ACKNOWLEDGEMENTS
This report and the Public Health Information Privacy Project was supported by the Centers for Disease Control and Prevention (CDC), the Council of State and Territorial Epidemiologists (CSTE), and the Task Force for Child Survival and Development of the Carter Presidential Center.
We are particularly grateful to Willis Forrester (CSTE), Verla Neslund (Office of the General Counsel at CDC), William Watson (Task Force for Child Survival and Development), James Curran, George Seastrom, John Ward, James Buehler, Jose Cordero (CDC), Michael Osterholm (CSTE), and Kay Johnson (March of Dimes).
In addition to these individuals, members of the Carter Center Consultation on Public Health Information Privacy (June 1995) who contributed to the recommendations include Susan Abernathy, Cornelius Baker, Mark Barnes, Ronald Bayer, Molla Donaldson, John Fanning, David Fleming, Patricia Fleming, William Foege, Helen Fox-Fields, Cynthia Gomez, Gail Horlick, Mike Isbell, Wilma Johnson, Alan Kendal, Terry O'Brien, Dennis Perotta, Marian Secundy, Dixie Snyder, Susan Timberlake, Ronald Valdiserri, and Brian Willis. Research assistance was provided by Kathleem Maguire, Angie McGowan, Susan Timmer, and Robert Scherer.
Table of Contents
Part One: Executive Summary1
Part Two:Introduction: Draft Final Report of Legislative
I. Introduction14
II. Collection of Health Information15
III. Privacy and Health Information18
IV. Outline of Report22
Part Three: Methodology23
I.Purpose23
II.Structure of the Survey24
III. Final Report25
Part Four:Protection of Public Health Data and
26
I.Introduction26
II.Public Health Data27
III.State Legislation Concerning Public Health Data33
IV.Gaps in Existing Laws Protecting Public Health Data.40
V. Protection of Health Care Information44
VI. Privacy Issues and Health Care Information 45
VII. State Legislation Concerning Health Care Information48
VIII. Gaps in Existing Laws Protecting Health Care Information56
IX.Conclusion: Variation in Protection of Information in the
Part Five: Protection of HIV/AIDS-Related Information60
I. Introduction60
II.State Legislation65
III.Gaps in Existing Laws91
IV. Conclusion94
Part Six: Protection of Immunization Information96
I. Introduction96
II.Immunization as a Public Health Goal98
III. Proposals to Reduce Gaps in Immunization Coverage:
IV. Privacy Issues Related to Immunization Registries112
V.State Legislation 117
VI.Gaps in the Law128
VII.Conclusion132
Part Seven: Federal Legal Protection of Health Information Privacy133
I.Introduction133
II. Constitutional Right to Informational Privacy133
III. Legislative and Regulatory Protection of Informational Privacy139
IV.Gaps in Federal Protection of Health Information Privacy148
V.Conclusion151
Part Eight: Future Options for Protection of
152
I.Introduction152
II.Fundamental Issues Raised by Existing Privacy Law153
III.Potential Solutions159
IV.Recommendations for Reform of Laws Governing
V.Conclusion171
Tables
Table 1:Protection of Public Health Data after 59
Table 2:Protection of Health Care Information after 59
Table 3:Protection of HIV and AIDS Information after 95
Table 4:Protection of Immunization Information after 132
Appendices (available separately)
Appendix 1:State Summaries App.1
Appendix 2:Model Immunization Registry System Components App. 345
Part One: Executive Summary
This report examines current state and federal law protecting the confidentiality of health information. It focuses on four specific areas: public health information held by government, privately held health care information, HIV and AIDS-related information, and immunization information.
The ways in which our modern medical and public health systems collect, store, and use personally identifiable information have increased both the potential benefits from access to such information and the possible harms from improper uses and disclosures. The report examines the importance of both the collection of health information and the protection of its privacy. The collection and use of health information involves two important goals, yet sometimes competing goals: 1) gathering and disseminating accurate and timely information on the incidence and prevalence of disease, health information necessary for health care of individuals, assessment of health care and public health needs and evaluation of programs, services, institutions and providers; and 2) protecting that information from uses or disclosures that cause harm to individuals to whom the information pertains. The report reviews the current privacy safeguards under both state and federal law in order to determine whether they are adequate to protect the privacy of individuals and are consistent with effective health policy.
Public Health Information
Every state and territory provides statutory protection for some types of personal health data maintained by a government agency. Forty-nine states and territories reported protection for general public health data, forty-two specifically protect communicable disease data, and forty-two specifically protect sexually transmitted disease data.
Forty-nine states reported some provision permitting public health officials or others to disclose public health information. Common justifications include disclosure for the purposes of: statistical evaluation (43 states); contact tracing of persons exposed to an infectious disease (39 states); spousal or partner notification of a sexually transmitted disease (37 states); epidemiologic investigations (22 states); and subpoena or court order (14 states).
Forty-two states reported statutory penalties for impermissible disclosures. Of these, thirty one reported criminal penalties, eighteen reported civil penalties, and eight reported both. (see Table 1 for more details).
Health Care Information
Privately held health care information can be protected in a number of ways. Thirty-seven states impose on physicians the duty to maintain the confidentiality of medical records. Twenty-six extend this duty to other health care providers. Thirty-three states and territories require health care institutions to maintain the confidentiality of medical records they hold. The survey found that only four states have specific legislation imposing this duty on insurers, despite the vast amount of information held by insurance companies. Nine states impose a similar duty on employers or other non-health care institutions.
Because of the increase in computerization in the storage of medical data, the survey inquired about the existence of a duty to maintain the confidentiality of electronic or computerized medical records. Only twenty-two states have legislative provisions that protect computerized or electronically transferred data.
Forty-two states protect information received during the course of a physician-patient relationship from disclosure in court proceedings, with certain exceptions. States permit disclosure of health care information for various reasons, including to another health care provider (18), to epidemiologists or researchers (16), and under a subpoena or court order (22).
Twenty-eight states provide statutory penalties for unauthorized disclosure of health care information. Twelve impose criminal penalties, nineteen create civil penalties and three allow for both civil and criminal penalties (See Table 2 for more details).
HIV-Related Information
The importance of both the collection and protection of HIV-related information have been vigorously debated since the beginning of the epidemic. Virtually all states have enacted some HIV-specific statutes, many of which concern information collection and protection either directly or indirectly. Twenty-three states classify HIV/AIDS as a separate category of disease, Sixteen classify it as a communicable disease, and twelve as a sexually transmitted disease. All states require reporting of AIDS cases to the state or local health department. Forty-one states, at the time of this survey required reporting of HIV infection as well.
Thirty-nine states reported either HIV-specific privacy statutes or general privacy provisions that expressly mentioned HIV. The remaining states may protect its confidentiality under other statutes or provisions (see Public Health Data). Forty-eight states and territories allows for disclosure of HIV-related information in certain proscribed circumstances. The most commonly cited permissible disclosure are to: a health care provider involved in the patient's care (43); sexual or needle-sharing partners (37); parties with a subpoena or court order (29); blood banks or organ donors (22); epidemiologists and researchers (22); correctional facilities (14); school officials (12); HMOs, health care institutions, or mental health facilities (14); and insurance companies (8). Some disclosure provisions require that patient-identifying information be removed from the data. Most states permit the above disclosures but do not make them mandatory. Thirty-seven states have spousal/partner notification programs or policies, but very few make them mandatory. Only three states allow for the disclosure of the name of the source patient.
Thirty-eight states report statutory requirements for specific consent for HIV testing including consent to the release of information. However, the absence of an HIV-specific consent statute does not indicate that informed consent is not required in a particular state. Informed consent may be required by other statutes, common law, regulations or policies. Twenty-eight states allow minors to consent to HIV testing, although they may do so under provisions that are not HIV-specific. Forty-five states specify some situations in which informed consent for HIV testing is waived. The most common exceptions which we tabulated separately were for persons charged or convicted of specified sex offenses (33), for emergency workers who have been exposed to a patient's blood (27), for prison or jail inmates (16). Other common exceptions include testing a patient who is incapable of consenting, when the test is necessary to provide medical treatment, for research or epidemiological purposes, where all identifying information is removed from the sample, and for blood, tissue or organs provided for donation. A few states also grant relatively broad discretion to public health authorities to require involuntary testing.
Forty-five states have either criminal or civil penalties for unauthorized disclosure of HIV related information. Thirty-three states have criminal penalties, thirty-three have civil penalties and twenty-one provide for both civil and criminal penalties (See Table 3).
Immunization Information
One of the goals of collecting immunization information is assisting parents to immunize their children completely and on time. Immunization programs also seek to increase immunization coverage in populations and communities. Twenty-two states and the District of Columbia maintain or were in the process of establishing immunization registries at the time of this survey. Eleven states have functional immunization registries; the remaining states are in the process of development. Nine states have enacted statutes that specifically authorize immunization registries, four states operate registries that are not expressly authorized, nine states are currently developing registries or are considering registry bills in their legislatures.
The level of protection accorded to the information contained in the registry, and the type of information collected, differs from state to state. Six of the nine states with immunization registry legislation directly address confidentiality of immunization information in their statutes.
Most other immunization-related provisions concern mandatory immunization for school attendance. In many states, schools are the primary collector of immunization information. Virtually all states require proof of immunization status or exemption for admission to primary school. Forty-seven states mandate that immunization information be reported to the health department (32), schools (44), or child care facilities (25). Overall, forty states permit access to immunization records by the health department, health care providers, school officials, or epidemiologists and other researchers. Of the thirty states without registries, provisions grant access to immunization records by: the health department (18); health care providers (8); school officials (11); researchers (1).
Only sixteen states impose a penalty for impermissible disclosure of immunization-related information. Fifteen designate minor criminal penalties, four provide for civil liability (See Table 4).
Federal Protection of Health Information Privacy
Federal protection of health information privacy is fragmented and uncertain. The U.S. Constitution applies only to state action and, therefore, binds principally federal and state government collection of health information. More important, courts are likely to defer to reasonable governmental action for public health purposes, provided the collection of information is reasonably necessary to achieve an important health purpose and the agency provides reasonable safeguards for privacy and security.
The federal government has also implemented both legislative and regulatory protection of health information privacy. The Privacy Act and the Freedom of Information Act provide the most complete assurance of confidentiality of government records. However, the Privacy Act contains a number of exceptions that have been widely construed, particularly the "routine uses" exception. The Medical Records Confidentiality Act of 1995 (Bennett-Leahy Bill) remains in Senate committee in June 1996. The draft bill includes, inter alia, a description of individual's rights regarding health information, definitions of protected health information, safeguards for such information, restrictions on the use and disclosure of information, and criminal and civil sanctions for violation of disclosure or use provisions. Since the bill remains in committee and subject to amendment, its exact impact, if it is enacted into law, is difficult to determine.
Other federal statutes contain a highly fragmented series of privacy protections for specific diseases (e.g., substance abuse, or HIV/AIDS) or for particular activities (e.g., research).
Future Options for the Protection of Health Information Privacy and Conclusion
Policy makers considering future options for reform or revision of statutes protecting health information privacy encounter common issues in all of the areas of health information covered in this survey. Health information systems have dual goals - increasing collection and access to complete and accurate information for use by patients, health care providers, public health officials, health care institutions, and policy-makers; and protecting sensitive medical information from disclosure that can harm the individual. Policy-makers will not be able to fully realize both goals without sometimes compromising or diminishing one of them. Substantial gaps remain in current statutory privacy protection, including variation in laws from state to state, variation within each state between disease-specific statutes, and variation according to who holds the information. Policy-makers must consider whether reform should take place at the federal or state levels.
Potential solutions for future action include integration of fair information practices into legislative protection of health information; adoption, by each of the states, of model laws such as the Uniform Health Care Information Act or new laws based on the recommendations described in the report (Future Options for Protection of Health Information Privacy and Conclusion); and/or pre-emptive federal legislation that would set uniform standards for protection of health information, establish guidelines for security of information systems, and provide education regarding the requirements and procedures for protection of health information privacy.
2. Data collection justification. Acquisition of health information cannot be regarded as an inherent good. Rather, privacy statutes should require a clear justification for the collection of personally identifiable information by public health authorities. Statutory criteria for data collection include: (i) preventing a significant public health risk, (ii) providing a likely benefit to the subject of treatment or other services, and (iii) conducting surveillance necessary to monitor and ensure the health of populations.
Public health authorities have the burden of demonstrating that data collection is likely to achieve the stated goal. For example, public health authorities may legitimately seek to identify individuals with communicable or sexually transmitted diseases through testing, partner notification, and reporting. Yet, if resources are not provided for counseling and education, and if efficacious therapy does not exist or access to health care is not assured, the purposes of prevention and therapy are unlikely to be achieved.
Public health authorities must substantiate the need for a named identifier when collecting information. If they could achieve the public health goal as well, or better without personal identifiers, the collection of non-identifiable or aggregate data is preferable. These data collection principles recognize that government authority to acquire sensitive personal information ought to be justified by substantial public health goals that cannot be achieved by means that are less invasive of individual privacy.
3. Information for subjects. Even though the government authorizes or mandates the collection of identifiable health data in accordance with the foregoing principles, subjects are still entitled to basic information. Subjects are entitled to know the purposes for the data collection and how the information will be used; the length of time that the data will be stored and the circumstances under which it will be expunged; and the degree to which third parties (e.g., regulators, researchers, and government officials) may obtain access. Data should be acquired, stored, used, and transmitted consistent with the information provided to subjects.
4. Fair information practices. Fair information practices require that no secret data-systems should exist; subjects should have access to information about themselves and to just procedures for correcting and amending their personal record; personal data should be expunged when no longer needed for the stated purpose; and public health officials should assure the reliability of the data for their intended use and take rigorous precautions to prevent misuse of the data.
5. Privacy and security assurances. Legally binding privacy and security assurances should attach to personally identifiable public health information. The collector of public health information would be under a legal duty to maintain the confidentiality of that information and to store it in a secure system. Significant penalties would apply for breach of privacy or security assurances.
Privacy and security assurances under law would apply to all users of the information. Accordingly, when public health information is transmitted to a third party, the recipient would be required to honor the same privacy and security assurances as the record's original holder. The duty to protect data, then, would be transferred simultaneously with the data, as would liability for violation of privacy or security standards.
6. Disclosure of data. Disclosure of public health data could be made only for purposes consistent with the original collection. Thus, data could be disclosed only where clearly necessary to avert a significant health risk, for the direct therapeutic benefit of the subject, or for surveillance. For example, information gathered to prevent a significant public health risk could be shared only with those public health officials or health care professionals essential to avert the risk. This limitation would not undermine public health goals, for the principle permits sharing information, where appropriate, between programs (e.g., STD, TB, drug, alcohol, and mental health) and across systems (e.g., health agencies and health care providers).
Public health authorities must follow the least-intrusive-disclosure principle. Thus, the disclosure of information must be the least identifiable, as minimally sensitive, and to the fewest number of persons as necessary to achieve the stated purpose.
7. Secondary uses of the data. Secondary uses of data occur when information is used in ways that are incompatible with the original purposes for collection. Secondary uses of identifiable information beyond those originally intended by the data collector would be permitted only with the informed consent of the subject. Thus, information collected for a permissible purpose such as prevention, treatment, or surveillance, could not be used in other ways that might affect the person's rights, privileges, or benefits without the subject's authorization.
Secondary uses of data in aggregate or non-identifiable form would be permitted without the patient's consent where there is a strong public interest. The U.S. Department of Health and Human Services Task Force on Privacy explained: "An incompatible use is not necessarily a harmful use; in fact, it may be extremely beneficial to the individual and society. There are some incompatible uses that will produce enormous benefits and have at most a trivial effect on the individual's privacy interest."
The following recommendations are intended to assist states in the development of fair and effective immunization information systems.
1. Objectives of registries. The purposes of an information system are to (i) provide accurate, complete, and timely information on immunizations received or due for any child to providers, parents, and public health officials to help parents obtain current immunizations for infants, pre-schoolers, and school-age children; and (ii) to protect information held in the system (through both privacy and security protections) from disclosures that may harm the child or parents, and to share the information only for substantial public health purposes.
2. Statutory protection of privacy: a uniform approach. States or localities must have in place strong legislative protections of privacy and security before collection of immunization data commences. Adequate privacy safeguards require restricted access to data, strict penalties for unauthorized disclosure, and protection of the system from court order or subpoena. In addition to statutory protection, written protocols describing the privacy and security standards should be disseminated to employees, providers, parents, and other interested parties.
3. Fair information practices. Statutory protection of privacy should be based on a set of fair information practices: immunization information systems should be known to the public, not secret; parents should have access to information about their children and know how the information is used; parents should consent to uses of information for non immunization purposes; parents should be able to correct or amend their child's immunization record; public health officials must assure the reliability of the immunization data for their intended use and take rigorous precautions to prevent misuse of the data; and adults should have the right to have personal data expunged when they are no longer necessary for immunization purposes.
4. Type of Registry Information. Early determinations about the type of information that will be contained in the immunization information system will affect the confidentiality, access, and security required in the design and operation of the system. A basic registry must contain the name, address, birth date, immunization dates, vaccines administered, as well as sufficient information to identify and locate custodial parent(s).
Registries that contain sensitive health status information must provide stronger confidentiality safeguards. Registries may include medical contraindications to immunization, adverse reactions to vaccines, allergies, and immune conditions such as HIV status. Furthermore, registries may include: information regarding welfare or medical benefits (including eligibility under the Comprehensive Childhood Immunization Act of 1993); immunization waivers based on religious beliefs; and social or medical information about siblings or other family members.
Registries are likely to contain a personal identifier. Unique identifiers created only for use in the immunization database create fewer risks to privacy. Personal identifiers, such as a social security number, that can be linked with other databases potentially could be used to access and match information in other systems (e.g., those held by social services and child welfare, Medicaid, Aid to Families with Dependent Children, and the Immigration and Naturalization Service).
5. Access to Registry Information. The planning process for deciding who should have access to immunization information should be deliberate, open, documented, and reviewed periodically. Design issues include whether the system should be accessed on-line, through closed electronic panel, by telephone/facsimile, by written request, or in person. For health care providers administering immunizations access should be as direct as possible (computer or phone/fax with security password). Requests for information from all other parties should be in writing or in person with identification.
The following criteria could be used to determine who has access to data in the immunization record: (i) Is the information necessary for purposes of providing immunization services? Under this criterion, access to identifiable data would be provided to health care providers, immunization programs, custodial parents, schools and day care, and other entities that coordinate or offer immunizations such as WIC programs. (ii) Is the information necessary to achieve other compelling public health objectives that do not conflict with the goals of the immunization program? Public health officials and researchers should gain access to personally identifiable information only where strictly necessary to achieve substantial public health purposes. If the public health purpose could be achieved as well or better with aggregate data no personally identifiable information should be disclosed. (iii) Is the information necessary to achieve important social objectives that are not compatible with the purposes of the immunization registry? Agencies concerned with criminal justice, social services, immigration, and other non-public health objectives should gain access only to aggregate information.
6. Provider, parental and community involvement. Immunization information systems are intended to help parents, providers, health officials and communities provide each child with up-to-date immunizations, while protecting children and families from privacy invasions. To achieve the support and cooperation of these primary participants, they should be involved in critical discussions about immunization system design and privacy protection. Interested parties such as insurers, employers, and non-public health agencies also have valid interests, but they should not take precedence over the main goals of the system.
Conclusion
Any efforts to modify or reform the existing system for protection of health-related information, must acknowledge the efforts that have taken place at the state level to protect information and accomplish various health care and public health goals. One way to both acknowledge this debt and engage state health officials and policy-makers in reform efforts is to begin an on-going dialogue between health officials and policy-makers in different states.
This report has outlined recommendations which can focus that dialogue on ways of removing barriers to the achievement of good health while respecting the need to protect the privacy of health information. Absolutist positions on either side will not result in health information systems that can effectively serve both goals.
The collection of information is central to the ability of public and private health systems to provide intervention, treatment, and research, but confidentiality need not be sacrificed to these goals. Much of the information collected in health care settings is profoundly personal; if patients cannot be assured that this information will be protected from further disclosure, the possibility exists that they will no longer agree to cooperate with systems on a voluntary basis.
Many gaps that exist in the current system have been discussed in this report. Future action in the area of health information privacy must consist in part of a legitimate attempt to fill those gaps in ways which will not compromise the ability of health professionals to carry out their duties. The current system not only does not fully protect individual privacy, but the variability that exists across state and local boundaries hampers the achievement of societal goals since there is often an inability to communicate needed information.
Health officials and policy-makers in all the states need to engage in a dialogue now to prevent problems that can only be exacerbated in the future as new and faster information systems are developed. Computerized storage of health information indeed provides for faster retrieval, but also presents additional problems of improper access. Fair information practices should be integrated into legislative protection of health information. Uniform standards nationwide will result in more effective protection of health information privacy.
Part Two:Introduction: Final Report
III. Privacy and Health Information
Concerns over patient privacy and the confidentiality of health information have a long history. From the time of the earliest surveillance systems, citizens (often with support from the medical profession) have objected on privacy grounds to governmental acquisition of health status information. Many forms of surveillance, notably reporting, require physicians to disclose patient information to health departments. Surveillance, especially that which involves personally identifiable information, raises several concerns. First, patients, often physically and mentally vulnerable, divulge intimate details of their lives to their physician; medicine's paternalistic traditions have long-recognized that the patients' weakened position compels strict confidentiality assurances even in the face of government demands.'' Second, both law and ethics in the late twentieth century emphasize autonomy as a theoretical justification for privacy; patient autonomy encompasses the right to control the dissemination of personal health information. Third, confidentiality is central to a trusting physician/patient relationship; physicians implicitly or explicitly pledge to guard patient secrets. Fourth, respecting confidences promotes patient candor about health and disease risks; failure to respect informational privacy could lead to decreased disclosures, less frank revelations, or, worse, reluctance to seek care. Finally, unauthorized disclosure of information could result in embarrassment, stigma, and discrimination.
For their part, health departments have a generally excellent history of maintaining the confidentiality of personal information. Disclosure to health departments (as opposed to family, friends, employers, or insurers) seldom produces tangible harm such as stigmatization, embarrassment, loss of employment, or denial of insurance. Yet patients may feel wronged simply because the government -- without patient permission -- maintains automated databases containing intimate and identifiable health information.
Justifications for privacy are based primarily on respect for the individual. In contrast, justifications for collecting and using health information are based mainly on attaining societal or collective goods. To the extent that a health information infrastructure promotes effective public health interventions, ethical values militate in favor of its rapid development. The very purpose of government is to obtain through collective action human goods that individuals by themselves could not realistically procure. Chief among these goods is assurance of the conditions under which people can attain (or maintain) health. Health information alone cannot ensure the community's health, but it can contribute to improved health status and effective disease control.
The American public perceives that the growth in the amount of personal medical information stored by health care providers and related bureaucracies poses a threat to their privacy. A 1993 poll on health information privacy revealed that the vast majority (80%) of respondents believed they had little control over how their personal medical information was used. This concern over the privacy of medical information has affected the debate over health care reform and the plans for a national health care system. Eighty-five percent of the poll respondents stated that maintaining the confidentiality of medical records is absolutely essential or very important in national health care reform.
Health care providers' ability to ensure the privacy of the information they obtain from a patient is critical. If a health care provider cannot assure the patient that the information he provides will not be further disclosed without his permission, the patient will likely hold back when discussing deeply personal items that may be important to his diagnosis and treatment. The patient may even provide false information if he fears that an admission may have consequences outside the doctor's office.
Threats to patient privacy and confidentiality of health information are compounded because records containing health information are held by numerous individuals and entities. One patient may see many health care providers in a lifetime (e.g., primary care physicians, specialists, hospitals, emergency rooms, testing laboratories). Each of those providers will maintain a record on the patient. Other entities (insurers, employers, schools, governmental agencies) also keep records of health data. Because of differences in organization or geographic location, these entities may not be held to the same duty of care in protecting the confidentiality of the records they maintain.
The ability of public health officials to detect and prevent communicable diseases, and provide appropriate services to those already infected, depends on cooperation with the community to encourage voluntary participation in public health programs. If persons in the community fear disclosure of their illness, or discrimination on the basis of seeking services, they will be less likely to come forward for testing, counseling, or treatment, and hesitant to participate in preventive educational programs. Public health officials recognize that protecting public health data from improper disclosure will encourage openness and honesty between individuals and health care providers or public health officials as well as voluntary participation in public health programs.
IV. Outline of Report
This report examines the importance of both the collection of health care information and the protection of privacy of individual patients and confidentiality of health information. It reviews the current privacy safeguards under both state and federal law for public health data, privately held health care information, HIV/AIDS information, and immunization information in order to determine whether they are adequate to protect the privacy of individuals and are consistent with effective health policy.
Part Three: Methodology
I.Purpose
The Centers for Disease Control and Prevention (CDC), the Council of State and Territorial Epidemiologists (CSTE), and the Task Force for Child Survival and Development, supported by the Robert Wood Johnson Foundation, have sponsored a collaborative project on privacy in health care and public health information, with particular emphasis on information related to HIV infection and immunizations. The goal of the project is to review current legal privacy safeguards for these data to determine whether they are adequate to protect the privacy of individuals and are consistent with effective health policy.
Phase I of the project included a survey, compilation and analysis of state statutes, regulations, and executive orders pertaining to privacy in four areas of health-related information (public health data, health care information, HIV/AIDS related information, and immunization information). The research team has been headed by Professor Lawrence O. Gostin, Co-Director of the Georgetown University/Johns Hopkins Program on Law and Public Health.
Phase II of the project involved a consultation held at the Carter Presidential Center, Atlanta, in June 1995 which brought together experts in public health law, epidemiology, health ethics, immunization programs, HIV/AIDS prevention and care, representatives of state and municipal health departments, and the general community. During and after the consultation these experts considered and commented on recommendations for drafting laws relating to the protection of confidentiality of health-related information.
This report details the results of both phases of the project.
II.Structure of the survey
The research team collected and analyzed state laws related to health information in fifty states, the District of Columbia, and Puerto Rico. We collected information using a questionnaire that was developed in consultation with the CDC, the CSTE, and the Task Force for Child Survival and Development and was distributed to the State and Territorial Epidemiologists. The State Epidemiologists transmitted responses to the questionnaire and copies of their state statutes for summary and analysis. We performed computer searches to collect state law for those states which did not respond to the questionnaire. We used follow-up calls to gather additional information.
We classified the data received into categories for subsequent analysis and recorded them on four master tables, devoted to public health, health care, HIV/AIDS, and immunization privacy, respectively. Briefings and phone consultations with program officials at the CDC, CSTE, and the Task Force resulted in refinement of the individual categories and the four master tables.
We also prepared state summaries based on the information submitted by the state epidemiologists. These summaries serve as a basis for the final report but also provide a quick reference for anyone seeking a more detailed description of the privacy laws of each state. In order to assure the accuracy of the information, we faxed or mailed drafts of the summaries to the state epidemiologists for approval or correction, and made follow-up calls were made to obtain final comments.
III. Final Report
This report both summarizes the survey findings on the current federal and state laws in the area of privacy protection of health-related information and presents a discussion of the issues raised and potential options for further development including recommendations for model laws governing various types of health information privacy.
The report first discusses the various protections afforded to health information, which includes both public health data and privately held health care information. Next, there are sections addressing specific laws governing HIV and AIDS-related information and immunization information, including the creation of immunization registries. The report describes the protection offered by federal law to all of these areas of health-related information.
The final section of the report presents a discussion of future options for legislation and policy in the area of health information privacy. In particular it outlines recommendations for model laws governing several areas of health-related information which are based on the consensus of opinions at the June 1995 consultation and subsequent work by research team and select experts.
Part Four:Protection of Public Health Data and Health Care Information
I.Introduction
Health information in the United States is collected and maintained by a wide variety of entities, including among others local and state health departments, disease-specific programs (TB, STD, HIV), private health care providers, hospitals, insurers, employers and educational institutions from day-care to universities. For the purposes of this report these entities will be divided into those that collect and use "public health data" and those who collect and use "health care information." As used here, "public health data" includes all health related information that is collected and maintained by a government agency. This may include data on reportable or communicable diseases; surveillance of non-communicable diseases, or behavioral risk factors; birth defects registries; or other health information databases. "Health care information" includes all health related information that is collected, held, or transferred by private entities. This can include individuals (health care providers) or institutions (hospitals, insurance companies, academic institutions).
This section discusses the particular justifications for collection of both public health data and health care information and the unique privacy concerns raised by such information; it also presents an analysis of the state laws governing protection and disclosure of public health data and health care information. Finally, the gaps in existing law will be considered and compared to other areas of health information. The following two sections will consider specific issues and concerns related to collection, storage and use of two specific types of health-related information: HIV related information and immunization information, respectively. In both cases the single type of information is maintained sometimes by private entities (physicians, hospitals), and other times by public entities (health departments). Consequently, the laws governing the privacy of the information either apply to the public institutions and agencies, or private individuals and institutions, or both.
II.Public Health Data
The collection, storage, and use of vast amounts of information on the health of populations are among the core functions of public health. Historically, public health surveillance focused on identifying and controlling persons with communicable diseases. In the United States, legal provisions requiring reporting of diseases pre-dated the founding of the republic. A Rhode Island act of 1741 required tavern keepers to report patrons with contagious diseases to the local authorities. Publication of nation-wide data on mortality began in 1850, in the same year as the first decennial census. By the turn of the century all state and municipal laws required reporting to local authorities for some of the most common, deadly communicable diseases, including smallpox, cholera, and tuberculosis. One of the great accomplishments of public health in the twentieth century, the eradication of smallpox, was based, ultimately, on the prompt identification of local outbreaks and vaccination of all susceptible persons who might have been exposed. Recently, reports of clusters of deaths among otherwise healthy residents of the southwestern United States led to the rapid mobilization of investigators. Within months scientists had identified a new strain of hanta virus, described its mode of transmission, and means of prevention.
Increasingly, public health agencies gather data on more than communicable diseases. Concern over environmental risks requires collection of information on children's blood lead levels, the incidence of certain types of cancer, birth defects, and specific pulmonary diseases. In growing recognition of the effects of behavior on personal health, health agencies also collect and analyze information on such behaviors as smoking, alcohol and drug use, exercise, use of seatbelts and bicycle helmets, and sexual practices. Reliable information on communicable, behavioral, and environmental risks enables public health agencies to respond effectively to prevent disease and disability.
The development of a public health information infrastructure is not a distant concept, but an emerging reality. National, regional, and statewide databases are rapidly becoming repositories of a vast amount of public health information. At present, numerous health databases exist with comprehensive data on health status and population-based research. Data registries are maintained for specific diseases such as AIDS, tuberculosis, and cancer, and specific functions such as childhood immunization. The U.S. Public Health Service (PHS) maintains databases on the health status of large populations. The PHS is also funding the development of automated systems to link state and local data bases to systems across the country.' Perhaps the most ambitious public effort to create a population-based database is the National Health and Nutrition Examination Survey (NHANES) conducted by several federal agencies. NHANES systematically collects health status data in identifiable form on some 40,000 Americans in eighty one counties in twenty-six states. Some five hundred pieces of data are collected from each subject, ranging from socio-demographics, diet, bone density and blood pressure, to risk status, drug use, and sexually transmitted diseases. Additionally, NHANES tests and stores biological samples for long-term follow-up and statistical research.
The tools of surveillance and epidemiological research include testing and screening for disease, reporting of the names of active cases to state health departments and aggregate information, stripped of personal identifiers, to the CDC, notification of sexual partners and other contacts, and surveys of the prevalence of disease or risk factors in certain populations. The development of an organized system of disease surveillance and epidemiological research is essential to the success of the public health system. Carefully planned surveillance and epidemiological activities facilitate rapid identification of health needs, including clusters or outbreaks of microbial disease (e.g., HBV, cryptosporidiosis, or E. Coli), the initiation of risk behaviors in sub-populations (e.g., smoking among female adolescents or ethnic minorities), and patterns of harm (e.g., child or spousal abuse, lead poisoning, radon, iatrogenic injuries, or gunshot wounds).
Close and continuous observation of the health of populations can help achieve many of the central objectives of public health: (i) by detecting the existence of environmental, microbial, occupational and other threats to health at an early stage, surveillance can provide an early warning system; (ii) by tracking and monitoring the incidence, patterns, and trends of injury and disease in populations and making future projections, surveillance can help concentrate resources and focus interventions in areas of greatest need; (iii) by identifying modes of transmission, surveillance can provide knowledge for behavioral, social and environmental changes and public health interventions to avert the spread of disease; (iv) by evaluating the success of public health responses, surveillance can help determine their cost effectiveness; and (v) by providing accurate information on health risks to policy makers and the public, surveillance can affect funding decisions and change social norms. In short, surveillance enables public health to define the health problem, inform the public, intervene, and influence funding decisions -- all indispensable to the mission of public health.
III.State Legislation Concerning Public Health Data
Public health data, all health-related information which is collected and maintained by government agencies, are distinguishable from personal health care information; they are not gathered principally for diagnostic or therapeutic purposes, but for the aggregate good (e.g., epidemiological assessment, population-based prevention, or research). Public health data include surveillance and reporting of communicable diseases, non-communicable diseases, conditions, or behavioral risk factors, registries, and other government-maintained health information systems. State legislation governing public health data are frequently found among the statutes and regulations that establish public health officials authority to protect the public health or in provisions describing the protections and permitted or mandated disclosures of all information held by the government.
A.Privacy Protection for Data Maintained by Government Agencies
Every state and territory reported statutory or regulatory protection for some types of governmentally-maintained health data. Forty-nine states reported protections for public health information in general, forty-two reported specific protections for information related to communicable diseases, and forty-two reported protections for data related to sexually transmitted diseases (see also, Table 1). All states require reporting of certain communicable or sexually transmitted diseases. This legislation also often mandates the confidentiality of any reports or investigations of communicable or sexually transmitted diseases. States vary widely on whether they rely on disease-specific statutes to protect some publicly held data (TB, STDs, HIV/AIDS) or whether they include protection of all these conditions under their general public health data statutes. It is important to note that states without specific HIV-related confidentiality statutes may also provide equally stringent protection of HIV-related information under comprehensive public health, communicable disease, or sexually-transmitted disease statutes.
Although most, if not all, states have public records provisions which guarantee individuals access to public records, the majority of states explicitly exempt all medical records held or maintained by government agencies from classification as public records.
In many states, public health data collection is increasing through special registries and databases. Registries include information regarding, for example, congenital birth defects, cancers, drug use during pregnancy, or childhood immunizations. Some databases contain a broad range of health data. Statutes establishing these systems often specify standards for safeguarding informational integrity, which may include measures to bar unwanted or unauthorized access, and mechanisms to prevent data modification or destruction. These laws also frequently include criteria for maintaining the information's confidentiality, use, or disclosure. North Carolina, for instance, has established a Center for Health Statistics which is authorized to collect health data on behalf of government agencies and private organizations. The Center's information is held in confidence, closed to public inspection, and subject to security standards.
Residents and lawmakers in some states have expressed concern about the public health system's trend toward collecting more personally-identifiable data. The California Civil Code explicitly states that the indiscriminate collection and dissemination of personal information threatens the right to privacy, that computers have magnified privacy risks, and that governmental use of personal information must be subject to strict limits. California protects personally identifiable information in government health studies; grants public entities a limited privilege for withholding health information; allows agencies to maintain only personal information relevant to the agency's purpose; and requires agencies, whenever possible, to collect information directly from the subject rather than from secondary sources.
Other states reported protections for particular types of public health information. A few states specifically protect the results of government-sponsored scientific studies or privately conducted research based on government data. New York, notably, stipulates that information obtained in specially-designed studies is inadmissible in litigation.
IV.Gaps in Existing Laws Protecting Public Health Data
The survey of state legislation revealed significant problems that affect both the development of fair and effective public health information systems and the protection of privacy. While most states have nominal safeguards of public health privacy, they are often incomplete or inadequate. Statutes may be silent about the degree of privacy protection afforded; confer weaker privacy protection to certain kinds of information; or grant health officials broad and unreviewable discretion to disseminate personal information.
Many of the gaps in existing privacy protections for public health data are similar to those described elsewhere in the report for HIV-related information and health care information. Legislative activity in the each of the states and territories has produced a rich mosaic of laws and policies which may share the same goals but reflect the specific concerns of people and legislators in each state. The independent evolution of each state's laws has also created certain characteristics which can pose problems in today's increasingly mobile society in which people and diseases are constantly on the move. This section considers these distinguishing features in the laws and the impact they have on public health efforts and individual privacy.
VI. Privacy Issues and Health Care Information
VII. State Legislation Concerning Health Care Information
Duty to maintain confidentiality
A majority of states place a duty on physicians to maintain the confidentiality of medical records in their possession. Thirty-seven states find such an obligation (see Table 2 and Appendix One: State Summaries, for more details). States that provide for the confidentiality of medical records often require prior written consent of the patient for release of the record (e.g., California). At least one state's law provides that the patient may presume information about him will be kept confidential (e.g., Minnesota). Even when a patient authorizes release of medical information for one purpose, he is not presumed to have authorized additional disclosures (see, e.g., New York).
Other states provide more limited statutory protection for health care information. Tennessee provides for confidentiality of medical records, but only when the medical information is gathered or generated as the consequence of services paid for at least in part by the state. Tennessee has no general state statute imposing a duty to protect the confidentiality of medical record information. The law does recognize the physician-patient and therapist-patient privilege and, thus, does not protect confidential information obtained in these relationships against forced disclosure in court proceedings.
Twenty six state statutes require other health care providers to keep patient medical records confidential. The duty owed by non-physician health care providers usually mirrors that owed by physicians. For example, in California written authorization of the patient or his legal representative permits disclosure by the health care provider, but does not allow further disclosure by the person who receives that information. New York law specifies that certain licensed professionals (social workers, dentists, etc.) may not reveal personally-identifiable facts, data, or information obtained without the prior consent of the patient.
Thirty-three states require that health care institutions maintain the confidentiality of patient records in their possession. In addition to requiring the facilities to keep medical information confidential, state laws or regulations may require facilities to develop and implement policies designed to assure the security of patient records. Institutions, too are often required to obtain proper authorization to disclose the information. In Colorado, the theft, disclosure, stealing, or copying of physician, health care worker, or hospital information without such authorization is a felony. The state may place limitations on the kind of information the facility may disclose: in Connecticut, institutions, hospitals and facilities of the departments of health services, mental retardation, and mental health may only release information about patients as is required to obtain support and payments from state and federal agencies for the care of such patients, or for review or auditing of federally funded programs. The law may also limit the disclosure of information about certain types of treatment. Information regarding drug or alcohol abuse treatment is protected from disclosure under federal law. Many states provide that information about mental health treatment may not be released without written informed consent (see, e.g., Illinois).
Insurers obtain medical information about patients when claims are submitted for payment. Despite the proliferation of the practice of third-party payment for medical services, only four states expressly require insurers to maintain the confidentiality of medical information that they receive. In New York, an insurance company which has received information about a patient for the purpose of determining benefits must protect the confidentiality of that information from future disclosures. Insurers may, however, be covered under general provisions that require anyone in possession of health care information to protect its confidentiality.
Nine states have specific provisions that impose the duty to maintain confidentiality of medical information on other, non-health care related institutions. Arkansas statutes concerning, among other things, peer review activities, child abuse and neglect information, records of medical examiners, reproductive health, and child sex offenders, all specifically address the issue of confidentiality of medical records. California requires employers who receive medical information to establish appropriate procedures to ensure the confidentiality of and protection from unauthorized use and disclosure of such information.
Computers and other electronic media are fast becoming the storage method of choice for medical and other personal information. Despite this fact, only twenty-two states have specific provisions regarding the protection of confidentiality of records maintained on electronic or computerized media. These provisions offer varying degrees of protection. Several states, such as Tennessee, use the same standards for confidentiality of computerized or electronic records as those applied to paper records. In other states, including Arkansas, statutes governing confidentiality of computerized health care information apply only to public health data; private physicians, hospitals and other health care facilities may or may not be held to the same definition. Oklahoma's Health Care Information System Act provides that individual forms, computer tapes or other forms of data collected by and furnished to the Division of Health Care Information or to a data processor shall be confidential. Statutory protection of computerized data may also lack specificity. Florida requires only that computerized records be kept in accordance with "sound" record-keeping practices.
Physician-Patient Privilege Regarding Health Care Information
Forty-two states recognize the doctrine of physician-patient privilege. This privilege belongs to the patient, not the physician; it may be claimed by the patient, a guardian or conservator of the patient, the personal representative of a deceased patient, or the physician, but only on behalf of the patient. The physician-patient privilege is an evidentiary rule that prevents the disclosure in court proceedings of information obtained from physician-patient interaction for the purpose of diagnosing or treating the patient. The privilege, and therefore the protection, may be waived by the patient expressly to allow the physician to testify, or it may be considered to be waived in certain circumstances, such as the hospitalization of a patient in a psychiatric facility, a court ordered examination of the patient, or when the patient's condition is at issue (as in a malpractice suit). The District of Columbia, however, absolutely prohibits the use of medical records or testimony in local court proceedings without the consent of the patient.
The scope of the privilege varies from state to state. Some states limit the privilege to communications between patients and physicians; others, such as Oklahoma, include psychotherapists; Colorado's privilege rules also cover registered professional nurses; Illinois' Medical Patient Rights Act includes all public and private inpatient and outpatient health care facilities.
Statutes delineating health care provider-patient privilege may include exceptions when the privilege does not apply. The physician-patient privilege in New York has several statutory exceptions. These include, among others, health care providers who must disclose information that a patient under the age of sixteen has been the victim of a crime, the reporting of gunshot or knife wounds, communicable disease reporting, and reporting of addicts or habitual users of narcotic drugs.
Alabama is one of the few states that does not recognize the physician-patient privilege; medical records are subject to subpoena and admission in court.
In addition to any statutory penalties (discussed below, Penalties for Impermissible Disclosure of Health Care Information) physicians who intentionally betray a professional secret or violate a privileged communication, except as otherwise provided by law, can be subject to professional sanctions (e.g., Arizona).
Permitted Disclosures of Health Care Information
In today's health care system, physicians rarely treat an individual without help from other health care providers. Few state laws have specifically recognized this reality; only eighteen expressly provide exceptions to confidentiality rules for disclosures to other health care providers. Such a disclosure is generally lawful when its purpose is to aid in the diagnosis or treatment of the patient. The decision of whether or not to make such a disclosure is often left to the professional judgment of the physician; New Jersey law allows the disclosure, even absent the patient's request, if the physician determines the disclosure to be in the patient's best interests.
Sixteen states have passed laws permitting health care providers to disclose information about their patients to epidemiologists and researchers. These rules usually require that the information be disclosed only to qualified researchers for bona fide research purposes and not be further disclosed in any way that identifies the patient.
Twenty-two states provide that physicians are permitted to disclose health care information under a subpoena or court order. However, even in states that do not expressly include exceptions for the release of information by court order or subpoena, health care providers may be forced to release medical information pursuant to an order of the court.
Many states allow for the release of medical information in various circumstances to accommodate the needs of the current health care environment. Authorization by the patient or the patient's representative will permit the release of records. Some states, such as California, have very specific requirements for consent forms; others do not specify whether the consent needs to be written or oral.
Several states (including California and New York) allow disclosure of health care information to insurers, employers, governmental authorities or anyone else responsible for paying for services rendered to the patient. They also allow disclosure of information to hospital or utilization review committees. Colorado law provides that physician disclosure of such information, in good faith, shall not "constitute libel, slander, or violation of the right to privacy, or of any privileged communication."
In certain states, including Connecticut, physicians are required to report suspected cases of child abuse, elder abuse, or abuse of a physically incompetent or mentally retarded individual. Disclosures made in good faith to law enforcement agencies are protected. Public health reporting requirements are also excepted from rules regarding the confidentiality of health care information.
Penalties for Impermissible Disclosure of Health Care Information
The penalties for impermissible disclosure can be either civil or criminal. Twelve states allow for criminal prosecution while nineteen make the person or entity who failed to maintain confidentiality of medical records liable to civil suit. Three states (California, Minnesota, and Rhode Island) allow for both civil and criminal penalties. Violations may be considered misdemeanors (as in California) or felonies (as in Colorado); punishments can range from fines of $1,000 (Illinois) to fines of not more than $10,000 and imprisonment in the county jail for not more than one year (Montana). In civil suits, plaintiffs may recover both compensatory and punitive damages, attorneys' fees and costs. Additionally, provisions in state Medical Practice Acts (as in Arkansas and Idaho) sometimes make the unauthorized release of medical information grounds for disciplinary action, such as suspension or revocation of licenses.
VIII.Gaps in Existing Laws Protecting Health Care Information
IX.Conclusion: Variation in Protection of Information in the Public versus the Private Sector
Most existing privacy provisions impose a duty to protect information on the individual or entity which holds the record. Legal provisions which impose a duty to protect information on the holder of the information are a remnant of a time when health care information was maintained primarily in physical records that were kept either in a physician's office or the public health department. Such provisions fail to address the current situation in which a substantial amount of data is held in electronic form by parties as diverse as physicians' offices and clinics, hospitals and other health care institutions, the health department, laboratories, insurance companies, the state and federal government, academic institutions, and other researchers. Linking responsibility for the protection of the confidentiality of a record to the holder of the record can mean that a single piece of health care information on an individual is treated differently depending on the identity of the holder.
Virtually all states have in place statutory or regulatory protections for publicly held health information. In some states, however, this is in marked contrast to a relative lack of protection for information held by private health care providers, hospitals, and other institutions. This increases the opportunities for disclosure of sensitive information, misunderstandings of the protection accorded to information, and, possibly, fosters people's distrust of the system.
The current system of state laws with differing levels of protection depending on the type of health care provider or institution, the type of service rendered, and geographic location does not and cannot adequately protect the patient's right to privacy and the confidentiality of the wide variety of health-related information held by private and public entities.
Part Five: Protection of HIV/AIDS-Related Information
I. Introduction
No disease characterizes the intractable dilemma between health information and privacy as does HIV/AIDS. Its emergence as a pandemic disease has served as a continuous reminder of the need for accurate, timely, and complete public health information. Society's success or failure in combatting communicable disease is based in part on health officials' ability to identify when and where outbreaks are occurring, to determine how infection is spread, and to design possible strategies for halting or slowing further transmission. In the absence of a systematic global surveillance system, HIV infection spread silently for many years; it was present on several continents before it was detected. In the United States, reports of case clusters of unusual pneumonia and rare cancers among gay men in 1981 led to the syndrome's description.' Even before the virus was discovered epidemiological investigations determined that the condition was likely caused by a transmissible agent which was spread via the same routes as hepatitis B. Accurate collection and dissemination of information also helped dispel misconceptions about casual (e.g., air-borne and food-borne) transmission.'
This section explores the important justifications for collection and use of HIV-related information to achieve public health goals as well as the necessity of protecting the confidentiality of that information from improper disclosures; analyzes the scope and variety of state laws and regulations governing privacy of HIV-related information; and describes the problems or gaps in the current system of state and federal law.
II.State Legislation
Since the beginning of the epidemic there has been a great deal of legislative activity involving HIV and AIDS. Virtually every state has passed laws dealing directly with HIV infection or AIDS, and some states have enacted legislation in a broad range of areas. Laws and regulations that specifically mention HIV or AIDS can be found in, or promulgated under, the public health statutes (also called the Public Health Code, Health and Safety Code, or many other variants); criminal statutes; government statutes; education statutes; as well as many others. Virtually all states have statutes, regulations, or policies which protect HIV-related information either directly or indirectly. Many states have enacted HIV-specific confidentiality provisions (e.g., California, Florida, Massachusetts, New York). Other states have opted to protect HIV-related information under laws protecting all public health data (e.g., Minnesota, Tennessee). Consequently, the absence of HIV-specific statutes does not necessarily indicate that HIV-related information is not protected. At the same time, medical and social developments continue to give rise to calls for mandatory testing or use of HIV test results for new purposes.,
This section describes some of the state statutes, regulations, or policies which directly concern HIV-related information: how it is obtained, how it is protected, and when it may be disclosed by either government agencies or private parties. The section and the appendices containing summaries of the HIV and AIDS information laws of each state and territory (Appendix One) are not a comprehensive description of each state's HIV-related law; they concern only the collection and uses of HIV-related information.
Many states' public health statutes are disease-specific; they categorize diseases as non communicable, communicable, or sexually-transmitted. Additionally, they may have separate statutes for other diseases, such as TB or HIV/AIDS. Twenty-three states classify HIV/AIDS as a separate category of disease. Sixteen states classify HIV/AIDS as a communicable disease and twelve as a sexually transmitted or venereal disease.
Classification of a disease determines crucial issues of how the disease is handled from a public health perspective: whether it is reportable (by name or anonymously); whether that information is treated as confidential; whether the health department can exercise coercive public health powers for disease control; and whether other public health measures such as contact tracing will be pursued. For example, much public health law developed in the last hundred years granted information regarding communicable disease relatively weak protection, while more stringently protecting information regarding venereal diseases (now referred to as sexually transmitted diseases, or STDs).
Some states classify HIV as a sexually transmitted disease. Public health officials and policy makers in these states must determine whether all other provisions applicable to sexually transmitted diseases should apply to persons with HIV or AIDS. Similarly, states may require reporting of dangerous communicable diseases to state or local public health authorities within a set time period (hours, days, a week) of their diagnosis. For policy reasons related to their efforts to promote HIV testing and a broad range of prevention activities, states may or may not wish to require reporting of both HIV and AIDS. Consequently, some states have chosen to classify HIV/AIDS in its own category, or to include special provisions governing disease reporting that distinguish between HIV infection and AIDS.
All states currently require reporting of cases of AIDS as currently defined by the Centers for Disease Control and Prevention (CDC). Forty-one states, according to the materials obtained for this survey, also require health care providers, laboratories, blood banks, hospitals, and sometimes other institutions and individuals to report cases of HIV infection to the state or local health department.
Early in the epidemic, mandatory reporting of HIV infection was opposed by many who feared that the requirement and the fear of breaches of confidentiality would drive people at risk of infection away from being tested. There is some evidence that the availability of anonymous testing (and presumably release from the fear of any possible disclosure of identity) can increase both the number of people who seek testing and encourage testing by more people who are at high risk of infection.
When anonymous testing was introduced in Oregon, the overall demand for testing increased fifty percent, with the most marked increases among homosexual/bisexual men (125%), and female prostitutes (56%). The number of positive tests doubled in the calendar quarter immediately following introduction of testing. During the same time the number of tests sought in neighboring geographic areas and in private clinics (providing confidential, named testing) did not increase. In South Carolina, a state with mandatory named reporting of HIV infection and mandatory partner notification, one study showed that although only a relatively small number of state residents went to neighboring states for anonymous testing, those that did so were more likely to be infected than were those who were tested confidentially within the state.
In spite of these fears, the trend appears to be for states to require reporting of HIV infection. Many states require named reporting of HIV infection. In other states reporting of HIV infection is anonymous. In a few states reporting is anonymous unless set criteria are met. For example, in Oregon reporting is generally anonymous unless the person infected with HIV fits into one of seven categories. These include patients who have donated blood or tissue in the last year; have a criminal record involving sexual offenses; are children under six years of age, or under twenty-one if they qualify for special education; have tuberculosis; request assistance in notifying partners; or refuse to notify their partners and their partners fit other criteria (see Spousal or partner notification, below). In states with anonymous testing programs and laws mandating reporting of HIV infection, the reports from anonymous testing sites do not include patient identifying information (see, e.g., Indiana).
3.Partner/spousal notification provisions
Thirty-seven states either allow or require public health personnel or health care providers to warn sexual or needle-sharing partners of someone with HIV infection of their possible exposure. These provisions embrace two basic types of disclosure provisions, traditional contact-tracing/partner notification programs, and a duty to warn. For the purposes of this survey, both kinds of activity have been classified as spousal or partner notification. This section describes important issues concerning both types of activity and examines existing state law in the area.
Traditionally, public health officials have engaged in a wide range of activities including case finding, contact tracing, public vaccination campaigns, education, and treatment, as part of programs to control communicable and sexually transmitted diseases. Contact tracing, as developed in the setting of sexually transmitted disease control, entailed public health workers contacting individuals who had been exposed to a person diagnosed with an STD, informing them of their possible exposure, and offering them testing and treatment. Public health personnel did not reveal the name of the source of exposure, although in some situations it was obvious to the exposed person. Effective contact tracing was primarily dependent on the cooperation of the source patient in identifying contacts, and could be initiated at the source's request or as part of a health department program.
Critics and some public health officials have questioned the efficacy of contact tracing in the context of HIV infection and AIDS on a variety of grounds. Increasingly, however, public health organizations, commentators and advocates have endorsed contact tracing (also called partner notification) as one component of effective public health response to HIV/AIDS.'' Among populations where a high number of sexual or needle sharing partners is the norm, or where sero-prevalence is relatively high, contact tracing has been criticized for consuming too many resources while failing to discover many persons who did not already know they had been exposed.'
Development of new anti-retroviral medications and effective regimens to prevent opportunistic infections provide persuasive reasons for encouraging early counseling, testing and detection of HIV infection. These advances have also reduced the force of the argument, common early in the epidemic, that HIV was different from other communicable diseases because diagnosis with HIV infection or AIDS could not lead public health officials to offer any effective treatment. There are now clear clinical benefits to the individual from relatively early discovery of HIV infection. In addition there are substantial potential public health benefits from informing individuals that they have been exposed. Persons who know they have been exposed to someone with HIV infection can obtain testing, determine their infection status and, if necessary, take measures to prevent further transmission. Where contact tracing is not feasible, extensive, targeted education for those engaged in high risk activities still represents a vital part of effective public health policy.
Advocates of civil rights, civil liberties, and privacy have also resisted the use of traditional contact tracing for HIV/AIDS. Their concerns centered on the potential for misuse of information about individuals with HIV, or those who were potentially exposed. Implementation of programs inevitably involves creation of lists of people who may have been exposed through participation in activities which are illegal (drug use or homosexual activity in some jurisdictions), have been condemned as immoral, or are at least highly intimate.
Contact tracing in the context of HIV/AIDS has become more accepted as programs have demonstrated their ability to protect the identity of infected persons and their contacts. The Centers for Disease Control and other public health organizations also strongly endorse programs which protect patient confidentiality.
Health care providers, psychotherapists, and others sometimes confront an ethical or legal dilemma when faced with a patient who they know or reasonably should know poses an immediate danger of serious harm to an identifiable third party. On the one hand, the health care or other provider has a duty to maintain the confidentiality of information that is revealed to him or her as part of the patient-provider relationship. On the other hand, the provider may feel an ethical duty to prevent harm to the identifiable third party. Case law, originating in California and followed by other states, imposes a legal duty on some types of health care providers to warn a third party in imminent danger of harm. The lead case in this area involved a psychotherapist who failed to warn a patient's girlfriend of the patient's threats to murder her (ending in her murder). Disclosure under these or similar circumstances, performed by the health care provider or the health department at the provider's request, more often involves disclosure of the identity of the source of the threat, and does not usually involve the cooperation of the source.
In the context of HIV/AIDS, this type of partner notification has been condemned by some and supported by others. Some argue persuasively that if individuals know that their health care provider will be mandated to disclose their HIV status to their spouse or partner, individuals who suspect they are infected will avoid testing or treatment for disease, or will be less than honest with their health care providers about their current sexual or drug use activity.' Critics also note that when domestic violence is present, informing a male partner (when the woman is the first diagnosed) may expose her to abuse, injury and even death from her abusive spouse. In these situations the woman may have been infected by the man, so the consequences to her seem especially harsh. Other commentators, however, note that partner notification programs can identify persons who do not realize themselves to be at risk and can be a cost-effective means of reaching a group at relatively high risk of infection.
Based on the results of our survey, existing statutory law governing disclosure of possible exposure to communicable diseases including HIV (with or without disclosure of the identity of the source patient) is much more likely to be permissive than mandatory. Thirty-three states and territories had provisions which allowed either public health officials or health care providers to disclose to sexual or needle sharing partners of someone with HIV infection or AIDS the fact that they might have been exposed. Two states specifically permit disclosure of the name of the source patient by the health department. Ohio law specifically authorizes disclosure of HIV test results and the identity of the person tested to their spouse or any sexual partner. Michigan specifically allows disclosure of the identity of the source patient if the patient consents to the disclosure.
The mandatory provisions are far fewer in number. Only four states have statutes which require either the health department or health care provider to notify persons at risk. Of these four, Oregon's statute is unusual in that it only requires health care providers to report the names of HIV infected persons for partner notification in two situations: when the patient requests assistance in notifying partners; and without the patient's request or consent when the patient's partner is not a member of certain population groups who, based on "generally available information," believe they are at high risk of infection with HIV. The statute defines these population groups as hemophiliacs, prostitutes, users of intravenous drugs, men who have had sex with men, and sexual partners of individuals in these four groups excepting those who are unaware of the index individual's risk status. Health care providers are not required to report the identity of a person with HIV infection if that person's partner is a member of one of these population groups. Before notifying the Health Department, the health care provider must have tried and been unable to persuade the patient with HIV infection to notify his or her partners.
North Carolina's provision requires patients to notify all past (since the date of infection, if known) and future sexual intercourse partners of their infection. If the date of infection is not known, the infected person must notify all partners for the previous year. If a physician knows the identity of the spouse of an HIV-infected patient, and has not, with the consent of the infected patient, notified and counseled the spouse appropriately, the physician must notify the Health Department of the identity of the spouse. The physician's responsibility to notify exposed and potentially exposed persons is satisfied by fulfilling these statutory requirements.
Three states require certain individuals to disclose the names of their contacts. North Dakota's statute is only mandatory under certain circumstances. It provides that any individual found by a court to be a danger to the public health and infected with HIV can be required to disclose the names and addresses of any partners at risk to the court. These provisions do not address how, or whether, an individual could be compelled to disclose names.
Statutes which authorize health care providers to disclose potential exposure to the sexual or needle sharing partner of their patients often specifically state that they are permissive and protect the physician from liability for disclosure where the recommended procedures were followed in good faith. The Pennsylvania statute is typical of those which allow, but do not require, the health care provider to disclose possible exposure to partners of patients with HIV infection. It provides for disclosure by the provider as a last resort. In Pennsylvania a physician may disclose confidential HIV-related information if:
Other states (including, but not limited to, California, New York, and Florida) have similar statutes.
There are a few states in which case law appears to create a duty to warn for health care providers, and there is no statute protecting them from liability for failure to warn. The Vermont Supreme Court has imposed a "duty to warn" on mental health professionals who know or should know that a patient poses a serious risk of danger to an identifiable victim. Health officials in Vermont believe that this duty could, and probably would, be applied to other health care providers. Case law in Tennessee provides that there is a duty to warn identifiable third persons of the danger of exposure to a communicable disease.
Massachusetts, has very stringent statutory protection of the confidentiality of HIV-related information (see above Confidentiality Protection and Permissible or Mandatory Disclosures). Massachusetts case law, however, has recognized a "power to warn" in some situations, which permits disclosure of information regarding a person who poses a serious danger to themselves or others. This creates an apparent conflict between the HIV-specific statute and existing case law. The case law does not directly concern disclosure of information regarding HIV infection, and there are no court cases construing the power as it applies to persons with HIV infection or AIDS.
E. Penalties for Impermissible Disclosure
In spite of the existence of confidentiality statutes, regulations, policies or rules, there remains the possibility that a person legally entitled to confidential information will disclose it improperly. Impermissible disclosures may occur when a health care provider reveals a patient's HIV status in a situation in which he or she is not authorized to do so; when an unauthorized person gains access to hospital or patient records; or when a health department employee improperly releases confidential data on reportable diseases. Forty-five states reported some type of penalty for impermissible disclosure. Thirty-three states had criminal penalties, and thirty three had civil penalties, or allowed for civil causes of action. Twenty-one states provide for both criminal and civil penalties.
State statutes may provide additional sanctions beyond civil or criminal liability. Ohio specifies that the licensing board may take disciplinary action against a professional licensed by the state who wrongfully discloses HIV-related information, but shields from liability health care providers or others who act in good faith. Michigan specifically makes employers vicariously liable for improper disclosures by their employees, unless the employer had taken reasonable precautions to prevent improper access or disclosure. Maine's statute requires health care providers to have a written policy for protection of patient records containing HIV infection status information. At a minimum, the statute requires termination of employment for violations of the confidentiality policy.
III.Gaps in existing laws
C. Variation depending on who holds the information
States which have integrated HIV into existing or revised public health (communicable disease and sexually transmitted disease) statutes may protect HIV-related information from unauthorized disclosure when it is in the possession of the health department. However, a particular challenge remains in protecting such information when it is held by hospitals, insurers, individual physician's offices, employers, or other institutions.
The majority of medical information privacy provisions are still based on an outmoded model of medical records kept in paper form and held by a single health care provider or institution (see Protection of Health Care Information, above). The existence of these provisions side by side with public health provisions may result in additional variation in the protection of HIV-related information (see Protection of Public Health Data, above). Results from HIV antibody tests or other HIV-related information may receive different protection depending on who holds the information.
IV. Conclusion
Collection and use of information relating to HIV/AIDS is important both in treating individual patients and controlling the spread of disease through education and notification. While protecting individual privacy is an important goal which must not be overlooked in order to prevent the spread of discrimination and abuse, the need to use the information to help others cannot be ignored.
The present system of state laws sometimes interferes with achievement of these two goals. Variability in the level of protection accorded to HIV-related information by different states and within the same state can lead to disclosures that cause harm to individuals, or create barriers to effective public health work. Fear of such disclosure may keep individuals away from the health care system, thus preventing treatment for themselves and possible notification to others at risk of disease. For discussion of potential solutions for reform or modification of state laws, see Future Options for Protection of Health Information Privacy and Conclusion, below.
Part Six: Protection of Immunization Information
I. Introduction
Common childhood illnesses such as measles, diphtheria, pertussis, tetanus, and polio once accounted for a substantial proportion of infant and child morbidity and mortality in the United States. Complete and timely early immunization can now effectively prevent these and other childhood diseases.'' Despite the potential to protect the health of society's most vulnerable population, approximately one-third of the four million infants born annually in the United States do not receive all of their recommended immunizations by age two.
The failure to adequately immunize pre-school-age children is costly, and poses a risk to the public health. Childhood immunization is a highly cost-effective intervention; every dollar spent on the vaccine against measles, mumps and rubella (MMR), for instance, saves $21 in future societal costs. The measles epidemic of the late 1980s powerfully illustrates the public health consequences of inadequate immunization. The epidemic produced some 50,000 cases of disease, 11,000 hospitalizations, and 130 deaths.''
Multiple obstacles exist to achieving higher levels of childhood immunization. Perhaps most importantly, health care professionals and parents cannot accurately identify children who need vaccinations and are susceptible to preventable disease. An immunization information system would enable health officials to target children in need of services, issue reminders, provide education, and conduct outreach. An information system would, in particular, identify pockets of under-immunization and direct resources where they were most needed.
In 1963, the Centers for Disease recommended that states begin implementing systems to allow identification of un-immunized or under-immunized children, through linkage with birth certificates. Early efforts were not efficient or cost-effective due to the lack of technological tools. Since 1991, however, there has been increasing interest at state and national levels in developing systems that would record all birth and immunization data, and would be accessible to health care providers, public health officials, parents, and perhaps school officials in order to determine whether a child is fully immunized, and to facilitate outreach to un-immunized or under immunized children. In 1994, the National Vaccine Advisory Committee, Subcommittee on Vaccination Registries concluded:
II.Immunization as a Public Health Goal
Immunization programs, particularly among school age children in the United States, have achieved high levels of coverage (children fully immunized against specified preventable illnesses), and substantial reductions in vaccine preventable childhood illnesses. The rate of complete immunization of school-age children in the United States (>95%) is as high, or higher, than most other developed countries.' Yet the rate of full immunization of pre-schoolers (<65%) is below that of many developed (and even some developing) countries.
While the most recent provisional data show significant improvement in specific immunizations, levels for all immunizations remain well below the Childhood Immunization Initiative's goals for 1996 -- 90% coverage for measles, DPT, polio, Hib; and 70% coverage for Hepatitis B. Immunization rates, moreover, differ substantially among different geographic areas, and socio-economic groups. Immunization rates in some large urban and rural areas, and among racial minorities are particularly low.
The U.S. Department of Health and Human Services has established the goal of having ninety percent of children fully immunized by their second birthday. Public health officials have set specific disease-reduction targets for each of the major vaccine-preventable illnesses. Disease reduction has been monitored more comprehensively than progress toward targets for immunization coverage. For example, public health officials have used measles outbreaks to measure the impact of immunization programs on disease, identify outbreaks promptly, and characterize high risk areas. Disease surveillance, however, only detects problems in immunization coverage after the harmful health effects have occurred, and may not reveal all areas with low immunization coverage. Public health and immunization policy makers and program managers need information on vaccination that is more accurate and reveals current differences in immunization status by age, geographic area, and other risk factors.
Accurate measurement of immunization coverage can help policy-makers assess the particular barriers to increasing immunization within a community. Access barriers to childhood immunization have been systematically documented.''' Inadequate access to prevention services is a principal reason for under-immunization. Lacking a primary care provider, underserved children are not regularly monitored for immunizations. One study found 17 percent of poor children had no regular source of care; and 35 percent of poor children relied on emergency rooms and community clinics as their regular source of health care.
The full series of vaccinations currently costs about $500 for private-sector patients; physician administration fees constitute 60 percent of the fee. However, many families face stark financial constraints to immunizing their children: 21 percent of children under 18 years of age live below the poverty level and one in six children lacks health insurance. Further, less than half of employer health plans cover vaccinations, in contrast to a much larger proportion of health maintenance organizations that do so. A few states mandate insurance coverage for immunizations but, due to the preemption effects of ERISA, these statutes do not apply to self insured plans. In addition, underserved children frequently fall through the welfare safety net. Medicaid coverage is uncertain due to: diverse income and other state eligibility requirements, the administrative complexity for enrollment, the variable scope of coverage for prevention services, and the limited participation by primary care providers.' Medicaid-eligible children themselves also receive fewer prevention services than privately insured children.
The Comprehensive Childhood Immunization Act of 1993, part of the President Clinton's Childhood Immunization Initiative, was designed to overcome financial barriers to immunization. Under the Act, the federal government purchases and provides to physicians (at no charge) vaccines for children who fit certain criteria: those enrolled in the Medicaid program, those whose health insurance does not cover immunization, and Native American children. Yet the Act has limits in securing access for children because economic barriers are not the principal cause of under-immunization; low immunization rates have been documented even when vaccines are provided without cost to families. In addition, some physicians may be unwilling to participate in the federal program because of the administrative costs and the record-keeping requirements in determining which children are eligible for free vaccination.
Efforts to improve immunization rates require not only expanding access to vaccines but also creating an efficient system to distribute them. Approximately half of all U.S. children receive their vaccines in public facilities (city or county health departments, federally-funded community health centers, or public hospital clinics), a situation which parents and children regard as confusing and burdensome. In reality, the public system for vaccine administration often entails linguistically and culturally inappropriate services and educational materials, distant locations, long waiting times, and inconvenient office hours. By contrast, immunization practice standards for the public sector advise "user-friendly, family centered, culturally sensitive comprehensive primary health care that can provide rapid, efficient, and consumer-oriented services to users."
Parents' lack of knowledge, or concerns about the safety, of vaccinations also contribute to low immunization rates.' Parents are indispensable partners in ensuring that children are immunized. Yet many parents are unaware of or do not understand the complex vaccination schedule now recommended, encounter difficulties taking time from work or obtaining transportation, and, in the past, have been confused by complex informed consent forms. For some families, the overriding need to secure adequate nutrition, housing, and health care renders immunization a relatively low priority. Federal law requires health care professionals to provide written information about immunization to parents before administering vaccines. Since 1994, the immunization information has been simplified to be easier to understand and provide a balanced discussion of the risks and benefits of each vaccine. Immunization information is available in many different languages. Parents are no longer required to sign a consent form for these vaccines.
The CDC has emphasized that health care providers miss opportunities to vaccinate children who visit physician offices, clinics, emergency rooms, and hospitals, when the providers fail to assess vaccination needs.'' Yet even if all health care providers elicited immunization histories, their efforts would likely be hindered by incomplete and inaccurate information. Immunization information that parents impart to health care providers -- whether from recall or from vaccination cards -- is frequently incorrect or insufficient, and seldom provides a reliable basis for immunization decisions.'
These issues demonstrate the need for more accurate and comprehensive means to collect and use immunization information.
III. Proposals to Reduce Gaps in Immunization Coverage: Access to Information
A.Immunization Coverage: Alternatives for Collecting Information
Currently, comprehensive national, state or local data systems that can track all children and identify those who need to be vaccinated do not exist. Although many immunization programs are developing immunization information systems that serve these purposes at the state and local level, these systems still contain data on a minority of U.S. children. The medical and public health communities widely recommend the development of information systems to monitor childhood immunization status and to generate notices when a child's vaccinations are due or past due.'' Evaluative research suggests that tracking and reminder systems significantly increase immunization rates.''''''' Primary health care providers need an accurate source of immunization information, particularly if the child has no comprehensive record of care. The increasingly complicated recommended immunization schedule challenges both the physician and the family in keeping abreast of the child's immunizations. At the community level, program planners and public health officials do not possess adequate population-based data, which confounds immunization surveillance and intervention. Without this information, public health officials cannot reliably detect low immunization rates in specific geographic areas or populations, cannot effectively develop outreach and other prevention programs, and cannot adequately prevent disease outbreaks in schools, day care centers, or communities.
Alternate methods of collecting immunization information, while important, are inadequate for planning and evaluating immunization programs, or for protecting individual children. These methods include sporadic use of local immunization registries, birth cohort comparison studies (in which public health officials compare the number and type of each administered vaccine to the expected size and distribution of each year's newborn population), community-based sample surveys, and individual clinic audits. In addition, disease surveillance is inadequate because it identifies health problems retroactively.
While national, regional, state or local systems of collecting immunization information create the opportunity to provide more effective health care and disease prevention, the establishment of immunization registries also raises specific privacy concerns (see below, Privacy Issues Posed by Registries).
B. Immunization Registries: Characteristics
Based on the experience gained from the alternative methods of measuring immunization coverage and federal and private pilot projects to create population-based immunization databases (registries), a panel of experts convened by the CDC outlined the basic characteristics of an effective Immunization Registry (see also Appendix Two: Model Immunization Registry System Components): (i) enrolling all children at birth or when entering care as new resident; (ii) collecting a core data set, including a unique personal identifier; the vaccine dose, lot number, and type; the vaccination date; and the vaccine provider; (iii) securing access to, and promoting interactive communication among, health care providers; and (iv) developing mechanisms for aggregating data nationally and state-wide. In addition, the system should facilitate public health outreach -- by notifying parents, physicians, and public health officials of missed immunizations -- and should have the capacity to include other health promotion and disease prevention data.
C.Efforts to develop immunization registries
The concept, as well as the need for a universal, computerized system to collect, track, and exchange immunization data has existed for several decades. As early as the 1960s, the CDC posited that automated and accessible immunization records could facilitate "national follow-up of births for maintenance of immunization levels." The CDC has distributed limited funding for immunization information projects for more than a decade. The Automated Immunization Management System (AIMS) projects, established in 1980 and 1985, were designed to perform tracking, vaccine inventory, immunization coverage surveillance, and program evaluation. In fiscal year 1993-94, the CDC began to provide grants to states for immunization registries. These funds have helped states to inventory existing tracking projects within their state and assess the feasibility of statewide approaches. During 1994 and 1995 the CDC awarded more than $16 million to states for the planning, development, and implementation of immunization information systems. The CDC also supports states in developing related public health information systems. During 1994 1995, CDC provided more than $8 million to twelve states for development of Information Networks for Public Health Officials (INPHO), to enhance the ability of public health officials to exchange information. This system will assist states and localities developing immunization information systems.
Finally, there has been the Comprehensive Childhood Immunization Act of 1993, pursuant to which the federal government will purchase vaccine and provide it at no charge to physicians for use in children insured by Medicaid and others who lack health insurance that covers immunizations. The final version of the Act, however, did not include provisions for a national tracking and reminder system which had been included in earlier versions. The CDC's National Immunization Program (NIP) has opted to support development of state and local immunization information systems. These systems can fulfil some of the important functions of immunization registries: to remind parents when their children are due or overdue for scheduled immunizations; to assist providers in evaluating immunization needs of individual clients; and to facilitate exchange of information among providers in the same state or locality. Additionally, because immunizations are provided to persons in the community by local health departments and other private and public providers, systems designed and developed at the community level may be most responsive to local situations and preferences.
State- or locality-based registries are less well-equipped to accommodate other goals of a comprehensive immunization registry. Increasingly families are mobile and health care is provided by organizations which operate in many states. State or local systems may not be able to provide accurate immunization information on children who move to another state or locality. For example, if a managed care provider, or other network of health care providers which operate in multiple states, seek information on the immunization status of a child held in another state, that information may not be easily transferable from one state's or locality's system to the next. Also, if the confidentiality of information in a registry is governed by various state and local laws, these laws may provide insufficient guidance concerning which state's laws apply, which courts have jurisdiction to settle disputes, and which standard of confidentiality a multi-state organization should enforce. Commentators have noted that for state or local immunization registries to accomplish the full range of goals, they would have to be fully compatible with one another for national coordination of collection, tracking and recall to be feasible, and state or national law would have to provide clear standards for confidentiality of information transferred across state borders. If, on the other hand, data are to be used inter-state or at the national level only to determine immunization rates and areas in need of focused immunization efforts, then aggregate (non-identifiable) data could be reported from disparate state and local systems to the national program.
2.State approaches
A number of states have begun development of immunization registries (see State Legislation, below, for discussion of the particular state statutes).
3.Private support
The private sector has also funded registry development. The Task Force for Child Survival and Development's "All Kids Count" (AKC) program (supported by The Robert Wood Johnson Foundation, the Annie E. Casey Foundation, and other private funders) has invested in immunization monitoring and follow-up projects in numerous states and localities. Each AKC project is developing an automated data base that will monitor immunization status, identify service gaps and barriers, and establish follow-up and referral mechanisms.
Other private initiatives in support of immunization collection systems have included development by private companies of software packages to facilitate immunization tracking and recall activities. The goal of such projects is to develop a prototype system that would provide comprehensive immunization information management, yet be flexible enough for use by many states or the federal government.
IV. Privacy Issues Related to Immunization Registries
2. The type of information collected in a registry
The type of information that is collected and maintained by a registry is important in the context of privacy issues. It would be a mistake to assume that an immunization registry will only contain harmless or innocuous information that does not require both confidentiality protection and a security system. At a minimum, registries include some confidential personal and medical data, and they may contain medical and social information that is sensitive for the child and family. A basic registry would have to contain the name, address, date of birth, immunization dates, vaccines administered to the child, as well as adequate information to identify and locate the custodial parent(s) in order to issue reminders for future immunizations. Registries may also include other confidential medical information such as: medical contraindications to immunization; adverse reactions to immunizations; allergies; and the child's HIV infection status. Some registries include information on social services the child or parents are eligible for or receive, and social or medical information on other family members.
When confidential medical information on the child or family members is contained in the registry there is the possibility that its disclosure will harm the child or family. Disclosure of details of the child's, parents' or siblings' confidential medical information can cause harms similar to those resulting from any breach of medical confidentiality. Disclosure of HIV status to relatives, insurers, or others may result in stigmatization, denial of insurance, employment, or loss of child custody.
3. Access to information contained in a registry
A vast universe of parties may seek access to the information contained in immunization registries. Guardians or parents (custodial, foster, or estranged), relatives, friends, and lawyers may attempt to obtain immunization information to ensure the child's health care needs or to gather information for a custody dispute. Health care professionals (e.g., nurses, midwives, physician assistants), managers (e.g., administrators, utilization reviewers), and third party payers (e.g., health insurers, employer sponsored health plans, managed care plans) may seek the information for purposes ranging from service delivery and third party payment to utilization review. Day care providers, educators, and school nurses may want to access the information for educational or health and hygiene purposes. Federal and state agencies (e.g., Head Start programs, health departments, child protection services, social services, and criminal justice facilities) may seek the information for purposes as diverse as determining eligibility for program assistance, or preparing for child neglect or abuse proceedings. Finally, health officials, researchers, and other academics may want the data for public health purposes (e.g., program development, evaluation, or community health assessment).
Immunization data may adversely affect the family if they are inappropriately disclosed (e.g., the parents' employment or insurance status; family eligibility for public benefits, services, or privileges; or parental rights). For instance, if the registry includes immigration status, or if immigration authorities gain access to comprehensive demographic family data, the information could be used to detect undocumented immigrants and migrant workers or to deny them benefits.
A custodial parent may also fear that an estranged parent will use the registry to discover a child's home address. In this circumstance, access to location data could lead to harassment, stalking, abduction, violation of a restraining order, or violence directed at the child or custodial parent.
Parents may be concerned that failure to immunize a child may form the basis for an investigation by child protection authorities. Recently, a New York family court made a finding of child neglect based, in part, on a parent's refusal to have his three-year old daughter immunized during a measles outbreak. Although the information in this case was not obtained from the immunization registry, the existence of a registry could facilitate both individual investigations and "surveys" of the registry to identify all children whose parents have not immunized them on schedule.
Information in the registry may be made available in individual form -- complete with personal identifiers -- or it may be made available in aggregate form stripped of identifiers. The potential for harm to children and families from disclosure to many entities can be avoided or reduced by limiting disclosure of personally identifying information to specific entities whose goals are the same as those of the registry. All other parties could receive aggregate information with relevant general demographic information.
4. Security of information in a registry
In addition to issues concerning use by those with authorized access to the registry, there are questions of security of the registry. These concerns may be especially acute where the system is designed for on-line access or where access is linked to a non-private identifier, such as a social security number. Parents may be concerned that a registry which uses the child's or parent's social security number as the unique identifier will make information accessible to all those individuals and institutions who already have the social security number, or that authorized users of the registry will use it to gain access to other databases containing personal information and linked to the social security number (see Protection of Health Care Information, above). Unauthorized access can also occur through inappropriate use of terminals in local physician's offices, health departments, or other remote sites.
Many states operate dual systems for collecting and using immunization data, each with discrete legal requirements. Disparate rules for data held inside, and outside, of official registries can confuse all parties and create opportunities for error and improper disclosure. Additionally, states may afford lower levels of confidentiality protection to immunization data (than for other health information), based on the unfounded conclusion that immunization information is less sensitive.
While enlightened federalism may welcome state variation as experimentation with local solutions to complex social problems, the mobility of the population and the development of on line systems call for a coherent and unified approach. Parents and children move freely from state to-state and automated systems are designed to transmit information rapidly across state lines. Both public health and privacy goals are undermined if each state uses its own core data set (introducing compatibility problems during information transfer), establishes unique rules for access and privacy, or restricts the flow of health information beyond the state.
5. Development of a registry
Privacy concerns about the registry may arise during the development process. Excluding parents, health care providers, or some other group with an interest in the immunization status of children from the planning process for the registry can lead to distrust or misunderstanding of the purpose and uses of the registry. If the participants in the planning process perceive it as rushed, perfunctory or otherwise inadequate, they may withhold their support from the final product or avoid cooperation with the program.
Finally, problems may stem from a lack of established procedures within the registry. Registries may have inadequate standards for determining what information they should contain and who should have access. They may lack procedures for settling disputes over inclusion or accuracy of information. There may be no opportunity to review privacy concerns as they arise, and make modifications to the procedures and structure of the registry as needed.
V.State Legislation
C.Confidentiality of Immunization Information, Access to Information and Disclosure
1. Introduction
The collection and use of immunization information in some states is covered by two separate sets of statutes and/or regulations - those governing immunization for admission to schools or day-care centers and those establishing a registry or creating reporting and confidentiality requirements for a registry. These two types of provisions were developed in different eras and reflect different purposes, structure and procedures. School immunization statutes mandate that parents (accompanied by proof of immunization from a health care provider) report immunizations to the school or day care center. The reporting is decentralized, records are kept in paper form, and summary reports are usually sent to the health department. While some expectation exists that schools will not disclose immunization records, health departments usually retain the right to review or inspect records, and schools routinely forward immunization data when students transfer to another school.
Since immunization registries have been designed and implemented more recently, they more often directly address confidentiality and access. Health care professionals report directly to the registry, which is usually centralized by city or state. Most fully functioning registries depend on computers to store information, to provide access, and to generate reminders.
VI.Gaps in the Law
Registries can improve immunization coverage by providing accurate, complete, and current information to health care providers, public health officials, educators, and parents. However, the systematic collection of large amounts of automated health data poses a privacy risk.' Ensuring privacy of the data is critical, both to achieve public health purposes and to protect parents' and children's individual rights. Parents and children whose immunization information is contained in the registry have a right not to have sensitive health information disclosed in ways that might stigmatize or harm them. Fear of unauthorized disclosure might lead some parents to avoid contact with primary care providers, which would undermine public health efforts to increase immunization rates and offer other preventive services. Elected officials also are not likely to authorize automated immunization data banks unless they gain the public's confidence that the registry will not unnecessarily invade citizens' privacy.
Currently, considerable variation on privacy protection exists among states, and also within states. At the extremes, state legislation either too easily permits disclosure of immunization information (undermining privacy interests) or is overly restrictive (undermining public health objectives). Many states fail to specify who shall have access to immunization information; grant broad discretion to health officials to make disclosures; do not adequately protect against subpoena or court order; and do not provide clear penalties for unauthorized disclosure. Some states, however, are overly restrictive, requiring parental consent before any disclosure. This approach may impede the flow of information necessary to promote child health.
State laws regarding collection and use of immunization information vary widely. This variation has produced a rich body of law that explores many of possible options for controlling immunization information. However, the differences from state to state also create inconsistencies which can leave gaps in the protection of immunization-related information, erect barriers to use and exchange of information, or create opportunities for disclosure. In some states, health officials have broad discretion to disclose immunization records. In practice, this may mean that information related to immunizations receive little protection. Weak standards of protection of the confidentiality of immunization registries or school-based records may also lead to disclosure of sensitive medical information. This could create a double standard for health information which would not fully protect sensitive information if it is part of an immunization record.
Statutes can also create barriers to setting up an immunization registry, or prevent the registry from achieving some of its goals. In some states vital record provisions prohibit use of birth certificate data for any other purpose (see, e.g., Pennsylvania). Other states may restrict the ability of public health officials to transfer immunization information to other states.
Additionally, variation from state to state in the way immunization information is collected and stored may create purely technical barriers to its inter-state transfer. One state-based registry may not store data in a form that is compatible with another state's registry. This prevents registries from achieving one of their goals -- to provide a record of each child's immunizations that will be available to the child's parents, health care providers, and health department officials, regardless of where the child lives, goes to school, or receives health care.
VII.Conclusion
Collection and use of accurate immunization data is vitally important for immunization programs to meet present goals of 90% or greater coverage of pre-schoolers by the year 2000. In many ways, privacy concerns are supportive rather than contradictory to this goal because public health programs to reach preschoolers require public cooperation and consent. Nevertheless there will be certain times when the goals conflict. In these cases well-designed laws may offer the highest possible degree of protection for sensitive information while still aiding, rather than thwarting public health efforts.
Finally, the increasing interest in state or federally subsidized immunization programs aimed at achieving high levels of immunization of two-year-olds ultimately requires state and local health departments to collect and use large amount of personal medical information, and to share that information with health care providers, school and day care facilities. At this time, the degree of protection which that information receives varies depending on the particularities of the law in each state. When states authorize and implement immunization registries or universal immunization programs, or when they undertake reform of public health statutes, they may also choose to rethink and revise how information on immunizations is collected, protected and disclosed.
Part Seven: Federal Legal Protection of Health Information Privacy
I.Introduction
Federal legal protection of health information privacy is based on constitutional law, statutes and regulations. Constitutional protection is applicable to data collected and used by governmental entities, both federal and state. Statutory protection is limited to that specifically provided by Congress and federal agencies in legislation or regulations. As the Work Group for Electronic Data Interchange observed, there is no national level policy on privacy and security of health information. Rather, there exists a series of disparate and incomplete safeguards that neither fully protect individual privacy nor enumerate carefully when health information may legitimately be collected, used, and disseminated. The Senate began consideration of the first attempt to draft comprehensive federal legislation, the Medical Records Confidentiality Act of 1995, in October 1995. The draft provisions of the Act are discussed below (Medical Records Confidentiality Act 1995). This section of the report provides an account of existing constitutional and legislative protection of health information privacy at the federal level.
II. Constitutional Right to Informational Privacy
A considerable literature has emerged on the existence and extent of a constitutional right to informational privacy independent of the Fourth Amendment prohibition on unreasonable searches and seizures., To some, judicial recognition of a constitutional right to informational privacy is particularly important since the government is the principal collector and disseminator of information. The Constitution, of course, does not expressly provide a right to privacy, and the Supreme Court appears to be in a period of retrenchment of constitutional protection both for decisional and informational privacy.
A body of case law does suggest judicial recognition of a limited right to informational privacy as a liberty interest within the Fifth and Fourteenth Amendments to the Constitution. Whalen v. Roe is the major case in which the Supreme Court squarely faced the question of whether the constitutional right to privacy encompasses the collection, storage, and dissemination of health information in government data banks. In Whalen, a New York statute required physicians to disclose to the state information about prescriptions for certain drugs with a high potential for abuse, and provided for the storage of those data in a central computer. In dicta the court acknowledged "the threat to privacy implicit in the accumulation of vast amounts of personal information in computerized data banks or other massive government files."
Justice Stevens, writing for a unanimous court, recognized that "in some circumstances" the duty to avoid unwarranted disclosures "arguably has its roots in the Constitution." The court found no violation in Whalen where the state had adequate standards and procedures for protecting the privacy of sensitive medical information. The court observed that data on dangerous prescription drugs were afforded careful protection by the Health Department: computer tapes were kept in a locked cabinet; the computer was run off-line to avoid accessibility by others; and the information was disclosed only to a limited number of officials.
In Nixon v. Administrator of General Services, decided four months after Whalen, the court also hesitantly acknowledged a narrow right to privacy. The former President of the United States challenged the constitutionality of a statute directing the Administrator of GSA to take custody of Presidential materials and to have them screened by Government archivists. The court granted that the former President had a legitimate expectation of privacy in his personal communications. However, it upheld the constitutionality of the statute due to the limited intrusion of the screening process, the appellant's status as a public figure, his lack of expectation of privacy in the overwhelming majority of materials, and the virtual impossibility of segregating the small quantity of private materials without comprehensive screening. The court also emphasized the Act's sensitivity to legitimate privacy interests and the unblemished record of the archivists for discretion.
Most lower courts have read Whalen and Nixon as affording a tightly circumscribed right to informational privacy, or have grounded the right on state constitutional provisions. Courts have employed a flexible test balancing the government invasion of privacy against the strength of the government interest. Judicial deference to government expression of the need to acquire and use information is an unmistakable theme running through the caselaw. Provided the government articulates a valid societal purpose and employs reasonable security over the data, courts have seldom interfered with traditional governmental activities of information collection in the realm of public health.
The Third Circuit in United States v. Westinghouse enunciated five factors to be balanced in determining the scope of the constitutional right to informational privacy: (i) the type of record and the information it contains, (ii) the potential for harm in any unauthorized disclosure, (iii) the injury from disclosure to the relationship in which the record was generated, (iv) the adequacy of safeguards to prevent non-consensual disclosure, and (v) the degree of need for access -- i.e., a recognizable public interest.
The right to privacy under the U.S. Constitution is, of course, limited to state action. Since the 1970s, more than a dozen states have adopted constitutional amendments designed to protect a variety of privacy interests, including limitations on access to personal information. Although most of the state constitutional provisions only protect against breaches of privacy by government, some courts have also applied their guarantees to private parties.
The usual state action limitation renders constitutional claims uncertain in many cases. Provided the federal or state government itself collects information or requires other entities to collect it, state action will not become the central obstacle to constitutional protection. Yet, several versions of a health information infrastructure envisage private or quasi-private health data organizations, health plans, and insurers collecting a great deal of information. In these cases the applicability of constitutional privacy protection would remain in doubt, particularly if database organizations were essentially unregulated by government.
Even in cases where government unambiguously is the collector of data, constitutional limitations may be nominal. Courts allow states wide latitude in protecting the public health; and courts are certain to see government purposes of preventing morbidity and premature mortality or health research as substantial if not compelling. Since policy development on health information has emphasized privacy and security concerns, the government is likely to prevail on a flexible balancing approach. Absent an unlikely shift in the courts' approach to privacy, affording it a decidedly higher level of scrutiny, issues of health informational privacy will, for the most part, be settled in the legislative and executive branches of government.
III.Legislative and Regulatory Protection of Informational Privacy
A growing number of statutes and regulations are designed to protect privacy in a developing information society. The most important federal statutes and regulations with relevance to health data are the Privacy Act (construed consistently with the Freedom of Information Act), the drug and alcohol privacy regulations, and research regulations.
A. Privacy Act
The federal Privacy Act of 1974 is designed to ensure that federal agencies utilize fair information practices with regard to the collection, use, or dissemination of "any record" which is contained in "a system of records." First, subject to a number of exceptions, the Act prohibits agencies from disclosing information to any person or to another agency without the prior written consent of the individual to whom the record pertains. However, the Act also grants substantial discretion to federal agencies to identify disclosures for "routine uses" which may be made without consent (see below). Second, each agency that maintains a system of records must also, upon request, permit the individual to review and copy the record. Third, the Act provides a procedure by which an individual may request the correction or amendment of the record. Finally, the Act requires agencies to maintain in their records only personal information that is relevant and necessary to accomplish the agency's purpose. The Computer Matching and Privacy Protection Act of 1988, which amends the Privacy Act, regulates the practice of "matching" files pertaining to the same person through the use of a personal identifier.
Hospitals operated by the federal government or health care or research institutions operated pursuant to federal contract must maintain patient records in compliance with the Act. The Act, however, does not apply to the vast majority of entities that collect health information outside of the federal government.
Even agencies that collect information within the purview of the Act are permitted to disclose information for "routine uses." Agencies may disclose information for "routine uses," meaning that they can use health records for any "purpose which is compatible with the purpose for which it [the information] was collected. Courts have generally interpreted "routine uses" broadly when confronted with agency disclosures. Health agencies have used this concept to justify many further uses of personally identifiable information.
D.Discovery of Confidential Health Information from Federal Agencies
Public health agencies such as the Centers for Disease Control and Prevention have claimed a general confidential privilege for information it holds on grounds of the Privacy Act and the Freedom of Information Act. The CDC forbids its officers and employees from testifying in court proceedings pursuant to this asserted privilege. While health agencies cannot put a blanket ban on all requests for testimony, courts have recognized that the time of researchers is valuable and the judiciary has often upheld agency denials of requests for depositions.
Most courts have not found it necessary to determine the exact boundaries of the privilege of confidentiality asserted by health agencies. Instead, courts have used Rule 26 of the Federal Rules of Civil Procedure to determine the scope of permissible discovery in civil litigation. The courts balance privacy interests of individuals whose identity may be disclosed in the litigation against the party's interests in the administration of justice; Rule 24 allows the courts to fashion creative protective orders that permit necessary discovery while limiting infringements on privacy.,,, Some courts find that information obtained by health departments is personal and sensitive so that identifiable information may not be discoverable under the Federal Rules of Procedure.,
E.Drug and Alcohol Treatment Records
Federal law prescribes special privacy rules for the records of patients receiving care for drug or alcohol dependency in federally assisted facilities. Strict confidentiality rules apply to oral and written communications of "records of the identity, diagnosis, prognosis, or treatment of any patient which are maintained in connection with the performance" of any educational, rehabilitative, research, training or treatment program relating to drug or alcohol abuse. The confidentiality rules apply to any program or activity conducted, regulated, or directly or indirectly assisted by a federal agency. Subject to certain exceptions, the content of a drug or alcohol treatment record can be disclosed only with the consent of the patient.
F. Department of Veterans' Affairs Regulations
In addition to providing confidentiality protection to information regarding drug or alcohol abuse, regulations for the Department of Veterans' Affairs also provide protection for any records containing information related to HIV infection, AIDS or sickle cell anemia. These records can be disclosed only with the consent of the patient, or without consent only in the event of a "bona fide medical emergency," for research, to comply with state requirements for disease reporting or partner notification, or under court order. Penalties for impermissible disclosures consist of fines.
G.Research Regulations
Human subject research which is conducted or supported by a federal department or agency must comply with regulations designed to protect human subjects. Applicable research must, inter alia, be approved by a validly constituted Institutional Review Board (IRB). One of the conditions of approval by the IRB is that "When appropriate, there are adequate provisions to protect the privacy of subjects and to maintaining the confidentiality of data." Further, except where provided in the rules, no investigator can involve a human being as a subject without legally effective informed consent. In seeking informed consent, the investigator must provide the subject with a statement describing the extent, if any, to which confidentiality of records identifying the subject will be maintained. Federal human research rules include important exceptions to this informed consent requirement for health information-based research. Federal rules permit IRBs to waive or modify informed consent requirements when the research involves minimal risk to the subject; the waiver of informed consent will not adversely affect the subjects; the research could not be practicably carried out; and, whenever appropriate, subjects will receive pertinent information after completion of the study.
H. Certificate of Confidentiality
Under section 301(d) of the Public Health Service Act the Secretary can authorize persons engaged in biomedical, behavioral, clinical, or other research to protect the privacy of research subjects by withholding from all persons not connected with the conduct of the research the names or other identifying characteristics of the subjects. Persons authorized to protect the privacy of research subjects cannot be compelled in any civil, criminal, administrative, legislative or other proceedings to identify research subjects.
Protection is available upon application from a named project, and is conferred in the form of a "certificate of confidentiality" issued directly by the Assistant Secretary for Health. The certificate provides legal authority to resist compulsory demands for identifiable research subject information. An investigator with a certificate has a legal defense against subpoena or court order similar to the physician-patient privilege. The defense applies only to information about subjects, not aggregate data.
While certificates of confidentiality provide strong protections of privacy, they have some limitations. Confidentiality assurances are available for all research projects, and federal funding is not required. Since researchers must apply for protection of data from each project separately, the procedure for obtaining a certificate imposes burdens on the time and resources of researchers and scientists who, as a consequence, may not seek protection for every study involving confidential medical information. In fact, the policy of the Assistant Secretary is that issuance is granted "sparingly", i.e., "only when the research is of a sensitive nature where the protection is judged necessary to achieve the research objectives." Even if certificates are rarely denied in practice, this stated policy and the application process may create a chilling effect on researchers' efforts to protect the privacy of all their human subjects. Additionally, the researcher retains the discretion to seek confidentiality protection for his or her data and is not bound to do so. Finally, although the certificate of confidentiality protects the data from compelled disclosure by a court, it does not create any specific obligation on the researcher to protect the information in other ways.
IV.Gaps in Federal Protection of Health Information Privacy
The U.S. Constitution and federal legislation provide fragmented and uncertain protection of health information privacy. The U.S. Constitution applies only to state action and, therefore, binds principally federal and state government collection of health information. Constitutional protection of privacy would not, for example, cover private health care facilities that receive federal or state funding and would not cover many quasi-public entities such as the American Red Cross. More important, courts are likely to defer to reasonable governmental action for public health purposes. Provided the collection of information is reasonably necessary to achieve an important health purpose, and the agency provides reasonable safeguards of privacy and security, the courts are unlikely to find constitutional violations. By contrast, if the disclosure of personal information is simply careless and achieves no sound health purpose and/or if there are insufficient protections of privacy and security, courts may well find infringements of constitutional rights of individuals.
The Privacy Act and the Freedom of Information Act provide the most complete assurance of the confidentiality of government records. The protection of data depends on whether data are deemed to be "records" within government "systems of records." Accordingly, there may be no protection of private notes or data that are not organized as a record system. More importantly, the Privacy Act has a number of exceptions that have been widely construed. In particular, the "routine uses" exception may permit disclosure of data for purposes consistent with the original collection of the data. Agencies and courts may have variable interpretations of the "routine uses" and other exceptions, leading to a permissive approach to the release of confidential information.
Judicially compelled disclosure has concerned many health authorities and researchers because of the possibility that courts will find that the government's interest in the administration of justice outweighs the individual's or agency's interest in privacy. For the most part, courts have accepted the arguments of the CDC and others of the overriding importance of privacy, but, in the absence of a statute, no solid assurances exist that courts will not require disclosure in future cases.
Beyond the Privacy Act and the Freedom of Information Act, there exists a highly fragmented series of privacy protections. Focusing special protection on specific diseases (e.g., substance abuse, or HIV/AIDS) or on particular activities (e.g., research) can certainly be valuable. It marks society's particular concern with the confidentiality of sensitive health information.
Still, disease-specific confidentiality statutes create inconsistencies in the rules for the dissemination of information. Different standards apply to data held by the same health care facility depending on whether the patient is receiving treatment for substance abuse, HIV, or some other disease. Further, there is no reason to believe that data relating to certain diseases are always more sensitive or deserving of protection than other data. For example, it is possible that for some patients data about breast cancer, epilepsy, or Huntingtons is just as intimate as data about HIV infection, AIDS, alcohol dependence or a sexually transmitted disease. Overly strict confidentiality rules, moreover, could impede the dissemination of data relating to treatment for drug or alcohol dependency, HIV infection or AIDS for valid purposes such as billing, research, or public health. The creation of strict disease-specific standards means that the dissemination of data in some systems and for some diseases is so restricted that legitimate health goals are undermined, while other data receive insufficient protection.
V.Conclusion
National reviews of privacy policy have consistently argued for more uniform protection of health information privacy. The Department of Health and Human Services, the Institute of Medicine, and the Congressional Office of Technology Assessment have all pointed to the principles of fair information practices as a starting point for further policy development. Certainly, there exist no easy answers to the potential conflicts between the need to collect and use sensitive health information and the need to safeguard individual privacy. Yet sound health policy demands that careful consideration be given to the privacy and security of identifiable data as the health care and public health systems move toward the development of a health information infrastructure.
Part Eight: Future Options for Protection of Health Information Privacy and Conclusion
I.Introduction
Powerful reasons justify the need for the broad collection and use of health data. High quality data are needed by public health officials, health care providers, patients and health policy makers. Adequate access to information helps consumers make informed choices among health plans and providers; assists health care providers deliver more effective clinical care; allows system managers to assess the quality and cost effectiveness of health services; monitor fraud and abuse; track and evaluate access to health services and patterns of morbidity and mortality among underserved populations; and research the determinants, prevention, and treatment of disease.
Aggressive collection of a broad range of personal data, of course, has a significant trade off in loss of privacy. American society places a high value on individual rights, autonomous decision making, and the protection of the private sphere from governmental or other intrusion. Concerns about privacy transcend the health care setting.'' Health information is perhaps the most intimate, personal, and sensitive of any information maintained about an individual. As the U.S. health care system grows in size, scope, and integration, the susceptibility of that information to disclosure will also increase. This section reviews the fundamental issues raised by existing privacy laws at the state and federal level, describes a range of possible legislative solutions including, state reform of privacy laws, adoption of existing model legislation, or federal reform, and presents recommendations for drafting laws governing health information derived from the June 1995 expert consultation. Finally, the section emphasizes the importance of fostering an on-going dialogue between health and health policy-makers in all the states.
II.Fundamental Issues Raised by Existing Privacy Law
Thoughtful scholarship in the area of informational privacy''''' sometimes assumes that some significant level of privacy can exist within the development of a comprehensive health information infrastructure. Some commentators suggest that we can have it both ways -- viz., there is no need to significantly limit the collection of data provided there is adequate legal protection for informational privacy. This report describes some of the potential benefits to individual and public health that could follow collection and access to more complete and accurate health information. It also recognizes the potential harms to individuals and society that may result from the accumulation and use of such data.
The growing collection of health-related data and the potential for improper disclosure, secondary use, and security breeches within computerized systems, suggests, however, that the resolution of the conflict between the need for information and the privacy of patients will not be simple. The law at present neither adequately protects privacy, nor does it ensure fair information practices. Those engaged in legislative or policy reform must, ultimately, confront the hard choice of whether the systematic collection of identifiable health care data should be sharply limited in order to achieve reasonable levels of informational privacy. The result of that choice would be to reduce considerably the social good that would be achieved from the thoughtful use of data. Alternatively, policy-makers may decide that the value of information collection is so important to the achievement of societal aspirations for health that the law ought not to promise absolute or even significant levels of privacy at all, but rather to require that the data be used only for authorized and limited purposes.
Fortunately, regarding many areas of existing law, the choice is not mutually exclusive. Often the interests of those implementing particular programs, public health and health care personnel, and individual patients lie in both protecting information from improper use or disclosure and making it accessible to health care providers, patients and policy-makers who show a legitimate need for it. Creation of confidentiality protections that are clearly defined and not inconsistent with one another will increase public confidence in the reliability of the protections and promote understanding of public health efforts. Where greater cooperation and public participation results from these efforts, policy-makers can both increase the usefulness of data and encourage trust between members of the public, health care providers, and government health officials.
Within a single state disease-specific statutes may demand different levels of privacy protection for health information. Many states have separate standards for confidentiality of information regarding various classifications of disease: communicable, non-communicable, sexually transmitted, or HIV/AIDS. As a result, personal information collected on an individual regarding a case of cryptosporidiosis may receive less protection than information on a person with gonorrhea. In the same state, HIV-related information may receive a distinct and even higher degree of protection, entailing specific standards and procedures for collection and maintenance of information.
Separate privacy standards linked to disease classifications have resulted from independent evolution of the law in each area. They also reflect intrinsic differences in the sensitivity of the information involved or the nature of diseases. Multiple privacy standards have several drawbacks, however. They promote confusion among the public, health care providers and public health personnel. They increase the possibilities for improper disclosure of certain types of information through the application of the wrong standard for protection or disclosure. They also, frequently, do not reflect the reality that almost all health information can be sensitive, and disclosure can have multiple implications. In the example above, although three different levels of protection may apply to the personal information collected on persons with the three different conditions, disclosure of any of the three -cryptosporidiosis, gonorrhea, and HIV - may harm or embarrass individuals. Information regarding non-communicable diseases, cancer, or inheritable conditions can be equally sensitive in some situations.
III.Potential Solutions
Phase I of this project surveyed and analyzed the existing system of state and federal privacy protections for health information and proposed possible solutions for law reform. Phase II of the project brought together experts from many fields -- health care, public health, law, and ethics -- for a consultation in June 1995 at the Carter Presidential Center to discuss the current status of health information privacy laws and consider proposals for reform of laws governing public health data, HIV-related information and immunization information. These proposals and the other issues raised in this section of the report are relevant to law and policy-makers considering review or reform of health information privacy laws at either the state or federal level.
B.Existing Model Laws
The Uniform Health Care Information Act provides one model for states enacting legislation to protect patients' interests in their medical records. Legislation based on the Uniform Act has been adopted by at least two states (Montana, Washington). The Act imposes on each health care provider the duty to establish reasonable safeguards for the security of all health information in its possession. Health information is defined by the Act as any information, whether oral or recorded in any form or medium, that identifies or can be readily associated with the identity of the patient and relates to the patient's health care. Although the Act does not expressly mention electronic or computerized records, they are included in the Act's purview. Health information held or maintained by governmental agencies is protected by the Government Health Care Information Act, which imparts similar duties to maintain confidentiality on public entities.
Basing proposals for reform of health information privacy provisions on model statutes would allow the states to retain some flexibility in their approaches while still achieving a uniform basic level of protection. Existing model laws may not fully meet the need of those designing or implementing some health information systems, such as immunization registries. Enactment of a Uniform Act requires legislative or public initiatives in each of the more than fifty states and territories. Until such standards are adopted in all jurisdictions there will continue to be problems caused by variability of laws from state to state. Even after universal adoption, variability could persist if some states opt to impose stricter standards for privacy protection than those in the model statute.
IV.Recommendations for Reform of Laws Governing Health Information Systems
At the June 1995 consultation at the Carter Presidential Center, a multi-disciplinary group of experts discussed the results of the national survey of health information privacy laws, the perspectives of participants from public health, health care, AIDS service organizations, childhood immunization advocates and others on the issues of privacy of health information and the need for access to information. The group broke into two sessions to discuss specific issues related to immunization information systems or registries and those posed by collection of public health data, particularly HIV-related data. Based on the discussions of these sessions and the following plenary session, the authors of this report drafted recommendations for review and reform of health information privacy provisions. These recommendations were circulated to the participants of the consultation and other experts for their review and comments. The recommendations contained in this report build on the work done at the consultation in June 1995 at the Carter Presidential Center and additional work by the authors and others who reviewed and commented on the work; they do not represent the official position of the participating organizations.
V.Conclusion
Any efforts to modify or reform the existing system for protection of health-related information, must acknowledge the efforts that have taken place at the state level to protect information and accomplish various health care and public health goals. One way to both acknowledge this debt and engage state health officials and policy-makers in reform efforts is to begin an on-going dialogue between health officials and policy-makers in different states.
This report has outlined recommendations which can focus that dialogue on ways of removing barriers to the achievement of good health while respecting the need to protect the privacy of health information. Absolutist positions on either side will not result in health information systems that can effectively serve both goals.
The collection of information is central to the ability of public and private health systems to provide intervention, treatment, and research, but confidentiality need not be sacrificed to these goals. Much of the information collected in health care settings is profoundly personal; if patients cannot be assured that this information will be protected from further disclosure, the possibility exists that they will no longer agree to cooperate with systems on a voluntary basis.
Many gaps that exist in the current system have been discussed in this report. Future action in the area of health information privacy must consist in part of a legitimate attempt to fill those gaps in ways which will not compromise the ability of health professionals to carry out their duties. The current system not only does not fully protect individual privacy, but the variability that exists across state and local boundaries hampers the achievement of societal goals since there is often an inability to communicate needed information.
Health officials and policy-makers in all the states need to engage in a dialogue now to prevent problems that can only be exacerbated in the future as new and faster information systems are developed. Computerized storage of health information indeed provides for faster retrieval, but also presents additional problems of improper access. Fair information practices should be integrated into legislative protection of health information. Uniform standards nationwide will result in more effective protection of health information privacy.