
Legislative Survey of State Confidentiality Laws, with Specific Emphasis on HIV and Immunization



Final Report Presented to:

The U.S. Centers for Disease Control and Prevention
The Council of State and Territorial Epidemiologists
The Task Force for Child Survival and Development Carter Presidential Center




Professor Lawrence O. Gostin, J.D., LL.D. (Hon.),

Georgetown University Law Center and

The Johns Hopkins School of Hygiene and Public Health

Zita Lazzarini, J.D., M.P.H.,

Harvard School of Public Health

Kathleen M. Flaherty, J.D.,

Georgetown/Johns Hopkins Program on Law and Public Health

Contact:

Professor Lawrence O. Gostin

Georgetown University Law Center

600 New Jersey Avenue N.W.

Washington, D.C. 20001

phone: (202) 662-9373

fax: (202) 662-9409

E-mail: GOSTIN@LAW.GEORGETOWN.EDU




ACKNOWLEDGEMENTS

This report and the Public Health Information Privacy Project were supported by the Centers for Disease Control and Prevention (CDC), the Council of State and Territorial Epidemiologists (CSTE), and the Task Force for Child Survival and Development of the Carter Presidential Center.
We are particularly grateful to Willis Forrester (CSTE), Verla Neslund (Office of the General Counsel at CDC), William Watson (Task Force for Child Survival and Development), James Curran, George Seastrom, John Ward, James Buehler, Jose Cordero (CDC), Michael Osterholm (CSTE), and Kay Johnson (March of Dimes).
In addition to these individuals, members of the Carter Center Consultation on Public Health Information Privacy (June 1995) who contributed to the recommendations include Susan Abernathy, Cornelius Baker, Mark Barnes, Ronald Bayer, Molla Donaldson, John Fanning, David Fleming, Patricia Fleming, William Foege, Helen Fox-Fields, Cynthia Gomez, Gail Horlick, Mike Isbell, Wilma Johnson, Alan Kendal, Terry O'Brien, Dennis Perotta, Marian Secundy, Dixie Snyder, Susan Timberlake, Ronald Valdiserri, and Brian Willis. Research assistance was provided by Kathleem Maguire, Angie McGowan, Susan Timmer, and Robert Scherer.

Table of Contents

Part One: Executive Summary

Part Two: Introduction: Draft Final Report of Legislative Survey of State Confidentiality Laws
I. Introduction
II. Collection of Health Information
III. Privacy and Health Information
IV. Outline of Report

Part Three: Methodology
I. Purpose
II. Structure of the Survey
III. Final Report

Part Four: Protection of Public Health Data and Health Care Information
I. Introduction
II. Public Health Data
III. State Legislation Concerning Public Health Data
IV. Gaps in Existing Laws Protecting Public Health Data
V. Protection of Health Care Information
VI. Privacy Issues and Health Care Information
VII. State Legislation Concerning Health Care Information
VIII. Gaps in Existing Laws Protecting Health Care Information
IX. Conclusion: Variation in Protection of Information in the Public versus the Private Sector

Part Five: Protection of HIV/AIDS-Related Information
I. Introduction
II. State Legislation
III. Gaps in Existing Laws
IV. Conclusion

Part Six: Protection of Immunization Information
I. Introduction
II. Immunization as a Public Health Goal
III. Proposals to Reduce Gaps in Immunization Coverage: Access to Information
IV. Privacy Issues Related to Immunization Registries
V. State Legislation
VI. Gaps in the Law
VII. Conclusion

Part Seven: Federal Legal Protection of Health Information Privacy
I. Introduction
II. Constitutional Right to Informational Privacy
III. Legislative and Regulatory Protection of Informational Privacy
IV. Gaps in Federal Protection of Health Information Privacy
V. Conclusion

Part Eight: Future Options for Protection of Health Information Privacy and Conclusion
I. Introduction
II. Fundamental Issues Raised by Existing Privacy Law
III. Potential Solutions
IV. Recommendations for Reform of Laws Governing Health Information Systems
V. Conclusion

Tables
Table 1: Protection of Public Health Data
Table 2: Protection of Health Care Information
Table 3: Protection of HIV and AIDS Information
Table 4: Protection of Immunization Information

Appendices (available separately)
Appendix 1: State Summaries
Appendix 2: Model Immunization Registry System Components


Part One: Executive Summary

This report examines current state and federal law protecting the confidentiality of health information. It focuses on four specific areas: public health information held by government, privately held health care information, HIV and AIDS-related information, and immunization information.
The ways in which our modern medical and public health systems collect, store, and use personally identifiable information have increased both the potential benefits from access to such information and the possible harms from improper uses and disclosures. The report examines the importance of both the collection of health information and the protection of its privacy. The collection and use of health information involves two important, yet sometimes competing, goals: 1) gathering and disseminating accurate and timely information on the incidence and prevalence of disease, health information necessary for health care of individuals, assessment of health care and public health needs and evaluation of programs, services, institutions and providers; and 2) protecting that information from uses or disclosures that cause harm to individuals to whom the information pertains. The report reviews the current privacy safeguards under both state and federal law in order to determine whether they are adequate to protect the privacy of individuals and are consistent with effective health policy.

Public Health Information

Every state and territory provides statutory protection for some types of personal health data maintained by a government agency. Forty-nine states and territories reported protection for general public health data, forty-two specifically protect communicable disease data, and forty-two specifically protect sexually transmitted disease data.
Forty-nine states reported some provision permitting public health officials or others to disclose public health information. Common justifications include disclosure for the purposes of: statistical evaluation (43 states); contact tracing of persons exposed to an infectious disease (39 states); spousal or partner notification of a sexually transmitted disease (37 states); epidemiologic investigations (22 states); and subpoena or court order (14 states).
Forty-two states reported statutory penalties for impermissible disclosures. Of these, thirty-one reported criminal penalties, eighteen reported civil penalties, and eight reported both (see Table 1 for more details).

Health Care Information

Privately held health care information can be protected in a number of ways. Thirty-seven states impose on physicians the duty to maintain the confidentiality of medical records. Twenty-six extend this duty to other health care providers. Thirty-three states and territories require health care institutions to maintain the confidentiality of medical records they hold. The survey found that only four states have specific legislation imposing this duty on insurers, despite the vast amount of information held by insurance companies. Nine states impose a similar duty on employers or other non-health care institutions.
Because of the increase in computerization in the storage of medical data, the survey inquired about the existence of a duty to maintain the confidentiality of electronic or computerized medical records. Only twenty-two states have legislative provisions that protect computerized or electronically transferred data.
Forty-two states protect information received during the course of a physician-patient relationship from disclosure in court proceedings, with certain exceptions. States permit disclosure of health care information for various reasons, including to another health care provider (18), to epidemiologists or researchers (16), and under a subpoena or court order (22).
Twenty-eight states provide statutory penalties for unauthorized disclosure of health care information. Twelve impose criminal penalties, nineteen create civil penalties, and three allow for both civil and criminal penalties (see Table 2 for more details).

HIV-Related Information

The importance of both the collection and protection of HIV-related information has been vigorously debated since the beginning of the epidemic. Virtually all states have enacted some HIV-specific statutes, many of which concern information collection and protection either directly or indirectly. Twenty-three states classify HIV/AIDS as a separate category of disease, sixteen classify it as a communicable disease, and twelve as a sexually transmitted disease. All states require reporting of AIDS cases to the state or local health department. Forty-one states, at the time of this survey, required reporting of HIV infection as well.
Thirty-nine states reported either HIV-specific privacy statutes or general privacy provisions that expressly mentioned HIV. The remaining states may protect its confidentiality under other statutes or provisions (see Public Health Data). Forty-eight states and territories allow for disclosure of HIV-related information in certain prescribed circumstances. The most commonly cited permissible disclosures are to: a health care provider involved in the patient's care (43); sexual or needle-sharing partners (37); parties with a subpoena or court order (29); blood banks or organ donors (22); epidemiologists and researchers (22); correctional facilities (14); school officials (12); HMOs, health care institutions, or mental health facilities (14); and insurance companies (8). Some disclosure provisions require that patient-identifying information be removed from the data. Most states permit the above disclosures but do not make them mandatory. Thirty-seven states have spousal/partner notification programs or policies, but very few make them mandatory. Only three states allow for the disclosure of the name of the source patient.
Thirty-eight states report statutory requirements for specific consent for HIV testing, including consent to the release of information. However, the absence of an HIV-specific consent statute does not indicate that informed consent is not required in a particular state. Informed consent may be required by other statutes, common law, regulations or policies. Twenty-eight states allow minors to consent to HIV testing, although they may do so under provisions that are not HIV-specific. Forty-five states specify some situations in which informed consent for HIV testing is waived. The most common exceptions, which we tabulated separately, were for persons charged with or convicted of specified sex offenses (33), for emergency workers who have been exposed to a patient's blood (27), and for prison or jail inmates (16). Other common exceptions include testing a patient who is incapable of consenting, when the test is necessary to provide medical treatment, for research or epidemiological purposes, where all identifying information is removed from the sample, and for blood, tissue or organs provided for donation. A few states also grant relatively broad discretion to public health authorities to require involuntary testing.
Forty-five states have either criminal or civil penalties for unauthorized disclosure of HIV-related information. Thirty-three states have criminal penalties, thirty-three have civil penalties, and twenty-one provide for both civil and criminal penalties (see Table 3).

Immunization Information

One of the goals of collecting immunization information is assisting parents to immunize their children completely and on time. Immunization programs also seek to increase immunization coverage in populations and communities. Twenty-two states and the District of Columbia maintain or were in the process of establishing immunization registries at the time of this survey. Eleven states have functional immunization registries; the remaining states are in the process of development. Nine states have enacted statutes that specifically authorize immunization registries; four states operate registries that are not expressly authorized; and nine states are currently developing registries or are considering registry bills in their legislatures.
The level of protection accorded to the information contained in the registry, and the type of information collected, differs from state to state. Six of the nine states with immunization registry legislation directly address confidentiality of immunization information in their statutes.
Most other immunization-related provisions concern mandatory immunization for school attendance. In many states, schools are the primary collector of immunization information. Virtually all states require proof of immunization status or exemption for admission to primary school. Forty-seven states mandate that immunization information be reported to the health department (32), schools (44), or child care facilities (25). Overall, forty states permit access to immunization records by the health department, health care providers, school officials, or epidemiologists and other researchers. Of the thirty states without registries, provisions grant access to immunization records by: the health department (18); health care providers (8); school officials (11); researchers (1).
Only sixteen states impose a penalty for impermissible disclosure of immunization-related information. Fifteen designate minor criminal penalties, and four provide for civil liability (see Table 4).

Federal Protection of Health Information Privacy

Federal protection of health information privacy is fragmented and uncertain. The U.S. Constitution applies only to state action and, therefore, binds principally federal and state government collection of health information. More important, courts are likely to defer to reasonable governmental action for public health purposes, provided the collection of information is reasonably necessary to achieve an important health purpose and the agency provides reasonable safeguards for privacy and security.
The federal government has also implemented both legislative and regulatory protection of health information privacy. The Privacy Act and the Freedom of Information Act provide the most complete assurance of confidentiality of government records. However, the Privacy Act contains a number of exceptions that have been widely construed, particularly the "routine uses" exception. The Medical Records Confidentiality Act of 1995 (Bennett-Leahy Bill) remains in Senate committee in June 1996. The draft bill includes, inter alia, a description of individuals' rights regarding health information, definitions of protected health information, safeguards for such information, restrictions on the use and disclosure of information, and criminal and civil sanctions for violation of disclosure or use provisions. Since the bill remains in committee and subject to amendment, its exact impact, if it is enacted into law, is difficult to determine.
Other federal statutes contain a highly fragmented series of privacy protections for specific diseases (e.g., substance abuse, or HIV/AIDS) or for particular activities (e.g., research).

Future Options for the Protection of Health Information Privacy and Conclusion

Policy makers considering future options for reform or revision of statutes protecting health information privacy encounter common issues in all of the areas of health information covered in this survey. Health information systems have dual goals - increasing collection and access to complete and accurate information for use by patients, health care providers, public health officials, health care institutions, and policy-makers; and protecting sensitive medical information from disclosure that can harm the individual. Policy-makers will not be able to fully realize both goals without sometimes compromising or diminishing one of them. Substantial gaps remain in current statutory privacy protection, including variation in laws from state to state, variation within each state between disease-specific statutes, and variation according to who holds the information. Policy-makers must consider whether reform should take place at the federal or state levels.
Potential solutions for future action include integration of fair information practices into legislative protection of health information; adoption, by each of the states, of model laws such as the Uniform Health Care Information Act or new laws based on the recommendations described in the report (Future Options for Protection of Health Information Privacy and Conclusion); and/or pre-emptive federal legislation that would set uniform standards for protection of health information, establish guidelines for security of information systems, and provide education regarding the requirements and procedures for protection of health information privacy.

Recommendations for laws governing public health data

The recommendations apply only to personally-identifiable data since they raise the most acute privacy concerns.

1. Data protection review. A systematic and continuous review of privacy and security is essential to ensure a fair and effective public health information infrastructure. An independent data protection commission at the federal or state level should be established to carefully review privacy and security protocols and practices, including an examination of data collection justifications, informed consent procedures, information for subjects, fair information practices, and disclosures and secondary uses of data. The commission should be comprised of persons with experience and expertise in health care and public health, privacy and security, law and ethics, and include community representatives. To assure accountability and ongoing discussion of privacy, the commission should make public its decisions and reasoning.

2. Data collection justification. Acquisition of health information cannot be regarded as an inherent good. Rather, privacy statutes should require a clear justification for the collection of personally identifiable information by public health authorities. Statutory criteria for data collection include: (i) preventing a significant public health risk, (ii) providing a likely benefit to the subject of treatment or other services, and (iii) conducting surveillance necessary to monitor and ensure the health of populations.
Public health authorities have the burden of demonstrating that data collection is likely to achieve the stated goal. For example, public health authorities may legitimately seek to identify individuals with communicable or sexually transmitted diseases through testing, partner notification, and reporting. Yet, if resources are not provided for counseling and education, and if efficacious therapy does not exist or access to health care is not assured, the purposes of prevention and therapy are unlikely to be achieved.
Public health authorities must substantiate the need for a named identifier when collecting information. If they could achieve the public health goal as well, or better, without personal identifiers, the collection of non-identifiable or aggregate data is preferable. These data collection principles recognize that government authority to acquire sensitive personal information ought to be justified by substantial public health goals that cannot be achieved by means that are less invasive of individual privacy.


3. Information for subjects. Even though the government authorizes or mandates the collection of identifiable health data in accordance with the foregoing principles, subjects are still entitled to basic information. Subjects are entitled to know the purposes for the data collection and how the information will be used; the length of time that the data will be stored and the circumstances under which it will be expunged; and the degree to which third parties (e.g., regulators, researchers, and government officials) may obtain access. Data should be acquired, stored, used, and transmitted consistent with the information provided to subjects.

4. Fair information practices. Fair information practices require that no secret data-systems should exist; subjects should have access to information about themselves and to just procedures for correcting and amending their personal record; personal data should be expunged when no longer needed for the stated purpose; and public health officials should assure the reliability of the data for their intended use and take rigorous precautions to prevent misuse of the data.

5. Privacy and security assurances. Legally binding privacy and security assurances should attach to personally identifiable public health information. The collector of public health information would be under a legal duty to maintain the confidentiality of that information and to store it in a secure system. Significant penalties would apply for breach of privacy or security assurances.
Privacy and security assurances under law would apply to all users of the information. Accordingly, when public health information is transmitted to a third party, the recipient would be required to honor the same privacy and security assurances as the record's original holder. The duty to protect data, then, would be transferred simultaneously with the data, as would liability for violation of privacy or security standards.


6. Disclosure of data. Disclosure of public health data could be made only for purposes consistent with the original collection. Thus, data could be disclosed only where clearly necessary to avert a significant health risk, for the direct therapeutic benefit of the subject, or for surveillance. For example, information gathered to prevent a significant public health risk could be shared only with those public health officials or health care professionals essential to avert the risk. This limitation would not undermine public health goals, for the principle permits sharing information, where appropriate, between programs (e.g., STD, TB, drug, alcohol, and mental health) and across systems (e.g., health agencies and health care providers).
Public health authorities must follow the least-intrusive-disclosure principle. Thus, the information disclosed must be the least identifiable and least sensitive, and disclosed to the fewest persons, necessary to achieve the stated purpose.

7. Secondary uses of the data. Secondary uses of data occur when information is used in ways that are incompatible with the original purposes for collection. Secondary uses of identifiable information beyond those originally intended by the data collector would be permitted only with the informed consent of the subject. Thus, information collected for a permissible purpose such as prevention, treatment, or surveillance, could not be used in other ways that might affect the person's rights, privileges, or benefits without the subject's authorization.
Secondary uses of data in aggregate or non-identifiable form would be permitted without the patient's consent where there is a strong public interest. The U.S. Department of Health and Human Services Task Force on Privacy explained: "An incompatible use is not necessarily a harmful use; in fact, it may be extremely beneficial to the individual and society. There are some incompatible uses that will produce enormous benefits and have at most a trivial effect on the individual's privacy interest."

Recommendations for laws governing immunization information systems

The following recommendations are intended to assist states in the development of fair and effective immunization information systems.

1. Objectives of registries. The purposes of an information system are to (i) provide accurate, complete, and timely information on immunizations received or due for any child to providers, parents, and public health officials to help parents obtain current immunizations for infants, pre-schoolers, and school-age children; and (ii) to protect information held in the system (through both privacy and security protections) from disclosures that may harm the child or parents, and to share the information only for substantial public health purposes.

2. Statutory protection of privacy: a uniform approach. States or localities must have in place strong legislative protections of privacy and security before collection of immunization data commences. Adequate privacy safeguards require restricted access to data, strict penalties for unauthorized disclosure, and protection of the system from court order or subpoena. In addition to statutory protection, written protocols describing the privacy and security standards should be disseminated to employees, providers, parents, and other interested parties.

3. Fair information practices. Statutory protection of privacy should be based on a set of fair information practices: immunization information systems should be known to the public, not secret; parents should have access to information about their children and know how the information is used; parents should consent to uses of information for non-immunization purposes; parents should be able to correct or amend their child's immunization record; public health officials must assure the reliability of the immunization data for their intended use and take rigorous precautions to prevent misuse of the data; and adults should have the right to have personal data expunged when they are no longer necessary for immunization purposes.

4. Type of Registry Information. Early determinations about the type of information that will be contained in the immunization information system will affect the confidentiality, access, and security required in the design and operation of the system. A basic registry must contain the name, address, birth date, immunization dates, and vaccines administered, as well as sufficient information to identify and locate custodial parent(s).
Registries that contain sensitive health status information must provide stronger confidentiality safeguards. Registries may include medical contraindications to immunization, adverse reactions to vaccines, allergies, and immune conditions such as HIV status. Furthermore, registries may include: information regarding welfare or medical benefits (including eligibility under the Comprehensive Childhood Immunization Act of 1993); immunization waivers based on religious beliefs; and social or medical information about siblings or other family members.
Registries are likely to contain a personal identifier. Unique identifiers created only for use in the immunization database create fewer risks to privacy. Personal identifiers, such as a social security number, that can be linked with other databases potentially could be used to access and match information in other systems (e.g., those held by social services and child welfare, Medicaid, Aid to Families with Dependent Children, and the Immigration and Naturalization Service).


5. Access to Registry Information. The planning process for deciding who should have access to immunization information should be deliberate, open, documented, and reviewed periodically. Design issues include whether the system should be accessed on-line, through closed electronic panel, by telephone/facsimile, by written request, or in person. For health care providers administering immunizations, access should be as direct as possible (computer or phone/fax with security password). Requests for information from all other parties should be in writing or in person with identification.
The following criteria could be used to determine who has access to data in the immunization record: (i) Is the information necessary for purposes of providing immunization services? Under this criterion, access to identifiable data would be provided to health care providers, immunization programs, custodial parents, schools and day care, and other entities that coordinate or offer immunizations such as WIC programs. (ii) Is the information necessary to achieve other compelling public health objectives that do not conflict with the goals of the immunization program? Public health officials and researchers should gain access to personally identifiable information only where strictly necessary to achieve substantial public health purposes. If the public health purpose could be achieved as well or better with aggregate data, no personally identifiable information should be disclosed. (iii) Is the information necessary to achieve important social objectives that are not compatible with the purposes of the immunization registry? Agencies concerned with criminal justice, social services, immigration, and other non-public health objectives should gain access only to aggregate information.


6. Provider, parental and community involvement. Immunization information systems are intended to help parents, providers, health officials and communities provide each child with up-to-date immunizations, while protecting children and families from privacy invasions. To achieve the support and cooperation of these primary participants, they should be involved in critical discussions about immunization system design and privacy protection. Interested parties such as insurers, employers, and non-public health agencies also have valid interests, but they should not take precedence over the main goals of the system.

Conclusion

Any efforts to modify or reform the existing system for protection of health-related information must acknowledge the efforts that have taken place at the state level to protect information and accomplish various health care and public health goals. One way to both acknowledge this debt and engage state health officials and policy-makers in reform efforts is to begin an ongoing dialogue between health officials and policy-makers in different states.
This report has outlined recommendations which can focus that dialogue on ways of removing barriers to the achievement of good health while respecting the need to protect the privacy of health information. Absolutist positions on either side will not result in health information systems that can effectively serve both goals.
The collection of information is central to the ability of public and private health systems to provide intervention, treatment, and research, but confidentiality need not be sacrificed to these goals. Much of the information collected in health care settings is profoundly personal; if patients cannot be assured that this information will be protected from further disclosure, the possibility exists that they will no longer agree to cooperate with systems on a voluntary basis.
Many gaps that exist in the current system have been discussed in this report. Future action in the area of health information privacy must consist in part of a legitimate attempt to fill those gaps in ways which will not compromise the ability of health professionals to carry out their duties. The current system not only does not fully protect individual privacy, but the variability that exists across state and local boundaries hampers the achievement of societal goals since there is often an inability to communicate needed information.
Health officials and policy-makers in all the states need to engage in a dialogue now to prevent problems that can only be exacerbated in the future as new and faster information systems are developed. Computerized storage of health information indeed provides for faster retrieval, but also presents additional problems of improper access. Fair information practices should be integrated into legislative protection of health information. Uniform standards nationwide will result in more effective protection of health information privacy.

Part Two: Introduction: Final Report

Legislative Survey of State Confidentiality Laws

I. Introduction

The ways in which our modern medical and public health systems collect, store, and use personally identifiable information have increased both the potential benefits from access to such information and the possible harms from improper uses and disclosures of that information. Understanding the complex web of state and federal laws which protect health information privacy and dictate when and under what conditions health data may be disclosed is central to understanding the strengths and weaknesses of current public policy in this area. This project surveyed state and federal law in four areas of health information privacy and analyzed existing law in the context of both the increasing transfer of health information and public and governmental concerns with privacy. This report documents both the results of the survey and the analysis of the current state and federal law regarding public health data, privately held health information, HIV/AIDS-related information, and immunization information. It concludes with a discussion of options for legislative action, including recommendations for drafting privacy laws derived from discussions at an expert consultation in June 1995. This section considers the common issues raised by the increasing collection of health information; the improvements in health status and health services which high quality information facilitates and the real concerns of citizens and privacy advocates that information contained in large health databases may be poorly protected or misused. The section concludes with an outline of the report.

II. Collection of Health Information

Many individuals and entities currently collect, store and use health information. Individual health care providers, hospitals, insurers, employers, and educational institutions collect information to meet the needs of their own practices and/or institutions, or to comply with legal mandates. Public entities including health departments, environmental departments, welfare and family services, social security, government disability, and other offices collect health information in order to achieve societal goals such as improving health, preventing pollution, or providing support for the disabled. Each of these individuals and entities has slightly different justifications for collecting and using health information. This sub-section will briefly examine the potential benefits that timely, complete and accurate information provides to the public health and health care systems.

A. Public Health Data

Collection of information is necessary for the basic public health activities of reporting, case finding, and partner notification or contact tracing. Reliable aggregate information is also vital for policy-makers and program planners responsible for resource allocation, program design, and targeting of prevention programs. Public health policy-makers and program managers need information that reveals differences in status by age, geographic area, and other risk factors. Accurate measurement of this information can help policy-makers assess the barriers in the areas of access, cost, or quality that affect health-improvement efforts. Lack of reliable information hinders program planners and public health officials trying to stop outbreaks of disease or quantify local needs.
Developing a public health information infrastructure is integral to contemporary efforts to "reinvent" the public health system. We define the public health information infrastructure as the framework that undergirds the electronic information collection, storage, use, and transmission supporting the essential functions of the public health system.

B. Health Care System

Collecting accurate and complete health information from individual patients contributes to good patient care. Lack of current information on health status presents problems when an individual sees a health care provider who does not have a comprehensive record of that person's medical history. Lack of complete information can result in a lost opportunity to provide childhood immunizations or to correctly diagnose and treat serious acute or chronic illnesses in adults.
Health care providers' collection of health information not only supports optimal care of individual patients but also facilitates achievement of systemic goals. These include assessing the quality and cost effectiveness of health services, monitoring fraud and abuse, tracking and evaluating access to health services and patterns of morbidity and mortality among underserved populations, and researching the determinants, prevention, and treatment of disease.

C. Goals of Health Information Systems

The usefulness and accessibility of information collected as part of a written or computerized medical record is limited by the nature and structure of the specific confidentiality protection accorded to that information. While no system that collects a large volume of data on individuals can avoid all possible harms due to improper disclosure or misuse of information, certain broad goals guide efforts to collect and manage information. These include ensuring:

1. the integrity of health care data so that information is accurate, complete, and trustworthy -- the integrity of information is critical to quality patient care, assessment of services, research, and public health;
2. the availability of health data so that authorized persons who need the information for legitimate health purposes have ready access to the data -- if clinical information is not readily available to health providers, the best interests of patients may be significantly compromised; and
3. the privacy of patients so that they can be assured that personal information remains private and will not be disclosed without their knowledge and permission.

D. Is it Public Health or Health Care Information?

Many public health functions are the joint responsibility of the personal health care system and the public health system. Accordingly, reliable information needs to be shared across these two health systems. For example, prevention, diagnosis, and treatment of drug and alcohol dependency, sexually transmitted diseases, AIDS, and tuberculosis are undertaken both by private health care providers and public health departments. Similarly, registries containing information about immunizations, traumas, and cancers may provide substantial advantages to both health care providers and health departments in understanding the determinants of disease and outcomes following interventions as well as provide clinical data important for patient care. Consider, as an illustration, the role of health information in the case of tuberculosis control. Persons with multi-drug-resistant tuberculosis frequently come into contact with a wide variety of agencies and organizations (e.g., jails, emergency rooms, homeless shelters, and clinics for HIV, STDs or drug dependency), each of which may be unaware that the person is infectious or may not be taking prescribed anti-tuberculosis drugs. Yet, often none of these entities has ready access to information in the personal health record or tuberculosis registry held by the state public health department. As a result, many of these individuals, who are under the jurisdiction of health, social services, or corrections authorities, are not identified and are at considerable risk of spreading the infection in the community or in congregate settings.

III. Privacy and Health Information

Concerns over patient privacy and the confidentiality of health information have a long history. From the time of the earliest surveillance systems, citizens (often with support from the medical profession) have objected on privacy grounds to governmental acquisition of health status information. Many forms of surveillance, notably reporting, require physicians to disclose patient information to health departments. Surveillance, especially that which involves personally identifiable information, raises several concerns. First, patients, often physically and mentally vulnerable, divulge intimate details of their lives to their physician; medicine's paternalistic traditions have long recognized that the patients' weakened position compels strict confidentiality assurances even in the face of government demands. Second, both law and ethics in the late twentieth century emphasize autonomy as a theoretical justification for privacy; patient autonomy encompasses the right to control the dissemination of personal health information. Third, confidentiality is central to a trusting physician/patient relationship; physicians implicitly or explicitly pledge to guard patient secrets. Fourth, respecting confidences promotes patient candor about health and disease risks; failure to respect informational privacy could lead to decreased disclosures, less frank revelations, or, worse, reluctance to seek care. Finally, unauthorized disclosure of information could result in embarrassment, stigma, and discrimination.
For their part, health departments have a generally excellent history of maintaining the confidentiality of personal information. Disclosure to health departments (as opposed to family, friends, employers, or insurers) seldom produces tangible harm such as stigmatization, embarrassment, loss of employment, or denial of insurance. Yet patients may feel wronged simply because the government -- without patient permission -- maintains automated databases containing intimate and identifiable health information.
Justifications for privacy are based primarily on respect for the individual. In contrast, justifications for collecting and using health information are based mainly on attaining societal or collective goods. To the extent that a health information infrastructure promotes effective public health interventions, ethical values militate in favor of its rapid development. The very purpose of government is to obtain through collective action human goods that individuals by themselves could not realistically procure. Chief among these goods is assurance of the conditions under which people can attain (or maintain) health. Health information alone cannot ensure the community's health, but it can contribute to improved health status and effective disease control.
The American public perceives that the growth in the amount of personal medical information stored by health care providers and related bureaucracies poses a threat to their privacy. A 1993 poll on health information privacy revealed that the vast majority (80%) of respondents believed they had little control over how their personal medical information was used. This concern over the privacy of medical information has affected the debate over health care reform and the plans for a national health care system. Eighty-five percent of the poll respondents stated that maintaining the confidentiality of medical records is absolutely essential or very important in national health care reform.
Health care providers' ability to ensure the privacy of the information they obtain from a patient is critical. If a health care provider cannot assure the patient that the information he provides will not be further disclosed without his permission, the patient will likely hold back when discussing deeply personal items that may be important to his diagnosis and treatment. The patient may even provide false information if he fears that an admission may have consequences outside the doctor's office.
Threats to patient privacy and confidentiality of health information are compounded because records containing health information are held by numerous individuals and entities. One patient may see many health care providers in a lifetime (e.g., primary care physicians, specialists, hospitals, emergency rooms, testing laboratories). Each of those providers will maintain a record on the patient. Other entities (insurers, employers, schools, governmental agencies) also keep records of health data. Because of differences in organization or geographic location, these entities may not be held to the same duty of care in protecting the confidentiality of the records they maintain.
The ability of public health officials to detect and prevent communicable diseases, and provide appropriate services to those already infected, depends on cooperation with the community to encourage voluntary participation in public health programs. If persons in the community fear disclosure of their illness, or discrimination on the basis of seeking services, they will be less likely to come forward for testing, counseling, or treatment, and hesitant to participate in preventive educational programs. Public health officials recognize that protecting public health data from improper disclosure will encourage openness and honesty between individuals and health care providers or public health officials as well as voluntary participation in public health programs.

IV. Outline of Report

This report examines the importance of both the collection of health care information and the protection of privacy of individual patients and confidentiality of health information. It reviews the current privacy safeguards under both state and federal law for public health data, privately held health care information, HIV/AIDS information, and immunization information in order to determine whether they are adequate to protect the privacy of individuals and are consistent with effective health policy.

Part Three: Methodology

I. Purpose

The Centers for Disease Control and Prevention (CDC), the Council of State and Territorial Epidemiologists (CSTE), and the Task Force for Child Survival and Development, supported by the Robert Wood Johnson Foundation, have sponsored a collaborative project on privacy in health care and public health information, with particular emphasis on information related to HIV infection and immunizations. The goal of the project is to review current legal privacy safeguards for these data to determine whether they are adequate to protect the privacy of individuals and are consistent with effective health policy.
Phase I of the project included a survey, compilation and analysis of state statutes, regulations, and executive orders pertaining to privacy in four areas of health-related information (public health data, health care information, HIV/AIDS related information, and immunization information). The research team has been headed by Professor Lawrence O. Gostin, Co-Director of the Georgetown University/Johns Hopkins Program on Law and Public Health.
Phase II of the project involved a consultation held at the Carter Presidential Center, Atlanta, in June 1995 which brought together experts in public health law, epidemiology, health ethics, immunization programs, HIV/AIDS prevention and care, representatives of state and municipal health departments, and the general community. During and after the consultation these experts considered and commented on recommendations for drafting laws relating to the protection of confidentiality of health-related information.
This report details the results of both phases of the project.

II. Structure of the survey

The research team collected and analyzed state laws related to health information in fifty states, the District of Columbia, and Puerto Rico. We collected information using a questionnaire that was developed in consultation with the CDC, the CSTE, and the Task Force for Child Survival and Development and was distributed to the State and Territorial Epidemiologists. The State Epidemiologists transmitted responses to the questionnaire and copies of their state statutes for summary and analysis. We performed computer searches to collect state law for those states which did not respond to the questionnaire. We used follow-up calls to gather additional information.
We classified the data received into categories for subsequent analysis and recorded them on four master tables, devoted to public health, health care, HIV/AIDS, and immunization privacy, respectively. Briefings and phone consultations with program officials at the CDC, CSTE, and the Task Force resulted in refinement of the individual categories and the four master tables.
We also prepared state summaries based on the information submitted by the state epidemiologists. These summaries serve as a basis for the final report but also provide a quick reference for anyone seeking a more detailed description of the privacy laws of each state. In order to assure the accuracy of the information, we faxed or mailed drafts of the summaries to the state epidemiologists for approval or correction, and made follow-up calls to obtain final comments.

III. Final Report

This report both summarizes the survey findings on the current federal and state laws in the area of privacy protection of health-related information and presents a discussion of the issues raised and potential options for further development including recommendations for model laws governing various types of health information privacy.
The report first discusses the various protections afforded to health information, which includes both public health data and privately held health care information. Next, there are sections addressing specific laws governing HIV and AIDS-related information and immunization information, including the creation of immunization registries. The report describes the protection offered by federal law to all of these areas of health-related information.
The final section of the report presents a discussion of future options for legislation and policy in the area of health information privacy. In particular it outlines recommendations for model laws governing several areas of health-related information which are based on the consensus of opinions at the June 1995 consultation and subsequent work by the research team and select experts.

Part Four: Protection of Public Health Data and Health Care Information

I. Introduction

Health information in the United States is collected and maintained by a wide variety of entities, including among others local and state health departments, disease-specific programs (TB, STD, HIV), private health care providers, hospitals, insurers, employers and educational institutions from day-care to universities. For the purposes of this report these entities will be divided into those that collect and use "public health data" and those who collect and use "health care information." As used here, "public health data" includes all health related information that is collected and maintained by a government agency. This may include data on reportable or communicable diseases; surveillance of non-communicable diseases, or behavioral risk factors; birth defects registries; or other health information databases. "Health care information" includes all health related information that is collected, held, or transferred by private entities. This can include individuals (health care providers) or institutions (hospitals, insurance companies, academic institutions).
This section discusses the particular justifications for collection of both public health data and health care information and the unique privacy concerns raised by such information; it also presents an analysis of the state laws governing protection and disclosure of public health data and health care information. Finally, the gaps in existing law will be considered and compared to other areas of health information. The following two sections will consider specific issues and concerns related to collection, storage and use of two specific types of health-related information: HIV related information and immunization information, respectively. In both cases the single type of information is maintained sometimes by private entities (physicians, hospitals), and other times by public entities (health departments). Consequently, the laws governing the privacy of the information either apply to the public institutions and agencies, or private individuals and institutions, or both.

II. Public Health Data

A. Collection of Public Health Information

The collection, storage, and use of vast amounts of information on the health of populations are among the core functions of public health. Historically, public health surveillance focused on identifying and controlling persons with communicable diseases. In the United States, legal provisions requiring reporting of diseases pre-dated the founding of the republic. A Rhode Island act of 1741 required tavern keepers to report patrons with contagious diseases to the local authorities. Publication of nation-wide data on mortality began in 1850, in the same year as the first decennial census. By the turn of the century all state and municipal laws required reporting to local authorities for some of the most common, deadly communicable diseases, including smallpox, cholera, and tuberculosis. One of the great accomplishments of public health in the twentieth century, the eradication of smallpox, was based, ultimately, on the prompt identification of local outbreaks and vaccination of all susceptible persons who might have been exposed. Recently, reports of clusters of deaths among otherwise healthy residents of the southwestern United States led to the rapid mobilization of investigators. Within months scientists had identified a new strain of hanta virus and described its mode of transmission and means of prevention.
Increasingly, public health agencies gather data on more than communicable diseases. Concern over environmental risks requires collection of information on children's blood lead levels, the incidence of certain types of cancer, birth defects, and specific pulmonary diseases. In growing recognition of the effects of behavior on personal health, health agencies also collect and analyze information on such behaviors as smoking, alcohol and drug use, exercise, use of seatbelts and bicycle helmets, and sexual practices. Reliable information on communicable, behavioral, and environmental risks enables public health agencies to respond effectively to prevent disease and disability.
The development of a public health information infrastructure is not a distant concept, but an emerging reality. National, regional, and statewide databases are rapidly becoming repositories of a vast amount of public health information. At present, numerous health databases exist with comprehensive data on health status and population-based research. Data registries are maintained for specific diseases such as AIDS, tuberculosis, and cancer, and specific functions such as childhood immunization. The U.S. Public Health Service (PHS) maintains databases on the health status of large populations. The PHS is also funding the development of automated systems to link state and local databases to systems across the country. Perhaps the most ambitious public effort to create a population-based database is the National Health and Nutrition Examination Survey (NHANES) conducted by several federal agencies. NHANES systematically collects health status data in identifiable form on some 40,000 Americans in eighty-one counties in twenty-six states. Some five hundred pieces of data are collected from each subject, ranging from socio-demographics, diet, bone density and blood pressure, to risk status, drug use, and sexually transmitted diseases. Additionally, NHANES tests and stores biological samples for long-term follow-up and statistical research.
The tools of surveillance and epidemiological research include testing and screening for disease, reporting of the names of active cases to state health departments and aggregate information, stripped of personal identifiers, to the CDC, notification of sexual partners and other contacts, and surveys of the prevalence of disease or risk factors in certain populations. The development of an organized system of disease surveillance and epidemiological research is essential to the success of the public health system. Carefully planned surveillance and epidemiological activities facilitate rapid identification of health needs, including clusters or outbreaks of microbial disease (e.g., HBV, cryptosporidiosis, or E. coli), the initiation of risk behaviors in sub-populations (e.g., smoking among female adolescents or ethnic minorities), and patterns of harm (e.g., child or spousal abuse, lead poisoning, radon, iatrogenic injuries, or gunshot wounds).
Close and continuous observation of the health of populations can help achieve many of the central objectives of public health: (i) by detecting the existence of environmental, microbial, occupational and other threats to health at an early stage, surveillance can provide an early warning system; (ii) by tracking and monitoring the incidence, patterns, and trends of injury and disease in populations and making future projections, surveillance can help concentrate resources and focus interventions in areas of greatest need; (iii) by identifying modes of transmission, surveillance can provide knowledge for behavioral, social and environmental changes and public health interventions to avert the spread of disease; (iv) by evaluating the success of public health responses, surveillance can help determine their cost effectiveness; and (v) by providing accurate information on health risks to policy makers and the public, surveillance can affect funding decisions and change social norms. In short, surveillance enables public health to define the health problem, inform the public, intervene, and influence funding decisions -- all indispensable to the mission of public health.

B. Privacy Concerns Related to Public Health Data

The American people continue to express their concerns over the uses of information held by government and private individuals (see Introduction). Although public health departments generally have very good records of preventing unauthorized disclosures of health data, the level of confidentiality of public health data, perhaps even more than privately held health data, can be a source of concern for individuals and communities. Systematic collection by government of a broad range of personal health data poses a profound trade-off in loss of privacy. Americans react apprehensively when the government accumulates personally identifiable information about their lives. Health information can reveal intimate aspects about an individual or a family's life, may affect one's ability to hold a job, maintain custody of children, secure immigration status, or obtain access to insurance or public benefits.
To a certain extent, respecting confidences and promoting public health are consistent goals; public health campaigns often depend upon the community's trust and cooperation and include substantive and procedural protections for information obtained in the course of public health work. However, a basic tension exists between the need for information and the need for privacy. Realistically, significant levels of privacy cannot exist within the government's wide and complex web of data collection. Therefore, as a society, we face a vexing issue: What is the proper balance between public health information collection and privacy protection, and how might we realize it?
In many contexts public health officials have fully embraced the need for protecting the confidentiality of personal medical information. Since public health programs often depend on the voluntary participation of the public, policy-makers may prefer programs that build trust between the community and health workers rather than those that erode trust. Contact tracing programs, one of the traditional public health strategies for control of sexually transmitted diseases, traditionally prohibit the disclosure of the identity of the source patient. Reports and investigations of other communicable diseases are generally treated as confidential although their collection, storage and use may be less tightly controlled than information regarding sexually transmitted diseases or HIV.

III. State Legislation Concerning Public Health Data

Public health data, all health-related information which is collected and maintained by government agencies, are distinguishable from personal health care information; they are not gathered principally for diagnostic or therapeutic purposes, but for the aggregate good (e.g., epidemiological assessment, population-based prevention, or research). Public health data include surveillance and reporting of communicable diseases, non-communicable diseases, conditions, or behavioral risk factors, registries, and other government-maintained health information systems. State legislation governing public health data is frequently found among the statutes and regulations that establish public health officials' authority to protect the public health or in provisions describing the protections and permitted or mandated disclosures of all information held by the government.

A. Privacy Protection for Data Maintained by Government Agencies

Every state and territory reported statutory or regulatory protection for some types of governmentally-maintained health data. Forty-nine states reported protections for public health information in general, forty-two reported specific protections for information related to communicable diseases, and forty-two reported protections for data related to sexually transmitted diseases (see also, Table 1). All states require reporting of certain communicable or sexually transmitted diseases. This legislation also often mandates the confidentiality of any reports or investigations of communicable or sexually transmitted diseases. States vary widely on whether they rely on disease-specific statutes to protect some publicly held data (TB, STDs, HIV/AIDS) or whether they include protection of all these conditions under their general public health data statutes. It is important to note that states without specific HIV-related confidentiality statutes may also provide equally stringent protection of HIV-related information under comprehensive public health, communicable disease, or sexually-transmitted disease statutes.
Although most, if not all, states have public records provisions which guarantee individuals access to public records, the majority of states explicitly exempt all medical records held or maintained by government agencies from classification as public records.
In many states, public health data collection is increasing through special registries and databases. Registries include information regarding, for example, congenital birth defects, cancers, drug use during pregnancy, or childhood immunizations. Some databases contain a broad range of health data. Statutes establishing these systems often specify standards for safeguarding informational integrity, which may include measures to bar unwanted or unauthorized access, and mechanisms to prevent data modification or destruction. These laws also frequently include criteria for maintaining the information's confidentiality, use, or disclosure. North Carolina, for instance, has established a Center for Health Statistics which is authorized to collect health data on behalf of government agencies and private organizations. The Center's information is held in confidence, closed to public inspection, and subject to security standards.
Residents and lawmakers in some states have expressed concern about the public health system's trend toward collecting more personally-identifiable data. The California Civil Code explicitly states that the indiscriminate collection and dissemination of personal information threatens the right to privacy, that computers have magnified privacy risks, and that governmental use of personal information must be subject to strict limits. California protects personally identifiable information in government health studies; grants public entities a limited privilege for withholding health information; allows agencies to maintain only personal information relevant to the agency's purpose; and requires agencies, whenever possible, to collect information directly from the subject rather than from secondary sources.
Other states reported protections for particular types of public health information. A few states specifically protect the results of government-sponsored scientific studies or privately conducted research based on government data. New York, notably, stipulates that information obtained in specially-designed studies is inadmissible in litigation.

B. Permissible Disclosures of Public Health Information

Forty-nine states reported some provision for divulging public health information. Common justifications include disclosure for the purposes of: statistical evaluation (43 states); contact tracing of persons exposed to an infectious disease (39 states); spousal or partner notification of a sexually transmitted disease (37 states); epidemiologic investigations (22 states); and subpoena or court order (14 states) (see Table 1 for more details).
States vary greatly in the degree of disclosure authorized. A few states have crafted strict criteria for permissible disclosures. Indiana, for example, allows the release of public health information only upon written consent, only to the extent necessary to enforce public health laws, and only in aggregate form if requested for statistical purposes.
Other states extensively list permissible disclosures, while still others rely on a broad general disclosure provision. Two states, Montana and Washington, have adopted the Uniform Health Care Information Act, which permits disclosures for statistical purposes; with written consent; to medical personnel as necessary to protect a patient's health or well-being; as provided in tuberculosis or STD laws; to other state or local health agencies for providing health services or promoting public health purposes; in child abuse proceedings; and where necessary to implement public health legislation or regulations.
The disclosure provisions in California and New York resemble those in the Uniform Act, but also include lists of additional circumstances under which information may be disclosed. California allows identifiable data to be released to the state archives, when the record possesses historical value; and to law enforcement authorities who are investigating unlawful activity involving certification, regulation, or licensing. California law also authorizes limited release of medical and background information on biological parents to adoptees, their children, or grandchildren.
At least one state stipulates that if the state or local health officer believes an individual poses a public health risk, the officer has substantial discretion to release certain kinds of data. Other states permit disclosures to certain classes of people (e.g., emergency workers or funeral home directors after being exposed to an infectious agent, or health care professionals for their own, or their patients' safety).
State statutes may accord varying degrees of protection to data on different diseases. Massachusetts requires a court order for release of information from sexually transmitted disease reports and other diseases covered by specific statutes. Only a subpoena is required for release of data on communicable diseases which are not subject to specific statutes and other public health data.

C. Penalties for Impermissible Disclosure of Public Health Data

Notwithstanding state confidentiality provisions and security arrangements to prevent unauthorized access, the possibility of negligent or intentional disclosures remains. Forty-two states reported statutory penalties for impermissible disclosures. Of these, thirty-one reported criminal penalties, eighteen reported civil penalties, and eight reported both. All states with criminal penalties designate violations as a misdemeanor. Montana's statute is typical: it provides that any person who knowingly violates the confidentiality provisions is guilty of a misdemeanor and upon conviction shall be fined not less than $500 or more than $10,000, be imprisoned in the county jail not less than 3 months or not more than one year, or both.
A typical civil penalty provision mandates that any person who discloses confidential information will be civilly liable to the person whose identity or information was disclosed -- for court costs, attorneys' fees, and exemplary damages, including any damages for economic, bodily, or psychological harm proximately caused by the disclosure. Some states specifically shield health department personnel from liability, unless the breach of confidentiality constitutes willful misconduct or gross negligence (see also Protection of HIV and AIDS Information: Spousal and Partner Notification). Other states authorize removing or impeaching public officials who violate confidentiality laws.

IV. Gaps in Existing Laws Protecting Public Health Data

The survey of state legislation revealed significant problems that affect both the development of fair and effective public health information systems and the protection of privacy. While most states have nominal safeguards of public health privacy, they are often incomplete or inadequate. Statutes may be silent about the degree of privacy protection afforded; confer weaker privacy protection to certain kinds of information; or grant health officials broad and unreviewable discretion to disseminate personal information.
Many of the gaps in existing privacy protections for public health data are similar to those described elsewhere in the report for HIV-related information and health care information. Legislative activity in each of the states and territories has produced a rich mosaic of laws and policies which may share the same goals but reflect the specific concerns of people and legislators in each state. The independent evolution of each state's laws has also created certain characteristics which can pose problems in today's increasingly mobile society in which people and diseases are constantly on the move. This section considers these distinguishing features in the laws and the impact they have on public health efforts and individual privacy.

A. Variation in Public Health Laws from State to State

State provisions for the protection of health data maintained by government agencies reflect less variation from state to state than do some of the other areas of health information reviewed in this report (see Protection of HIV and AIDS Information, Protection of Immunization Information, and Protection of Health Care Data, below). Virtually all the states and territories have provisions to protect public health data and to limit instances in which disclosure is allowed.
There remain, however, variations from state to state which can pose difficulties. First, statutes seldom narrowly specify individuals and entities who are entitled to access or delineate precise criteria for determining who has a legitimate need for the information. Rather, statutes often provide broad definitions of who may have access. Alternatively, legislation may authorize access so broad as to undermine the right to privacy. Second, statutes are often silent about secondary uses of information -- i.e., disclosure of data for purposes beyond those used to justify the original collection. Accordingly, the subjects of the data are uncertain about whether, or to what extent, data collected for one purpose may be used for an unrelated purpose. For example, no guidance may be provided about whether data collected for epidemiological purposes can be used for other reasons ranging from clinical diagnosis, treatment and research to uses in the welfare, immigration, and justice systems. Third, statutes often do not explicitly protect public health data from disclosure through subpoena or court order. This may render sensitive data vulnerable to disclosure in civil or criminal proceedings where required by the court. Finally, penalties for disclosure without legal authorization may be weak or non-existent, or public health officials may be exempt from liability for their negligent handling of information.
In contrast to weak or erratic protections, other states restrict information access so tightly that the law thwarts public health responses to pressing health problems. Some states, for example, do not expressly permit disclosure to other state and local health departments for the control of communicable diseases. Certain state legislation can even be construed to restrict the intrastate transfer of communicable disease data to public health officials and health care professionals. Consequently, persons with HIV, STDs, or TB may be lost to follow-up when they move from state-to-state, or to different programs within the same state, due to difficulty in releasing patient-identifying information.
Independent evolution of state law has produced considerable variation and inconsistency. Variability, of course, can be a strength in a federal system of government, allowing state experimentation with solutions to complex issues. Variability in surveillance and privacy protection, however, creates problems in an increasingly mobile society in which disease outbreaks may erupt rapidly in several states requiring systematic and consistent collection of comparable data sets. Data sent from state to state do not receive reliable privacy and security protection. Moreover, individuals who relocate across state lines cannot expect continuity in privacy protections of publicly-held health information. For instance, multi-center research, often conducted simultaneously in different states, is carried out in a shifting legal environment in which some states offer data protections while others do not.

B. Differences in Laws Concerning Communicable Diseases, Sexually Transmitted Diseases and Others

The survey revealed a range of stratified legislative schemes, in which states accord particular diseases special status. Many states have enacted disease-specific statutes or provide distinct provisions for different disease categories (e.g., communicable diseases, STDs, tuberculosis, and HIV). Each statute may mandate distinct data collection and reporting procedures, separate security arrangements, discrete justifications for disclosures, and specific permissible secondary uses. In addition, while some state laws rigorously protect certain disease specific data (e.g., HIV/AIDS), they may be silent about guarding information on other conditions (e.g., non-communicable diseases). Consequently, different parts of the same health record may receive different degrees of protection under separate disease-specific statutes. Such a system is apt to confuse public health personnel, health care providers, and the public. Inconsistent protection of intimate health information may lead individuals to misunderstand or distrust public health efforts. Moreover, disease-specific legislation may thwart public health goals by generating separate policies, programs, and procedures for diseases that may share common behavioral risk factors and require a unified approach for treatment and prevention.
The problems presented by such a variation in rules are only compounded by a system that protects intimate information collected by government agencies differently than similar information collected by private entities ranging from health care providers to insurance companies. The next section examines confidentiality protections for health information gathered in the private sphere.

V. Protection of Health Care Information

Historically, the collection of health care information involved primarily two people, the patient and the physician. Occasionally, a physician might ask a family member about information that the patient could not remember, or a nurse might assist the doctor in compiling the information collected. The physician would store the paper record in a file cabinet at the physician's office, usually limiting access to the doctor and his staff.
Now, a myriad of people are involved in the collection of medical information. Patients no longer see one general physician, but instead consult a number of specialists. They may have medical tests performed at numerous locations. Insurance companies require that information from each of these visits be submitted before payment for services is approved. Much or all of this personal data is stored on computer files which may be vulnerable to access by unauthorized persons.
States have used a variety of means to provide protection for health care information collected on their citizens. State case law or statutes may impose a duty to maintain confidentiality of medical records alternately on physicians, other health care providers, health care institutions, insurers, other individuals or entities, or all of the above. In some states the law creates a special duty to maintain the confidentiality of electronic or computerized medical records. The doctrine of physician-patient privilege also affords a degree of protection in court proceedings. Statutes, case law or professional codes of conduct may limit circumstances under which disclosures of medical information are permitted and impose penalties on persons who wrongfully disclose information.

VI. Privacy Issues and Health Care Information

A. Collection of Health Care Information

Timely and accurate collection of health care information is necessary for good patient care, for the efficient operation of health care institutions and for the fulfillment of systemic goals including quality and cost assessment, prevention of fraud and abuse, evaluating access to health care by underserved populations, and research on causes and prevention of morbidity, mortality, drug efficacy, or side effects. The potential benefits of an integrated health information infrastructure include enhanced consumer choice, improved quality of health services, a healthier population, and reduced health care costs.
When a patient seeks care from a health care provider who does not have access to the patient's complete medical record, lack of basic information about the patient may prevent the provider from diagnosing the patient's condition quickly, or force the provider to waste precious time tracking down records from other hospitals, private doctors' offices, or public clinics. Much of modern medical care is dependent on a highly detailed record of physical examinations, laboratory tests, diagnostic procedures, and pharmacy records. Most patients cannot and do not know where every piece of information about their medical condition is stored. Therefore, they can often offer little help to the physician who needs their records in order to assess their current condition.
Hospitals and other institutions seeking payment for medical care from third-party payers (private or government insurance) must have complete and accurate information on each patient in order to receive payment. Moreover, accurate information also assists institutional policy-makers who must plan for future allocations of resources and personnel.
Increasingly, the institutions that pay for medical care, private insurance companies and the federal and state governments (through Medicaid and Medicare), are seeking information with which to assess the quality and cost effectiveness of individual providers, programs, treatments, and other interventions. Health care institutions also conduct utilization review procedures to verify the need for hospital admissions, justify the length of patients' hospital stays, the use of diagnostic tests, or other high technology. Professional licensing boards for health care providers may conduct on-going peer review of patient care and other professional activities.
The debate over health care reform revealed that accurate information about the functions of the health care system is central to any debate of the issue. Policy-makers need to know where and how Americans are receiving their health care, and how many people are making do with less than they need. Also critically important are accurate evaluations of the relative efficiencies of the various types of care that are currently being delivered, evaluations of pilot projects to care for the uninsured, and innovative programs to reduce cost while maintaining quality. Policy-makers cannot make informed decisions on these issues without accurate statistics and analysis of the information.

B. Privacy Concerns Related to Health Care Information

Citizens are concerned about both the quantity and the sensitivity of health care information collected about them, as well as the number of individuals and institutions which hold or transfer their personal medical information. The privacy issues raised by the collection of health care information include many of the same concerns discussed elsewhere in the report (see, Protection of Public Health Data, above, and Protection of HIV and AIDS Information and Protection of Immunization Information, below).
The increasing use of computers to record, store and transfer health care information, whether it is by public health departments, private physicians, or insurance companies, is problematic because of the perceived ease with which computerized information can be accessed at multiple sites, by authorized or unauthorized persons. Public fear and distrust of technology and bureaucracy are likely to increase as collection, storage, and dissemination of information become even more automated.
Where health care information is linked to patient identifiers, such as social security numbers, individuals may be concerned that anyone knowing their social security number and a few other facts could gain access to their medical records. Since social security numbers are used for a variety of purposes not related to social security, many people have access to them.
Collection of health care information also raises issues specific to these kinds of health related data. Health care information is often collected and maintained by entities, such as insurance companies, that are not health care providers. Individuals may be concerned that these businesses will not be bound by the same ethical (or legal) standards as health care providers or institutions. There is a substantial market for medical information on individuals and population groups. Patients are reasonably concerned that businesses will treat the intimate details of their medical record as any other business record, to be used, evaluated, or even sold, for business purposes.

VII. State Legislation Concerning Health Care Information

Duty to maintain confidentiality

A majority of states place a duty on physicians to maintain the confidentiality of medical records in their possession. Thirty-seven states find such an obligation (see Table 2 and Appendix One: State Summaries, for more details). States that provide for the confidentiality of medical records often require prior written consent of the patient for release of the record (e.g., California). At least one state's law provides that the patient may presume information about him will be kept confidential (e.g., Minnesota). Even when a patient authorizes release of medical information for one purpose, he is not presumed to have authorized additional disclosures (see, e.g., New York).
Other states provide more limited statutory protection for health care information. Tennessee provides for confidentiality of medical records, but only when the medical information is gathered or generated as the consequence of services paid for at least in part by the state. Tennessee has no general state statute imposing a duty to protect the confidentiality of medical record information. The law does recognize the physician-patient and therapist-patient privilege and, thus, does not protect confidential information obtained in these relationships against forced disclosure in court proceedings.
Twenty-six state statutes require other health care providers to keep patient medical records confidential. The duty owed by non-physician health care providers usually mirrors that owed by physicians. For example, in California written authorization of the patient or his legal representative permits disclosure by the health care provider, but does not allow further disclosure by the person who receives that information. New York law specifies that certain licensed professionals (social workers, dentists, etc.) may not reveal personally-identifiable facts, data, or information obtained without the prior consent of the patient.
Thirty-three states require that health care institutions maintain the confidentiality of patient records in their possession. In addition to requiring the facilities to keep medical information confidential, state laws or regulations may require facilities to develop and implement policies designed to assure the security of patient records. Institutions, too, are often required to obtain proper authorization to disclose the information. In Colorado, the theft, disclosure, stealing, or copying of physician, health care worker, or hospital information without such authorization is a felony. The state may place limitations on the kind of information the facility may disclose: in Connecticut, institutions, hospitals and facilities of the departments of health services, mental retardation, and mental health may only release information about patients as is required to obtain support and payments from state and federal agencies for the care of such patients, or for review or auditing of federally funded programs. The law may also limit the disclosure of information about certain types of treatment. Information regarding drug or alcohol abuse treatment is protected from disclosure under federal law. Many states provide that information about mental health treatment may not be released without written informed consent (see, e.g., Illinois).
Insurers obtain medical information about patients when claims are submitted for payment. Despite the proliferation of the practice of third-party payment for medical services, only four states expressly require insurers to maintain the confidentiality of medical information that they receive. In New York, an insurance company which has received information about a patient for the purpose of determining benefits must protect the confidentiality of that information from future disclosures. Insurers may, however, be covered under general provisions that require anyone in possession of health care information to protect its confidentiality.
Nine states have specific provisions that impose the duty to maintain confidentiality of medical information on other, non-health care related institutions. Arkansas statutes concerning, among other things, peer review activities, child abuse and neglect information, records of medical examiners, reproductive health, and child sex offenders, all specifically address the issue of confidentiality of medical records. California requires employers who receive medical information to establish appropriate procedures to ensure the confidentiality of and protection from unauthorized use and disclosure of such information.


Computers and other electronic media are fast becoming the storage method of choice for medical and other personal information. Despite this fact, only twenty-two states have specific provisions regarding the protection of confidentiality of records maintained on electronic or computerized media. These provisions offer varying degrees of protection. Several states, such as Tennessee, use the same standards for confidentiality of computerized or electronic records as those applied to paper records. In other states, including Arkansas, statutes governing confidentiality of computerized health care information apply only to public health data; private physicians, hospitals and other health care facilities may or may not be held to the same definition. Oklahoma's Health Care Information System Act provides that individual forms, computer tapes or other forms of data collected by and furnished to the Division of Health Care Information or to a data processor shall be confidential. Statutory protection of computerized data may also lack specificity. Florida requires only that computerized records be kept in accordance with "sound" record-keeping practices.

Physician-Patient Privilege Regarding Health Care Information

Forty-two states recognize the doctrine of physician-patient privilege. This privilege belongs to the patient, not the physician; it may be claimed by the patient, a guardian or conservator of the patient, the personal representative of a deceased patient, or the physician, but only on behalf of the patient. The physician-patient privilege is an evidentiary rule that prevents the disclosure in court proceedings of information obtained from physician-patient interaction for the purpose of diagnosing or treating the patient. The privilege, and therefore the protection, may be waived by the patient expressly to allow the physician to testify, or it may be considered to be waived in certain circumstances, such as the hospitalization of a patient in a psychiatric facility, a court ordered examination of the patient, or when the patient's condition is at issue (as in a malpractice suit). The District of Columbia, however, absolutely prohibits the use of medical records or testimony in local court proceedings without the consent of the patient.
The scope of the privilege varies from state to state. Some states limit the privilege to communications between patients and physicians; others, such as Oklahoma, include psychotherapists; Colorado's privilege rules also cover registered professional nurses; Illinois' Medical Patient Rights Act includes all public and private inpatient and outpatient health care facilities.
Statutes delineating health care provider-patient privilege may include exceptions when the privilege does not apply. The physician-patient privilege in New York has several statutory exceptions. These include, among others, health care providers who must disclose information that a patient under the age of sixteen has been the victim of a crime, the reporting of gunshot or knife wounds, communicable disease reporting, and reporting of addicts or habitual users of narcotic drugs.
Alabama is one of the few states that does not recognize the physician-patient privilege; medical records are subject to subpoena and admission in court.
In addition to any statutory penalties (discussed below, Penalties for Impermissible Disclosure of Health Care Information) physicians who intentionally betray a professional secret or violate a privileged communication, except as otherwise provided by law, can be subject to professional sanctions (e.g., Arizona).

Permitted Disclosures of Health Care Information

In today's health care system, physicians rarely treat an individual without help from other health care providers. Few state laws have specifically recognized this reality; only eighteen expressly provide exceptions to confidentiality rules for disclosures to other health care providers. Such a disclosure is generally lawful when its purpose is to aid in the diagnosis or treatment of the patient. The decision of whether or not to make such a disclosure is often left to the professional judgment of the physician; New Jersey law allows the disclosure, even absent the patient's request, if the physician determines the disclosure to be in the patient's best interests.
Sixteen states have passed laws permitting health care providers to disclose information about their patients to epidemiologists and researchers. These rules usually require that the information be disclosed only to qualified researchers for bona fide research purposes and not be further disclosed in any way that identifies the patient.
Twenty-two states provide that physicians are permitted to disclose health care information under a subpoena or court order. However, even in states that do not expressly include exceptions for the release of information by court order or subpoena, health care providers may be forced to release medical information pursuant to an order of the court.
Many states allow for the release of medical information in various circumstances to accommodate the needs of the current health care environment. Authorization by the patient or the patient's representative will permit the release of records. Some states, such as California, have very specific requirements for consent forms; others do not specify whether the consent needs to be written or oral.
Several states (including California and New York) allow disclosure of health care information to insurers, employers, governmental authorities or anyone else responsible for paying for services rendered to the patient. They also allow disclosure of information to hospital or utilization review committees. Colorado law provides that physician disclosure of such information, in good faith, shall not "constitute libel, slander, or violation of the right to privacy, or of any privileged communication."
In certain states, including Connecticut, physicians are required to report suspected cases of child abuse, elder abuse, or abuse of a physically incompetent or mentally retarded individual. Disclosures made in good faith to law enforcement agencies are protected. Public health reporting requirements are also excepted from rules regarding the confidentiality of health care information.

Penalties for Impermissible Disclosure of Health Care Information

The penalties for impermissible disclosure can be either civil or criminal. Twelve states allow for criminal prosecution while nineteen make the person or entity who failed to maintain confidentiality of medical records liable to civil suit. Three states (California, Minnesota, and Rhode Island) allow for both civil and criminal penalties. Violations may be considered misdemeanors (as in California) or felonies (as in Colorado); punishments can range from fines of $1,000 (Illinois) to fines of not more than $10,000 and imprisonment in the county jail for not more than one year (Montana). In civil suits, plaintiffs may recover both compensatory and punitive damages, attorneys' fees and costs. Additionally, provisions in state Medical Practice Acts (as in Arkansas and Idaho) sometimes make the unauthorized release of medical information grounds for disciplinary action, such as suspension or revocation of licenses.

VIII. Gaps in Existing Laws Protecting Health Care Information

A. Variation from State to State in Laws Protecting Health Care Information

Laws protecting the confidentiality of health care information vary markedly from state to state. In some states there are few or no statutory requirements for health care providers and institutions to protect the confidentiality of health care information. Other states' statutes protect some or all health care information that is not held by government agencies. Only Montana and Washington have implemented the Uniform Health Care Information Act, which holds as its primary aim the maintenance of confidentiality of individual records. Other states may rely only on medical practices and policies to safeguard patient confidentiality. Because health care information and patients frequently move from state to state, the same information on a single patient may be protected in one state, but lose protection when it is transferred to another. Employers, insurers, and other institutions which do business in or have employees in multiple states may have difficulty determining which standards apply for information obtained, stored, transmitted or used in different states. This may lead to improper or inadvertent disclosures of information. Alternatively, some entities may be unable to pursue systemic goals, such as cost or utilization analyses, when state laws create substantial barriers to access and transfer of health care information.

B. Variation in Protection of Electronic or Computerized Health Care Information

Fewer than one-half of the states (twenty-two) have specific rules safeguarding the confidentiality of electronic or computerized medical records. This failure of law to keep pace with technological advances in information storage creates a substantial impediment to the protection of confidentiality of private health care information. Since much of the health-care industry is now computerized, the storage of personal information in systems that are potentially vulnerable to anyone with access to computer technology (even without legitimate right to the information) is particularly troubling.

C. Variation in Protection of Health Care Information Depending on Who Holds the Information

Whether, and to what degree, laws protect the confidentiality of health care information also depends on who holds the information. Many of the rules regarding the duty to maintain the confidentiality of medical records apply to physicians and hospitals. Health care information is collected, held, transferred, and used by a large number of individual providers and institutions. Only four states, however, specifically impose upon insurers a duty to maintain confidentiality of patient information. Similarly, few states impose a duty on employers to protect information. Since insurers, employers, and other non-health related entities are increasingly involved in the administration of health benefits, the absence of specific confidentiality provisions applicable to these parties may substantially reduce (or eliminate) the effectiveness of any other state provisions protecting privately held health information.

IX. Conclusion: Variation in Protection of Information in the Public versus the Private Sector

Most existing privacy provisions impose a duty to protect information on the individual or entity which holds the record. Legal provisions which impose a duty to protect information on the holder of the information are a remnant of a time when health care information was maintained primarily in physical records that were kept either in a physician's office or the public health department. Such provisions fail to address the current situation in which a substantial amount of data is held in electronic form by parties as diverse as physicians' offices and clinics, hospitals and other health care institutions, the health department, laboratories, insurance companies, the state and federal government, academic institutions, and other researchers. Linking responsibility for the protection of the confidentiality of a record to the holder of the record can mean that a single piece of health care information on an individual is treated differently depending on the identity of the holder.
Virtually all states have in place statutory or regulatory protections for publicly held health information. In some states, however, this is in marked contrast to a relative lack of protection for information held by private health care providers, hospitals, and other institutions. This increases the opportunities for disclosure of sensitive information, misunderstandings of the protection accorded to information, and, possibly, fosters people's distrust of the system.
The current system of state laws with differing levels of protection depending on the type of health care provider or institution, the type of service rendered, and geographic location does not and cannot adequately protect the patient's right to privacy and the confidentiality of the wide variety of health-related information held by private and public entities.

Part Five: Protection of HIV/AIDS-Related Information

I. Introduction

No disease characterizes the intractable dilemma between health information and privacy as does HIV/AIDS. Its emergence as a pandemic disease has served as a continuous reminder of the need for accurate, timely, and complete public health information. Society's success or failure in combatting communicable disease is based in part on health officials' ability to identify when and where outbreaks are occurring, to determine how infection is spread, and to design possible strategies for halting or slowing further transmission. In the absence of a systematic global surveillance system, HIV infection spread silently for many years; it was present on several continents before it was detected. In the United States, reports of case clusters of unusual pneumonia and rare cancers among gay men in 1981 led to the syndrome's description. Even before the virus was discovered, epidemiological investigations determined that the condition was likely caused by a transmissible agent which was spread via the same routes as hepatitis B. Accurate collection and dissemination of information also helped dispel misconceptions about casual (e.g., air-borne and food-borne) transmission.
This section explores the important justifications for collection and use of HIV-related information to achieve public health goals as well as the necessity of protecting the confidentiality of that information from improper disclosures; analyzes the scope and variety of state laws and regulations governing privacy of HIV-related information; and describes the problems or gaps in the current system of state and federal law.

A. Collection of HIV-Related Information: An Important Public Health Goal

From the beginning of the HIV/AIDS epidemic, the rapid and accurate collection of information has been vital to efforts to identify and then combat the disease. The collection and use of HIV-related information involves two important goals: gathering and disseminating accurate and timely information on the incidence and prevalence of HIV infection and AIDS; and protecting that information from uses or disclosures that cause harm to individuals to whom the information pertains. While these two goals may seem to be directly in conflict, they need not be. The laws and/or regulations that make possible public health programs and policies can be designed to accommodate both objectives, albeit imperfectly.

B. Privacy Concerns

From its inception, AIDS, and later HIV infection, evoked grave concerns about privacy, giving rise to early accounts of a "third epidemic" of blame, stigma, prejudice, and discrimination. Individuals diagnosed with AIDS or HIV infection have lost their jobs and homes; children have been excluded from schools and adults barred from practicing their professions. Individuals and families experience fear, hatred, and prejudice when their neighbors learn that a child, husband, wife, or partner has AIDS. A series of United Nations reports on discrimination associated with HIV world-wide revealed that it occurs at multiple levels within society: in public policy (discriminatory laws or policies); in the private sector (discrimination by private employers or providers of services); in the community (marginalization of certain groups or individuals); and in the family (rejection of family members). HIV-related discrimination has appeared virtually everywhere AIDS and HIV have been diagnosed, and it has profound negative consequences for individuals and society.
Many countries, including the United States, have taken legal measures to decrease discrimination that arises from people's fear of HIV infection. The Americans with Disabilities Act (ADA) makes it illegal to discriminate against persons with HIV, AIDS, or other disabilities in a wide variety of public and private settings and services. Laws, however, are only a partial solution. They do not affect the roots of the discrimination, fear, prejudice and misunderstanding of the risk of HIV. Nor do they reverse the underlying discrimination that many persons at risk of HIV infection already face.
Infection with HIV continues to be associated with profoundly intimate actions, including sexual activity and drug use, the revelation of which may expose people to stigmatization, discrimination, and even rejection by family, friends, and community. In the United States, HIV and AIDS disproportionately affect populations that already experience discrimination in our society, including homosexuals, members of racial and ethnic minority groups, and those who engage in certain illegal behaviors, such as drug users and sex workers. Given the enduring nature of some of these prejudices, and the fundamentally intimate nature of the information, it is not surprising that many individuals do not want information on their HIV status to be disclosed.
Communities affected by HIV/AIDS have vociferously voiced concerns about governmental collection of sensitive information, including HIV-antibody test results; named reporting of AIDS and/or HIV infection; data generated in research studies and epidemiologic investigations; results of population-based screening (e.g., newborns, pregnant women, and sentinel hospital surveys); information about sexual practices and drug use; pharmacy records; and assorted clinical test results (e.g., CD4 cell counts, viral cultures or assays, and tests for opportunistic infections).
Consider the striking illustration of the CDC-sponsored national seroprevalence survey of newborns. To ensure the participants' privacy, the study utilized anonymous data collection. However, by stripping samples of all identifiers (blinded data), researchers were unable to notify mothers and caregivers of HIV-infected newborns, which precluded any follow-up treatment. Federal legislators subsequently introduced a bill that proscribed anonymous screening of newborns. This led the CDC to announce the program's suspension, despite the vital epidemiologic data it produced regarding the prevalence of HIV infection in women of childbearing age and the number of children born to HIV-infected mothers each year.
The AIDS epidemic also cogently exemplifies the interplay between information collection and individual privacy. Comparative studies in different locations have shown that anonymous testing correlates with increased requests for HIV testing; mandatory named reporting correlates with decreased requests for HIV testing; and persons at highest risk of infection tend to seek anonymous rather than confidential HIV testing. Despite these results, medical developments (e.g., emerging evidence that AZT can reduce the rate of perinatal transmission) and a shifting social climate (e.g., away from civil liberties protections) have sparked continued calls for mandatory HIV testing and disclosure.

II. State Legislation

Since the beginning of the epidemic there has been a great deal of legislative activity involving HIV and AIDS. Virtually every state has passed laws dealing directly with HIV infection or AIDS, and some states have enacted legislation in a broad range of areas. Laws and regulations that specifically mention HIV or AIDS can be found in, or promulgated under, the public health statutes (also called the Public Health Code, Health and Safety Code, or many other variants); criminal statutes; government statutes; education statutes; as well as many others. Virtually all states have statutes, regulations, or policies which protect HIV-related information either directly or indirectly. Many states have enacted HIV-specific confidentiality provisions (e.g., California, Florida, Massachusetts, New York). Other states have opted to protect HIV-related information under laws protecting all public health data (e.g., Minnesota, Tennessee). Consequently, the absence of HIV-specific statutes does not necessarily indicate that HIV-related information is not protected. At the same time, medical and social developments continue to give rise to calls for mandatory testing or use of HIV test results for new purposes.
This section describes some of the state statutes, regulations, or policies which directly concern HIV-related information: how it is obtained, how it is protected, and when it may be disclosed by either government agencies or private parties. The section and the appendices containing summaries of the HIV and AIDS information laws of each state and territory (Appendix One) are not a comprehensive description of each state's HIV-related law; they concern only the collection and uses of HIV-related information.

A. Classification: Disease-Specific Statutes

Many states' public health statutes are disease-specific; they categorize diseases as noncommunicable, communicable, or sexually-transmitted. Additionally, they may have separate statutes for other diseases, such as TB or HIV/AIDS. Twenty-three states classify HIV/AIDS as a separate category of disease. Sixteen states classify HIV/AIDS as a communicable disease and twelve as a sexually transmitted or venereal disease.
Classification of a disease determines crucial issues of how the disease is handled from a public health perspective: whether it is reportable (by name or anonymously); whether that information is treated as confidential; whether the health department can exercise coercive public health powers for disease control; and whether other public health measures such as contact tracing will be pursued. For example, much public health law developed in the last hundred years granted information regarding communicable disease relatively weak protection, while more stringently protecting information regarding venereal diseases (now referred to as sexually transmitted diseases, or STDs).
Some states classify HIV as a sexually transmitted disease. Public health officials and policy makers in these states must determine whether all other provisions applicable to sexually transmitted diseases should apply to persons with HIV or AIDS. Similarly, states may require reporting of dangerous communicable diseases to state or local public health authorities within a set time period (hours, days, a week) of their diagnosis. For policy reasons related to their efforts to promote HIV testing and a broad range of prevention activities, states may or may not wish to require reporting of both HIV and AIDS. Consequently, some states have chosen to classify HIV/AIDS in its own category, or to include special provisions governing disease reporting that distinguish between HIV infection and AIDS.

B. Reporting

All states currently require reporting of cases of AIDS as currently defined by the Centers for Disease Control and Prevention (CDC). Forty-one states, according to the materials obtained for this survey, also require health care providers, laboratories, blood banks, hospitals, and sometimes other institutions and individuals to report cases of HIV infection to the state or local health department.
Early in the epidemic, mandatory reporting of HIV infection was opposed by many who feared that the requirement and the fear of breaches of confidentiality would drive people at risk of infection away from being tested. There is some evidence that the availability of anonymous testing (and presumably release from the fear of any possible disclosure of identity) can increase both the number of people who seek testing and encourage testing by more people who are at high risk of infection.
When anonymous testing was introduced in Oregon, the overall demand for testing increased fifty percent, with the most marked increases among homosexual/bisexual men (125%), and female prostitutes (56%). The number of positive tests doubled in the calendar quarter immediately following introduction of testing. During the same time the number of tests sought in neighboring geographic areas and in private clinics (providing confidential, named testing) did not increase. In South Carolina, a state with mandatory named reporting of HIV infection and mandatory partner notification, one study showed that although only a relatively small number of state residents went to neighboring states for anonymous testing, those that did so were more likely to be infected than were those who were tested confidentially within the state.
In spite of these fears, the trend appears to be for states to require reporting of HIV infection. Many states require named reporting of HIV infection. In other states reporting of HIV infection is anonymous. In a few states reporting is anonymous unless set criteria are met. For example, in Oregon reporting is generally anonymous unless the person infected with HIV fits into one of seven categories. These include patients who have donated blood or tissue in the last year; have a criminal record involving sexual offenses; are children under six years of age, or under twenty-one if they qualify for special education; have tuberculosis; request assistance in notifying partners; or refuse to notify their partners and their partners fit other criteria (see Spousal or partner notification, below). In states with anonymous testing programs and laws mandating reporting of HIV infection, the reports from anonymous testing sites do not include patient identifying information (see, e.g., Indiana).

C. Consent for Testing and Exceptions Where Consent Waived

1. Informed consent for HIV testing

Policies regarding informed consent to HIV testing are fundamentally important to a consideration of privacy issues because individuals have a strong interest in maintaining the confidentiality of HIV test results and other sensitive medical information. If an individual does not have the opportunity to decide whether or not to undergo a test for HIV (where patient identity is linked to results), he has been forced to reveal potentially sensitive information. This information may, or may not, be protected from further disclosures, but the primary "disclosure," the test itself, will have occurred without the patient's consent and possibly against his wishes.
Thirty-eight states report statutory requirements for HIV-specific consent to testing. Twenty-eight states have some provision which allows minors to consent to testing for HIV. For informed consent to take place four criteria must be present. The patient must be competent, i.e., able to understand the risks and benefits of the proposed test or treatment; she must have sufficient information regarding the risks and benefits on which to base a decision; she must make the decision voluntarily, in the absence of undue coercion; and the consent must be sufficiently specific.
State statutes requiring HIV-specific informed consent provisions require a variety of procedures, documentation, and counseling. Some states require that informed consent be given in writing unless the testing is performed anonymously, in which case documented oral consent is usually sufficient. Some states create additional procedural requirements for informed consent. Oklahoma, for example, requires that the written informed consent be attached to the blood sample in order to avoid liability for testing without consent.
Other state statutes specify how informed consent must be obtained or outline the minimum pretest counseling that should be included. Illinois physicians may not delegate the responsibility for obtaining written consent, except to another physician knowledgeable about HIV infection. The Nebraska statute specifies that the consent procedure must contain an explanation of the test, the nature of HIV/AIDS, information regarding behaviors known to transmit the virus, and that testing is voluntary.
The absence of a statute requiring HIV-specific informed consent does not indicate that informed consent is not required in a particular state. Informed consent may be required by other statutes, common law, regulations or policies. Some states have policies requiring specific informed consent (see, e.g., Arkansas, New Jersey). In Nevada informed consent is required for all medical procedures, but there is no specific requirement regarding HIV testing. Other states treat testing for HIV as they do testing for other communicable or sexually transmitted diseases (see, e.g., Vermont). Texas usually requires informed consent for HIV testing; however, state statutes specifically allow testing for HIV based on a general consent for medical tests and procedures when such test results are used only for diagnosis or are directly related to medical treatment. Kentucky requires "voluntary informed consent" for testing, but notes that a general consent form is sufficient.
Most informed consent provisions and policies apply primarily to adults. Of the twenty-eight states which allow minors to consent to HIV testing, some specifically allow minors over a certain age to consent (see, e.g., California, 12 years and older; North Dakota, 14 years and older). Other states provide that informed consent for testing can only be obtained from minors mature enough to make an informed decision. At a minimum this requires the youth to understand the meaning and consequences of the test.
States may allow minors to consent to HIV testing under special circumstances (other than age) or for diagnosis or treatment of certain conditions. For example, Oklahoma describes specific conditions under which a minor may consent to medical testing or treatment and imposes special duties on health care professionals who provide services to minors. The Oklahoma statute provides that a minor who is or has been pregnant, afflicted with any reportable communicable disease, or suffering from drug, substance, or alcohol abuse, may consent to testing or treatment. The consent is only valid for the prevention, diagnosis and treatment of those conditions specified by the statute. The health professional who accepts responsibility for providing care to the minor also assumes the obligation to provide counseling for the minor by a health professional. Even if testing shows the minor is not pregnant, nor suffering from a communicable disease, nor from any of the other listed conditions, the health care professional shall not reveal any information whatsoever to the minor's spouse, parent, or legal guardian without consent of the minor.
A few states which do not specifically require informed consent for HIV testing do have specific provisions for consent by a minor. Wyoming does not have a specific requirement for informed consent to HIV testing; however, it does allow minors to consent to testing and treatment for sexually transmitted diseases, including HIV. Alaska also does not have a specific consent requirement for HIV testing. Although Alaska classifies HIV as a rare disease of public health significance, state officials believe that minors may consent to testing for HIV under the state's sexually transmitted disease provisions.

2. Consent requirement waived

Forty-five states and territories specify some situations in which informed consent for HIV testing is not necessary. Notably, there are more states which have HIV-specific exceptions to an informed consent requirement than those which have HIV-specific consent requirements (thirty-eight). This confirms that informed consent is required in many states which do not have an "HIV-specific" informed consent requirement by statute.
The development of the commercially available test for antibodies to HIV in 1985 has continued to generate controversy over whether it can, or ever should, be performed without consent. Testing for HIV antibodies is unlike most other tests performed in the medical setting. The psychological and social impacts of a positive result, including the increased risk of possible suicide, are important to consider. Pre-test counseling, recommended by the Centers for Disease Control and Prevention, cannot be adequately performed without the consent, cooperation, and understanding of the patient. If a health care provider tests a patient without consent, the provider faces a difficult ethical dilemma in deciding whether, or how, to inform the patient of the result. Advances in understanding the disease process of HIV infection and development of effective therapies for treatment of HIV which delay onset of illness, or even prevent transmission, continue to cause renewed calls for imposition of non-consensual (mandatory) testing in certain settings.
Although it is well-settled that competent patients have the right to informed consent before accepting or rejecting most medical tests, treatment or procedures, there have always been exceptions to this rule. Health care providers can render services to an unconscious or incompetent patient in emergency situations. Public health officials can require individuals to cooperate with certain disease control activities including immunization campaigns, unless participation would be medically dangerous or the individual maintains certain religious or philosophical objections.
This survey reveals that most statutes list relatively few exceptions to the requirement for informed consent to HIV testing. This is in contrast to the relatively numerous exceptions to confidentiality provisions (see Permissible or Mandatory Disclosures, below). The most common exceptions which we tabulated separately were for persons charged or convicted of specified sex offenses (at least thirty-three states); for emergency workers who have been exposed to a patient's blood or bodily fluids (twenty-nine states); for health care workers who have been exposed (twenty-seven states); and for inmates of correctional institutions (sixteen states). Other exceptions which were very common include testing of a patient who is incapable of consenting when the test is necessary to provide medical treatment; for research or epidemiological purposes, where all identifying information is removed from the sample; or for blood, tissue, or organs provided for donation, although donors are usually informed that testing will occur. Many statutes also allow testing of persons convicted of other types of crimes including prostitution, drug-related crimes, and some assaults.
A few state statutes contain additional exception provisions which grant broad discretion to public health authorities to require involuntary testing. North Dakota law waives the consent requirement when a health care provider, emergency care provider, home care provider, or patient is exposed to bodily fluids of a patient or care provider, if specified criteria are met. Consent may also be waived for persons charged with sex offenses, or convicted of sexual offenses or drug offenses involving the use of hypodermic needles and syringes, as well as any inmate in a state correctional facility for longer than fourteen days. North Dakota also provides a broad exception to the consent requirement that allows any state health officer or designee of the state health officer to order examination and testing for HIV of anyone within the officer's jurisdiction, who he or she knows or has reason to believe, because of medical or epidemiological information, has HIV infection and is a danger to the public health. North Carolina has a provision which allows the Commissioner of Health to authorize or require testing for HIV infection when necessary to protect the public health (see also Missouri).
Statutes which contain general wording or grant broad discretion may be found unconstitutional or otherwise overturned. An Alabama statute previously allowed testing without informed consent when patients presented for treatment and "based upon reasonable medical judgment" were determined by physicians to be at "high risk" for HIV infection. In Hill v. Evans a federal district court found the statute unconstitutional. The court ruled that HIV testing, while a laudable public health goal of the state, could not be performed on this group of people without first presenting them with the opportunity to give informed consent, an opportunity provided to all Alabama residents under the HIV testing statute. The classification of a group of people as "high risk" without any specific legislative definition of the term did not meet the rational basis test mandated by the U.S. Constitution. This test was satisfied for the provisions which allowed testing without consent when it would change the course of medical treatment or prevent exposure of a health care worker.
A number of states have considered what criteria are necessary for a court to order a person tested without his or her consent (this may apply to cases of worker exposure, where no pre-existing blood sample exists to be tested, or in other settings). Kentucky's statute is typical of those that directly address this issue; the statute provides that a court may order an individual to be tested for HIV only if the person seeking the test results has demonstrated a compelling need for the test results which cannot be accommodated by other means.

D. Confidentiality of HIV/AIDS-related Information

1. Confidentiality protections

Thirty-nine states reported either HIV-specific privacy laws or general privacy statutes that expressly mentioned HIV. Since the development of commercial HIV antibody tests in 1985 prompted the enactment of much of this legislation, the laws primarily protect HIV test results. Yet the scope of potentially sensitive information is broader than the results of an HIV test (e.g., physical findings, sexual or social history, viral cultures, and titers). Therefore, existing laws may be under-inclusive. More recent statutes safeguard all "HIV-related" information.
Depending on the specific language of the statute, certain types of information related to a person's HIV infection may receive less protection than do the results of their HIV antibody testing. Even though both laboratory evidence of a low CD4 count and prescriptions for AZT are highly personal medical information, which when inappropriately disclosed may harm the patient, such information is often not specifically protected.
This problem may be mitigated where other statutes, policies or regulations protect other types of HIV-related information. California statutes dealing with the confidentiality of HIV-related information specifically prevent any individual or institution from disclosing an individual's HIV antibody test result without the patient's or client's written authorization. Other types of health care information, including individual medical records and data held by public agencies, also receive extensive protection from disclosure in California (see Protection of Public Health Data and Health Care Information, above).
States vary considerably in how stringently they protect the confidentiality of HIV test results or other information. Some states designate HIV-related information as "super confidential," which imposes special burdens on health care providers and grants patients a high degree of control over any disclosures. These states strictly limit the sharing of HIV test results to persons with a statutorily-defined "need to know," including those within a single health care facility. Massachusetts, for instance, prohibits disclosing HIV test results without the patient's written consent, and recognizes virtually no exceptions. Other states protect HIV-related information under public health statutes that protect identifiable data on any reportable disease.
Both New York and New Jersey classify HIV/AIDS as a separate disease category. New Jersey prohibits any institution, public agency or person holding a record which contains identifying information about a person who has or is suspected of having AIDS or HIV infection from disclosing it without prior written consent of the person tested, or as otherwise permitted by law. New Jersey provides a relatively limited number of exceptions for disclosure without patient authorization. New York prohibits release of HIV-related information except with consent of the patient or as provided by law. The New York statute specifies more than one dozen exceptions for disclosure without the patient's consent. Its provisions apply to any holder of HIV-related information, the county or local health officer, the physician, as well as persons to whom confidential information is disclosed (see Permissible or Mandatory Disclosures, below, for more details on each state).
In states which have no specific statutory protections for HIV-related information, such information may be protected in a variety of other ways. Alaska has no specific statute or regulation protecting HIV test results or HIV-related information. In practice, however, HIV-related information, as well as other sensitive medical information, is protected in Alaska through the state constitution's guarantee of individual privacy, strong statutory protection of confidential health care and public health data, and the governor's policy statement emphasizing that "ensuring the confidentiality of HIV-related information is critical to maintaining and promoting public confidence in the public health system."
Other states which classify HIV/AIDS as either a sexually transmitted disease or a communicable disease, such as Wyoming, Tennessee, and Vermont (STD), or South Dakota (CD), do not provide any specific statutory protection for HIV-related information, but protect it under the other applicable statutes. Vermont law also specifically prohibits courts from ordering release of HIV-related testing or counseling information unless the court finds that the person seeking the information has demonstrated a compelling need for it that cannot be accommodated by other means.

2. Permissible and mandatory disclosures

Exceptions to public health information confidentiality -- their nature, number, and extent -- determine the amount of protection afforded HIV-related information. These exceptions may be mandatory or permissible, numerous or limited, and broad or specific. The most common statutory exceptions allow disclosures to: health care providers (forty-three states); sexual or needle-sharing partners (thirty-seven states); parties with a subpoena or court order (twenty-nine states); blood banks or organ donors (twenty-two states); epidemiologists or other researchers (twenty-two states); correctional facilities (fourteen states); school officials (twelve states); HMOs, or health care or mental health facilities (fourteen states); and insurance companies (eight states). Apart from mandatory reporting of HIV test results to the health department (named - twenty-eight states; anonymous - thirteen states), most states allow, rather than require, release of this information (see Table 3 and Appendix One: State Summaries for details). However, some states mandate that HIV test results be disclosed to: school officials; blood donors; correctional officials; medical directors of mental health or other facilities when a patient is committed by court order; and law enforcement authorities who are investigating criminal offenses for HIV transmission.
While a number of early HIV/AIDS-specific laws contained relatively few exceptions to confidentiality, a second wave of legislation shifts direction, by exhaustively enumerating exceptions. New York, for example, specifies sixteen general situations in which information holders may disclose HIV test results, four circumstances in which county or local health officers may do so, and a set of criteria under which physicians may disclose this information. California lists more than a dozen instances that will trigger the release of test results. This includes disclosure to victims of sexual assault; assaulted peace officers, correctional officers, or inmates; parole or probation officers; local law enforcement officers; auditors of scientific research; public health agencies; and blood and plasma banks, blood donors, and blood or organ recipients.
In many states, health care providers or first responders who have been occupationally exposed may obtain a patient's HIV test results or request that the patient be tested. Several of these states specify narrow criteria for disclosure or testing (e.g., prompt reporting of the occupational exposure; a determination that the exposure was capable of transmitting HIV; a completed incident report; and the consent of the exposed worker to baseline testing). Some states also require the exposed worker's employer to bear the costs of testing, or limit the circumstances under which the test results may be documented in the patient record.
In contrast, other jurisdictions grant broad discretion to health officials for disclosure of HIV/AIDS-related information. In these states, health officials may subjectively assess the need for "protection of third parties," "protection of public health," or "epidemiologic surveillance and investigation."

3. Partner/spousal notification provisions

Thirty-seven states either allow or require public health personnel or health care providers to warn sexual or needle-sharing partners of someone with HIV infection of their possible exposure. These provisions embrace two basic types of disclosure: traditional contact-tracing/partner notification programs, and a duty to warn. For the purposes of this survey, both kinds of activity have been classified as spousal or partner notification. This section describes important issues concerning both types of activity and examines existing state law in the area.
Traditionally, public health officials have engaged in a wide range of activities including case finding, contact tracing, public vaccination campaigns, education, and treatment, as part of programs to control communicable and sexually transmitted diseases. Contact tracing, as developed in the setting of sexually transmitted disease control, entailed public health workers contacting individuals who had been exposed to a person diagnosed with an STD, informing them of their possible exposure, and offering them testing and treatment. Public health personnel did not reveal the name of the source of exposure, although in some situations it was obvious to the exposed person. Effective contact tracing was primarily dependent on the cooperation of the source patient in identifying contacts, and could be initiated at the source's request or as part of a health department program.
Critics and some public health officials have questioned the efficacy of contact tracing in the context of HIV infection and AIDS on a variety of grounds. Increasingly, however, public health organizations, commentators and advocates have endorsed contact tracing (also called partner notification) as one component of effective public health response to HIV/AIDS. Among populations where a high number of sexual or needle sharing partners is the norm, or where sero-prevalence is relatively high, contact tracing has been criticized for consuming too many resources while failing to discover many persons who did not already know they had been exposed.
Development of new anti-retroviral medications and effective regimens to prevent opportunistic infections provide persuasive reasons for encouraging early counseling, testing and detection of HIV infection. These advances have also reduced the force of the argument, common early in the epidemic, that HIV was different from other communicable diseases because diagnosis with HIV infection or AIDS could not lead public health officials to offer any effective treatment. There are now clear clinical benefits to the individual from relatively early discovery of HIV infection. In addition there are substantial potential public health benefits from informing individuals that they have been exposed. Persons who know they have been exposed to someone with HIV infection can obtain testing, determine their infection status and, if necessary, take measures to prevent further transmission. Where contact tracing is not feasible, extensive, targeted education for those engaged in high risk activities still represents a vital part of effective public health policy.
Advocates of civil rights, civil liberties, and privacy have also resisted the use of traditional contact tracing for HIV/AIDS. Their concerns centered on the potential for misuse of information about individuals with HIV, or those who were potentially exposed. Implementation of programs inevitably involves creation of lists of people who may have been exposed through participation in activities which are illegal (drug use or homosexual activity in some jurisdictions), have been condemned as immoral, or are at least highly intimate.
Contact tracing in the context of HIV/AIDS has become more accepted as programs have demonstrated their ability to protect the identity of infected persons and their contacts. The Centers for Disease Control and other public health organizations also strongly endorse programs which protect patient confidentiality.
Health care providers, psychotherapists, and others sometimes confront an ethical or legal dilemma when faced with a patient who they know or reasonably should know poses an immediate danger of serious harm to an identifiable third party. On the one hand, the health care or other provider has a duty to maintain the confidentiality of information that is revealed to him or her as part of the patient-provider relationship. On the other hand, the provider may feel an ethical duty to prevent harm to the identifiable third party. Case law, originating in California and followed by other states, imposes a legal duty on some types of health care providers to warn a third party in imminent danger of harm. The lead case in this area involved a psychotherapist who failed to warn a patient's girlfriend of the patient's threats to murder her (ending in her murder). Disclosure under these or similar circumstances, performed by the health care provider or the health department at the provider's request, more often involves disclosure of the identity of the source of the threat, and does not usually involve the cooperation of the source.
In the context of HIV/AIDS, this type of partner notification has been condemned by some and supported by others. Some argue persuasively that if individuals know that their health care provider will be mandated to disclose their HIV status to their spouse or partner, individuals who suspect they are infected will avoid testing or treatment for disease, or will be less than honest with their health care providers about their current sexual or drug use activity. Critics also note that when domestic violence is present, informing a male partner (when the woman is the first diagnosed) may expose her to abuse, injury and even death from her abusive spouse. In these situations the woman may have been infected by the man, so the consequences to her seem especially harsh. Other commentators, however, note that partner notification programs can identify persons who do not realize themselves to be at risk and can be a cost-effective means of reaching a group at relatively high risk of infection.
Based on the results of our survey, existing statutory law governing disclosure of possible exposure to communicable diseases including HIV (with or without disclosure of the identity of the source patient) is much more likely to be permissive than mandatory. Thirty-three states and territories had provisions which allowed either public health officials or health care providers to disclose to sexual or needle sharing partners of someone with HIV infection or AIDS the fact that they might have been exposed. Two states specifically permit disclosure of the name of the source patient by the health department. Ohio law specifically authorizes disclosure of HIV test results and the identity of the person tested to their spouse or any sexual partner. Michigan specifically allows disclosure of the identity of the source patient if the patient consents to the disclosure.
The mandatory provisions are far fewer in number. Only four states have statutes which require either the health department or health care provider to notify persons at risk. Of these four, Oregon's statute is unusual in that it only requires health care providers to report the names of HIV infected persons for partner notification in two situations: when the patient requests assistance in notifying partners; and without the patient's request or consent when the patient's partner is not a member of certain population groups who, based on "generally available information," believe they are at high risk of infection with HIV. The statute defines these population groups as hemophiliacs, prostitutes, users of intravenous drugs, men who have had sex with men, and sexual partners of individuals in these four groups excepting those who are unaware of the index individual's risk status. Health care providers are not required to report the identity of a person with HIV infection if that person's partner is a member of one of these population groups. Before notifying the Health Department, the health care provider must have tried and been unable to persuade the patient with HIV infection to notify his or her partners.
North Carolina's provision requires patients to notify all past (since the date of infection, if known) and future sexual intercourse partners of their infection. If the date of infection is not known, the infected person must notify all partners for the previous year. If a physician knows the identity of the spouse of an HIV-infected patient, and has not, with the consent of the infected patient, notified and counseled the spouse appropriately, the physician must notify the Health Department of the identity of the spouse. The physician's responsibility to notify exposed and potentially exposed persons is satisfied by fulfilling these statutory requirements.
Three states require certain individuals to disclose the names of their contacts. North Dakota's statute is only mandatory under certain circumstances. It provides that any individual found by a court to be a danger to the public health and infected with HIV can be required to disclose the names and addresses of any partners at risk to the court. These provisions do not address how, or whether, an individual could be compelled to disclose names.
Statutes which authorize health care providers to disclose potential exposure to the sexual or needle sharing partner of their patients often specifically state that they are permissive and protect the physician from liability for disclosure where the recommended procedures were followed in good faith. The Pennsylvania statute is typical of those which allow, but do not require, the health care provider to disclose possible exposure to partners of patients with HIV infection. It provides for disclosure by the provider as a last resort. In Pennsylvania a physician may disclose confidential HIV-related information if:

1) the disclosure is to a known sexual or needle sharing partner of the subject;
2) the physician reasonably believes disclosure is medically appropriate and there is a significant risk of future infection of the contact;
3) the physician has counseled the subject regarding the need to notify the contact and reasonably believes the subject will not inform the contact or abstain from activity which poses a significant risk of transmission;
4) the physician has informed the subject of his intent to disclose;
5) the physician shall not disclose the identity of the subject or any other contact;
6) the physician does not have a duty to identify, locate or notify any contact, and there shall be no cause of action for disclosure or non-disclosure in conformity with this section.

Other states (including, but not limited to, California, New York, and Florida) have similar statutes.
There are a few states in which case law appears to create a duty to warn for health care providers, and there is no statute protecting them from liability for failure to warn. The Vermont Supreme Court has imposed a "duty to warn" on mental health professionals who know or should know that a patient poses a serious risk of danger to an identifiable victim. Health officials in Vermont believe that this duty could, and probably would, be applied to other health care providers. Case law in Tennessee provides that there is a duty to warn identifiable third persons of the danger of exposure to a communicable disease.
Massachusetts has very stringent statutory protection of the confidentiality of HIV-related information (see above Confidentiality Protection and Permissible or Mandatory Disclosures). Massachusetts case law, however, has recognized a "power to warn" in some situations, which permits disclosure of information regarding a person who poses a serious danger to themselves or others. This creates an apparent conflict between the HIV-specific statute and existing case law. The case law does not directly concern disclosure of information regarding HIV infection, and there are no court cases construing the power as it applies to persons with HIV infection or AIDS.

E. Penalties for Impermissible Disclosure

In spite of the existence of confidentiality statutes, regulations, policies or rules, there remains the possibility that a person legally entitled to confidential information will disclose it improperly. Impermissible disclosures may occur when a health care provider reveals a patient's HIV status in a situation in which he or she is not authorized to do so; when an unauthorized person gains access to hospital or patient records; or when a health department employee improperly releases confidential data on reportable diseases. Forty-five states reported some type of penalty for impermissible disclosure. Thirty-three states had criminal penalties, and thirty-three had civil penalties, or allowed for civil causes of action. Twenty-one states provide for both criminal and civil penalties.
State statutes may provide additional sanctions beyond civil or criminal liability. Ohio specifies that the licensing board may take disciplinary action against a professional licensed by the state who wrongfully discloses HIV-related information, but shields from liability health care providers or others who act in good faith. Michigan specifically makes employers vicariously liable for improper disclosures by their employees, unless the employer had taken reasonable precautions to prevent improper access or disclosure. Maine's statute requires health care providers to have a written policy for protection of patient records containing HIV infection status information. At a minimum, the statute requires termination of employment for violations of the confidentiality policy.

III. Gaps in existing laws

A. Variability state to state

State laws governing the collection and use of HIV-related information exhibit marked variation. The laws are the product of more than a decade of action by more than fifty state and territorial legislative bodies. The level of confidentiality patients can expect differs from one state to another. One state may permit the release of HIV-related information to a specific class of people while a neighboring state may prohibit such a disclosure.
The earliest HIV-specific legislation often tightly restricted disclosure of HIV-related information and provided little latitude for health care providers or public health officials (see, e.g., Massachusetts). Other states which have stringent protections have now adopted a number of exceptions which allow disclosure of information under certain circumstances (see, e.g., Florida, New York, Connecticut). An individual patient could find her HIV test results protected in one state, but subject to disclosure in another. Statutes which provide extremely strict protection of HIV-related information may prevent individuals from receiving the appropriate health care in some settings. These statutes may discourage health care providers from warning partners of persons with HIV, even when the provider knows the identity of the partner, knows she is unlikely to know she is at risk, and could take steps to protect herself.
Extremely strict provisions in one state can create barriers to effective inter-state public health work. Different standards for reporting of diseases may complicate epidemiological comparisons between states. Informing partners in imminent danger of infection, sharing data with tuberculosis control programs, and providing information to researchers or other state and local health departments for epidemiological or disease control purposes may not be possible when it is unauthorized or specifically prohibited by law. These provisions can also cause friction among patients, health care providers, hospital and emergency workers when a single group perceives that they are being denied information that they could receive in another state.

B. Variation within a state: Disease-specific statutes

Public health law in the United States has developed largely in response to the emergence of individual diseases. Thus, state public health and communicable disease statutes often consist of tuberculosis control statutes, venereal disease statutes, childhood immunization provisions, HIV-specific statutes, and others. Each type of statute may have different standards for collection and control of information, examination and testing of individuals, and exercise of other public health powers. The advantage conferred by the gradual evolution of public health law is the tailoring of statutes to the perceived needs of public health authorities trying to control a specific disease threat. There are many disadvantages to this structure, however. The multiple layers of statutes may set up different and even conflicting procedures for public health authorities in dealing with various diseases. This can cause confusion and lead to the application of the wrong procedures or standards to deal with HIV test results or other HIV-related information.
Many of the older statutes were crafted in an era when society's ability to diagnose, treat, or control diseases was more limited than it is today. As public health and medical knowledge has advanced, there is less need, for example, to rely on quarantine or isolation to combat most diseases. Older public health laws frequently do not contain the criteria or procedures mandated by evolving constitutional standards for protection of individual liberty. Thus, communicable disease or venereal disease statutes may grant extremely broad discretion to health authorities for the use of coercive public health powers without establishing criteria, standards or procedures for the exercise of that power.
In efforts to control HIV, exercise of these coercive powers is rarely necessary. Where HIV is classified as a communicable or sexually-transmitted disease, public health authorities and people with HIV may be unsure whether these powers will be exercised and concerned that, if applied, they will be imposed based on fear or prejudice rather than objective scientific data.
Finally, the level of protection of sensitive health information may be different depending on whether that information is covered by communicable disease, sexually transmitted disease, HIV-specific, or general health care provisions. Given the wide range of sensitive medical information that is collected on persons with or at risk of HIV infection, variability in the level of protection provided for different types of information may lead to disclosures that cause harm to individuals. Early HIV-specific confidentiality statutes only prohibited unauthorized disclosure of HIV antibody test results. If this type of provision is not interpreted broadly or redefined by statute, regulation, or policy to include the full range of direct and indirect markers for HIV infection and AIDS that may be recorded in an individual's medical record, then the protection offered by the HIV-specific statute is severely compromised.

C. Variation depending on who holds the information

States which have integrated HIV into existing or revised public health (communicable disease and sexually transmitted disease) statutes may protect HIV-related information from unauthorized disclosure when it is in the possession of the health department. However, a particular challenge remains in protecting such information when it is held by hospitals, insurers, individual physicians' offices, employers, or other institutions.
The majority of medical information privacy provisions are still based on an outmoded model of medical records kept in paper form and held by a single health care provider or institution (see Protection of Health Care Information, above). The existence of these provisions side by side with public health provisions may result in additional variation in the protection of HIV-related information (see Protection of Public Health Data, above). Results from HIV antibody tests or other HIV-related information may receive different protection depending on who holds the information.

IV. Conclusion

Collection and use of information relating to HIV/AIDS is important both in treating individual patients and controlling the spread of disease through education and notification. While protecting individual privacy is an important goal which must not be overlooked in order to prevent the spread of discrimination and abuse, the need to use the information to help others cannot be ignored.
The present system of state laws sometimes interferes with achievement of these two goals. Variability in the level of protection accorded to HIV-related information by different states and within the same state can lead to disclosures that cause harm to individuals, or create barriers to effective public health work. Fear of such disclosure may keep individuals away from the health care system, thus preventing treatment for themselves and possible notification to others at risk of disease. For discussion of potential solutions for reform or modification of state laws, see Future Options for Protection of Health Information Privacy and Conclusion, below.

Part Six: Protection of Immunization Information

I. Introduction

Common childhood illnesses such as measles, diphtheria, pertussis, tetanus, and polio once accounted for a substantial proportion of infant and child morbidity and mortality in the United States. Complete and timely early immunization can now effectively prevent these and other childhood diseases. Despite the potential to protect the health of society's most vulnerable population, approximately one-third of the four million infants born annually in the United States do not receive all of their recommended immunizations by age two.
The failure to adequately immunize pre-school-age children is costly, and poses a risk to the public health. Childhood immunization is a highly cost-effective intervention; every dollar spent on the vaccine against measles, mumps and rubella (MMR), for instance, saves $21 in future societal costs. The measles epidemic of the late 1980s powerfully illustrates the public health consequences of inadequate immunization. The epidemic produced some 50,000 cases of disease, 11,000 hospitalizations, and 130 deaths.
Multiple obstacles exist to achieving higher levels of childhood immunization. Perhaps most importantly, health care professionals and parents cannot accurately identify children who need vaccinations and are susceptible to preventable disease. An immunization information system would enable health officials to target children in need of services, issue reminders, provide education, and conduct outreach. An information system would, in particular, identify pockets of under-immunization and direct resources where they were most needed.
In 1963, the Centers for Disease Control recommended that states begin implementing systems to allow identification of un-immunized or under-immunized children, through linkage with birth certificates. Early efforts were not efficient or cost-effective due to the lack of technological tools. Since 1991, however, there has been increasing interest at state and national levels in developing systems that would record all birth and immunization data, and would be accessible to health care providers, public health officials, parents, and perhaps school officials in order to determine whether a child is fully immunized, and to facilitate outreach to un-immunized or under-immunized children. In 1994, the National Vaccine Advisory Committee, Subcommittee on Vaccination Registries concluded:

Currently, at the local, state, and national level, we cannot identify those infants, toddlers, and preschoolers who need vaccinations and are susceptible to preventable diseases. With an improved immunization information system, there could be targeted outreach and education to families and more efficient use of available immunization providers and vaccines.

A number of states and localities have created immunization registries to facilitate collection of individual immunization information, access to that information by health care providers, public health officials, parents and school officials, evaluation of immunization programs, and delivery of state or federally funded immunization assistance.

II. Immunization as a Public Health Goal

Immunization programs, particularly among school age children in the United States, have achieved high levels of coverage (children fully immunized against specified preventable illnesses), and substantial reductions in vaccine preventable childhood illnesses. The rate of complete immunization of school-age children in the United States (>95%) is as high as, or higher than, that of most other developed countries. Yet the rate of full immunization of pre-schoolers (<65%) is below that of many developed (and even some developing) countries.
While the most recent provisional data show significant improvement in specific immunizations, levels for all immunizations remain well below the Childhood Immunization Initiative's goals for 1996 -- 90% coverage for measles, DPT, polio, Hib; and 70% coverage for Hepatitis B. Immunization rates, moreover, differ substantially among different geographic areas, and socio-economic groups. Immunization rates in some large urban and rural areas, and among racial minorities are particularly low.
The U.S. Department of Health and Human Services has established the goal of having ninety percent of children fully immunized by their second birthday. Public health officials have set specific disease-reduction targets for each of the major vaccine-preventable illnesses. Disease reduction has been monitored more comprehensively than progress toward targets for immunization coverage. For example, public health officials have used measles outbreaks to measure the impact of immunization programs on disease, identify outbreaks promptly, and characterize high risk areas. Disease surveillance, however, only detects problems in immunization coverage after the harmful health effects have occurred, and may not reveal all areas with low immunization coverage. Public health and immunization policy makers and program managers need information on vaccination that is more accurate and reveals current differences in immunization status by age, geographic area, and other risk factors.
Accurate measurement of immunization coverage can help policy-makers assess the particular barriers to increasing immunization within a community. Access barriers to childhood immunization have been systematically documented. Inadequate access to prevention services is a principal reason for under-immunization. Lacking a primary care provider, underserved children are not regularly monitored for immunizations. One study found 17 percent of poor children had no regular source of care; and 35 percent of poor children relied on emergency rooms and community clinics as their regular source of health care.
The full series of vaccinations currently costs about $500 for private-sector patients; physician administration fees constitute 60 percent of the fee. However, many families face stark financial constraints to immunizing their children: 21 percent of children under 18 years of age live below the poverty level and one in six children lacks health insurance. Further, less than half of employer health plans cover vaccinations, in contrast to a much larger proportion of health maintenance organizations that do so. A few states mandate insurance coverage for immunizations but, due to the preemption effects of ERISA, these statutes do not apply to self-insured plans. In addition, underserved children frequently fall through the welfare safety net. Medicaid coverage is uncertain due to: diverse income and other state eligibility requirements, the administrative complexity for enrollment, the variable scope of coverage for prevention services, and the limited participation by primary care providers. Medicaid-eligible children themselves also receive fewer prevention services than privately insured children.
The Comprehensive Childhood Immunization Act of 1993, part of President Clinton's Childhood Immunization Initiative, was designed to overcome financial barriers to immunization. Under the Act, the federal government purchases and provides to physicians (at no charge) vaccines for children who fit certain criteria: those enrolled in the Medicaid program, those whose health insurance does not cover immunization, and Native American children. Yet the Act has limits in securing access for children because economic barriers are not the principal cause of under-immunization; low immunization rates have been documented even when vaccines are provided without cost to families. In addition, some physicians may be unwilling to participate in the federal program because of the administrative costs and the record-keeping requirements in determining which children are eligible for free vaccination.
Efforts to improve immunization rates require not only expanding access to vaccines but also creating an efficient system to distribute them. Approximately half of all U.S. children receive their vaccines in public facilities (city or county health departments, federally-funded community health centers, or public hospital clinics), a situation which parents and children regard as confusing and burdensome. In reality, the public system for vaccine administration often entails linguistically and culturally inappropriate services and educational materials, distant locations, long waiting times, and inconvenient office hours. By contrast, immunization practice standards for the public sector advise "user-friendly, family centered, culturally sensitive comprehensive primary health care that can provide rapid, efficient, and consumer-oriented services to users."
Parents' lack of knowledge of vaccinations, or concerns about their safety, also contributes to low immunization rates. Parents are indispensable partners in ensuring that children are immunized. Yet many parents are unaware of or do not understand the complex vaccination schedule now recommended, encounter difficulties taking time from work or obtaining transportation, and, in the past, have been confused by complex informed consent forms. For some families, the overriding need to secure adequate nutrition, housing, and health care renders immunization a relatively low priority. Federal law requires health care professionals to provide written information about immunization to parents before administering vaccines. Since 1994, the immunization information has been simplified to be easier to understand and to provide a balanced discussion of the risks and benefits of each vaccine. Immunization information is available in many different languages. Parents are no longer required to sign a consent form for these vaccines.
The CDC has emphasized that health care providers miss opportunities to vaccinate children who visit physician offices, clinics, emergency rooms, and hospitals, when the providers fail to assess vaccination needs. Yet even if all health care providers elicited immunization histories, their efforts would likely be hindered by incomplete and inaccurate information. Immunization information that parents impart to health care providers -- whether from recall or from vaccination cards -- is frequently incorrect or insufficient, and seldom provides a reliable basis for immunization decisions.
These issues demonstrate the need for more accurate and comprehensive means to collect and use immunization information.

III. Proposals to Reduce Gaps in Immunization Coverage: Access to Information

A. Immunization Coverage: Alternatives for Collecting Information

Currently, comprehensive national, state or local data systems that can track all children and identify those who need to be vaccinated do not exist. Although many immunization programs are developing immunization information systems that serve these purposes at the state and local level, these systems still contain data on a minority of U.S. children. The medical and public health communities widely recommend the development of information systems to monitor childhood immunization status and to generate notices when a child's vaccinations are due or past due. Evaluative research suggests that tracking and reminder systems significantly increase immunization rates. Primary health care providers need an accurate source of immunization information, particularly if the child has no comprehensive record of care. The increasingly complicated recommended immunization schedule challenges both the physician and the family in keeping abreast of the child's immunizations. At the community level, program planners and public health officials do not possess adequate population-based data, which confounds immunization surveillance and intervention. Without this information, public health officials cannot reliably detect low immunization rates in specific geographic areas or populations, cannot effectively develop outreach and other prevention programs, and cannot adequately prevent disease outbreaks in schools, day care centers, or communities.
Alternate methods of collecting immunization information, while important, are inadequate for planning and evaluating immunization programs, or for protecting individual children. These methods include sporadic use of local immunization registries, birth cohort comparison studies (in which public health officials compare the number and type of each administered vaccine to the expected size and distribution of each year's newborn population), community-based sample surveys, and individual clinic audits. In addition, disease surveillance is inadequate because it identifies health problems retroactively.
While national, regional, state or local systems of collecting immunization information create the opportunity to provide more effective health care and disease prevention, the establishment of immunization registries also raises specific privacy concerns (see below, Privacy Issues Posed by Registries).

B. Immunization Registries: Characteristics

Based on the experience gained from the alternative methods of measuring immunization coverage and federal and private pilot projects to create population-based immunization databases (registries), a panel of experts convened by the CDC outlined the basic characteristics of an effective Immunization Registry (see also Appendix Two: Model Immunization Registry System Components): (i) enrolling all children at birth or when entering care as a new resident; (ii) collecting a core data set, including a unique personal identifier; the vaccine dose, lot number, and type; the vaccination date; and the vaccine provider; (iii) securing access to, and promoting interactive communication among, health care providers; and (iv) developing mechanisms for aggregating data nationally and state-wide. In addition, the system should facilitate public health outreach -- by notifying parents, physicians, and public health officials of missed immunizations -- and should have the capacity to include other health promotion and disease prevention data.

C. Efforts to develop immunization registries

1. Federal support

The concept of, as well as the need for, a universal, computerized system to collect, track, and exchange immunization data has existed for several decades. As early as the 1960s, the CDC posited that automated and accessible immunization records could facilitate "national follow-up of births for maintenance of immunization levels." The CDC has distributed limited funding for immunization information projects for more than a decade. The Automated Immunization Management System (AIMS) projects, established in 1980 and 1985, were designed to perform tracking, vaccine inventory, immunization coverage surveillance, and program evaluation. In fiscal year 1993-94, the CDC began to provide grants to states for immunization registries. These funds have helped states to inventory existing tracking projects within their state and assess the feasibility of statewide approaches. During 1994 and 1995 the CDC awarded more than $16 million to states for the planning, development, and implementation of immunization information systems. The CDC also supports states in developing related public health information systems. During 1994-1995, CDC provided more than $8 million to twelve states for development of Information Networks for Public Health Officials (INPHO), to enhance the ability of public health officials to exchange information. This system will assist states and localities developing immunization information systems.
Finally, there has been the Comprehensive Childhood Immunization Act of 1993, pursuant to which the federal government will purchase vaccine and provide it at no charge to physicians for use in children insured by Medicaid and others who lack health insurance that covers immunizations. The final version of the Act, however, did not include provisions for a national tracking and reminder system which had been included in earlier versions. The CDC's National Immunization Program (NIP) has opted to support development of state and local immunization information systems. These systems can fulfil some of the important functions of immunization registries: to remind parents when their children are due or overdue for scheduled immunizations; to assist providers in evaluating immunization needs of individual clients; and to facilitate exchange of information among providers in the same state or locality. Additionally, because immunizations are provided to persons in the community by local health departments and other private and public providers, systems designed and developed at the community level may be most responsive to local situations and preferences.
State- or locality-based registries are less well-equipped to accommodate other goals of a comprehensive immunization registry. Increasingly families are mobile and health care is provided by organizations which operate in many states. State or local systems may not be able to provide accurate immunization information on children who move to another state or locality. For example, if a managed care provider, or other network of health care providers which operate in multiple states, seek information on the immunization status of a child held in another state, that information may not be easily transferable from one state's or locality's system to the next. Also, if the confidentiality of information in a registry is governed by various state and local laws, these laws may provide insufficient guidance concerning which state's laws apply, which courts have jurisdiction to settle disputes, and which standard of confidentiality a multi-state organization should enforce. Commentators have noted that for state or local immunization registries to accomplish the full range of goals, they would have to be fully compatible with one another for national coordination of collection, tracking and recall to be feasible, and state or national law would have to provide clear standards for confidentiality of information transferred across state borders. If, on the other hand, data are to be used inter-state or at the national level only to determine immunization rates and areas in need of focused immunization efforts, then aggregate (non-identifiable) data could be reported from disparate state and local systems to the national program.

2. State approaches

A number of states have begun development of immunization registries (see State Legislation, below, for discussion of the particular state statutes).

3. Private support

The private sector has also funded registry development. The Task Force for Child Survival and Development's "All Kids Count" (AKC) program (supported by The Robert Wood Johnson Foundation, the Annie E. Casey Foundation, and other private funders) has invested in immunization monitoring and follow-up projects in numerous states and localities. Each AKC project is developing an automated data base that will monitor immunization status, identify service gaps and barriers, and establish follow-up and referral mechanisms.
Other private initiatives in support of immunization collection systems have included development by private companies of software packages to facilitate immunization tracking and recall activities. The goal of such projects is to develop a prototype system that would provide comprehensive immunization information management, yet be flexible enough for use by many states or the federal government.

IV. Privacy Issues Related to Immunization Registries

A. Potential Privacy Problems

1. Introduction

Although immunization registries offer the potential for providing accurate and up-to-date immunization information to health care providers, public health officials and others, collection of the information involves some diminution in privacy for children and families. A coherent national policy does not exist to protect the confidentiality of immunization data. The collection and use of immunization information is often covered by two sets of statutes: (i) those governing immunization for admission to school or day care, and (ii) those establishing a registry. Devised in different eras, these two legislative schemes reflect distinct purposes, structures, and protections.
The degree of the invasion of privacy and the potential for negative consequences from authorized or unauthorized use of the information depend to a significant degree on two fundamental aspects of registry design: 1) the type of information contained in the registry; and 2) who will have access to the information and in what form. Many of the specific privacy concerns about immunization registries arise from the basic structural and legal elements of a particular registry.

2. The type of information collected in a registry

The type of information that is collected and maintained by a registry is important in the context of privacy issues. It would be a mistake to assume that an immunization registry will only contain harmless or innocuous information that does not require both confidentiality protection and a security system. At a minimum, registries include some confidential personal and medical data, and they may contain medical and social information that is sensitive for the child and family. A basic registry would have to contain the name, address, date of birth, immunization dates, vaccines administered to the child, as well as adequate information to identify and locate the custodial parent(s) in order to issue reminders for future immunizations. Registries may also include other confidential medical information such as: medical contraindications to immunization; adverse reactions to immunizations; allergies; and the child's HIV infection status. Some registries include information on social services the child or parents are eligible for or receive, and social or medical information on other family members.
When confidential medical information on the child or family members is contained in the registry there is the possibility that its disclosure will harm the child or family. Disclosure of details of the child's, parents' or siblings' confidential medical information can cause harms similar to those resulting from any breach of medical confidentiality. Disclosure of HIV status to relatives, insurers, or others may result in stigmatization, denial of insurance, employment, or loss of child custody.

3. Access to information contained in a registry

A vast universe of parties may seek access to the information contained in immunization registries. Guardians or parents (custodial, foster, or estranged), relatives, friends, and lawyers may attempt to obtain immunization information to ensure the child's health care needs or to gather information for a custody dispute. Health care professionals (e.g., nurses, midwives, physician assistants), managers (e.g., administrators, utilization reviewers), and third party payers (e.g., health insurers, employer-sponsored health plans, managed care plans) may seek the information for purposes ranging from service delivery and third party payment to utilization review. Day care providers, educators, and school nurses may want to access the information for educational or health and hygiene purposes. Federal and state agencies (e.g., Head Start programs, health departments, child protection services, social services, and criminal justice facilities) may seek the information for purposes as diverse as determining eligibility for program assistance, or preparing for child neglect or abuse proceedings. Finally, health officials, researchers, and other academics may want the data for public health purposes (e.g., program development, evaluation, or community health assessment).
Immunization data may adversely affect the family if they are inappropriately disclosed (e.g., the parents' employment or insurance status; family eligibility for public benefits, services, or privileges; or parental rights). For instance, if the registry includes immigration status, or if immigration authorities gain access to comprehensive demographic family data, the information could be used to detect undocumented immigrants and migrant workers or to deny them benefits.
A custodial parent may also fear that an estranged parent will use the registry to discover a child's home address. In this circumstance, access to location data could lead to harassment, stalking, abduction, violation of a restraining order, or violence directed at the child or custodial parent.
Parents may be concerned that failure to immunize a child may form the basis for an investigation by child protection authorities. Recently, a New York family court made a finding of child neglect based, in part, on a parent's refusal to have his three-year-old daughter immunized during a measles outbreak. Although the information in this case was not obtained from the immunization registry, the existence of a registry could facilitate both individual investigations and "surveys" of the registry to identify all children whose parents have not immunized them on schedule.
Information in the registry may be made available in individual form -- complete with personal identifiers -- or it may be made available in aggregate form stripped of identifiers. The potential for harm to children and families from disclosure to many entities can be avoided or reduced by limiting disclosure of personally identifying information to specific entities whose goals are the same as those of the registry. All other parties could receive aggregate information with relevant general demographic information.

4. Security of information in a registry

In addition to issues concerning use by those with authorized access to the registry, there are questions of security of the registry. These concerns may be especially acute where the system is designed for on-line access or where access is linked to a non-private identifier, such as a social security number. Parents may be concerned that a registry which uses the child's or parent's social security number as the unique identifier will make information accessible to all those individuals and institutions who already have the social security number, or that authorized users of the registry will use it to gain access to other databases containing personal information and linked to the social security number (see Protection of Health Care Information, above). Unauthorized access can also occur through inappropriate use of terminals in local physician's offices, health departments, or other remote sites.
Many states operate dual systems for collecting and using immunization data, each with discrete legal requirements. Disparate rules for data held inside, and outside, of official registries can confuse all parties and create opportunities for error and improper disclosure. Additionally, states may afford lower levels of confidentiality protection to immunization data (than for other health information), based on the unfounded conclusion that immunization information is less sensitive.
While enlightened federalism may welcome state variation as experimentation with local solutions to complex social problems, the mobility of the population and the development of on-line systems call for a coherent and unified approach. Parents and children move freely from state-to-state and automated systems are designed to transmit information rapidly across state lines. Both public health and privacy goals are undermined if each state uses its own core data set (introducing compatibility problems during information transfer), establishes unique rules for access and privacy, or restricts the flow of health information beyond the state.

5. Development of a registry

Privacy concerns about the registry may arise during the development process. Excluding parents, health care providers, or some other group with an interest in the immunization status of children from the planning process for the registry can lead to distrust or misunderstanding of the purpose and uses of the registry. If the participants in the planning process perceive it as rushed, perfunctory or otherwise inadequate, they may withhold their support from the final product or avoid cooperation with the program.
Finally, problems may stem from a lack of established procedures within the registry. Registries may have inadequate standards for determining what information they should contain and who should have access. They may lack procedures for settling disputes over inclusion or accuracy of information. There may be no opportunity to review privacy concerns as they arise, and make modifications to the procedures and structure of the registry as needed.

V. State Legislation

A. Registries

Twenty-two states and the District of Columbia either currently maintain, or are in the process of establishing, immunization registries. (See Table 4). At least nine of these states have enacted statutes that specifically authorize immunization registries; four states operate active registries that are not expressly authorized by law. Nine states are currently developing registries or are considering registry bills that are pending in their legislatures. In the District of Columbia, the Board of Health has requested the authority to establish a registry. Tennessee, which has not yet established a registry, reports that it possesses the power to establish a registry despite the lack of specific statutory authorization.
The sources of registry information differ from state-to-state. Some registries are electronically linked to the state's birth registry or birth certificate issuance system (e.g., Nevada). Other registries use birth data collected by the division of vital statistics (e.g., North Dakota). Still others depend on immunization reporting by health care providers (e.g., New York City). For example, the Connecticut registry statute requires health care professionals to report the identity of each child who is immunized; the name and date of each dose given; and any contraindications or grants of waiver from immunization.
States demonstrate various stages in registry development. Initially, health care providers or school officials use registries to verify immunization records, and health departments perform audits. Registries that are more fully operational provide follow-up, generate vaccination reminders, and target health education and outreach to populations that have low immunization rates. The state of Oregon offers a useful model. Oregon's tracking system requires health officials to register all children, collect immunization data, and notify and personally contact parents whose children have missed scheduled immunizations.
The variety in structure and stage of development among the registries is illustrated by a brief description of several state models:
Colorado's health department has been granted statutory authority to create a registry. The state epidemiologist reports that immunization data is being reported and collected in some regions of the state. Although the State Board of Health has sufficient authority to require reporting of all immunizations, it has decided not to enforce such a requirement until the health department is prepared to handle the information and all those who deliver immunization services have commented on the plan.
Connecticut law authorizes establishment of a registry, but it is not yet functional. Under the provisions of the statute, health care providers will be required to report to the state health department information on the identity of each child receiving immunizations, the name and date of each vaccine dose given, or when appropriate, contraindications or exemptions to immunization. Health care providers and parents shall have access to information contained in the registry on the immunization status of the child. School officials will not have direct access, but any health care provider working for the school can have access to immunization records. Except as provided in the statute, all personal information contained in the registry is confidential. Connecticut also has provisions requiring outreach by state health officials.
Delaware has a functional registry. According to the state epidemiologist, the registry is less than fully useful because the data are treated as confidential medical information. Parental or guardian consent is required for access to the records. The Department of Health has submitted legislation allowing for greater sharing of the data contained in the registry.
Mississippi authorized the establishment of a state-wide childhood immunization registry in 1994. All health care providers are required to report administration of childhood immunizations. Information regarding the immunization status of children in the registry is made available to parents/guardians of the child, health care providers, and individuals or organizations required to report on the immunization status of children in their care.
Montana law authorizes the establishment of an immunization registry. Once established, the release of information from, or access to, such a registry would be governed by the existing statutes protecting confidentiality (the Government Health Care Information Act and the Uniform Health Care Information Act).
Nevada is in the process of establishing an immunization registry linked to the electronic birth certificate system. Nevada has not fully addressed nor determined the question of who would have access to the information contained in the registry. Since the registry will be administered by the State Health Division, public health officials will presumably have access.
New York State has legislation which establishes an immunization registry demonstration project. The demonstration sites will be chosen in the spring of 1995. New York City has already established an immunization registry. Designated providers who give immunizations to children under age seven must report the name and immunization to the department of health. All information included in the registry is confidential and will not be subject to inspection by persons other than those authorized by the department or the corporation counsel of the city. The department may disclose information for specific reasons, such as to allow confirmation of children's health status by school officials, and when it is necessary in the best interests of the child, or for the protection of public health.
Although North Dakota law does not specifically establish an immunization registry, the state has had one since 1988. Birth data from the Division of Vital Records is used by the Department of Health. Information from births to unwed mothers may only be used with the mother's consent. Access to immunization records held by the state Department of Health is allowed by health care providers, school, day care facilities, parents, and other persons with a legitimate need for the information. Only immunization history and status are provided.
Like North Dakota and Delaware, South Carolina has an active registry without specific legislative authorization. The South Carolina registry currently includes all children immunized at public health clinic sites and those whose immunizations are paid for by Medicaid. In the future, the registry also plans to include children whose immunizations are paid for privately. All local health departments and the authority which tracks Medicaid payments must report immunizations by paper to the state centralized registry. Central health department officials and health care providers at public health clinics have access to information in the registry for departmental work or to update and check a child's immunization status. In theory, a private provider who sees children on Medicaid will also have access, but there is currently limited computer access for these providers.

B. Reporting

States without registries or universal immunization programs may also collect large amounts of information on immunizations. Virtually all states require proof of certain immunizations as a condition of enrolling in school. The Supreme Court has found compulsory immunization to be constitutional, and lower courts have validated the state's power to require vaccination of school children. Many state statutes permit parents with sincere religious beliefs to exempt their children from vaccination requirements; these religious exemption clauses are infrequently challenged and, where they are, the exemption has been upheld. However, one court has found that an exemption provision that requires parents to be "bona fide members of a recognized religious organization" violates the establishment clause. While states have the constitutional authority to create a religious exemption to compulsory immunization, not all states actually grant an exemption. Failure to grant a religious exemption probably does not violate the constitutional right to the free exercise of religion.
States that require proof of immunization as a requisite to school entry often require schools to keep immunization records. At least forty-seven states mandate that at least some immunization information is reported to either the health department, schools, or child care facilities. Of the states that have reporting requirements, thirty-two require that certain types of immunizations are reported to state or local health departments; forty-four require schools to receive proof of each student's immunizations and to maintain individual immunization records; and twenty-five extend that duty to child day care centers or other early childhood institutions.

C. Confidentiality of Immunization Information, Access to Information and Disclosure

1. Introduction

The collection and use of immunization information in some states is covered by two separate sets of statutes and/or regulations - those governing immunization for admission to schools or day-care centers and those establishing a registry or creating reporting and confidentiality requirements for a registry. These two types of provisions were developed in different eras and reflect different purposes, structure and procedures. School immunization statutes mandate that parents (accompanied by proof of immunization from a health care provider) report immunizations to the school or day care center. The reporting is decentralized, records are kept in paper form, and summary reports are usually sent to the health department. While some expectation exists that schools will not disclose immunization records, health departments usually retain the right to review or inspect records, and schools routinely forward immunization data when students transfer to another school.
Since immunization registries have been designed and implemented more recently, they more often directly address confidentiality and access. Health care professionals report directly to the registry, which is usually centralized by city or state. Most fully functioning registries depend on computers to store information, to provide access, and to generate reminders.

2. Confidentiality protections for information in registries

State statutes authorizing immunization registries provide varying levels of detail regarding the confidentiality of information contained in the registry. Six of the nine states that have enacted statutes authorizing immunization registries directly address confidentiality: Colorado, California, Connecticut, New York, and Oregon explicitly protect immunization data; and Rhode Island expressly incorporates state confidentiality law into its registry statute. The remainder have no explicit confidentiality protections or have not completed the rules governing their registries.
States face difficult choices when deciding the permissible scope of access to immunization data. Stringent confidentiality protections can impede access, thereby diminishing the registry's usefulness for public health purposes. Delaware, for instance, reported that the state registry is less than fully functional because the data are treated as confidential medical information. To access the records requires parental consent. Other states grant freer access to immunization records. For example, Mississippi explicitly exempts immunization information from protection as confidential patient records. Parents, health care providers, and individuals or organizations that are required to report the immunization status of children in their care, or that have a legitimate and tangible interest in the information, have access to immunization information contained in the registry. Similarly, North Dakota permits access to parents, schools, day care facilities, health care providers, and other persons with a legitimate need for immunization records. North Carolina grants access to immunization information to state and local health departments, the child's attending physician, schools, licensed and registered day care facilities, Head Start Programs, and colleges and universities. In addition, the state department of health is authorized to issue regulations granting other entities access to immunization information. The New York City Department of Health and the Corporation Counsel have discretion to disclose information to enable school officials to confirm a child's health status, to promote the best interests of the child, or to protect the public health.
In some cases state statutes establishing immunization registries do not contain specific confidentiality provisions. In these states information in the registry may be protected through other statutes protecting other health information in the public and private sectors. Montana, for example, has adopted model statutes protecting health information held by government and private parties. Information contained in Montana's immunization registry will be protected by existing confidentiality provisions covering health care information and public health data. Other states do not directly address the issue by statute. In these states immunization information may be covered by existing general public health confidentiality provisions or the data may receive a lesser degree of protection (see, e.g., North Dakota).

3. Confidentiality protections for information not in registries

Immunization information that is not part of a registry may receive variable degrees of protection. Most states impose some duty on schools to maintain the confidentiality of student records, which often include immunization data. The majority of states also specify who may have access to a child's immunization records. At least forty states expressly grant access to the health department, health care providers, school officials, or epidemiologists and other researchers. Of the thirty states without registries, eighteen allow access to the health department; eight give access to health care providers; eleven grant access to school officials; and one permits access to researchers.
At least twelve states operate universal immunization programs, whereby the state supplies all or most of the vaccines administered by distributing them to participating providers. In each of these states, health providers must comply with specific record-keeping requirements. The Department of Health uses the reported information to track the number of doses dispensed and to whom. The program officials also may view the information collected.
It is likely, however, that the list of states which specifically authorize access to immunization records may actually understate the number of jurisdictions in which schools (the primary place, outside of individual medical records, where immunization information is collected) allow the health department, health care providers, or researchers access to immunization information. For example, during an outbreak of a highly communicable and transmissible disease such as measles, public health powers may be construed very broadly to allow release of information to the health department, as long as there is no explicit statutory prohibition on release of immunization information. Similarly, it is likely that a child's immunization record, as part of his or her student record, is frequently transferred from one school to another without specific legislative authorization.
In California, which did not have an immunization registry at the time of the survey, access to immunization records is controlled by the governing authority of each school or institution, and the records are not protected from subpoena. Thus, the governing authority of the school apparently has broad discretion to permit disclosure of immunization information. By contrast, in Oregon, prior to the enactment of the statute authorizing the current immunization registry, written parental consent was required for the release of any data contained in a child's immunization record. One of the stated purposes for creating a registry in Oregon was to abolish the consent requirement for the release of immunization information for use in tracking immunizations by the health department and for use by school officials or health care providers.

D. Penalties for Unauthorized Disclosure

At least sixteen states impose penalties for impermissibly disclosing immunization data. Of these, fifteen designate minor criminal penalties, while four specify civil liability. Unauthorized disclosure by a health care provider may also represent a breach of professional ethics and result in sanctions by a state licensing board (e.g., Tennessee).

VI. Gaps in the Law

Registries can improve immunization coverage by providing accurate, complete, and current information to health care providers, public health officials, educators, and parents. However, the systematic collection of large amounts of automated health data poses a privacy risk. Ensuring privacy of the data is critical, both to achieve public health purposes and to protect parents' and children's individual rights. Parents and children whose immunization information is contained in the registry have a right not to have sensitive health information disclosed in ways that might stigmatize or harm them. Fear of unauthorized disclosure might lead some parents to avoid contact with primary care providers, which would undermine public health efforts to increase immunization rates and offer other preventive services. Elected officials also are not likely to authorize automated immunization data banks unless they gain the public's confidence that the registry will not unnecessarily invade citizens' privacy.
Currently, considerable variation on privacy protection exists among states, and also within states. At the extremes, state legislation either too easily permits disclosure of immunization information (undermining privacy interests) or is overly restrictive (undermining public health objectives). Many states fail to specify who shall have access to immunization information; grant broad discretion to health officials to make disclosures; do not adequately protect against subpoena or court order; and do not provide clear penalties for unauthorized disclosure. Some states, however, are overly restrictive, requiring parental consent before any disclosure. This approach may impede the flow of information necessary to promote child health.

A. Variation From State to State

State laws regarding collection and use of immunization information vary widely. This variation has produced a rich body of law that explores many of the possible options for controlling immunization information. However, the differences from state to state also create inconsistencies which can leave gaps in the protection of immunization-related information, erect barriers to use and exchange of information, or create opportunities for disclosure. In some states, health officials have broad discretion to disclose immunization records. In practice, this may mean that information related to immunizations receives little protection. Weak standards of protection of the confidentiality of immunization registries or school-based records may also lead to disclosure of sensitive medical information. This could create a double standard for health information which would not fully protect sensitive information if it is part of an immunization record.
Statutes can also create barriers to setting up an immunization registry, or prevent the registry from achieving some of its goals. In some states vital record provisions prohibit use of birth certificate data for any other purpose (see, e.g., Pennsylvania). Other states may restrict the ability of public health officials to transfer immunization information to other states.
Additionally, variation from state to state in the way immunization information is collected and stored may create purely technical barriers to its inter-state transfer. One state-based registry may not store data in a form that is compatible with another state's registry. This prevents registries from achieving one of their goals -- to provide a record of each child's immunizations that will be available to the child's parents, health care providers, and health department officials, regardless of where the child lives, goes to school, or receives health care.

B. Variation Within a State

Within a state, immunization-related information may be accorded protection different from that given to other personal or medical information. The bulk of information contained in immunization records concerns predominantly healthy children who have received routine shots, perhaps accompanied by information on adverse reactions, and medical history. Because of the "routine" nature of immunization information, strong confidentiality protections or standards for disclosure have not always developed at the state level. This may be because immunization information does not appear to be as sensitive or personal as other medical information, such as diagnoses of sexually transmitted diseases. Standards for release of the data may be vague, as in a provision allowing for the release of information to persons with a legitimate reason to seek the information. States justify looser standards on the basis that release of the data does not appear to "harm" anyone (see, e.g., North Dakota).
As a result, immunization records may not be protected as rigorously as other medical or public health information. Disclosure of immunization related information to parties and institutions with different primary goals can cause substantial harms to and complications for the child and the family (see Privacy issues related to immunization registries, above).

C. Gaps specific to registries

In the absence of formal statutory limitation on the disclosure of immunization information, state agencies have broad discretion to collect and use information for the "promotion and protection of public health" (see, e.g., Alaska). This may allow for the relatively easy establishment of an immunization registry (or other system to facilitate sharing of immunization data, in order to increase immunization coverage) in these jurisdictions. Systems established without specific statutory authorization or governed only by general public health statutes or health care provisions may not provide this data with confidentiality protection that is comparable to other medical records.
Registries, whether or not legislatively authorized, often do not address important issues that are the source of many privacy concerns about registries. From the outset it may be unclear exactly what kinds of information will be contained in the registry, who will have access to it, and in what form information will be disclosed. Registry provisions often do not define standards for determining what information will be included and determining access. They do not always include procedures for settling disputes over information, requirements for parental consent for secondary uses of information, adequate security arrangements, or penalties for impermissible disclosure of information. Absence of appropriate procedures can cause difficulty for public health officials in accessing, reviewing, and updating the data; frustration for parents unable to consent to release of the data; and the possibility of unauthorized disclosure of immunization information.

VII. Conclusion

Collection and use of accurate immunization data is vitally important for immunization programs to meet present goals of 90% or greater coverage of pre-schoolers by the year 2000. In many ways, privacy concerns support rather than contradict this goal because public health programs to reach preschoolers require public cooperation and consent. Nevertheless there will be certain times when the goals conflict. In these cases well-designed laws may offer the highest possible degree of protection for sensitive information while still aiding, rather than thwarting, public health efforts.
Finally, the increasing interest in state or federally subsidized immunization programs aimed at achieving high levels of immunization of two-year-olds ultimately requires state and local health departments to collect and use large amounts of personal medical information, and to share that information with health care providers, school and day care facilities. At this time, the degree of protection which that information receives varies depending on the particularities of the law in each state. When states authorize and implement immunization registries or universal immunization programs, or when they undertake reform of public health statutes, they may also choose to rethink and revise how information on immunizations is collected, protected and disclosed.

Part Seven: Federal Legal Protection of Health Information Privacy

I. Introduction

Federal legal protection of health information privacy is based on constitutional law, statutes and regulations. Constitutional protection is applicable to data collected and used by governmental entities, both federal and state. Statutory protection is limited to that specifically provided by Congress and federal agencies in legislation or regulations. As the Work Group for Electronic Data Interchange observed, there is no national level policy on privacy and security of health information. Rather, there exists a series of disparate and incomplete safeguards that neither fully protect individual privacy nor enumerate carefully when health information may legitimately be collected, used, and disseminated. The Senate began consideration of the first attempt to draft comprehensive federal legislation, the Medical Records Confidentiality Act of 1995, in October 1995. The draft provisions of the Act are discussed below (Medical Records Confidentiality Act 1995). This section of the report provides an account of existing constitutional and legislative protection of health information privacy at the federal level.

II. Constitutional Right to Informational Privacy

A considerable literature has emerged on the existence and extent of a constitutional right to informational privacy independent of the Fourth Amendment prohibition on unreasonable searches and seizures. To some, judicial recognition of a constitutional right to informational privacy is particularly important since the government is the principal collector and disseminator of information. The Constitution, of course, does not expressly provide a right to privacy, and the Supreme Court appears to be in a period of retrenchment of constitutional protection both for decisional and informational privacy.
A body of case law does suggest judicial recognition of a limited right to informational privacy as a liberty interest within the Fifth and Fourteenth Amendments to the Constitution. Whalen v. Roe is the major case in which the Supreme Court squarely faced the question of whether the constitutional right to privacy encompasses the collection, storage, and dissemination of health information in government data banks. In Whalen, a New York statute required physicians to disclose to the state information about prescriptions for certain drugs with a high potential for abuse, and provided for the storage of those data in a central computer. In dicta the court acknowledged "the threat to privacy implicit in the accumulation of vast amounts of personal information in computerized data banks or other massive government files."
Justice Stevens, writing for a unanimous court, recognized that "in some circumstances" the duty to avoid unwarranted disclosures "arguably has its roots in the Constitution." The court found no violation in Whalen where the state had adequate standards and procedures for protecting the privacy of sensitive medical information. The court observed that data on dangerous prescription drugs were afforded careful protection by the Health Department: computer tapes were kept in a locked cabinet; the computer was run off-line to avoid accessibility by others; and the information was disclosed only to a limited number of officials.
In Nixon v. Administrator of General Services, decided four months after Whalen, the court also hesitantly acknowledged a narrow right to privacy. The former President of the United States challenged the constitutionality of a statute directing the Administrator of GSA to take custody of Presidential materials and to have them screened by Government archivists. The court granted that the former President had a legitimate expectation of privacy in his personal communications. However, it upheld the constitutionality of the statute due to the limited intrusion of the screening process, the appellant's status as a public figure, his lack of expectation of privacy in the overwhelming majority of materials, and the virtual impossibility of segregating the small quantity of private materials without comprehensive screening. The court also emphasized the Act's sensitivity to legitimate privacy interests and the unblemished record of the archivists for discretion.
Most lower courts have read Whalen and Nixon as affording a tightly circumscribed right to informational privacy, or have grounded the right on state constitutional provisions. Courts have employed a flexible test balancing the government invasion of privacy against the strength of the government interest. Judicial deference to government expression of the need to acquire and use information is an unmistakable theme running through the caselaw. Provided the government articulates a valid societal purpose and employs reasonable security over the data, courts have seldom interfered with traditional governmental activities of information collection in the realm of public health.
The Third Circuit in United States v. Westinghouse enunciated five factors to be balanced in determining the scope of the constitutional right to informational privacy: (i) the type of record and the information it contains, (ii) the potential for harm in any unauthorized disclosure, (iii) the injury from disclosure to the relationship in which the record was generated, (iv) the adequacy of safeguards to prevent non-consensual disclosure, and (v) the degree of need for access -- i.e., a recognizable public interest.
The right to privacy under the U.S. Constitution is, of course, limited to state action. Since the 1970s, more than a dozen states have adopted constitutional amendments designed to protect a variety of privacy interests, including limitations on access to personal information. Although most of the state constitutional provisions only protect against breaches of privacy by government, some courts have also applied their guarantees to private parties.
The usual state action limitation renders constitutional claims uncertain in many cases. Provided the federal or state government itself collects information or requires other entities to collect it, state action will not become the central obstacle to constitutional protection. Yet, several versions of a health information infrastructure envisage private or quasi-private health data organizations, health plans, and insurers collecting a great deal of information. In these cases the applicability of constitutional privacy protection would remain in doubt, particularly if database organizations were essentially unregulated by government.
Even in cases where government unambiguously is the collector of data, constitutional limitations may be nominal. Courts allow states wide latitude in protecting the public health; and courts are certain to see government purposes of preventing morbidity and premature mortality or health research as substantial if not compelling. Since policy development on health information has emphasized privacy and security concerns, the government is likely to prevail on a flexible balancing approach. Absent an unlikely shift in the courts' approach to privacy, affording it a decidedly higher level of scrutiny, issues of health informational privacy will, for the most part, be settled in the legislative and executive branches of government.

III. Legislative and Regulatory Protection of Informational Privacy

A growing number of statutes and regulations are designed to protect privacy in a developing information society. The most important federal statutes and regulations with relevance to health data are the Privacy Act (construed consistently with the Freedom of Information Act), the drug and alcohol privacy regulations, and research regulations.

A. Privacy Act

The federal Privacy Act of 1974 is designed to ensure that federal agencies utilize fair information practices with regard to the collection, use, or dissemination of "any record" which is contained in "a system of records." First, subject to a number of exceptions, the Act prohibits agencies from disclosing information to any person or to another agency without the prior written consent of the individual to whom the record pertains. However, the Act also grants substantial discretion to federal agencies to identify disclosures for "routine uses" which may be made without consent (see below). Second, each agency that maintains a system of records must also, upon request, permit the individual to review and copy the record. Third, the Act provides a procedure by which an individual may request the correction or amendment of the record. Finally, the Act requires agencies to maintain in their records only personal information that is relevant and necessary to accomplish the agency's purpose. The Computer Matching and Privacy Protection Act of 1988, which amends the Privacy Act, regulates the practice of "matching" files pertaining to the same person through the use of a personal identifier.
Hospitals operated by the federal government or health care or research institutions operated pursuant to federal contract must maintain patient records in compliance with the Act. The Act, however, does not apply to the vast majority of entities that collect health information outside of the federal government.
Even agencies that collect information within the purview of the Act are permitted to disclose information for "routine uses," meaning that they can use health records for any "purpose which is compatible with the purpose for which it [the information] was collected." Courts have generally interpreted "routine uses" broadly when confronted with agency disclosures. Health agencies have used this concept to justify many further uses of personally identifiable information.

B. Freedom of Information Act

In enacting the Privacy Act, Congress did not seek to interfere with the right of the public to obtain access to information in federal agency records under the Freedom of Information Act of 1966 (FOIA). Accordingly, information that is required to be disclosed under FOIA has no protection under the Privacy Act. The FOIA contains nine exemptions which permit agencies to withhold disclosure. Exemption 3 covers data specifically excluded from FOIA disclosure requirements by statute. This exclusion has been utilized by the Department of Health and Human Services and other agencies to protect health data.
Exemption 4 concerns "privileged or confidential" data. Federal health agencies, such as the Centers for Disease Control and Prevention, have sought to rely on this exemption to resist discovery of confidential patient or research records in cases such as those involving toxic shock, Reye's syndrome, and cancer registry data. The prevailing judicial view, however, is that information that is privileged from disclosure under the FOIA may nevertheless be subject to discovery. For a further discussion of discovery, see below.
Exemption 6 covers only government records that can be identified as applying to an individual. When a FOIA disclosure is sought from personally identifiable government records, courts must balance the individual's privacy interest with the public's interest in the information. Exemption 6 protects "personnel and medical files and similar files the disclosures of which would constitute a clearly unwarranted invasion of personal privacy." Courts have adopted a broad construction of this exemption, allowing federal agencies to protect information from disclosure when public access to the information in question would violate a viable privacy interest of the subject of such information. In 1989 the Supreme Court stressed that "both the common law and the literal understandings of privacy encompass the individual's control of information concerning his or her person." Moreover, a federal appeals court has clarified that in determining whether the threat to privacy posed by disclosure is "real" rather than "speculative" an agency or court must consider both the harm substantially likely to arise from the disclosure itself and the probable harm from "secondary effects" of the disclosure, interferences with personal privacy linked to the disclosure by "two or three links in the causal chain."
FOIA exemptions can be useful in protecting personal data, but suffer from several limitations. Assuming the data come within one of the listed exemptions, the agency itself has the discretion, but not the duty, to withhold disclosure. Further, the judgement of the agency is subject to judicial review under an unpredictable balancing test that is not always favorable to the individual's assertion of privacy. Accordingly, health care, epidemiological, or research data held by the agency may not be assured protection either from an FOIA request for disclosure or discovery in civil litigation.

C. The Medical Records Confidentiality Act of 1995 (Bennett-Leahy Bill)

Under debate by Congress in the spring of 1996, the Bennett-Leahy Bill is the first comprehensive effort to establish national standards for the protection of health information. A stated purpose of the bill is "to promote the efficiency and security of the health information infrastructure so that members of the health care community may more effectively exchange and transfer health information in a manner that will insure the confidentiality of personally identifiable health information." The bill defines individuals' rights regarding their personal health information (Title I); reviews and defines "protected health information" by subject (Subtitle A); establishes safeguards for such information (Subtitle B); delineates restrictions on the use and disclosure of protected health information (Title II); provides for sanctions for violation of the provisions of the Act (Title III), including civil sanctions (Subtitle A) and criminal sanctions (Subtitle B); as well as other provisions (Title IV, Miscellaneous). Title I, individual rights, incorporates many "fair information practices" including the right of an individual to inspect, correct or amend protected health information related to that individual and the obligation of entities that maintain protected health information to establish administrative, technical and physical safeguards for the information, and to maintain records of disclosure not related to treatment of the individual. Title II, restrictions on use and disclosure, prohibits disclosure except as specified in the Act, or for reasons compatible with the purpose for which the information was obtained, and in the minimum amount necessary to accomplish the disclosure's purpose. Title II specifically permits disclosure to a public health authority for surveillance, disease or injury report, or public health investigation or intervention.
The bill would, inter alia, make it illegal for companies to use medical records to create marketing lists and would grant patients access to their medical records in states that do not already do so. It would also shield from liability persons or agencies which make disclosures as permitted under the Act. Opponents of the bill argue that it will promote the creation of huge health care databases and will permit access to these databases by too many individuals and private entities. Since the Act remains in committee and subject to amendment, it is difficult to determine what the overall impact will be if the bill is enacted into law.

D. Discovery of Confidential Health Information from Federal Agencies

Public health agencies such as the Centers for Disease Control and Prevention have claimed a general confidential privilege for information they hold on grounds of the Privacy Act and the Freedom of Information Act. The CDC forbids its officers and employees from testifying in court proceedings pursuant to this asserted privilege. While health agencies cannot put a blanket ban on all requests for testimony, courts have recognized that the time of researchers is valuable and the judiciary has often upheld agency denials of requests for depositions.
Most courts have not found it necessary to determine the exact boundaries of the privilege of confidentiality asserted by health agencies. Instead, courts have used Rule 26 of the Federal Rules of Civil Procedure to determine the scope of permissible discovery in civil litigation. The courts balance privacy interests of individuals whose identity may be disclosed in the litigation against the party's interests in the administration of justice; Rule 24 allows the courts to fashion creative protective orders that permit necessary discovery while limiting infringements on privacy. Some courts find that information obtained by health departments is personal and sensitive so that identifiable information may not be discoverable under the Federal Rules of Procedure.

E. Drug and Alcohol Treatment Records

Federal law prescribes special privacy rules for the records of patients receiving care for drug or alcohol dependency in federally assisted facilities. Strict confidentiality rules apply to oral and written communications of "records of the identity, diagnosis, prognosis, or treatment of any patient which are maintained in connection with the performance" of any educational, rehabilitative, research, training or treatment program relating to drug or alcohol abuse. The confidentiality rules apply to any program or activity conducted, regulated, or directly or indirectly assisted by a federal agency. Subject to certain exceptions, the content of a drug or alcohol treatment record can be disclosed only with the consent of the patient.

F. Department of Veterans' Affairs Regulations

In addition to providing confidentiality protection to information regarding drug or alcohol abuse, regulations for the Department of Veterans' Affairs also provide protection for any records containing information related to HIV infection, AIDS or sickle cell anemia. These records can be disclosed only with the consent of the patient, or without consent only in the event of a "bona fide medical emergency," for research, to comply with state requirements for disease reporting or partner notification, or under court order. Penalties for impermissible disclosures consist of fines.

G. Research Regulations

Human subject research that is conducted or supported by a federal department or agency must comply with regulations designed to protect human subjects. Applicable research must, inter alia, be approved by a validly constituted Institutional Review Board (IRB). One of the conditions of approval by the IRB is that "When appropriate, there are adequate provisions to protect the privacy of subjects and to maintain the confidentiality of data." Further, except where provided in the rules, no investigator can involve a human being as a subject without legally effective informed consent. In seeking informed consent, the investigator must provide the subject with a statement describing the extent, if any, to which confidentiality of records identifying the subject will be maintained. Federal human research rules include important exceptions to this informed consent requirement for health information-based research. Federal rules permit IRBs to waive or modify informed consent requirements when the research involves minimal risk to the subject; the waiver of informed consent will not adversely affect the subjects; the research could not practicably be carried out without the waiver; and, whenever appropriate, subjects will receive pertinent information after completion of the study.

H. Certificate of Confidentiality

Under section 301(d) of the Public Health Service Act the Secretary can authorize persons engaged in biomedical, behavioral, clinical, or other research to protect the privacy of research subjects by withholding from all persons not connected with the conduct of the research the names or other identifying characteristics of the subjects. Persons authorized to protect the privacy of research subjects cannot be compelled in any civil, criminal, administrative, legislative or other proceedings to identify research subjects.
Protection is available upon application from a named project, and is conferred in the form of a "certificate of confidentiality" issued directly by the Assistant Secretary for Health. The certificate provides legal authority to resist compulsory demands for identifiable research subject information. An investigator with a certificate has a legal defense against subpoena or court order similar to the physician-patient privilege. The defense applies only to information about subjects, not aggregate data.
While certificates of confidentiality provide strong protections of privacy, they have some limitations. Confidentiality assurances are available for all research projects, and federal funding is not required. Since researchers must apply for protection of data from each project separately, the procedure for obtaining a certificate imposes burdens on the time and resources of researchers and scientists who, as a consequence, may not seek protection for every study involving confidential medical information. In fact, the policy of the Assistant Secretary is that issuance is granted "sparingly", i.e., "only when the research is of a sensitive nature where the protection is judged necessary to achieve the research objectives." Even if certificates are rarely denied in practice, this stated policy and the application process may create a chilling effect on researchers' efforts to protect the privacy of all their human subjects. Additionally, the researcher retains the discretion to seek confidentiality protection for his or her data and is not bound to do so. Finally, although the certificate of confidentiality protects the data from compelled disclosure by a court, it does not create any specific obligation on the researcher to protect the information in other ways.

IV. Gaps in Federal Protection of Health Information Privacy

The U.S. Constitution and federal legislation provide fragmented and uncertain protection of health information privacy. The U.S. Constitution applies only to state action and, therefore, binds principally federal and state government collection of health information. Constitutional protection of privacy would not, for example, cover private health care facilities that receive federal or state funding and would not cover many quasi-public entities such as the American Red Cross. More important, courts are likely to defer to reasonable governmental action for public health purposes. Provided the collection of information is reasonably necessary to achieve an important health purpose, and the agency provides reasonable safeguards of privacy and security, the courts are unlikely to find constitutional violations. By contrast, if the disclosure of personal information is simply careless and achieves no sound health purpose and/or if there are insufficient protections of privacy and security, courts may well find infringements of constitutional rights of individuals.
The Privacy Act and the Freedom of Information Act provide the most complete assurance of the confidentiality of government records. The protection of data depends on whether data are deemed to be "records" within government "systems of records." Accordingly, there may be no protection of private notes or data that are not organized as a record system. More importantly, the Privacy Act has a number of exceptions that have been widely construed. In particular, the "routine uses" exception may permit disclosure of data for purposes consistent with the original collection of the data. Agencies and courts may have variable interpretations of the "routine uses" and other exceptions, leading to a permissive approach to the release of confidential information.
Judicially compelled disclosure has concerned many health authorities and researchers because of the possibility that courts will find that the government's interest in the administration of justice outweighs the individual's or agency's interest in privacy. For the most part, courts have accepted the arguments of the CDC and others of the overriding importance of privacy, but, in the absence of a statute, no solid assurances exist that courts will not require disclosure in future cases.
Beyond the Privacy Act and the Freedom of Information Act, there exists a highly fragmented series of privacy protections. Focusing special protection on specific diseases (e.g., substance abuse, or HIV/AIDS) or on particular activities (e.g., research) can certainly be valuable. It marks society's particular concern with the confidentiality of sensitive health information.
Still, disease-specific confidentiality statutes create inconsistencies in the rules for the dissemination of information. Different standards apply to data held by the same health care facility depending on whether the patient is receiving treatment for substance abuse, HIV, or some other disease. Further, there is no reason to believe that data relating to certain diseases are always more sensitive or deserving of protection than other data. For example, it is possible that for some patients data about breast cancer, epilepsy, or Huntington's disease are just as intimate as data about HIV infection, AIDS, alcohol dependence or a sexually transmitted disease. Overly strict confidentiality rules, moreover, could impede the dissemination of data relating to treatment for drug or alcohol dependency, HIV infection or AIDS for valid purposes such as billing, research, or public health. The creation of strict disease-specific standards means that the dissemination of data in some systems and for some diseases is so restricted that legitimate health goals are undermined, while other data receive insufficient protection.

V. Conclusion

National reviews of privacy policy have consistently argued for more uniform protection of health information privacy. The Department of Health and Human Services, the Institute of Medicine, and the Congressional Office of Technology Assessment have all pointed to the principles of fair information practices as a starting point for further policy development. Certainly, there exist no easy answers to the potential conflicts between the need to collect and use sensitive health information and the need to safeguard individual privacy. Yet sound health policy demands that careful consideration be given to the privacy and security of identifiable data as the health care and public health systems move toward the development of a health information infrastructure.

Part Eight: Future Options for Protection of Health Information Privacy and Conclusion

I. Introduction

Powerful reasons justify the need for the broad collection and use of health data. High quality data are needed by public health officials, health care providers, patients and health policy makers. Adequate access to information helps consumers make informed choices among health plans and providers; helps health care providers deliver more effective clinical care; and allows system managers to assess the quality and cost effectiveness of health services, monitor fraud and abuse, track and evaluate access to health services and patterns of morbidity and mortality among underserved populations, and research the determinants, prevention, and treatment of disease.
Aggressive collection of a broad range of personal data, of course, has a significant trade-off in loss of privacy. American society places a high value on individual rights, autonomous decision making, and the protection of the private sphere from governmental or other intrusion. Concerns about privacy transcend the health care setting. Health information is perhaps the most intimate, personal, and sensitive of any information maintained about an individual. As the U.S. health care system grows in size, scope, and integration, the susceptibility of that information to disclosure will also increase. This section reviews the fundamental issues raised by existing privacy laws at the state and federal level; describes a range of possible legislative solutions, including state reform of privacy laws, adoption of existing model legislation, or federal reform; and presents recommendations for drafting laws governing health information derived from the June 1995 expert consultation. Finally, the section emphasizes the importance of fostering an on-going dialogue between health and health policy-makers in all the states.

II. Fundamental Issues Raised by Existing Privacy Law

A. Dual Goals of Health Information Privacy Systems

Thoughtful scholarship in the area of informational privacy sometimes assumes that some significant level of privacy can exist within the development of a comprehensive health information infrastructure. Some commentators suggest that we can have it both ways -- viz., there is no need to significantly limit the collection of data provided there is adequate legal protection for informational privacy. This report describes some of the potential benefits to individual and public health that could follow collection and access to more complete and accurate health information. It also recognizes the potential harms to individuals and society that may result from the accumulation and use of such data.
The growing collection of health-related data and the potential for improper disclosure, secondary use, and security breaches within computerized systems suggest, however, that the resolution of the conflict between the need for information and the privacy of patients will not be simple. The law at present neither adequately protects privacy, nor does it ensure fair information practices. Those engaged in legislative or policy reform must, ultimately, confront the hard choice of whether the systematic collection of identifiable health care data should be sharply limited in order to achieve reasonable levels of informational privacy. The result of that choice would be to reduce considerably the social good that would be achieved from the thoughtful use of data. Alternatively, policy-makers may decide that the value of information collection is so important to the achievement of societal aspirations for health that the law ought not to promise absolute or even significant levels of privacy at all, but rather to require that the data be used only for authorized and limited purposes.
Fortunately, regarding many areas of existing law, the choice is not mutually exclusive. Often the interests of those implementing particular programs, public health and health care personnel, and individual patients lie in both protecting information from improper use or disclosure and making it accessible to health care providers, patients and policy-makers who show a legitimate need for it. Creation of confidentiality protections that are clearly defined and not inconsistent with one another will increase public confidence in the reliability of the protections and promote understanding of public health efforts. Where greater cooperation and public participation results from these efforts, policy-makers can both increase the usefulness of data and encourage trust between members of the public, health care providers, and government health officials.

B. Gaps in Existing Laws

1. Variation from state to state

For the most part, every state and territory has developed its own laws concerning health-related information. This has resulted in a rich and complex variety of confidentiality laws, regulations, and policies that reflect the legislative and policy-making priorities of the individual states, as well as addressing common public health and health care goals. As this report illustrates, however, there are certain gaps in existing laws.
State laws on health information privacy vary substantially from state to state. This can mean that the same information on an individual, collected and maintained in two states, may receive different levels of protection. Information regarding childhood immunizations received in one state may be treated as confidential and protected from release without parental consent. In another state the same information may be accessible to a wide range of individuals, institutions and programs, with or without a specific showing of a legitimate need for the information. This type of variation in laws from state to state can result in confusion on the part of the public and health personnel as to whether medical and immunization information is protected, and create barriers to interstate transfer of information for public health and health care purposes such as facilitating communicable disease control and maintaining up-to-date immunization information for health care providers and educational institutions.

2. Variation in disease-specific statutes

Within a single state disease-specific statutes may demand different levels of privacy protection for health information. Many states have separate standards for confidentiality of information regarding various classifications of disease: communicable, non-communicable, sexually transmitted, or HIV/AIDS. As a result, personal information collected on an individual regarding a case of cryptosporidiosis may receive less protection than information on a person with gonorrhea. In the same state, HIV-related information may receive a distinct and even higher degree of protection, entailing specific standards and procedures for collection and maintenance of information.
Separate privacy standards linked to disease classifications have resulted from independent evolution of the law in each area. They also reflect intrinsic differences in the sensitivity of the information involved or the nature of diseases. Multiple privacy standards have several drawbacks, however. They promote confusion among the public, health care providers and public health personnel. They increase the possibilities for improper disclosure of certain types of information through the application of the wrong standard for protection or disclosure. They also, frequently, do not reflect the reality that almost all health information can be sensitive, and disclosure can have multiple implications. In the example above, although three different levels of protection may apply to the personal information collected on persons with the three different conditions, disclosure of any of the three -- cryptosporidiosis, gonorrhea, and HIV -- may harm or embarrass individuals. Information regarding non-communicable diseases, cancer, or inheritable conditions can be equally sensitive in some situations.

3. Variation in state law depending on who holds the information

The duty to maintain confidentiality of information imposed by state law may also depend on whether it is held by a government agency, private health care provider, health care institution, or non-health related institution. While almost all states have confidentiality provisions that apply to information maintained by the health department or other state agencies, fewer states have comprehensive legislative protection for medical information maintained by private practitioners and institutions. An even smaller number have provisions which specifically impose a duty to maintain confidentiality on the numerous non-health related institutions (employers, insurance companies, colleges, universities and other educational institutions) that currently hold large amounts of health information. In such situations, personal medical information that a patient gives to her doctor may not be protected by statute when it is recorded either in the doctor's office or her hospital record, transferred to her insurance company, supplied to her college, or forwarded to her employer. In these states, such records may, or may not, be protected by common law, professional licensing standards, or diverse institutional policies.
The lack of consistent statutory protection for information held by different entities is problematic for several reasons. The diverse parties that hold health information may not be aware of which standards, if any, apply to them. Where there are no statutory remedies for improper disclosure, persons who are injured by disclosure or transfer of their information must rely on the court system for damages, leading to long delays and inconsistent results. Administrative remedies or proceedings before professional licensure boards may not provide a sufficient deterrent to disclosure.

4. Gaps in federal law

Federal legislation and the United States Constitution provide fragmented and uncertain protection of health information privacy. Constitutional protection only applies to violations of privacy caused by state action. As a result it only covers actions by public agencies. Consequently, health information held by health care providers, most hospitals, employers, insurers, or educational institutions is not covered. In interpreting constitutional protections courts are also likely to defer to reasonable government action to protect the public health.
The Federal Privacy Act and Freedom of Information Act only protect information that fits the statutory definition of "government records." The Privacy Act also includes exceptions that have been interpreted very broadly, including allowing release of information by agencies for a variety of "routine uses."
Information that is otherwise protected at the federal level is also susceptible to judicially compelled disclosures. Such disclosures are of concern to privacy advocates because they do not depend on a consistent set of standards, produce variable results, and provide no reliable foundation for future protection.
In addition to the Privacy Act and Freedom of Information Act, there is a patchwork of protections provided to information regarding specific diseases and conditions, or particular activities. These include protection for information on substance abuse or HIV/AIDS in certain settings, and for information obtained in research that receives federal funds. These disease-specific or activity-specific protections reflect all the benefits and problems discussed above in the section on state legislation. The adoption of disease-specific standards can result in the restriction of use of information concerning some diseases that is so strict that public health goals cannot be reached, while other information, which is equally sensitive, receives little protection.
Thus, under both state and federal standards, health information receives variable protection depending on the nature of the information, and the holder of the information. The variability has negative consequences to both individuals and public health.

III. Potential Solutions

Phase I of this project surveyed and analyzed the existing system of state and federal privacy protections for health information and proposed possible solutions for law reform. Phase II of the project brought together experts from many fields -- health care, public health, law, and ethics -- for a consultation in June 1995 at the Carter Presidential Center to discuss the current status of health information privacy laws and consider proposals for reform of laws governing public health data, HIV-related information and immunization information. These proposals and the other issues raised in this section of the report are relevant to law and policy-makers considering review or reform of health information privacy laws at either the state or federal level.

A. State or Federal Health Information Privacy Laws?

Public health policy-makers and other law-makers can seek to reform each area of health information privacy laws at the federal level or in individual state legislatures. The federal system of the United States favors state sovereignty in areas of law and policy not explicitly controlled by the central government. Thus, issues relating to health care, public health, or disease control activities which have traditionally been subject to state laws remain under state control absent some pressing need. Historically each state has crafted means to protect health information that best suit its needs and traditions. Experimentation at the state level with legislative solutions to complex problems is part of our federal system; however, development of more than fifty different state and territorial approaches to law reform is likely to result in the persistence of the inconsistencies and even conflicts among state privacy laws described by this report. The mobile nature of individuals and families, the increasing growth of health care organizations that operate in multiple states, and the failure of diseases to respect state (or national) borders demand a more unified approach to law reform.
Federal reform of health information privacy laws would create a uniform standard for protection of information in the various areas of health information considered in this survey and ensure that information is transferable from state to state to achieve public health and health care goals. Federal statutory reform could eliminate or reduce the existing gaps in current federal protection of health information privacy. Federal legislation could also provide needed standards for security of health information systems and guidance on other issues (see Federal Legal Protection of Health Information Privacy, above). Programs to establish and maintain education of consumers, health care providers, and policy-makers about the standards and guidelines for protection of health information privacy could be incorporated into federal law or regulations, ensuring an increased level of awareness of health information privacy provisions.
Action at the federal level also has its disadvantages. Imposing reform through federal provisions could eliminate the opportunity for states to experiment and perhaps improve upon current concepts of a uniform standard. Pre-emptive federal provisions would also be at odds with much public health and health care legislation which has generally been within the authority of the states. Finally, federal reform may not be politically feasible, whereas reform of state laws might encounter fewer political barriers.

B. Existing Model Laws

The Uniform Health Care Information Act provides one model for states enacting legislation to protect patients' interests in their medical records. Legislation based on the Uniform Act has been adopted by at least two states (Montana, Washington). The Act imposes on each health care provider the duty to establish reasonable safeguards for the security of all health information in its possession. Health information is defined by the Act as any information, whether oral or recorded in any form or medium, that identifies or can be readily associated with the identity of the patient and relates to the patient's health care. Although the Act does not expressly mention electronic or computerized records, they are included in the Act's purview. Health information held or maintained by governmental agencies is protected by the Government Health Care Information Act, which imparts similar duties to maintain confidentiality on public entities.
Basing proposals for reform of health information privacy provisions on model statutes would allow the states to retain some flexibility in their approaches while still achieving a uniform basic level of protection. Existing model laws may not fully meet the need of those designing or implementing some health information systems, such as immunization registries. Enactment of a Uniform Act requires legislative or public initiatives in each of the more than fifty states and territories. Until such standards are adopted in all jurisdictions there will continue to be problems caused by variability of laws from state to state. Even after universal adoption, variability could persist if some states opt to impose stricter standards for privacy protection than those in the model statute.

IV. Recommendations for Reform of Laws Governing Health Information Systems

At the June 1995 consultation at the Carter Presidential Center, a multi-disciplinary group of experts discussed the results of the national survey of health information privacy laws, the perspectives of participants from public health, health care, AIDS service organizations, childhood immunization advocates and others on the issues of privacy of health information and the need for access to information. The group broke into two sessions to discuss specific issues related to immunization information systems or registries and those posed by collection of public health data, particularly HIV-related data. Based on the discussions of these sessions and the following plenary session, the authors of this report drafted recommendations for review and reform of health information privacy provisions. These recommendations were circulated to the participants of the consultation and other experts for their review and comments. The recommendations contained in this report build on the work done at the consultation in June 1995 at the Carter Presidential Center and additional work by the authors and others who reviewed and commented on the work; they do not represent the official position of the participating organizations.

A. Publicly Held Health Data

The recommendations apply only to personally-identifiable data since they raise the most acute privacy concerns. The inclusion of any uniquely identifiable characteristic, such as a name, social security number, fingerprint, or genetic link, classifies data as identifiable.
The recommendations do not apply to anonymous, unlinkable data because they pose minimal privacy concerns. Data that have all identifiers stripped, with no means to associate the information with a specific person, are anonymous. Blind epidemiological research and statistical applications of aggregate data provide examples of anonymous research that provide strong public health benefits with negligible effects on individual privacy.
Anonymous data can also be linked to an identifiable person with the use of a highly confidential code. Data remain linked to permit future disclosure of information deemed vital to the health or safety of the patient or others -- for example, to inform the patient of an infectious disease or available treatment. Anonymous, linkable data present an intermediate level of privacy concern.
1. Data protection review. A systematic and continuous review of privacy and security is essential to ensure a fair and effective public health information infrastructure. An independent data protection commission at the federal or state level should be established to carefully review privacy and security protocols and practices, including an examination of data collection justifications, informed consent procedures, information for subjects, fair information practices, and disclosures and secondary uses of data. The commission should be comprised of persons with experience and expertise in health care and public health, privacy and security, law and ethics, and include community representatives. To assure accountability and ongoing discussion of privacy, the commission should make public its decisions and reasoning.
2. Data collection justification. Acquisition of health information cannot be regarded as an inherent good. Rather, privacy statutes should require a clear justification for the collection of personally identifiable information by public health authorities. Statutory criteria for data collection include: (i) preventing a significant public health risk, (ii) providing a likely benefit to the subject of treatment or other services, and (iii) conducting surveillance necessary to monitor and ensure the health of populations.
Public health authorities have the burden of demonstrating that data collection is likely to achieve the stated goal. For example, public health authorities may legitimately seek to identify individuals with communicable or sexually transmitted diseases through testing, partner notification, and reporting. Yet, if resources are not provided for counseling and education, and if efficacious therapy does not exist or access to health care is not assured, the purposes of prevention and therapy are unlikely to be achieved.
Public health authorities must substantiate the need for a named identifier when collecting information. If they could achieve the public health goal as well, or better without personal identifiers, the collection of non-identifiable or aggregate data is preferable. These data collection principles recognize that government authority to acquire sensitive personal information ought to be justified by substantial public health goals that cannot be achieved by means that are less invasive of individual privacy.
3. Information for subjects. Even though the government authorizes or mandates the collection of identifiable health data in accordance with the foregoing principles, subjects are still entitled to basic information. Subjects are entitled to know the purposes for the data collection and how the information will be used; the length of time that the data will be stored and the circumstances under which it will be expunged; and the degree to which third parties (e.g., regulators, researchers, and government officials) may obtain access. Data should be acquired, stored, used, and transmitted consistent with the information provided to subjects.
4. Fair information practices. Fair information practices require that no secret data-systems should exist; subjects should have access to information about themselves and to just procedures for correcting and amending their personal record; personal data should be expunged when no longer needed for the stated purpose; and public health officials should assure the reliability of the data for their intended use and take rigorous precautions to prevent misuse of the data.
5. Privacy and security assurances. Legally binding privacy and security assurances should attach to personally identifiable public health information. The collector of public health information would be under a legal duty to maintain the confidentiality of that information and to store it in a secure system. Significant penalties would apply for breach of privacy or security assurances.
Privacy and security assurances under law would apply to all users of the information. Accordingly, when public health information is transmitted to a third party, the recipient would be required to honor the same privacy and security assurances as the record's original holder. The duty to protect data, then, would be transferred simultaneously with the data, as would liability for violation of privacy or security standards.
6. Disclosure of data. Disclosure of public health data could be made only for purposes consistent with the original collection. Thus, data could be disclosed only where clearly necessary to avert a significant health risk, for the direct therapeutic benefit of the subject, or for surveillance. For example, information gathered to prevent a significant public health risk could be shared only with those public health officials or health care professionals essential to avert the risk. This limitation would not undermine public health goals, for the principle permits sharing information, where appropriate, between programs (e.g., STD, TB, drug, alcohol, and mental health) and across systems (e.g., health agencies and health care providers).
Public health authorities must follow the least-intrusive-disclosure principle. Thus, the information disclosed must be as minimally identifiable and as minimally sensitive, and disclosed to as few persons, as necessary to achieve the stated purpose.
7. Secondary uses of the data. Secondary uses of data occur when information is used in ways that are incompatible with the original purposes for collection. Secondary uses of identifiable information beyond those originally intended by the data collector would be permitted only with the informed consent of the subject. Thus, information collected for a permissible purpose such as prevention, treatment, or surveillance, could not be used in other ways that might affect the person's rights, privileges, or benefits without the subject's authorization.
Secondary uses of data in aggregate or non-identifiable form would be permitted without the patient's consent where there is a strong public interest. The U.S. Department of Health and Human Services Task Force on Privacy explained: "An incompatible use is not necessarily a harmful use; in fact, it may be extremely beneficial to the individual and society. There are some incompatible uses that will produce enormous benefits and have at most a trivial effect on the individual's privacy interest."

B. Recommendations for Immunization Information Systems

The following recommendations are intended to assist states in the development of fair and effective immunization information systems.
1. Objectives of registries. The purposes of an information system are to (i) provide accurate, complete, and timely information on immunizations received or due for any child to providers, parents, and public health officials to help parents obtain current immunizations for infants, preschoolers, and school-age children; and (ii) protect information held in the system (through both privacy and security protections) from disclosures that may harm the child or parents, and share the information only for substantial public health purposes.
2. Statutory protection of privacy: a uniform approach. States or localities must have in place strong legislative protections of privacy and security before collection of immunization data commences. Adequate privacy safeguards require restricted access to data, strict penalties for unauthorized disclosure, and protection of the system from court order or subpoena. In addition to statutory protection, written protocols describing the privacy and security standards should be disseminated to employees, providers, parents, and other interested parties.
3. Fair information practices. Statutory protection of privacy should be based on a set of fair information practices: immunization information systems should be known to the public, not secret; parents should have access to information about their children and know how the information is used; parents should consent to uses of information for non-immunization purposes; parents should be able to correct or amend their child's immunization record; public health officials must assure the reliability of the immunization data for their intended use and take rigorous precautions to prevent misuse of the data; and adults should have the right to have personal data expunged when they are no longer necessary for immunization purposes.
4. Type of Registry Information. Early determinations about the type of information that will be contained in the immunization information system will affect the confidentiality, access, and security required in the design and operation of the system. A basic registry must contain the name, address, birth date, immunization dates, vaccines administered, as well as sufficient information to identify and locate custodial parent(s).
Registries that contain sensitive health status information must provide stronger confidentiality safeguards. Registries may include medical contraindications to immunization, adverse reactions to vaccines, allergies, and immune conditions such as HIV status. Furthermore, registries may include: information regarding welfare or medical benefits (including eligibility under the Comprehensive Childhood Immunization Act of 1993); immunization waivers based on religious beliefs; and social or medical information about siblings or other family members.
Registries are likely to contain a personal identifier. Unique identifiers created only for use in the immunization database create fewer risks to privacy. Personal identifiers, such as a social security number, that can be linked with other databases potentially could be used to access and match information in other systems (e.g., those held by social services and child welfare, Medicaid, Aid to Families with Dependent Children, and the Immigration and Naturalization Service).
5. Access to Registry Information. The planning process for deciding who should have access to immunization information should be deliberate, open, documented, and reviewed periodically. Design issues include whether the system should be accessed on-line, through closed electronic panel, by telephone/facsimile, by written request, or in person. For health care providers administering immunizations, access should be as direct as possible (computer or phone/fax with security password). Requests for information from all other parties should be in writing or in person with identification.
The following criteria could be used to determine who has access to data in the immunization record: (i) Is the information necessary for purposes of providing immunization services? Under this criterion, access to identifiable data would be provided to health care providers, immunization programs, custodial parents, schools and day care, and other entities that coordinate or offer immunizations such as WIC programs. (ii) Is the information necessary to achieve other compelling public health objectives that do not conflict with the goals of the immunization program? Public health officials and researchers should gain access to personally identifiable information only where strictly necessary to achieve substantial public health purposes. If the public health purpose could be achieved as well or better with aggregate data, no personally identifiable information should be disclosed. (iii) Is the information necessary to achieve important social objectives that are not compatible with the purposes of the immunization registry? Agencies concerned with criminal justice, social services, immigration, and other non-public health objectives should gain access only to aggregate information.
6. Provider, parental and community involvement. Immunization information systems are intended to help parents, providers, health officials and communities provide each child with up-to-date immunizations, while protecting children and families from privacy invasions. To achieve the support and cooperation of these primary participants, they should be involved in critical discussions about immunization system design and privacy protection. Interested parties such as insurers, employers, and non-public health agencies also have valid interests, but they should not take precedence over the main goals of the system.

V. Conclusion

Any efforts to modify or reform the existing system for protection of health-related information must acknowledge the efforts that have taken place at the state level to protect information and accomplish various health care and public health goals. One way to both acknowledge this debt and engage state health officials and policy-makers in reform efforts is to begin an on-going dialogue between health officials and policy-makers in different states.
This report has outlined recommendations which can focus that dialogue on ways of removing barriers to the achievement of good health while respecting the need to protect the privacy of health information. Absolutist positions on either side will not result in health information systems that can effectively serve both goals.
The collection of information is central to the ability of public and private health systems to provide intervention, treatment, and research, but confidentiality need not be sacrificed to these goals. Much of the information collected in health care settings is profoundly personal; if patients cannot be assured that this information will be protected from further disclosure, the possibility exists that they will no longer agree to cooperate with systems on a voluntary basis.
Many gaps that exist in the current system have been discussed in this report. Future action in the area of health information privacy must consist in part of a legitimate attempt to fill those gaps in ways which will not compromise the ability of health professionals to carry out their duties. The current system not only does not fully protect individual privacy, but the variability that exists across state and local boundaries hampers the achievement of societal goals since there is often an inability to communicate needed information.
Health officials and policy-makers in all the states need to engage in a dialogue now to prevent problems that can only be exacerbated in the future as new and faster information systems are developed. Computerized storage of health information indeed provides for faster retrieval, but also presents additional problems of improper access. Fair information practices should be integrated into legislative protection of health information. Uniform standards nationwide will result in more effective protection of health information privacy.