Legislative Survey of State Confidentiality Laws, with Specific Emphasis on HIV and Immunization

This report and the Public Health Information Privacy Project was supported by the Centers for Disease Control and Prevention (CDC), the Council of State and Territorial Epidemiologists (CSTE), and the Task Force for Child Survival and Development of the Carter Presidential Center.
We are particularly grateful to Willis Forrester (CSTE), Verla Neslund (Office of the General Counsel at CDC), William Watson (Task Force for Child Survival and Development), James Curran, George Seastrom, John Ward, James Buehler, Jose Cordero (CDC), Michael Osterholm (CSTE), and Kay Johnson (March of Dimes).
In addition to these individuals, members of the Carter Center Consultation on Public Health Information Privacy (June 1995) who contributed to the recommendations include Susan Abernathy, Cornelius Baker, Mark Barnes, Ronald Bayer, Molla Donaldson, John Fanning, David Fleming, Patricia Fleming, William Foege, Helen Fox-Fields, Cynthia Gomez, Gail Horlick, Mike Isbell, Wilma Johnson, Alan Kendal, Terry O'Brien, Dennis Perotta, Marian Secundy, Dixie Snyder, Susan Timberlake, Ronald Valdiserri, and Brian Willis. Research assistance was provided by Kathleem Maguire, Angie McGowan, Susan Timmer, and Robert Scherer.

Part One: Executive Summary

This report examines current state and federal law protecting the confidentiality of health information. It focuses on four specific areas: public health information held by government, privately held health care information, HIV and AIDS-related information, and immunization information.
The ways in which our modern medical and public health systems collect, store, and use personally identifiable information have increased both the potential benefits from access to such information and the possible harms from improper uses and disclosures. The report examines the importance of both the collection of health information and the protection of its privacy. The collection and use of health information involves two important goals, yet sometimes competing goals: 1) gathering and disseminating accurate and timely information on the incidence and prevalence of disease, health information necessary for health care of individuals, assessment of health care and public health needs and evaluation of programs, services, institutions and providers; and 2) protecting that information from uses or disclosures that cause harm to individuals to whom the information pertains. The report reviews the current privacy safeguards under both state and federal law in order to determine whether they are adequate to protect the privacy of individuals and are consistent with effective health policy.

Public Health Information

Every state and territory provides statutory protection for some types of personal health data maintained by a government agency. Forty-nine states and territories reported protection for general public health data, forty-two specifically protect communicable disease data, and forty-two specifically protect sexually transmitted disease data.
Forty-nine states reported some provision permitting public health officials or others to disclose public health information. Common justifications include disclosure for the purposes of: statistical evaluation (43 states); contact tracing of persons exposed to an infectious disease (39 states); spousal or partner notification of a sexually transmitted disease (37 states); epidemiologic investigations (22 states); and subpoena or court order (14 states).
Forty-two states reported statutory penalties for impermissible disclosures. Of these, thirty one reported criminal penalties, eighteen reported civil penalties, and eight reported both. (see Table 1 for more details).

Health Care Information

Privately held health care information can be protected in a number of ways. Thirty-seven states impose on physicians the duty to maintain the confidentiality of medical records. Twenty-six extend this duty to other health care providers. Thirty-three states and territories require health care institutions to maintain the confidentiality of medical records they hold. The survey found that only four states have specific legislation imposing this duty on insurers, despite the vast amount of information held by insurance companies. Nine states impose a similar duty on employers or other non-health care institutions.
Because of the increase in computerization in the storage of medical data, the survey inquired about the existence of a duty to maintain the confidentiality of electronic or computerized medical records. Only twenty-two states have legislative provisions that protect computerized or electronically transferred data.
Forty-two states protect information received during the course of a physician-patient relationship from disclosure in court proceedings, with certain exceptions. States permit disclosure of health care information for various reasons, including to another health care provider (18), to epidemiologists or researchers (16), and under a subpoena or court order (22).
Twenty-eight states provide statutory penalties for unauthorized disclosure of health care information. Twelve impose criminal penalties, nineteen create civil penalties and three allow for both civil and criminal penalties (See Table 2 for more details).

HIV-Related Information

The importance of both the collection and protection of HIV-related information have been vigorously debated since the beginning of the epidemic. Virtually all states have enacted some HIV-specific statutes, many of which concern information collection and protection either directly or indirectly. Twenty-three states classify HIV/AIDS as a separate category of disease, Sixteen classify it as a communicable disease, and twelve as a sexually transmitted disease. All states require reporting of AIDS cases to the state or local health department. Forty-one states, at the time of this survey required reporting of HIV infection as well.
Thirty-nine states reported either HIV-specific privacy statutes or general privacy provisions that expressly mentioned HIV. The remaining states may protect its confidentiality under other statutes or provisions (see Public Health Data). Forty-eight states and territories allows for disclosure of HIV-related information in certain proscribed circumstances. The most commonly cited permissible disclosure are to: a health care provider involved in the patient's care (43); sexual or needle-sharing partners (37); parties with a subpoena or court order (29); blood banks or organ donors (22); epidemiologists and researchers (22); correctional facilities (14); school officials (12); HMOs, health care institutions, or mental health facilities (14); and insurance companies (8). Some disclosure provisions require that patient-identifying information be removed from the data. Most states permit the above disclosures but do not make them mandatory. Thirty-seven states have spousal/partner notification programs or policies, but very few make them mandatory. Only three states allow for the disclosure of the name of the source patient.
Thirty-eight states report statutory requirements for specific consent for HIV testing including consent to the release of information. However, the absence of an HIV-specific consent statute does not indicate that informed consent is not required in a particular state. Informed consent may be required by other statutes, common law, regulations or policies. Twenty-eight states allow minors to consent to HIV testing, although they may do so under provisions that are not HIV-specific. Forty-five states specify some situations in which informed consent for HIV testing is waived. The most common exceptions which we tabulated separately were for persons charged or convicted of specified sex offenses (33), for emergency workers who have been exposed to a patient's blood (27), for prison or jail inmates (16). Other common exceptions include testing a patient who is incapable of consenting, when the test is necessary to provide medical treatment, for research or epidemiological purposes, where all identifying information is removed from the sample, and for blood, tissue or organs provided for donation. A few states also grant relatively broad discretion to public health authorities to require involuntary testing.
Forty-five states have either criminal or civil penalties for unauthorized disclosure of HIV related information. Thirty-three states have criminal penalties, thirty-three have civil penalties and twenty-one provide for both civil and criminal penalties (See Table 3).

Immunization Information

One of the goals of collecting immunization information is assisting parents to immunize their children completely and on time. Immunization programs also seek to increase immunization coverage in populations and communities. Twenty-two states and the District of Columbia maintain or were in the process of establishing immunization registries at the time of this survey. Eleven states have functional immunization registries; the remaining states are in the process of development. Nine states have enacted statutes that specifically authorize immunization registries, four states operate registries that are not expressly authorized, nine states are currently developing registries or are considering registry bills in their legislatures.
The level of protection accorded to the information contained in the registry, and the type of information collected, differs from state to state. Six of the nine states with immunization registry legislation directly address confidentiality of immunization information in their statutes.
Most other immunization-related provisions concern mandatory immunization for school attendance. In many states, schools are the primary collector of immunization information. Virtually all states require proof of immunization status or exemption for admission to primary school. Forty-seven states mandate that immunization information be reported to the health department (32), schools (44), or child care facilities (25). Overall, forty states permit access to immunization records by the health department, health care providers, school officials, or epidemiologists and other researchers. Of the thirty states without registries, provisions grant access to immunization records by: the health department (18); health care providers (8); school officials (11); researchers (1).
Only sixteen states impose a penalty for impermissible disclosure of immunization-related information. Fifteen designate minor criminal penalties, four provide for civil liability (See Table 4).

Federal Protection of Health Information Privacy

Federal protection of health information privacy is fragmented and uncertain. The U.S. Constitution applies only to state action and, therefore, binds principally federal and state government collection of health information. More important, courts are likely to defer to reasonable governmental action for public health purposes, provided the collection of information is reasonably necessary to achieve an important health purpose and the agency provides reasonable safeguards for privacy and security.
The federal government has also implemented both legislative and regulatory protection of health information privacy. The Privacy Act and the Freedom of Information Act provide the most complete assurance of confidentiality of government records. However, the Privacy Act contains a number of exceptions that have been widely construed, particularly the "routine uses" exception. The Medical Records Confidentiality Act of 1995 (Bennett-Leahy Bill) remains in Senate committee in June 1996. The draft bill includes, inter alia, a description of individual's rights regarding health information, definitions of protected health information, safeguards for such information, restrictions on the use and disclosure of information, and criminal and civil sanctions for violation of disclosure or use provisions. Since the bill remains in committee and subject to amendment, its exact impact, if it is enacted into law, is difficult to determine.
Other federal statutes contain a highly fragmented series of privacy protections for specific diseases (e.g., substance abuse, or HIV/AIDS) or for particular activities (e.g., research).

Future Options for the Protection of Health Information Privacy and Conclusion

Policy makers considering future options for reform or revision of statutes protecting health information privacy encounter common issues in all of the areas of health information covered in this survey. Health information systems have dual goals - increasing collection and access to complete and accurate information for use by patients, health care providers, public health officials, health care institutions, and policy-makers; and protecting sensitive medical information from disclosure that can harm the individual. Policy-makers will not be able to fully realize both goals without sometimes compromising or diminishing one of them. Substantial gaps remain in current statutory privacy protection, including variation in laws from state to state, variation within each state between disease-specific statutes, and variation according to who holds the information. Policy-makers must consider whether reform should take place at the federal or state levels.
Potential solutions for future action include integration of fair information practices into legislative protection of health information; adoption, by each of the states, of model laws such as the Uniform Health Care Information Act or new laws based on the recommendations described in the report (Future Options for Protection of Health Information Privacy and Conclusion); and/or pre-emptive federal legislation that would set uniform standards for protection of health information, establish guidelines for security of information systems, and provide education regarding the requirements and procedures for protection of health information privacy.

Recommendations for laws governing public health data.

The recommendations apply only to personally-identifiable data since they raise the most acute privacy concerns.

1. Data protection review. A systematic and continuous review of privacy and security is essential to ensure a fair and effective public health information infrastructure. An independent data protection commission at the federal or state level should be established to carefully review privacy and security protocols and practices, including an examination of data collection justifications, informed consent procedures, information for subjects, fair information practices, and disclosures and secondary uses of data. The commission should be comprised of persons with experience and expertise in health care and public health, privacy and security, law and ethics, and include community representatives. To assure accountability and ongoing discussion of privacy, the commission should make public its decisions and reasoning.

2. Data collection justification. Acquisition of health information cannot be regarded as an inherent good. Rather, privacy statutes should require a clear justification for the collection of personally identifiable information by public health authorities. Statutory criteria for data collection include: (i) preventing a significant public health risk, (ii) providing a likely benefit to the subject of treatment or other services, and (iii) conducting surveillance necessary to monitor and ensure the health of populations.
Public health authorities have the burden of demonstrating that data collection is likely to achieve the stated goal. For example, public health authorities may legitimately seek to identify individuals with communicable or sexually transmitted diseases through testing, partner notification, and reporting. Yet, if resources are not provided for counseling and education, and if efficacious therapy does not exist or access to health care is not assured, the purposes of prevention and therapy are unlikely to be achieved.
Public health authorities must substantiate the need for a named identifier when collecting information. If they could achieve the public health goal as well, or better without personal identifiers, the collection of non-identifiable or aggregate data is preferable. These data collection principles recognize that government authority to acquire sensitive personal information ought to be justified by substantial public health goals that cannot be achieved by means that are less invasive of individual privacy.

3. Information for subjects. Even though the government authorizes or mandates the collection of identifiable health data in accordance with the foregoing principles, subjects are still entitled to basic information. Subjects are entitled to know the purposes for the data collection and how the information will be used; the length of time that the data will be stored and the circumstances under which it will be expunged; and the degree to which third parties (e.g., regulators, researchers, and government officials) may obtain access. Data should be acquired, stored, used, and transmitted consistent with the information provided to subjects.

4. Fair information practices. Fair information practices require that no secret data-systems should exist; subjects should have access to information about themselves and to just procedures for correcting and amending their personal record; personal data should be expunged when no longer needed for the stated purpose; and public health officials should assure the reliability of the data for their intended use and take rigorous precautions to prevent misuse of the data.

5. Privacy and security assurances. Legally binding privacy and security assurances should attach to personally identifiable public health information. The collector of public health information would be under a legal duty to maintain the confidentiality of that information and to store it in a secure system. Significant penalties would apply for breach of privacy or security assurances.
Privacy and security assurances under law would apply to all users of the information. Accordingly, when public health information is transmitted to a third party, the recipient would be required to honor the same privacy and security assurances as the record's original holder. The duty to protect data, then, would be transferred simultaneously with the data, as would liability for violation of privacy or security standards.

6. Disclosure of data. Disclosure of public health data could be made only for purposes consistent with the original collection. Thus, data could be disclosed only where clearly necessary to avert a significant health risk, for the direct therapeutic benefit of the subject, or for surveillance. For example, information gathered to prevent a significant public health risk could be shared only with those public health officials or health care professionals essential to avert the risk. This limitation would not undermine public health goals, for the principle permits sharing information, where appropriate, between programs (e.g., STD, TB, drug, alcohol, and mental health) and across systems (e.g., health agencies and health care providers).
Public health authorities must follow the least-intrusive-disclosure principle. Thus, the disclosure of information must be the least identifiable, as minimally sensitive, and to the fewest number of persons as necessary to achieve the stated purpose.

7. Secondary uses of the data. Secondary uses of data occur when information is used in ways that are incompatible with the original purposes for collection. Secondary uses of identifiable information beyond those originally intended by the data collector would be permitted only with the informed consent of the subject. Thus, information collected for a permissible purpose such as prevention, treatment, or surveillance, could not be used in other ways that might affect the person's rights, privileges, or benefits without the subject's authorization.
Secondary uses of data in aggregate or non-identifiable form would be permitted without the patient's consent where there is a strong public interest. The U.S. Department of Health and Human Services Task Force on Privacy explained: "An incompatible use is not necessarily a harmful use; in fact, it may be extremely beneficial to the individual and society. There are some incompatible uses that will produce enormous benefits and have at most a trivial effect on the individual's privacy interest."

Recommendations for laws governing immunization information systems

The following recommendations are intended to assist states in the development of fair and effective immunization information systems.

1. Objectives of registries. The purposes of an information system are to (i) provide accurate, complete, and timely information on immunizations received or due for any child to providers, parents, and public health officials to help parents obtain current immunizations for infants, pre-schoolers, and school-age children; and (ii) to protect information held in the system (through both privacy and security protections) from disclosures that may harm the child or parents, and to share the information only for substantial public health purposes.

2. Statutory protection of privacy: a uniform approach. States or localities must have in place strong legislative protections of privacy and security before collection of immunization data commences. Adequate privacy safeguards require restricted access to data, strict penalties for unauthorized disclosure, and protection of the system from court order or subpoena. In addition to statutory protection, written protocols describing the privacy and security standards should be disseminated to employees, providers, parents, and other interested parties.

3. Fair information practices. Statutory protection of privacy should be based on a set of fair information practices: immunization information systems should be known to the public, not secret; parents should have access to information about their children and know how the information is used; parents should consent to uses of information for non immunization purposes; parents should be able to correct or amend their child's immunization record; public health officials must assure the reliability of the immunization data for their intended use and take rigorous precautions to prevent misuse of the data; and adults should have the right to have personal data expunged when they are no longer necessary for immunization purposes.

4. Type of Registry Information. Early determinations about the type of information that will be contained in the immunization information system will affect the confidentiality, access, and security required in the design and operation of the system. A basic registry must contain the name, address, birth date, immunization dates, vaccines administered, as well as sufficient information to identify and locate custodial parent(s).
Registries that contain sensitive health status information must provide stronger confidentiality safeguards. Registries may include medical contraindications to immunization, adverse reactions to vaccines, allergies, and immune conditions such as HIV status. Furthermore, registries may include: information regarding welfare or medical benefits (including eligibility under the Comprehensive Childhood Immunization Act of 1993); immunization waivers based on religious beliefs; and social or medical information about siblings or other family members.
Registries are likely to contain a personal identifier. Unique identifiers created only for use in the immunization database create fewer risks to privacy. Personal identifiers, such as a social security number, that can be linked with other databases potentially could be used to access and match information in other systems (e.g., those held by social services and child welfare, Medicaid, Aid to Families with Dependent Children, and the Immigration and Naturalization Service).

5. Access to Registry Information. The planning process for deciding who should have access to immunization information should be deliberate, open, documented, and reviewed periodically. Design issues include whether the system should be accessed on-line, through closed electronic panel, by telephone/facsimile, by written request, or in person. For health care providers administering immunizations access should be as direct as possible (computer or phone/fax with security password). Requests for information from all other parties should be in writing or in person with identification.
The following criteria could be used to determine who has access to data in the immunization record: (i) Is the information necessary for purposes of providing immunization services? Under this criterion, access to identifiable data would be provided to health care providers, immunization programs, custodial parents, schools and day care, and other entities that coordinate or offer immunizations such as WIC programs. (ii) Is the information necessary to achieve other compelling public health objectives that do not conflict with the goals of the immunization program? Public health officials and researchers should gain access to personally identifiable information only where strictly necessary to achieve substantial public health purposes. If the public health purpose could be achieved as well or better with aggregate data no personally identifiable information should be disclosed. (iii) Is the information necessary to achieve important social objectives that are not compatible with the purposes of the immunization registry? Agencies concerned with criminal justice, social services, immigration, and other non-public health objectives should gain access only to aggregate information.

6. Provider, parental and community involvement. Immunization information systems are intended to help parents, providers, health officials and communities provide each child with up-to-date immunizations, while protecting children and families from privacy invasions. To achieve the support and cooperation of these primary participants, they should be involved in critical discussions about immunization system design and privacy protection. Interested parties such as insurers, employers, and non-public health agencies also have valid interests, but they should not take precedence over the main goals of the system.

Conclusion

Any efforts to modify or reform the existing system for protection of health-related information, must acknowledge the efforts that have taken place at the state level to protect information and accomplish various health care and public health goals. One way to both acknowledge this debt and engage state health officials and policy-makers in reform efforts is to begin an on-going dialogue between health officials and policy-makers in different states.
This report has outlined recommendations which can focus that dialogue on ways of removing barriers to the achievement of good health while respecting the need to protect the privacy of health information. Absolutist positions on either side will not result in health information systems that can effectively serve both goals.
The collection of information is central to the ability of public and private health systems to provide intervention, treatment, and research, but confidentiality need not be sacrificed to these goals. Much of the information collected in health care settings is profoundly personal; if patients cannot be assured that this information will be protected from further disclosure, the possibility exists that they will no longer agree to cooperate with systems on a voluntary basis.
Many gaps that exist in the current system have been discussed in this report. Future action in the area of health information privacy must consist in part of a legitimate attempt to fill those gaps in ways which will not compromise the ability of health professionals to carry out their duties. The current system not only does not fully protect individual privacy, but the variability that exists across state and local boundaries hampers the achievement of societal goals since there is often an inability to communicate needed information.
Health officials and policy-makers in all the states need to engage in a dialogue now to prevent problems that can only be exacerbated in the future as new and faster information systems are developed. Computerized storage of health information indeed provides for faster retrieval, but also presents additional problems of improper access. Fair information practices should be integrated into legislative protection of health information. Uniform standards nationwide will result in more effective protection of health information privacy.

Part Two:Introduction: Final Report

Legislative Survey of State Confidentiality Laws

I.Introduction

The ways in which our modern medical and public health systems collect, store, and use personally identifiable information have increased both the potential benefits from access to such information and the possible harms from improper uses and disclosures of that information. Understanding the complex web of state and federal laws which protect health information privacy and dictate when and under what conditions health data may be disclosed is central to understanding the strengths and weaknesses of current public policy in this area. This project surveyed state and federal law in four areas of health information privacy and analyzed existing law in the context of both the increasing transfer of health information and public and governmental concerns with privacy. This report documents both the results of the survey and the analysis of the current state and federal law regarding public health data, privately held health information, HIV/AIDS-related information, and immunization information. It concludes with a discussion of options for legislative action, including recommendations for drafting privacy laws derived from discussions at an expert consultation in June 1995. This section considers the common issues raised by the increasing collection of health information; the improvements in health status and health services which high quality information facilitates and the real concerns of citizens and privacy advocates that information contained in large health databases may be poorly protected or misused. The section concludes with an outline of the report.

II. Collection of Health Information

Many individuals and entities currently collect, store and use health information. Individual health care providers, hospitals, insurers, employers, and educational institutions collect information to meet the needs of their own practices and/or institutions, or to comply with legal mandates. Public entities including health departments, environmental departments, welfare and family services, social security, government disability, and other offices collect health information in order to achieve societal goals such as improving health, preventing pollution, or providing support for the disabled. Each of these individuals and entities has slightly different justifications for collecting and using health information. This sub-section will briefly examine the potential benefits that timely, complete and accurate information provides of the public health and health care systems.

A.Public Health Data

Collection of information is necessary for the basic public health activities of reporting, case finding, and partner notification or contact tracing. Reliable aggregate information is also vital for policy-makers and program planners responsible for resource allocation, program design, and targeting of prevention programs. Public health policy-makers and program managers need information that reveals differences in status by age, geographic area, and other risk factors. Accurate measurement of this information can help policy-makers assess the barriers in the areas of access, cost, or quality that affect health-improvement efforts. Lack of reliable information hinders program planners and public health officials trying to stop outbreaks of disease or quantify local needs.
Developing a public health information infrastructure is integral to contemporary efforts to "reinvent" the public health system. We define the public health information infrastructure as the framework that undergirds the electronic information collection, storage, use, and transmission supporting the essential functions of the public health system.

B.Health Care System

Collecting accurate and complete health information from individual patients contributes to good patient care. Lack of current information on health status presents problems when an individual sees a health care provider who does not have a comprehensive record of that person's medical history. Lack of complete information can result in a lost opportunity to provide childhood immunizations or to correctly diagnose and treat serious acute or chronic illnesses in adults.
Health care providers' collection of health information not only supports optimal care of individual patients but also facilitates achievement of systemic goals. These include assessing the quality and cost effectiveness of health services, monitoring fraud and abuse, tracking and evaluating access to health services and patterns of morbidity and mortality among underserved populations, and researching the determinants, prevention, and treatment of disease.

C.Goals of Health Information Systems

The usefulness and accessibility of information collected as part of a written or computerized medical record is limited by the nature and structure of the specific confidentiality protection accorded to that information. While no system that collects a large volume of data on individuals can avoid all possible harms due to improper disclosure or misuse of information, certain broad goals guide efforts to collect and manage information. These include ensuring:

1.the integrity of health care data so that information is accurate, complete, and trustworthy -- the integrity of information is critical to quality patient care, assessment of services, research, and public health;

2.the availability of health data so that authorized persons who need the information for legitimate health purposes have ready access to the data -- if clinical information is not readily available to health providers, the best interests of patients may be significantly compromised; and

3.the privacy of patients so that they can be assured that personal information remains private and will not be disclosed without their knowledge and permission.

D.Is it Public Health or Health Care Information?

Many public health functions are the joint responsibility of the personal health care system and the public health system. Accordingly, reliable information needs to be shared across these two health systems. For example, prevention, diagnosis, and treatment of drug and alcohol dependency, sexually transmitted diseases, AIDS, and tuberculosis are undertaken both by private health care providers and public health departments. Similarly, registries containing information about immunizations, traumas, and cancers may provide substantial advantages to both health care providers and health departments in understanding the determinants of disease and outcomes following interventions as well as provide clinical data important for patient care. Consider, as an illustration, the role of health information in the case of tuberculosis control. Persons with multi-drug-resistant tuberculosis frequently come into contact with a wide variety of agencies and organizations (e.g., jails, emergency rooms, homeless shelters, and clinics for HIV, STDs or drug dependency), each of which may be unaware that the person is infectious or may not be taking prescribed anti-tuberculosis drugs. Yet, often none of these entities has ready access to information in the personal health record or tuberculosis registry held by the state public health department. As a result, many of these individuals, who are under the jurisdiction of health, social services, or corrections authorities, are not identified and are at considerable risk of spreading the infection in the community or in congregate settings.

III. Privacy and Health Information

Concerns over patient privacy and the confidentiality of health information have a long history. From the time of the earliest surveillance systems, citizens (often with support from the medical profession) have objected on privacy grounds to governmental acquisition of health status information. Many forms of surveillance, notably reporting, require physicians to disclose patient information to health departments. Surveillance, especially that which involves personally identifiable information, raises several concerns. First, patients, often physically and mentally vulnerable, divulge intimate details of their lives to their physician; medicine's paternalistic traditions have long-recognized that the patients' weakened position compels strict confidentiality assurances even in the face of government demands.'' Second, both law and ethics in the late twentieth century emphasize autonomy as a theoretical justification for privacy; patient autonomy encompasses the right to control the dissemination of personal health information. Third, confidentiality is central to a trusting physician/patient relationship; physicians implicitly or explicitly pledge to guard patient secrets. Fourth, respecting confidences promotes patient candor about health and disease risks; failure to respect informational privacy could lead to decreased disclosures, less frank revelations, or, worse, reluctance to seek care. Finally, unauthorized disclosure of information could result in embarrassment, stigma, and discrimination.
For their part, health departments have a generally excellent history of maintaining the confidentiality of personal information. Disclosure to health departments (as opposed to family, friends, employers, or insurers) seldom produces tangible harm such as stigmatization, embarrassment, loss of employment, or denial of insurance. Yet patients may feel wronged simply because the government -- without patient permission -- maintains automated databases containing intimate and identifiable health information.
Justifications for privacy are based primarily on respect for the individual. In contrast, justifications for collecting and using health information are based mainly on attaining societal or collective goods. To the extent that a health information infrastructure promotes effective public health interventions, ethical values militate in favor of its rapid development. The very purpose of government is to obtain through collective action human goods that individuals by themselves could not realistically procure. Chief among these goods is assurance of the conditions under which people can attain (or maintain) health. Health information alone cannot ensure the community's health, but it can contribute to improved health status and effective disease control.
The American public perceives that the growth in the amount of personal medical information stored by health care providers and related bureaucracies poses a threat to their privacy. A 1993 poll on health information privacy revealed that the vast majority (80%) of respondents believed they had little control over how their personal medical information was used. This concern over the privacy of medical information has affected the debate over health care reform and the plans for a national health care system. Eighty-five percent of the poll respondents stated that maintaining the confidentiality of medical records is absolutely essential or very important in national health care reform.
Health care providers' ability to ensure the privacy of the information they obtain from a patient is critical. If a health care provider cannot assure the patient that the information he provides will not be further disclosed without his permission, the patient will likely hold back when discussing deeply personal items that may be important to his diagnosis and treatment. The patient may even provide false information if he fears that an admission may have consequences outside the doctor's office.
Threats to patient privacy and confidentiality of health information are compounded because records containing health information are held by numerous individuals and entities. One patient may see many health care providers in a lifetime (e.g., primary care physicians, specialists, hospitals, emergency rooms, testing laboratories). Each of those providers will maintain a record on the patient. Other entities (insurers, employers, schools, governmental agencies) also keep records of health data. Because of differences in organization or geographic location, these entities may not be held to the same duty of care in protecting the confidentiality of the records they maintain.
The ability of public health officials to detect and prevent communicable diseases, and provide appropriate services to those already infected, depends on cooperation with the community to encourage voluntary participation in public health programs. If persons in the community fear disclosure of their illness, or discrimination on the basis of seeking services, they will be less likely to come forward for testing, counseling, or treatment, and hesitant to participate in preventive educational programs. Public health officials recognize that protecting public health data from improper disclosure will encourage openness and honesty between individuals and health care providers or public health officials as well as voluntary participation in public health programs.

IV. Outline of Report

This report examines the importance of both the collection of health care information and the protection of privacy of individual patients and confidentiality of health information. It reviews the current privacy safeguards under both state and federal law for public health data, privately held health care information, HIV/AIDS information, and immunization information in order to determine whether they are adequate to protect the privacy of individuals and are consistent with effective health policy.

Part Three: Methodology

I.Purpose

The Centers for Disease Control and Prevention (CDC), the Council of State and Territorial Epidemiologists (CSTE), and the Task Force for Child Survival and Development, supported by the Robert Wood Johnson Foundation, have sponsored a collaborative project on privacy in health care and public health information, with particular emphasis on information related to HIV infection and immunizations. The goal of the project is to review current legal privacy safeguards for these data to determine whether they are adequate to protect the privacy of individuals and are consistent with effective health policy.
Phase I of the project included a survey, compilation and analysis of state statutes, regulations, and executive orders pertaining to privacy in four areas of health-related information (public health data, health care information, HIV/AIDS related information, and immunization information). The research team has been headed by Professor Lawrence O. Gostin, Co-Director of the Georgetown University/Johns Hopkins Program on Law and Public Health.
Phase II of the project involved a consultation held at the Carter Presidential Center, Atlanta, in June 1995 which brought together experts in public health law, epidemiology, health ethics, immunization programs, HIV/AIDS prevention and care, representatives of state and municipal health departments, and the general community. During and after the consultation these experts considered and commented on recommendations for drafting laws relating to the protection of confidentiality of health-related information.
This report details the results of both phases of the project.

II.Structure of the survey

The research team collected and analyzed state laws related to health information in fifty states, the District of Columbia, and Puerto Rico. We collected information using a questionnaire that was developed in consultation with the CDC, the CSTE, and the Task Force for Child Survival and Development and was distributed to the State and Territorial Epidemiologists. The State Epidemiologists transmitted responses to the questionnaire and copies of their state statutes for summary and analysis. We performed computer searches to collect state law for those states which did not respond to the questionnaire. We used follow-up calls to gather additional information.
We classified the data received into categories for subsequent analysis and recorded them on four master tables, devoted to public health, health care, HIV/AIDS, and immunization privacy, respectively. Briefings and phone consultations with program officials at the CDC, CSTE, and the Task Force resulted in refinement of the individual categories and the four master tables.
We also prepared state summaries based on the information submitted by the state epidemiologists. These summaries serve as a basis for the final report but also provide a quick reference for anyone seeking a more detailed description of the privacy laws of each state. In order to assure the accuracy of the information, we faxed or mailed drafts of the summaries to the state epidemiologists for approval or correction, and made follow-up calls were made to obtain final comments.

III. Final Report

This report both summarizes the survey findings on the current federal and state laws in the area of privacy protection of health-related information and presents a discussion of the issues raised and potential options for further development including recommendations for model laws governing various types of health information privacy.
The report first discusses the various protections afforded to health information, which includes both public health data and privately held health care information. Next, there are sections addressing specific laws governing HIV and AIDS-related information and immunization information, including the creation of immunization registries. The report describes the protection offered by federal law to all of these areas of health-related information.
The final section of the report presents a discussion of future options for legislation and policy in the area of health information privacy. In particular it outlines recommendations for model laws governing several areas of health-related information which are based on the consensus of opinions at the June 1995 consultation and subsequent work by research team and select experts.

Part Four:Protection of Public Health Data and Health Care Information

I.Introduction

Health information in the United States is collected and maintained by a wide variety of entities, including among others local and state health departments, disease-specific programs (TB, STD, HIV), private health care providers, hospitals, insurers, employers and educational institutions from day-care to universities. For the purposes of this report these entities will be divided into those that collect and use "public health data" and those who collect and use "health care information." As used here, "public health data" includes all health related information that is collected and maintained by a government agency. This may include data on reportable or communicable diseases; surveillance of non-communicable diseases, or behavioral risk factors; birth defects registries; or other health information databases. "Health care information" includes all health related information that is collected, held, or transferred by private entities. This can include individuals (health care providers) or institutions (hospitals, insurance companies, academic institutions).
This section discusses the particular justifications for collection of both public health data and health care information and the unique privacy concerns raised by such information; it also presents an analysis of the state laws governing protection and disclosure of public health data and health care information. Finally, the gaps in existing law will be considered and compared to other areas of health information. The following two sections will consider specific issues and concerns related to collection, storage and use of two specific types of health-related information: HIV related information and immunization information, respectively. In both cases the single type of information is maintained sometimes by private entities (physicians, hospitals), and other times by public entities (health departments). Consequently, the laws governing the privacy of the information either apply to the public institutions and agencies, or private individuals and institutions, or both.

II.Public Health Data

A.Collection of Public Health Information

The collection, storage, and use of vast amounts of information on the health of populations are among the core functions of public health. Historically, public health surveillance focused on identifying and controlling persons with communicable diseases. In the United States, legal provisions requiring reporting of diseases pre-dated the founding of the republic. A Rhode Island act of 1741 required tavern keepers to report patrons with contagious diseases to the local authorities. Publication of nation-wide data on mortality began in 1850, in the same year as the first decennial census. By the turn of the century all state and municipal laws required reporting to local authorities for some of the most common, deadly communicable diseases, including smallpox, cholera, and tuberculosis. One of the great accomplishments of public health in the twentieth century, the eradication of smallpox, was based, ultimately, on the prompt identification of local outbreaks and vaccination of all susceptible persons who might have been exposed. Recently, reports of clusters of deaths among otherwise healthy residents of the southwestern United States led to the rapid mobilization of investigators. Within months scientists had identified a new strain of hanta virus, described its mode of transmission, and means of prevention.
Increasingly, public health agencies gather data on more than communicable diseases. Concern over environmental risks requires collection of information on children's blood lead levels, the incidence of certain types of cancer, birth defects, and specific pulmonary diseases. In growing recognition of the effects of behavior on personal health, health agencies also collect and analyze information on such behaviors as smoking, alcohol and drug use, exercise, use of seatbelts and bicycle helmets, and sexual practices. Reliable information on communicable, behavioral, and environmental risks enables public health agencies to respond effectively to prevent disease and disability.
The development of a public health information infrastructure is not a distant concept, but an emerging reality. National, regional, and statewide databases are rapidly becoming repositories of a vast amount of public health information. At present, numerous health databases exist with comprehensive data on health status and population-based research. Data registries are maintained for specific diseases such as AIDS, tuberculosis, and cancer, and specific functions such as childhood immunization. The U.S. Public Health Service (PHS) maintains databases on the health status of large populations. The PHS is also funding the development of automated systems to link state and local data bases to systems across the country.' Perhaps the most ambitious public effort to create a population-based database is the National Health and Nutrition Examination Survey (NHANES) conducted by several federal agencies. NHANES systematically collects health status data in identifiable form on some 40,000 Americans in eighty one counties in twenty-six states. Some five hundred pieces of data are collected from each subject, ranging from socio-demographics, diet, bone density and blood pressure, to risk status, drug use, and sexually transmitted diseases. Additionally, NHANES tests and stores biological samples for long-term follow-up and statistical research.
The tools of surveillance and epidemiological research include testing and screening for disease, reporting of the names of active cases to state health departments and aggregate information, stripped of personal identifiers, to the CDC, notification of sexual partners and other contacts, and surveys of the prevalence of disease or risk factors in certain populations. The development of an organized system of disease surveillance and epidemiological research is essential to the success of the public health system. Carefully planned surveillance and epidemiological activities facilitate rapid identification of health needs, including clusters or outbreaks of microbial disease (e.g., HBV, cryptosporidiosis, or E. Coli), the initiation of risk behaviors in sub-populations (e.g., smoking among female adolescents or ethnic minorities), and patterns of harm (e.g., child or spousal abuse, lead poisoning, radon, iatrogenic injuries, or gunshot wounds).
Close and continuous observation of the health of populations can help achieve many of the central objectives of public health: (i) by detecting the existence of environmental, microbial, occupational and other threats to health at an early stage, surveillance can provide an early warning system; (ii) by tracking and monitoring the incidence, patterns, and trends of injury and disease in populations and making future projections, surveillance can help concentrate resources and focus interventions in areas of greatest need; (iii) by identifying modes of transmission, surveillance can provide knowledge for behavioral, social and environmental changes and public health interventions to avert the spread of disease; (iv) by evaluating the success of public health responses, surveillance can help determine their cost effectiveness; and (v) by providing accurate information on health risks to policy makers and the public, surveillance can affect funding decisions and change social norms. In short, surveillance enables public health to define the health problem, inform the public, intervene, and influence funding decisions -- all indispensable to the mission of public health.

B.Privacy Concerns Related to Public Health Data

The American people continue to express their concerns over the uses of information held by government and private individuals (see Introduction). Although public health departments generally have very good records of preventing unauthorized disclosures of health data, the level of confidentiality of public health data, perhaps even more than privately held health data, can be a source of concern for individuals and communities. Systematic collection by government of a broad range of personal health data poses a profound trade-off in loss of privacy. Americans react apprehensively when the government accumulates personally identifiable information about their lives. Health information can reveal intimate aspects about an individual or a family's life, may affect one's ability to hold a job, maintain custody of children, secure immigration status, or obtain access to insurance or public benefits.
To a certain extent, respecting confidences and promoting public health are consistent goals; public health campaigns often depend upon the community's trust and cooperation and include substantive and procedural protections for information obtained in the course of public health work. However, a basic tension exists between the need for information and the need for privacy. Realistically, significant levels of privacy cannot exist within the government's wide and complex web of data collection. Therefore, as a society, we face a vexing issue: What is the proper balance between public health information collection and privacy protection, and how might we realize it?
In many contexts public health officials have fully embraced the need for protecting the confidentiality of personal medical information. Since public health programs often depend on the voluntary participation of the public, policy-makers may prefer programs that build trust between the community and health workers rather than those that erode trust. Contact tracing programs, one of the traditional public health strategies for control of sexually transmitted diseases, traditionally prohibit the disclosure of the identity of the source patient. Reports and investigations of other communicable diseases are generally treated as confidential although their collection, storage and use may be less tightly controlled than information regarding sexually transmitted diseases or HIV.

III.State Legislation Concerning Public Health Data

Public health data, all health-related information which is collected and maintained by government agencies, are distinguishable from personal health care information; they are not gathered principally for diagnostic or therapeutic purposes, but for the aggregate good (e.g., epidemiological assessment, population-based prevention, or research). Public health data include surveillance and reporting of communicable diseases, non-communicable diseases, conditions, or behavioral risk factors, registries, and other government-maintained health information systems. State legislation governing public health data are frequently found among the statutes and regulations that establish public health officials authority to protect the public health or in provisions describing the protections and permitted or mandated disclosures of all information held by the government.

A.Privacy Protection for Data Maintained by Government Agencies

Every state and territory reported statutory or regulatory protection for some types of governmentally-maintained health data. Forty-nine states reported protections for public health information in general, forty-two reported specific protections for information related to communicable diseases, and forty-two reported protections for data related to sexually transmitted diseases (see also, Table 1). All states require reporting of certain communicable or sexually transmitted diseases. This legislation also often mandates the confidentiality of any reports or investigations of communicable or sexually transmitted diseases. States vary widely on whether they rely on disease-specific statutes to protect some publicly held data (TB, STDs, HIV/AIDS) or whether they include protection of all these conditions under their general public health data statutes. It is important to note that states without specific HIV-related confidentiality statutes may also provide equally stringent protection of HIV-related information under comprehensive public health, communicable disease, or sexually-transmitted disease statutes.
Although most, if not all, states have public records provisions which guarantee individuals access to public records, the majority of states explicitly exempt all medical records held or maintained by government agencies from classification as public records.
In many states, public health data collection is increasing through special registries and databases. Registries include information regarding, for example, congenital birth defects, cancers, drug use during pregnancy, or childhood immunizations. Some databases contain a broad range of health data. Statutes establishing these systems often specify standards for safeguarding informational integrity, which may include measures to bar unwanted or unauthorized access, and mechanisms to prevent data modification or destruction. These laws also frequently include criteria for maintaining the information's confidentiality, use, or disclosure. North Carolina, for instance, has established a Center for Health Statistics which is authorized to collect health data on behalf of government agencies and private organizations. The Center's information is held in confidence, closed to public inspection, and subject to security standards.
Residents and lawmakers in some states have expressed concern about the public health system's trend toward collecting more personally-identifiable data. The California Civil Code explicitly states that the indiscriminate collection and dissemination of personal information threatens the right to privacy, that computers have magnified privacy risks, and that governmental use of personal information must be subject to strict limits. California protects personally identifiable information in government health studies; grants public entities a limited privilege for withholding health information; allows agencies to maintain only personal information relevant to the agency's purpose; and requires agencies, whenever possible, to collect information directly from the subject rather than from secondary sources.
Other states reported protections for particular types of public health information. A few states specifically protect the results of government-sponsored scientific studies or privately conducted research based on government data. New York, notably, stipulates that information obtained in specially-designed studies is inadmissible in litigation.

B.Permissible Disclosures of Public Health Information

Forty-nine states reported some provision for divulging public health information. Common justifications include disclosure for the purposes of: statistical evaluation (43 states); contact tracing of persons exposed to an infectious disease (39 states); spousal or partner notification of a sexually transmitted disease (37 states); epidemiologic investigations (22 states); and subpoena or court order (14 states) (see Table 1 for more details).
States vary greatly in the degree of disclosure authorized. A few states have crafted strict criteria for permissible disclosures. Indiana, for example, allows the release of public health information only upon written consent, only to the extent necessary to enforce public health laws, and only in aggregate form if requested for statistical purposes.
Other states extensively list permissible disclosures, while still others rely on a broad general disclosure provision. Two states, Montana and Washington, have adopted the Uniform Health Care Information Act, which permits disclosures for statistical purposes; with written consent; to medical personnel as necessary to protect a patient's health or well-being; as provided in tuberculosis or STD laws; to other state or local health agencies for providing health services or promoting public health purposes; in child abuse proceedings; and where necessary to implement public health legislation or regulations.
The disclosure provisions in California and New York resemble those in the Uniform Act, but also include lists of additional circumstances under which information may be disclosed. California allows identifiable data to be released to the state archives, when the record possesses historical value; and to law enforcement authorities who are investigating unlawful activity involving certification, regulation, or licensing. California law also authorizes limited release of medical and background information on biological parents to adoptees, their children, or grandchildren.
At least one state stipulates that if the state or local health officer believes an individual poses a public health risk, the officer has substantial discretion to release certain kinds of data. Other states permit disclosures to certain classes of people (e.g., emergency workers or funeral home directors after being exposed to an infectious agent, or health care professionals for their own, or their patients' safety).
State statutes may accord varying degrees of protection to data on different diseases. Massachusetts requires a court order for release of information from sexually transmitted disease reports and other diseases covered by specific statutes. Only a subpoena is required for release of data on communicable diseases which are not subject to specific statutes and other public health data.

C.Penalties for Impermissible Disclosure of Public Health Data

Notwithstanding state confidentiality provisions and security arrangements to prevent unauthorized access, the possibility of negligent or intentional disclosures remains. Forty-two states reported statutory penalties for impermissible disclosures. Of these, thirty-one reported criminal penalties, eighteen reported civil penalties, and eight reported both. All states with criminal penalties designate violations as a misdemeanor. Montana's statute is typical: it provides that any person who knowingly violates the confidentiality provisions is guilty of a misdemeanor and upon conviction shall be fined not less than $500 or more than $10,000, be imprisoned in the county jail not less than 3 months or not more than one year, or both.
A typical civil penalty provision mandates that any person who discloses confidential information will be civilly liable to the person whose identity or information was disclosed -- for court costs, attorneys' fees, and exemplary damages, including any damages for economic, bodily, or psychological harm proximately caused by the disclosure. Some states specifically shield health department personnel from liability, unless the breach of confidentiality constitutes willful misconduct or gross negligence (see also Protection of HIV and AIDS Information: Spousal and Partner Notification). Other states authorize removing or impeaching public officials who violate confidentiality laws.

IV.Gaps in Existing Laws Protecting Public Health Data

The survey of state legislation revealed significant problems that affect both the development of fair and effective public health information systems and the protection of privacy. While most states have nominal safeguards of public health privacy, they are often incomplete or inadequate. Statutes may be silent about the degree of privacy protection afforded; confer weaker privacy protection to certain kinds of information; or grant health officials broad and unreviewable discretion to disseminate personal information.
Many of the gaps in existing privacy protections for public health data are similar to those described elsewhere in the report for HIV-related information and health care information. Legislative activity in the each of the states and territories has produced a rich mosaic of laws and policies which may share the same goals but reflect the specific concerns of people and legislators in each state. The independent evolution of each state's laws has also created certain characteristics which can pose problems in today's increasingly mobile society in which people and diseases are constantly on the move. This section considers these distinguishing features in the laws and the impact they have on public health efforts and individual privacy.

A. Variation in Public Health Laws from State to State

State provisions for the protection of health data maintained by government agencies reflect less variation from state to state than do some of the other areas of health information reviewed in this report (see Protection of HIV and AIDS Information, Protection of Immunization Information, and Protection of Health Care Data, below). Virtually all the states and territories have provisions to protect public health data and to limit instances in which disclosure is allowed.
There remain, however, variations from state to state which can pose difficulties. First, statutes seldom narrowly specify individuals and entities who are entitled to access or delineate precise criteria for determining who has a legitimate need for the information. Rather, statutes often provide broad definitions of who may have access. Alternatively, legislation may authorize such broad access so as to undermine the right to privacy. Second, statutes are often silent about secondary uses of information -- i.e., disclosure of data for purposes beyond those used to justify the original collection. Accordingly, the subjects of the data are uncertain about whether, or to what extent, data collected for one purpose may be used for an unrelated purpose. For example, no guidance may be provided about whether data collected for epidemiological purposes can be used for other reasons ranging from clinical diagnosis, treatment and research to uses in the welfare, immigration, and justice systems. Third, statutes often do not explicitly protect public health data from disclosure through subpoena or court order. This may render sensitive data vulnerable to disclosure in civil or criminal proceedings where required by the court. Finally, penalties for disclosure without legal authorization may be weak or non-existent or public health officials may be exempt from liability for their negligent handling of information.
In contrast to weak or erratic protections, other states restrict information access so tightly that the law thwarts public health responses to pressing health problems. Some states, for example, do not expressly permit disclosure to other state and local health departments for the control of communicable diseases. Certain state legislation can even be construed to restrict the intrastate transfer of communicable disease data to public health officials and health care professionals. Consequently, persons with HIV, STDs, or TB may be lost to follow-up when they move from state-to-state, or to different programs within the same state, due to difficulty in releasing patient-identifying information.
Independent evolution of state law has produced considerable variation and inconsistency. Variability, of course, can be a strength in a federal system of government, allowing state experimentation with solutions to complex issues. Variability in surveillance and privacy protection, however, creates problems in an increasingly mobile society in which disease outbreaks may erupt rapidly in several states requiring systematic and consistent collection of comparable data sets. Data sent from state to state do not receive reliable privacy and security protection. Moreover, individuals who relocate across state lines cannot expect continuity in privacy protections of publicly-held health information. For instance, multi-center research, often conducted simultaneously in different states, is carried out in a shifting legal environment in which some states offer data protections while others do not.

B.Differences in Laws Concerning Communicable Diseases, Sexually Transmitted Diseases and Others

The survey revealed a range of stratified legislative schemes, in which states accord particular diseases special status. Many states have enacted disease-specific statutes or provide distinct provisions for different disease categories (e.g., communicable diseases, STDs, tuberculosis, and HIV). Each statute may mandate distinct data collection and reporting procedures, separate security arrangements, discrete justifications for disclosures, and specific permissible secondary uses. In addition, while some state laws rigorously protect certain disease specific data (e.g., HIV/AIDS), they may be silent about guarding information on other conditions (e.g., non-communicable diseases). Consequently, different parts of the same health record may receive different degrees of protection under separate disease-specific statutes. Such a system is apt to confuse public health personnel, health care providers, and the public. Inconsistent protection of intimate health information may lead individuals to misunderstand or distrust public health efforts. Moreover, disease-specific legislation may thwart public health goals by generating separate policies, programs, and procedures for diseases that may share common behavioral risk factors and require a unified approach for treatment and prevention.
The problems presented by such a variation in rules are only compounded by a system that protects intimate information collected by government agencies differently than similar information collected by private entities ranging from health care providers to insurance companies. The next section examines confidentiality protections for health information gathered in the private sphere.

V. Protection of Health Care Information

Historically, the collection of health care information involved primarily two people, the patient and the physician. Occasionally, a physician might ask a family member about information that the patient could not remember, or a nurse might assist the doctor in compiling the information collected. The physician would store the paper record in a file cabinet at the physician's office, usually limiting access to the doctor and his staff.
Now, a myriad of people are involved in the collection of medical information. Patients no longer see one general physician, but instead consult a number of specialists. They may have medical tests performed at numerous locations. Insurance companies require that information from each of these visits be submitted before payment for services is approved. Much or all of this personal data is stored on computer files which may be vulnerable to access by unauthorized persons.
States have used a variety of means to provide protection for health care information collected on their citizens. State case law or statutes may impose a duty to maintain confidentiality of medical records alternately on physicians, other health care providers, health care institutions, insurers, other individuals or entities, or all of the above. In some states the law creates a special duty to maintain the confidentiality of electronic or computerized medical records. The doctrine of physician-patient privilege also affords a degree of protection in court proceedings. Statutes, case law or professional codes of conduct may limit circumstances under which disclosures of medical information are permitted and impose penalties on persons who wrongfully disclosure information.

VI. Privacy Issues and Health Care Information

A.Collection of Health Care Information

Timely and accurate collection of health care information is necessary for good patient care, for the efficient operation of health care institutions and for the fulfillment of systemic goals including quality and cost assessment, prevention of fraud and abuse, evaluating access to health care by underserved populations, and research on causes and prevention of morbidity, mortality, drug efficacy, or side effects. The potential benefits of an integrated health information infrastructure include enhanced consumer choice, improved quality of health services, a healthier population, and reduced health care costs.
When a patient seeks care from a heath care provider who does not have access to the patient's complete medical record, lack of basic information about the patient may prevent the provider from diagnosing the patient's condition quickly, or force the provider to waste precious time tracking down records from other hospitals, private doctors' offices, or public clinics. Much of modern medical care is dependent on a highly detailed record of physical examinations, laboratory tests, diagnostic procedures, and pharmacy records. Most patients cannot and do not know where every piece of information about their medical condition is stored. Therefore, they can often offer little help to the physician who needs their records in order to assess their current condition.
Hospitals and other institutions seeking payment for medical care from third-party payers (private or government insurance) must have complete and accurate information on each patient in order to receive payment. Moreover, accurate information also assists institutional policy-makers who must plan for future allocations of resources and personnel.
Increasingly, the institutions that pay for medical care, private insurance companies and the federal and state governments (through Medicaid and Medicare), are seeking information with which to assess the quality and cost effectiveness of individual providers, programs, treatments, and other interventions. Health care institutions also conduct utilization review procedures to verify the need for hospital admissions, justify the length of patients' hospital stays, the use of diagnostic tests, or other high technology. Professional licensing boards for health care providers may conduct on-going peer review of patient care and other professional activities.
The debate over health care reform revealed that accurate information about the functions of the health care system is central to any debate of the issue. Policy-makers need to know where and how Americans are receiving their health care, and how many people are making due with less than they need. Also critically important are accurate evaluations of the relative efficiencies of the various types of care that are currently being delivered, evaluations of pilot projects to care for the uninsured, and innovative programs to reduce cost while maintaining quality. Policy-makers cannot make informed decisions on these issues without accurate statistics and analysis of the information.

B.Privacy Concerns Related to Health Care Information

Citizens are concerned about both the quantity and the sensitivity of health care information collected about them, as well as the number of individuals and institutions which hold or transfer their personal medical information. The privacy issues raised by the collection of health care information include many of the same concerns discussed elsewhere in the report (see, Protection of Public Health Data, above, and Protection of HIV and AIDS Information and Protection of Immunization Information, below).
The increasing use of computers to record, store and transfer health care information, whether it is by public health departments, private physicians, or insurance companies, is problematic because of the perceived ease with which computerized information can be accessed at multiple sites, by authorized or unauthorized persons. Public fear and distrust of technology and bureaucracy are likely to increase as collection, storage, and dissemination of information becomes even more automated.
Where health care information is linked to patient identifiers, such as social security numbers, individuals may be concerned that anyone knowing their social security number and a few other facts could gain access to their medical records.'' Since social security numbers are used for a variety of purposes not related to social security many people have access to them.
Collection of health care information also raises issues specific to these kinds of health related data. Health care information is often collected and maintained by entities, such as insurance companies, that are not health care providers. Individuals may be concerned that these businesses will not be bound by the same ethical (or legal) standards as health care providers or institutions. There is a substantial market for medical information on individuals and population groups. Patients are reasonably concerned that businesses will treat the intimate details of their medical record as any other business record, to be used, evaluated, or even sold, for business purposes.

VII. State Legislation Concerning Health Care Information
Duty to maintain confidentiality

A majority of states place a duty on physicians to maintain the confidentiality of medical records in their possession. Thirty-seven states find such an obligation (see Table 2 and Appendix One: State Summaries, for more details). States that provide for the confidentiality of medical records often require prior written consent of the patient for release of the record (e.g., California). At least one state's law provides that the patient may presume information about him will be kept confidential (e.g., Minnesota). Even when a patient authorizes release of medical information for one purpose, he is not presumed to have authorized additional disclosures (see, e.g., New York).
Other states provide more limited statutory protection for health care information. Tennessee provides for confidentiality of medical records, but only when the medical information is gathered or generated as the consequence of services paid for at least in part by the state. Tennessee has no general state statute imposing a duty to protect the confidentiality of medical record information. The law does recognize the physician-patient and therapist-patient privilege and, thus, does not protect confidential information obtained in these relationships against forced disclosure in court proceedings.
Twenty six state statutes require other health care providers to keep patient medical records confidential. The duty owed by non-physician health care providers usually mirrors that owed by physicians. For example, in California written authorization of the patient or his legal representative permits disclosure by the health care provider, but does not allow further disclosure by the person who receives that information. New York law specifies that certain licensed professionals (social workers, dentists, etc.) may not reveal personally-identifiable facts, data, or information obtained without the prior consent of the patient.
Thirty-three states require that health care institutions maintain the confidentiality of patient records in their possession. In addition to requiring the facilities to keep medical information confidential, state laws or regulations may require facilities to develop and implement policies designed to assure the security of patient records. Institutions, too are often required to obtain proper authorization to disclose the information. In Colorado, the theft, disclosure, stealing, or copying of physician, health care worker, or hospital information without such authorization is a felony. The state may place limitations on the kind of information the facility may disclose: in Connecticut, institutions, hospitals and facilities of the departments of health services, mental retardation, and mental health may only release information about patients as is required to obtain support and payments from state and federal agencies for the care of such patients, or for review or auditing of federally funded programs. The law may also limit the disclosure of information about certain types of treatment. Information regarding drug or alcohol abuse treatment is protected from disclosure under federal law. Many states provide that information about mental health treatment may not be released without written informed consent (see, e.g., Illinois).
Insurers obtain medical information about patients when claims are submitted for payment. Despite the proliferation of the practice of third-party payment for medical services, only four states expressly require insurers to maintain the confidentiality of medical information that they receive. In New York, an insurance company which has received information about a patient for the purpose of determining benefits must protect the confidentiality of that information from future disclosures. Insurers may, however, be covered under general provisions that require anyone in possession of health care information to protect its confidentiality.
Nine states have specific provisions that impose the duty to maintain confidentiality of medical information on other, non-health care related institutions. Arkansas statutes concerning, among other things, peer review activities, child abuse and neglect information, records of medical examiners, reproductive health, and child sex offenders, all specifically address the issue of confidentiality of medical records. California requires employers who receive medical information to establish appropriate procedures to ensure the confidentiality of and protection from unauthorized use and disclosure of such information.

Duty to maintain confidentiality of electronic or computerized medical records

Computers and other electronic media are fast becoming the storage method of choice for medical and other personal information. Despite this fact, only twenty-two states have specific provisions regarding the protection of confidentiality of records maintained on electronic or computerized media. These provisions offer varying degrees of protection. Several states, such as Tennessee, use the same standards for confidentiality of computerized or electronic records as those applied to paper records. In other states, including Arkansas, statutes governing confidentiality of computerized health care information apply only to public health data; private physicians, hospitals and other health care facilities may or may not be held to the same definition. Oklahoma's Health Care Information System Act provides that individual forms, computer tapes or other forms of data collected by and furnished to the Division of Health Care Information or to a data processor shall be confidential. Statutory protection of computerized data may also lack specificity. Florida requires only that computerized records be kept in accordance with "sound" record-keeping practices.

Physician-Patient Privilege Regarding Health Care Information

Forty-two states recognize the doctrine of physician-patient privilege. This privilege belongs to the patient, not the physician; it may be claimed by the patient, a guardian or conservator of the patient, the personal representative of a deceased patient, or the physician, but only on behalf of the patient. The physician-patient privilege is an evidentiary rule that prevents the disclosure in court proceedings of information obtained from physician-patient interaction for the purpose of diagnosing or treating the patient. The privilege, and therefore the protection, may be waived by the patient expressly to allow the physician to testify, or it may be considered to be waived in certain circumstances, such as the hospitalization of a patient in a psychiatric facility, a court ordered examination of the patient, or when the patient's condition is at issue (as in a malpractice suit). The District of Columbia, however, absolutely prohibits the use of medical records or testimony in local court proceedings without the consent of the patient.
The scope of the privilege varies from state to state. Some states limit the privilege to communications between patients and physicians; others, such as Oklahoma, include psychotherapists; Colorado's privilege rules also cover registered professional nurses; Illinois' Medical Patient Rights Act includes all public and private inpatient and outpatient health care facilities.
Statutes delineating health care provider-patient privilege may include exceptions when the privilege does not apply. The physician-patient privilege in New York has several statutory exceptions. These include, among others, health care providers who must disclose information that a patient under the age of sixteen has been the victim of a crime, the reporting of gunshot or knife wounds, communicable disease reporting, and reporting of addicts or habitual users of narcotic drugs.
Alabama is one of the few states that does not recognize the physician-patient privilege; medical records are subject to subpoena and admission in court.
In addition to any statutory penalties (discussed below, Penalties for Impermissible Disclosure of Health Care Information) physicians who intentionally betray a professional secret or violate a privileged communication, except as otherwise provided by law, can be subject to professional sanctions (e.g., Arizona).

Permitted Disclosures of Health Care Information

In today's health care system, physicians rarely treat an individual without help from other health care providers. Few state laws have specifically recognized this reality; only eighteen expressly provide exceptions to confidentiality rules for disclosures to other health care providers. Such a disclosure is generally lawful when its purpose is to aid in the diagnosis or treatment of the patient. The decision of whether or not to make such a disclosure is often left to the professional judgment of the physician; New Jersey law allows the disclosure, even absent the patient's request, if the physician determines the disclosure to be in the patient's best interests.
Sixteen states have passed laws permitting health care providers to disclose information about their patients to epidemiologists and researchers. These rules usually require that the information be disclosed only to qualified researchers for bona fide research purposes and not be further disclosed in any way that identifies the patient.
Twenty-two states provide that physicians are permitted to disclose health care information under a subpoena or court order. However, even in states that do not expressly include exceptions for the release of information by court order or subpoena, health care providers may be forced to release medical information pursuant to an order of the court.
Many states allow for the release of medical information in various circumstances to accommodate the needs of the current health care environment. Authorization by the patient or the patient's representative will permit the release of records. Some states, such as California, have very specific requirements for consent forms; others do not specify whether the consent needs to be written or oral.
Several states (including California and New York) allow disclosure of health care information to insurers, employers, governmental authorities or anyone else responsible for paying for services rendered to the patient. They also allow disclosure of information to hospital or utilization review committees. Colorado law provides that physician disclosure of such information, in good faith, shall not "constitute libel, slander, or violation of the right to privacy, or of any privileged communication."
In certain states, including Connecticut, physicians are required to report suspected cases of child abuse, elder abuse, or abuse of a physically incompetent or mentally retarded individual. Disclosures made in good faith to law enforcement agencies are protected. Public health reporting requirements are also excepted from rules regarding the confidentiality of health care information.

Penalties for Impermissible Disclosure of Health Care Information
The penalties for impermissible disclosure can be either civil or criminal. Twelve states allow for criminal prosecution while nineteen make the person or entity who failed to maintain confidentiality of medical records liable to civil suit. Three states (California, Minnesota, and Rhode Island) allow for both civil and criminal penalties. Violations may be considered misdemeanors (as in California) or felonies (as in Colorado); punishments can range from fines of $1,000 (Illinois) to fines of not more than $10,000 and imprisonment in the county jail for not more than one year (Montana). In civil suits, plaintiffs may recover both compensatory and punitive damages, attorneys' fees and costs. Additionally, provisions in state Medical Practice Acts (as in Arkansas and Idaho) sometimes make the unauthorized release of medical information grounds for disciplinary action, such as suspension or revocation of licenses.

VIII.Gaps in Existing Laws Protecting Health Care Information

A.Variation from State to State in Laws Protecting Health Care Information

Laws protecting the confidentiality of health care information vary markedly from state to state. In some states there are little or no statutory requirements for health care providers and institutions to protect the confidentiality of health care information. Other states' statutes protect some or all health care information that is not held by government agencies. Only Montana and Washington have implemented the Uniform Health Care Information Act, which holds as its primary aim the maintenance of confidentiality of individual records. Other states may rely only on medical practices and policies to safeguard patient confidentiality. Because health care information and patients frequently move from state to state, the same information on a single patient may be protected in one state, but lose protection when it is transferred to another. Employers, insurers, and other institutions which do business in or have employees in multiple states, may have difficulty determining which standards apply for information obtained, stored, transmitted or used in different states. This may lead to improper or inadvertent disclosures of information. Alternatively, some entities may be unable to pursue systemic goals, such as cost or utilization analyses, when state laws create substantial barriers to access and transfer of health care information.

B.Variation in Protection of Electronic or Computerized Health Care Information

Fewer than one-half of the states (twenty-two) have specific rules safeguarding the confidentiality of electronic or computerized medical records. This failure of law to keep pace with technological advances in information storage creates a substantial impediment to the protection of confidentiality of private health care information. Since much of the health-care industry is now computerized, the storage of personal information in systems that are potentially vulnerable to anyone with access to computer technology (even without legitimate right to the information) is particularly troubling.

C.Variation in Protection of Health Care Information Depending on Who Holds the Information

Whether, and to what degree, laws protect the confidentiality of health care information also depends on who holds the information. Many of the rules regarding the duty to maintain the confidentiality of medical records apply to physicians and hospitals. Health care information is collected, held, transferred, and used by a large number of individual providers and institutions. Only four states, however, specifically impose upon insurers a duty to maintain confidentiality of patient information. Similarly, few states impose a duty on employers to protect information. Since insurers, employers, and other non-health related entities are increasingly involved in the administration of health benefits, the absence of specific confidentiality provisions applicable to these parties may substantially reduce (or eliminate) the effectiveness of any other state provisions protecting privately held health information.

IX.Conclusion: Variation in Protection of Information in the Public versus the Private Sector

Most existing privacy provisions impose a duty to protect information on the individual or entity which holds the record. Legal provisions which impose a duty to protect information on the holder of the information are a remnant of a time when health care information was maintained primarily in physical records that were kept either in a physician's office or the public health department. Such provisions fail to address the current situation in which a substantial amount of data is held in electronic form by parties as diverse as physicians' offices and clinics, hospitals and other health care institutions, the health department, laboratories, insurance companies, the state and federal government, academic institutions, and other researchers. Linking responsibility for the protection of the confidentiality of a record to the holder of the record can mean that a single piece of health care information on an individual is treated differently depending on the identity of the holder.
Virtually all states have in place statutory or regulatory protections for publicly held health information. In some states, however, this is in marked contrast to a relative lack of protection for information held by private health care providers, hospitals, and other institutions. This increases the opportunities for disclosure of sensitive information, misunderstandings of the protection accorded to information, and, possibly, fosters people's distrust of the system.
The current system of state laws with differing levels of protection depending on the type of health c

Legislative Survey of State Confidentiality Laws, with Specific Emphasis on HIV and Immunization

Final Report Presented to:

The U.S. Centers for Disease Control and Prevention The Council of State and Territorial Epidemiologists The Task Force for Child Survival and Development Carter Presidential Center

http://www.epic.org/

Professor Lawrence O. Gostin, J.D., LL.D. (Hon.),

Georgetown University Law Center and

The Johns Hopkins School of Hygiene and Public Health

Zita Lazzarini, J.D., M.P.H.,

Harvard School of Public Health

Kathleen M. Flaherty, J.D.,

Georgetown/Johns Hopkins Program on Law and Public Health

Contact:

Professor Lawrence O. Gostin

Georgetown University Law Center

600 New Jersey Avenue N.W.

Washington, D.C. 20001

phone: (202) 662-9373

fax: (202) 662-9409

E Mail: GOSTIN@LAW.GEORGETOWN.EDU ACKNOWLEDGEMENTS

The U.S. Centers for Disease Control and Prevention
The Council of State and Territorial Epidemiologists
The Task Force for Child Survival and Development Carter Presidential Center

E Mail: GOSTIN@LAW.GEORGETOWN.EDU

ACKNOWLEDGEMENTS