanne Rivera suggests it fails in this regard in chapter 16 of this volume), the ANPRM suggests use of a “standard, brief general con-sent form allowing for broad, future research” to meet the new requirements (DHHS 2011, 44519). Rather than project-specific consent, the ANPRM recommends broad consent that “cover[s] all … biospecimens to be collected related to a particular set of encounters with an institution (e.g., hospitalization) or … collected at anytime by the institution” (44519). Thus the common form would grant consent for all future re-search, although it would allow subjects to opt out of future research. (p.211) Additionally subjects could express preferences using check boxes regarding select research categories to which they may object (e.g., cell line creation or reproductive research) (44519–20).
The ANPRM also responds to the myriad of criticisms about consent forms and IRB review of them and proposes a simplified consent (DHHS 2011, 44522). As Davis and Hurley describe in chapter 1, the ANPRM proposes a number of changes to consent requirements. These recommendations limit IRB oversight over biospecimen research consent forms.
Last, as Davis and Hurley note in their chapter, the ANPRM addresses the informational risks posed by identifiable data, including secondary analyses (DHHS 2011, 44524). As the ANPRM explains, “what constitutes ‘identifiable’ and ‘de-identifiable’ data is fluid” and technological advances and increases in available data “may soon allow [individual] identification … from data[, particularly DNA,] that is currently de-identified” (44524; Lowrance and Collins 2007). Concluding that IRB review may not be best suited for protecting against informational risks, the ANPRM proposes three requirements to strengthen protections from informational research risks.
First, as Rivera discusses in her chapter, the ANPRM looks to the privacy and security rules of the Health Insurance Portability and Affordability Act (HIPAA) as a model for protecting identifiable information (DHHS 2011, 44526; 45 CFR 160, 164). It would adopt common data security standards, including electronic data encryption and “strong physical safeguards for [paper] information … audit trails” and controls that limit who can access to the information (44526). Second, the AN-PRM would consider data deidentified or a limited data set “if investigators see the identifiers but do not record them” provided that they follow common data security and information protection standards, eliminating the need for third-party arrangements (44526). Third, the ANPRM proposes “periodic random retrospective audits” to ensure enforcement (44526).
13.3 History and Purpose of Certificates
Certificates authorize researchers to refuse to provide research participants' names and other identifying characteristics in any “Federal, State, or local civil, criminal, administrative, legislative, or other proceeding” (DHHS 2011; 42 USC 241(d)). They were originally adopted in 1970 to protect research participants involved in drug abuse and addiction research, who were at legal risk, including arrest (Federal Drug Abuse Act (p.212) 1970). Over time, Congress expanded the Certificates' scope to “biomedical, behavioral, clinical, or other research (including research on mental health, including research on the use and effect of alcohol and other psychoactive drugs)” (42 USC 241(d)).
Certificates are intended “to reduce impediments to … subject recruitment” (NIH 2003). Certificates permit research participants and investigators to voluntarily disclose identifiable information (NIH 2002a). These nuanced distinctions must be described accurately in the consent form.
13.3.1 Obtaining and Using a Certificate
Certificates are only granted to single, well-defined research projects, al-though the projects do not have to be federally funded (NIH 2002a). Although federal agencies other than NIH issue Certificates, we focus on NIH because it has taken a leading role in educating researchers about Certificates through its “kiosk” website (NIH 2011). To apply for a Certificate, a researcher must first obtain IRB approval (NIH 2002b). The application must contain the beginning date and expected end date of the research project. The Certificate's protection extends to any research subject while the Certificate is in effect and does not end with the project.
The application must also contain a description of the project's aims and research methods. It must also include information about the study population, their anticipated number, and how they will be recruited. The application must describe how the research participants' identities will be protected, such as through coding strategies, maintaining linking information in locked files, or destroying all identifiers when the study is completed. Additionally the application must include the reasons the investigator needs a Certificate and what sensitive, identifying information the investigator will collect.
Last, the researcher must include the IRB-approved consent form. The consent form must not only explain the Certificate's protections but also caution participants that their participation in the study will not be protected if they or one of their family members voluntarily discloses their participation. The form must detail the situations in which an investigator may choose to voluntarily disclose a subject's identity or participation in the study, such as in situations of suspected child abuse, harm to self or others, or reportable communicable diseases.
13.3.2 Use of Certificates for Biospecimen Research and Repositories
The ANPRM proposals regarding biospecimen research recognize the increasing identifiability of biospecimens due to scientific advances and (p.213) increasing development of DNA databases. In such research, breach of confidentiality is not only typically the primary risk, but also study participants' main concern (Goddard et al. 2009, 120). The ANPRM's view is consistent with several federal recommendations. The Office for Protection from Research Risks (OPRR) (the predecessor to OHRP) issued a guidance for DHHS-sponsored or -funded human biospecimen repositories recommending that “[a] Certificate … should be obtained to protect the confidentiality of repository specimens and data” (OPRR 1997). NIH also recommends that research projects involving genetics, genomics, or the development of biospecimen repositories should consider getting a Certificate (NIH 2007; NCI 2011). Additionally the National Cancer Institute (NCI) suggests that “Certificates … should be considered by the biospecimen resource and/or the recipient investigator depending on the level of privacy protection indicated by the study design” (NCI 2011).
NIH has further acknowledged that law enforcement may target repositories to search for DNA matches (NIH 2007). As Clayton explains, law enforcement officers frequently use DNA data, which is stored in the Federal Combined DNA Index System (CODIS) as well as in state data-bases, as evidence in their investigative work. DNA may also be collected upon arrest under federal law and the law in twenty-five states (e.g., see 42 USC 14135a(a)(1)(A); Kan. Stat. Ann. 21–2511(e)(2); NC Gen. Stat. 15A–266.3A(b)). While NIH encourages sharing of de-identified data, it warns repositories that law enforcement may later request the identify-ing information connected to any DNA shared (NIH 2007). Thus NIH advocates the use of a Certificate to protect against compelled disclosure of this identifying information (NIH 2007).
NIH also recognizes that emerging technologies have made re-identifying genetic data increasingly easier over time and data that was once considered solidly de-identified can no longer be labeled as such (NIH 2007). Recent studies have shown that a researcher can identify an individual based on only seventy-five nucleotide polymorphisms (SNPs) (McGuire and Gibbs 2006). In another recent study scientists described a statistical method for determining individual genotypes within a mix of DNA samples or data sets containing aggregate SNPs (Homer et al. 2008). While re-identification from an SNP collection requires identified or “reference” samples (Homer et al. 2008), their availability increases with the proliferation of repositories and DNA databases. Although Clayton and Rivera both challenge its position in their chapters, studies like these led NIH to conclude that “[t]echnologies available within the public domain today, and technological advances expected over the next (p.214) few years, make the identification of specific individuals from raw genotype-phenotype data feasible and increasingly straightforward” (NIH 2007, 6). Thus the need for a Certificate for repositories to protect donors' identities similarly increases.
13.3.3 Disconnect between the ANPRM and the Use of Certificates
While the ANPRM and Certificates seek to protect against informational risks, ironically, the ANPRM's suggested changes may make it more difficult to do so fully. The recommendations make it difficult, if not impossible, for researchers to comply with the Certificate's application re-quirements, thereby cutting off their studies from a widely recommended protection for such research.
As explained above, a Certificate is available to a “single, well-de-scribed” research study. Accordingly a Certificate may not be available to cover the myriad of research projects contemplated by the broad, single consent the ANPRM proposes, especially when specimens are collect-ed during a clinical encounter. Certificates originated to protect study participants, not patients (Brown and Lowenberg 2010; Eiseman et al. 2003, 134). However, given that repositories have received Certificates for broad research goals, perhaps this inconsistency can be resolved.
The problem arising from the ANPRM consent proposals may be more difficult to overcome. (Here we focus on the problems concerning Certificates, leaving the questions about the adequacy of the approach in general to others in this book.) As described, to obtain a Certificate, a researcher must craft a consent form that not only explains the Certificate's protections but also warns participants about the limits of those protections, for example, if they voluntarily disclose their research participation. The consent form must be tailored to the research project's aims and risks so that participants may be fully aware of the need for confidentiality protections and weigh these considerations in deciding about participation. These requirements vary greatly from the ANPRM's consent proposals for a standard, brief consent form that covers all potential future research uses of materials collected. Unless Certificates are mandated for all repositories, the required language is likely not going to be included, and certainly not in the same detail required in the Certificate application. Moreover, even if the standardized consent form included the required Certificate language, doing so may conflict with the ANPRM goals of shortening and simplifying consent. Empirical studies have suggested that NIH-recommended Certificate language can be con-fusing to participants (Catania et al. 2007). Finally, these consent forms (p.215) also will not have the requisite IRB approval, creating another barrier to obtaining a Certificate (Wolf, Zandecki, and Lo 2004).
The ANPRM also seeks to move the handling of informational risk related to repository studies outside the IRB process. Although it acknowledges the increasing informational risks relating to data once considered de-identified (DHHS 2011, 44524; Ohm 2010, 1704), the ANPRM suggests that these risks should be regulated through common data security standards, rather than through IRB review. Thus there would be no project-specific IRB evaluation of informational risks and methods to reduce them, as required by the Certificate application process. Addition-ally, without IRB review, the need for a Certificate may not even surface, which could leave projects vulnerable to compelled disclosure of identifying information (Eiseman et al. 2003; Beskow et al. 2012).
Overall, the changes proposed by the ANPRM are a step in the right direction. Gaps in the current regulations create informational risks and privacy concerns for biospecimens research. The ANPRM seeks to ad-dress these gaps. However, the ANPRM's proposed changes need to be considered in context with other rules and best practices that have been developed to protect human subjects and examined for unintended con-sequences, such as the conflicts between the ANPRM and the Certificates requirements we have highlighted. A broader review is required to ensure that any regulatory changes have the hoped for effect.
In this particular context, the conflict between the ANPRM and Cer-tificates may be resolved, without sacrificing the ANPRM's beneficial aspects, through changes to the proposed rules. First, the proposed sim-plified, standardized consent form for biospecimen research could be pro-mulgated as a model consent form, rather than a mandated form. Thus IRB approval of the consent form would still be required—to satisfy the requirements of the Certificate application process—and the form itself could be shorter and more uniform to fulfill the purpose set forth in the ANPRM. This would also allow the IRB to weigh the risks and benefits of recommending a Certificate for the project and approve any necessary Certificate consent language. A model biobanking consent form created under the ANPRM should include optional Certificate language to signal the availability of this Confidentiality protection and help address NIH's requirement that the consent form include Certificate language as part of the application process.
(p.216) While considering how the Certificate could work within the ANPRM, it would be appropriate to reconsider the recommended Certificate con-sent language. As the ANPRM states, consent forms have become highly complex and confusing documents (DHHS 2011, 44522), and scholars analyzing Certificate language have echoed this sentiment (Catania et al. 2007). One study found that a majority of consent forms fall in the more difficult, higher grade level readability category, despite IRB's desire and attempts to target lower reading levels (PaascheOrlow, Taylor, and Brancati 2003). Interestingly, institutions that had compliance issues resulting in OHRP oversight were more likely to have consent forms that met the desired readability level, suggesting a positive role for federal involvement (PaascheOrlow, Taylor, and Brancati 2003). Using the Flesch–Kincaid Readability scale, which is included in Microsoft Word and was used by PaascheOrlow, Taylor, and Brancati, we found the current NIH-recommended Certificate language scores at a twelfthgrade reading level—the maximum score, which may underestimate actual reading level—while almost half of American adults read at or below an eighth-grade reading level (Paasche-Orlow, Taylor, and Brancati 2003). Developing standardized, simplified Certificate consent language could ease the tension with the ANPRM, as well as promote human subjects protection goals.
Alternatively, the conflict between the Certificate requirements and the ANPRM may be addressed by changing the Certificate application process. Because the relevant parts of the Certificate application process are not governed by 42 USC 241(d) nor the accompanying regulations, changes to the process itself could avoid some of the requirements of formal rulemaking. Instead, NIH may consider an adjustment to the Certificate application process for biorepositories in light of the ANPRM. This adjustment could include the acceptance of the ANPRM's proposed standardized consent form to fulfill the Certificate application require-ment, even without IRB approval.
The justification for an adjustment to the Certificate application process for biorepositories is twofold. First, NIH has identified “[g]enetic studies, including those that collect and store biological samples for fu-ture use” as eligible for Certificate protection (NIH 2011). Second, various NIH components have recommended Certificates for biorepositories, as well as publishing best practices for repositories, and most biorepositories operate similarly. Thus a process that is consistent with the AN-PRM and facilitates getting a Certificate makes sense for biorepositories, where it may not make sense for studies with widely varying procedures and risks, such as HIV prevention studies or drug abuse studies. Such (p.217) studies may address “sensitive” topics but can range from anonymous surveys to randomized clinical trials testing medical interventions.
These technical changes might resolve the tension between the AN-PRM and the NIH Certificates application process, but a bolder option is also available. While Certificates are an important tool to protect confidentiality of sensitive, identifiable research data, researchers—particularly researchers working with biorepositories—may not be aware of them (Beskow et al. 2012; Wolf et al. 2012). Indeed only about one-quarter of IRB reviews require or recommend Certificates for biobanks, and legal demands for research data may arise unexpectedly and be only tangentially related to the project (Beskow et al. 2012). Perhaps the AN-PRM provides the opportunity to substitute the piecemeal approach of the Certificate program for a more comprehensive protection against compelled disclosure for research data. Incorporating Certificate-like protection into the general human subjects protections would ensure that such protections are not overlooked and treat all participants equally with respect to confidentiality. The ethical rationale is simple—research participants share their information to benefit others; both the principles of respect for persons and beneficence suggest that that information should not be available to be used against them. There is legal precedent for protecting research data for entire programs, rather than on a project-by-project basis (e.g., 42 USC 299c-3; 42 USC 242m). While such a move would be controversial and may not be able to be accomplished through the regulatory process alone, it is worth considering.
The proposals contained in the ANPRM are a step in the right direction and should be encouraged. However, using the example of Certificates for biobanking, we have demonstrated that aspects of the ANPRM may clash with other legal requirements or best practices. There are numerous avenues through which such conflicts may be resolved. Doing so requires looking at the ANPRM in the broader research ethics context to ensure that, in the end, any changes to the regulatory scheme live up to the goal of protecting of human subjects.
The project described was supported in part by Award Number R01HG005087 (PI: Laura Beskow) from the National Human Genome Research Institute (p.218) (NHGRI). The content is solely the responsibility of the authors and does not necessarily represent the official views of NHGRI or the National Institutes of Health. This chapter is adapted from Williams and Wolf (2013). We thank the Journal of Law, Medicine and Ethics for the permission to adapt the work.
Beskow, Laura M., Devon K. Check, Emily E. Namey, Lauren A. Dame, Li Lin, Alexandra Cooper, Kevin P. Weinfurt, and Leslie E. Wolf. 2012. Institutional review boards' use and understanding of Certificates of Confidentiality. PLoS ONE 7 (9): e44050. doi:10.1371/journal.pone.0044050.
Brown, Teneille, and Kelly Lowenberg. 2010. Biobanks, privacy, and the subpoena power. Stanford Journal of Law, Science and Policy 1: 88–101.
Catania, Joseph, Leslie E. Wolf, Stacey Wertleib, Bernard Lo, and Jeff Henne. 2007. Research participants' perceptions of the Certificate of Confidentiality's assurances and limitations. Journal of Empirical Research on Human Research Ethics 2: 53–59.
Department of Health and Human Services (DHHS). 2011. Advance Notice of Proposed Rulemaking. Human subjects research protections: Enhancing protections for research subjects and reducing burden, delay, and ambiguity for investigators. Federal Register 76 (143): 44512.
Eiseman, Elisa, Gabrielle Bloom, Jennifer Brower, Noreen Clancy, and Stuart S. Olmstead. 2003. Case Studies of Human Tissue Repositories: Best Practices for a Biospecimen Resource for the Genomic and Proteomic Era. Arlington, VA: Rand.
Federal Drug Abuse and Dependence Prevention, Treatment, and Rehabilitation Act. 1970. Part I: Hearings on S. 3562, S. 3246, and S. 2785 before the Special Subcommitte on Alcohol and Narcotics of the Special Committee on Labor and Public Welfare (Federal Drug Abuse Act). 1970. 91st Cong.
Goddard, Katrina A.B, Sabina Smith, Chuhe Chen, Carmit McMullen, and Cheryl Johnson. 2009. Biobank recruitment: Motivations for nonparticipation. Biopreservation and Biobanking 7: 119–21.
Homer, Nils, Szabolcs Szelinger, Margot Redman, David Duggan, Waibhav Tembe, Jill Muehling, John V. Pearson, Dietrich A. Stephan, Stanley F. Nelson, and David W. Craig. 2008. Resolving individuals contributing trace amounts of DNA to highly complex mixtures using high-density SNP genotyping microarrays. PLOS Genetics 4 (8): e1000167. doi:10.1371/journal.pgen.1000167.
Lowrance, William W., and Francis S. Collins. 2007. Identifiability in genomics research. Science 317: 600–602.
McGuire, Amy L. 2008. Identifiability of DNA data: The need for consistent federal policy. American Journal of Bioethics 8: 75–76.
McGuire, Amy L., and Richard A. Gibbs. 2006. No longer de-identified. Science 312: 370–71.
National Cancer Institute (NCI). 2011. Office of Biorepositories and Biospecimen Research: National Cancer Institute best practices for biospecimen resources. (p.219) Accessed December 19, 2012. http://biospecimens.cancer.gov/bestpractices/2011-NCIBestPractices.pdf.
National Institutes of Health (NIH). 2002b. Detailed application instructions for Certificate of Confidentiality: Extramural research projects. Accessed December 19, 2012. http://grants.nih.gov/grants/policy/coc/appl_extramural.htm.
National Institutes of Health (NIH). 2007. Policy for sharing of data obtained in NIH supported or conducted genome-wide association studies. Accessed December 19, 2012. http://grants.nih.gov/grants/guide/notice-files/NOT-OD-07-088.html#protection.
Office for Human Research Protections (OHRP). 2008. Guidance on research involving coded private information or biological specimens. Accessed December 18, 2012. http://www.hhs.gov/ohrp/policy/cdebiol.html.
Ohm, Paul. 2010. Broken promises of privacy: Responding to the surprising failure of anonymization. UCLA Law Review 57: 1701–77.
Paasche-Orlow, Michael K., Holly A. Taylor, and Frederick L. Brancati. 2003. Readability standards for informed consent forms as compared to actual readability. New England Journal of Medicine 348: 721–26.
Williams, Brett A., and Leslie E. Wolf. 2013. Biobanking, consent and certificates of confidentiality: Does the ANPRM muddy the water? Journal of Law, Medicine & Ethics 41 (2):440–453.
Wolf, Leslie E. 2010. Advancing research on stored biological materials, reconciling law, ethics, and practice. Minnesota Journal of Law Science and Technology 11: 99–156.
Wolf, Leslie E., Lauren A. Dame, Mayank J. Patel, Brett A. Williams, Jeffrey L. Austin, and Laura M. Beskow. 2012. Certificates of Confidentiality: Legal counsels' experiences with and perspectives on legal demands for research data. Journal of Empirical Research on Human Research Ethics 7 (4): 1–9.