Model State Public Health Privacy Act, with comments
PRIVACY AND SECURITY OF PUBLIC HEALTH INFORMATION
Lawrence O. Gostin, Professor of Law
Georgetown University Law Center,
Principal Investigator
James G. Hodge, Jr., Adjunct Professor of Law
Georgetown University Law Center,
Project Director
[as of October 1, 1999]
PREFATORY NOTES
The purpose of the Model State Public Health Privacy Act project
is to develop a model state law [hereinafter the “Act”]
addressing privacy and security issues arising from the
acquisition, use, disclosure, and storage of identifiable
health information by public health agencies at the state
and local levels. The Act regulates the acquisition, use,
disclosure, and storage of identifiable, health-related
information by public health agencies without significantly
limiting the ability of agencies to use such information for
legitimate public health purposes.
The Act is divided into eight (8) Articles with various Sections
[please see the Table of Contents below]. The organizational
content of the Act is summarized as follows [please refer
to the text of the Act itself for precise language and
comments].
ARTICLE I, FINDINGS AND DEFINITIONS, sets forth legislative
findings and purposes, as well as key definitions in the
context of the Act, including (1) what it means to “acquire,” “use,” “disclose,”
and “store” information; (2) “protected health information” -- to include only identifiable
information regarding an individual’s health status; and
(3) “legitimate public health purposes” -- referring to those
population-based activities or individual efforts primarily
aimed at the prevention of injury, disease, or premature
mortality, or the promotion of health in the community.
Other key terms frequently mentioned in the Act are also
defined, including “non-identifiable health information,”
“public health agency,” and “public health official.”
These and other definitions underlie the scope of the Act.
Specifically, the Act protects the privacy and security of
identifiable health-related information about individuals
through various measures concerning the acquisition, use,
disclosure, and storage of such information by public health
agencies or public health officials.
Critical to these objectives is the definition of
"protected health information." For the purposes of the Act, this
term means any information, whether oral, written,
electronic, visual, pictorial, physical, or any other form,
that relates to an individual’s past, present, or future
physical or mental health status, condition, treatment,
service, products purchased, or provision of care, and which
(a) reveals the identity of the individual whose health care
is the subject of the information, or (b) where there is a
reasonable basis to believe such information could be
utilized (either alone or with other information that is, or
should reasonably be known to be, available to predictable
recipients of such information) to reveal the identity of
that individual. Since
non-identifiable health information does not implicate
serious privacy and anti-discrimination concerns at the
individual level, information which cannot freely be
identified or linked with the identity of any individual is
not subject to the Act's provisions.
ARTICLE II, ACQUISITION OF PROTECTED HEALTH INFORMATION, sets
forth fundamental requirements concerning the acquisition of
protected health information by public health agencies.
Sections within Article II: (1) restrict the
acquisition of protected health information to that
information which is directly related to achieving
legitimate public health purposes; (2) prohibit the
secretive acquisition of protected health information; (3)
require public notice and comment, accomplished in a
confidential manner, prior to acquiring protected health
information; and (4) require that public health agencies
meet the same requirements for acquisitions of existing
protected health information between agencies.
ARTICLE III, USES OF PROTECTED HEALTH INFORMATION, addresses the
uses of protected health information by public health
agencies. Uses of such information must be (1) directly
related to the legitimate public health purpose for which
the information was acquired; or (2) for public health,
epidemiological, medical, or health services research
provided that several requirements as stated in Section
3-101[c] of the Act are met.
Subsequent uses of the information are allowed
provided the agency can justify them under the standards for
acquisition stated in Article II.
The Act encourages the use of non-identifiable
information whenever possible and requires the minimum
amount of information to be used in the reasonable judgment
of the public health official.
Commercial uses of protected health information are
prohibited. Protected
health information whose use no longer furthers any
legitimate public health purpose must be expunged in a
confidential manner.
ARTICLE IV, DISCLOSURES OF PROTECTED HEALTH INFORMATION,
generally concerns the disclosure of protected health
information by public health agencies to persons outside the
agency. Protected
health information is deemed non-public information, which
cannot be disclosed without the informed consent of the
person who is the subject of the information (or the
person’s lawful representative) unless otherwise allowed
via narrow exceptions stated in the Act.
The Act specifically defines informed consent for the purposes
of disclosures of protected health information from public
health agencies. Protected
health information shall be disclosed for any purpose and to
any person for which the disclosure is authorized via
informed consent. Unless
disclosure of protected health information is specifically
authorized via informed consent or pursuant to the Act,
non-identifiable health information shall be disclosed.
When protected health information must be disclosed,
it shall be limited to the minimum amount of information
needed in the reasonable judgment of the person making the
disclosure. Any
disclosure of protected health information, with or without
informed consent, must be accompanied by a written statement
of the public health agency’s policy on disclosures.
While the Act generally prohibits disclosures without informed
consent, such disclosures may be allowed for narrow
exceptions including (1) to individuals who are the subjects
of the information; (2) to appropriate federal agencies
pursuant to federal or state law; (3) to health care
personnel in the event of an emergency to protect the health
or life of the individual to whom the information relates;
(4) pursuant to a court order authorizing the disclosure
through subpoena, compelled testimony, in a civil, criminal,
administrative, or other legal proceeding; (5) to health
oversight agencies to perform oversight functions concerning
the public health agency; or (6) for the purpose of
identifying a deceased individual, the deceased’s manner
of death, or providing necessary information about a deceased
person who is a donor or prospective donor of an anatomical
gift.
The dilemma of secondary disclosures of protected health
information by persons
who receive the information from public health agencies is
resolved by prohibiting the subsequent disclosure of the
information to other persons unless authorized by the Act.
Finally, public health agencies are required to
establish written records of disclosures of protected health
information.
ARTICLE V, SECURITY SAFEGUARDS AND RECORD RETENTION, imposes the
general duty on public health agencies to acquire, use,
disclose, and store protected health information in a
confidential manner. Specific security measures concerning
protected health information are set forth, including a
requirement that CDC security recommendations concerning
HIV/AIDS information be followed.
The Act proposes the appointment of a new or existing
public health official as a public health information
officer in each public health agency. This individual is
responsible for overseeing the administration of security
and privacy issues inherent in government collection and use
of identifiable protected health information. This
individual is also responsible for preparing and circulating
reports concerning the status of protected health
information privacy on at least an annual basis.
ARTICLE VI, FAIR INFORMATION PRACTICES, sets forth basic fair
information practices designed to allow individuals the
opportunity to inspect and copy their protected health
information in the possession of public health agencies
(subject to minimal limitations), as well as request that
information that is erroneous, incomplete, or false be
corrected, amended, or deleted.
Denials of rights to inspect, copy, or revise
incorrect or incomplete information by the public health
agency must be in writing.
Individuals may appeal such determinations.
ARTICLE VII, CRIMINAL SANCTIONS AND CIVIL REMEDIES, sets forth
various criminal penalties and civil enforcement mechanisms
to protect individuals who are harmed by violations of the
Act by public health agencies, public health officials, and
other persons. Several
forms of immunity are provided.
The State’s Administrative Procedure Act generally
applies to actions taken by public health agencies pursuant
to this Act.
ARTICLE VIII contains MISCELLANEOUS PROVISIONS,
including (1) the short title of the act
(the Model State Public Health Privacy Act); (2) a
uniformity of the law provision; (3) a severability clause;
(4) a clause for repeals of existing state law; (5) a saving
clause concerning preemption; (6) a provision concerning
unintended conflicts of federal and existing state laws; and
(7) a provision setting forth an effective date of the Act
if passed.
COMMENTS explaining the various provisions of the Act follow Sections
of each Article where appropriate.
These Comments are explanatory, not legally binding.
ARTICLE I
FINDINGS AND DEFINITIONS
Section 1-101. Legislative Findings
The [State Legislative Body] finds that:
(1) Public health agencies acquire, use, disclose, or
store an increasing amount of health-related information
about individuals, some of which is highly-sensitive, in
paper-based and electronic forms for legitimate public
health purposes;
(2) Uses of health-related information for legitimate
public health purposes are critically important to
preserving, monitoring, and improving population-based
health as well as personal health of individuals;
(3) Individuals have significant privacy interests with
respect to health-related information which can be
identified to them;
(4) Individual privacy interests in health-related
information justify duties and limitations concerning (a)
the acquisition, use, disclosure, and storage of such
information; (b) individual access to such information in
the possession of public health agencies;
and (c) security protections for such information;
(5) Individual interests in the privacy of health-related
information are significantly reduced when the information
is acquired, used, disclosed, or stored in non-identifiable
forms;
(6) Public health agencies have a significant interest in
protecting the privacy of health-related information in
their possession where protecting the privacy of such
information encourages individuals to participate in public
health programs and objectives; and
(7) While public health agencies generally have an
excellent record of protecting the privacy interests of
individuals in health-related information possessed by the
agencies, additional statutory protections will further
clarify and protect individual privacy interests while
facilitating, without jeopardizing, legitimate public health
purposes.
COMMENTS
________________________________________________
The inclusion of a statement of legislative findings and
purposes [see § 1-102] is a common feature of health information privacy
legislation, whether federal or state.
These findings and purposes serve as useful guides
for officials, courts, and the public to understand the
bases for which the Act was drafted and enacted.
These statements should not be read to provide
substantive protections like the remainder of the Act.
Thus, while these statements do not compel or
prohibit conduct nor provide authority for certain actions
or inactions, they help to illustrate some of the principles
which underlie the purposes and objectives of the Act.
Section 1-102. Purposes
The [State Legislative Body] states that the purposes of this Act are to:
(1) Address privacy and security issues arising from the
acquisition, use, disclosure, and storage of protected
health information by public health agencies at the State
and local levels;
(2) Protect health-related information in the possession
of public health agencies against unauthorized disclosures
without significantly limiting the ability of agencies to
use such information for legitimate public health purposes;
(3) Encourage wide use and disclosure of non-identifiable
health information because this information does not
implicate privacy and security concerns at the individual
level and may greatly facilitate the accomplishment of
legitimate public health purposes;
(4) Require the acquisition and uses of protected health
information to be consistent with legitimate public health
purposes;
(5) Prohibit disclosures of protected health information
without the informed consent of the individual who is the
subject of the information, with specified, narrow
exceptions;
(6) Impose the duty on public health agencies to hold and
use protected health information securely;
(7) Impose a general duty on public health agencies to
ensure the accuracy of protected health information;
(8) Allow individuals access to their protected health
information in the possession of public health agencies
through inspection and copying privileges;
(9) Provide individuals the opportunity to request the
correction, amendment, or deletion of erroneous, incomplete,
or false protected health information; and
(10) Prescribe various criminal penalties and civil
enforcement mechanisms to protect individuals who are harmed
by violations of the Act by public health agencies, public
health officials, and other persons.
Section 1-103. Definitions
As used in this Act, these terms shall be defined as follows:
(1) “Acquire,” “Acquired,” or “Acquisition”
means to collect or gain possession or control of any part
of protected health information for legitimate public health
purposes.
(2) "Act" means the Model State Public Health Privacy Act.
(3) "Amend" means to indicate one or more disputed entries in protected
health information or to change the entry without
obliterating the original information.
(4) "Confidentiality statement" means a written statement dated and
signed by an applicable individual which certifies the
individual's agreement to abide by the security policy of a
public health agency, as well as this Act.
(5) “Disclose,” “Disclosed,” or “Disclosure”
means to release, transfer, disseminate, provide access to,
or otherwise communicate or divulge all or any part of any
protected health information to any person or entity, other
than a public health agency or authorized public health
official.
(6) “Expunge” or “Expunged” means to permanently destroy, delete, or make
non-identifiable.
(7) “Health oversight agency” means a person who (a) performs or oversees an
assessment, investigation, or prosecution relating to
compliance with legal or fiscal standards concerning fraud
or fraudulent claims regarding health care, health services
or equipment, or related activities; and (b) is a public
executive branch agency, acts on behalf of a public
executive branch agency, acts pursuant to a requirement of a
public executive branch agency, or carries out such
activities under federal or state law.
(8) "Institutional review board" means any board, committee, or other
group formally designated by an institution or authorized
under federal or state law to review, approve the initiation
of, or conduct periodic review of research programs to
assure the protection of the rights and welfare of human
research subjects, consistent with requirements of the
Federal Policy for the Protection of Human Subjects.
(9) “Legitimate public health purpose” means a population-based activity or
individual effort primarily aimed at the prevention of
injury, disease, or premature mortality, or the promotion of
health in the community, including (a) assessing the health
needs and status of the community through public health
surveillance and epidemiological research, (b) developing
public health policy, and (c) responding to public health
needs and emergencies.
(10) “Non-identifiable health information” means any information, whether
oral, written, electronic, visual, pictorial, physical, or
any other form, that relates to an individual’s past,
present, or future physical or mental health status,
condition, treatment, service, products purchased, or
provision of care, and which (a) does not reveal the
identity of the individual whose health status is the
subject of the information, or (b) where there is no
reasonable basis to believe such information could be
utilized (either alone or with other information that is, or
should reasonably be, known to be available to predictable
recipients of such information) to reveal the identity of
that individual.
(11) “Person” means a natural person, corporation, estate, trust,
partnership, limited liability company, association, joint
venture, government or governmental body, or any other legal
or commercial entity.
(12) “Protected health information” means any information, whether oral,
written, electronic, visual, pictorial, physical, or any
other form, that relates to an individual’s past, present,
or future physical or mental health status, condition,
treatment, service, products purchased, or provision of
care, and which (a) reveals the identity of the individual
whose health care is the subject of the information, or (b)
where there is a reasonable basis to believe such
information could be utilized (either alone or with other
information that is, or should reasonably be known to be,
available to predictable recipients of such information) to
reveal the identity of that individual.
(13) “Public health” means population-based activities or individual efforts
primarily aimed at the prevention of injury, disease, or
premature mortality, or the promotion of health in the
community.
(14) “Public health agency” means any organization operated by any state
or local government that acquires, uses, discloses, or
stores protected health information for legitimate public
health purposes.
(15) "Public health official" means any officer, employee, private
contractor or agent, intern, or volunteer of a public health
agency with authorization from the agency or pursuant to law
to acquire, use, disclose, or store protected health
information.
(16) “Public information” means information which is generally open to inspection or
review by the general public.
(17) “Request” means a written, dated, and signed correspondence in paper
or electronic form through which the identity of the person
making the request can be verified.
(18) “Requestor” means any individual, the parent or legal guardian of a
minor, or a person’s legally-appointed guardian who makes
a request.
(19) “Store,” “Stored,” or “Storage”
means to hold, maintain, keep, or retain all or any part of
protected health information.
(20) “Use” or “Used” means to employ or utilize all or any part of any protected
health information for a legitimate public health purpose.
COMMENTS
________________________________________________
This Section contains the Act’s definitions.
These definitions are critical to understanding
the scope and extent of the Act and its coverage. Although
these terms may be precisely defined, these definitions also
allow for reasonable interpretation by State Legislative
bodies, public health agencies and officials, courts, and
the public. Through such interpretations, the Act may continue to have
substantive meaning as the types and uses of health-related
information by public health agencies change.
Subsection (1) defines the series of terms “Acquire,”
“Acquired,” or “Acquisition” to mean to collect or gain possession or control
of any part of protected health information for legitimate
public health purposes.
These terms are broadly defined to encompass the
collection or gaining of possession or control of any part
of protected health information by public health agencies.
Subsection (2) defines "Act" to mean the Model State Public Health Privacy Act.
Wherever the word “Act” appears in the body of
the law as stated [unless indicated otherwise], it refers to
the complete Act in its entirety.
Subsection (3) defines the term "Amend"
to mean the indication of one or more disputed entries in
protected health information or to change the entry without
obliterating the original information.
For a public health agency to amend a protected
health information record [as required under § 6-103[b] of
the Act] thus means one of two things: (a) that the agency
indicate that a certain entry of information in the record
is disputed by the individual to whom the entry relates; or
(b) that the agency change an incorrect entry without
destroying the original information.
For example, if a health record used by a public
health agency indicated a person had HIV when this is
demonstrated to be false, the agency would amend the record
to indicate the fallacy of this information without simply
deleting the information itself.
This procedure allows the agency and the individual
who is the subject of the information to verify that a
correction is appropriate and has been made.
Subsection (4) defines "Confidentiality statement"
to mean a written statement dated and
signed by an applicable individual which certifies the
individual's agreement to abide by the security policy of
any public health agency as required under § 5-101[d](2) of
this Act.
Subsection (5) defines the series of terms, “Disclose,” “Disclosed,”
or “Disclosure” to mean the release, transfer, dissemination,
providing access to, or otherwise communicating or divulging
all or any part of any protected health information to any
person or entity other than a public health agency or
authorized public health official.
This definition is critical to Article IV of the Act
and is meant to be broad in scope.
It specifically defines disclosure for the purposes
of the Act to include any communication of protected health
information to any persons outside a public health agency or
an authorized public health official.
Communication of such information between authorized
public health officials within a public health agency or
between public health agencies is not a “disclosure”
under the Act, but a “use” of the information as defined
in Subsection (20).
Subsection (6) defines the terms “Expunge” or “Expunged”
to mean to permanently destroy, delete, or make
non-identifiable. Where
the Act requires protected health information to be
expunged, the information must be physically or
technologically destroyed, deleted from computer or
paper-based records, or made non-identifiable.
Subsection (7) defines “Health oversight agency”
to mean a person who performs or oversees oversight
functions related to fraud or fraudulent claims regarding
health care, health services or equipment, or related
activities and is either (a) a public executive branch
agency, or (b) a person acting on behalf of or pursuant to a
requirement of such an agency, or implementing health
oversight activities under authority of federal or state
law.
Subsection (8) defines "Institutional review board"
to mean any board, committee, or
other group formally designated by an institution or
authorized under federal or state law to review, approve the
initiation of, or conduct periodic review of research
programs to assure the protection of the rights and welfare
of human research subjects, consistent with requirements of
the Federal Policy for the Protection of Human Subjects
[otherwise known as “The Common Rule”].
IRBs are a fixture of the modern medical research
industry. In this Act, the approval of an IRB may be
required to allow for the disclosure of protected health
information for research purposes pursuant to § 3-101[c].
Subsection (9) defines “Legitimate public health purpose”
to mean a population-based
activity or individual effort primarily aimed at the
prevention of injury, disease, or premature mortality, or
the promotion of health in the community.
This includes, but is not limited to, activities such
as (a) assessing the health needs and status of the
community through public health surveillance and
epidemiological research, (b) developing public health
policy, and (c) responding to public health needs and
emergencies. These examples are consistent with
public health objectives as defined by the Institute of
Medicine in its report, The Future of Public Health (1988).
The Act does not attempt to categorically list
substantive legitimate public health purposes, nor does it
concern the merit of such purposes.
As a result, the Act acknowledges that federal,
State, and local governments may legally define what is a
legitimate public health purpose via statutory law,
administrative regulation, case law, or accepted public
health practice. Provided
such definitions are consistent with the broad definition of
legitimate public health purposes in this Act, they shall be
considered authoritative in interpreting and enforcing the
provisions of this Act.
Subsection (10) defines “Non-identifiable health information”
as any information, whether oral,
written, electronic, visual, pictorial, physical, or any
other form, that relates to an individual’s past, present,
or future physical or mental health status, condition,
treatment, service, products purchased, or provision of
care, and which (a) does not reveal the identity of the individual whose health status
is the subject of the information, or (b) where there is no reasonable basis to believe such information could be utilized
(either alone or with other information that is, or should
reasonably be, known to be available to predictable
recipients of such information) to reveal the identity of
that individual.
This definition incorporates similar language as used to define
“protected health information” in Subsection (12) with
two primary differences.
First, non-identifiable health information does not directly reveal the identity of the individual whose health
status is the subject of the information. Direct
identification could occur through the inclusion of many
types of personal information including names, Social
Security numbers, addresses, employers, medical providers,
or other facts. Second,
non-identifiable information cannot be utilized alone or
in conjunction with other information to reveal the identity of
the individual. Thus, for example, if aggregate data about
persons are disclosed that are non-identifiable on their
face, but can be matched or linked with information that is
available to predictable recipients of the disclosed
information, the disclosed data cannot be considered
“non-identifiable” for the purposes of the Act. Unless it can be concluded that health information is
non-identifiable under this definition, it must be
considered protected health information under Subsection
(12).
Subsection (11) defines “Person”
broadly to mean natural persons as well as legal entities
including corporations, trusts, estates, partnerships,
limited liability companies, associations, joint ventures,
governments, or governmental bodies.
Subsection (12) defines “Protected health information”
to mean any information, whether
oral, written, electronic, visual, pictorial, physical, or
any other form, that relates to an individual’s past,
present, or future physical or mental health status,
condition, treatment, service, products purchased, or
provision of care, and which (a) reveals the identity of the individual whose health care is the
subject of the information, or (b) where there is a reasonable basis to believe such information could be utilized
(either alone or with other information that is, or should
reasonably be known to be, available to predictable
recipients of such information) to reveal the identity of
that individual. Since
the privacy and security protections of the Act only confer
to health data which are identifiable to individuals who are
the subjects of the information, this definition should be
interpreted broadly.
The term incorporates a two-part scheme into defining
health-related information for the purposes of the Act.
The information must be identifiable and it must
generally concern one’s health.
The information may be identifiable on its face to
the individual who is the subject of the information. For
example, the information may be in the form of a medical
record or listing that contains one’s name, Social
Security number, or other common identifier.
Alternatively, there may be a reasonable basis to believe such information
could be utilized alone or with other information that is or
may reasonably be available to persons receiving such
information that would allow such persons to reveal the
identity of that individual.
For example, where a health record contains
information that is sufficiently unique to identify the
individual to whom it relates (such as a fingerprint), it
must be considered protected health information.
In addition, if a health record contains sufficient
information to identify an individual to whom it relates
because it provides information which specifically narrows
the class of individuals in an aggregate setting (such as an
HIV report that contains the race, sex, age, county of
residence, date of infection, place of treatment, or other
information about an individual in a rural community with
limited cases of HIV infection), such may also be considered
identifiable in its existing form, and thus protected health
information.
Subsection (13) defines “Public health”
to mean population-based activities or
individual efforts primarily aimed at the prevention of
injury, disease, or premature mortality, or the promotion of
health in the community.
While this definition is broad, it is limited to
activities which are geared toward modern public health
goals. This definition is explicitly incorporated into the
definition of “legitimate public health purpose” in
Subsection (9).
Subsection (14) defines “Public health agency”
to include any organization operated by
any state or local government that acquires, uses,
discloses, or stores protected health information for
legitimate public health purposes. Public health agencies
include, but may not be limited to, public health offices
established by state or local law, testing laboratories,
testing facilities, treatment clinics, research facilities,
and information storage facilities.
Public health agencies do not include
government-funded facilities which primarily provide
individual health care (such as locally-operated hospitals),
governmental organizations which operate primarily in
individual health-related areas (such as workers’
compensation commissions), or private organizations (such as
private research labs) which are merely funded in whole or
part by state or local governments.
Subsection (15) defines "Public health official"
broadly to mean any officer,
employee, private contractor or agent, intern, or volunteer
of a public health agency with authorization from the agency
or pursuant to law to acquire, use, disclose, or store
protected health information.
Virtually anyone, whether public or private, having
access to a public health agency and its protected health
information is to be considered an official of the agency
for the purposes of the Act.
Subsection (16) defines “Public information”
to mean information which is generally
open to inspection or review by the general public.
Protected health information is not public
information, as stated in § 4-101.
Subsection (17) defines “Request”
to mean a written, dated, and signed correspondence in paper
or electronic form through which the identity of the person
making the request can be verified.
Verification of one’s identity is left to the
reasonable discretion of the holder of the request document.
Subsection (18) defines “Requestor”
to mean any individual, the parent or legal guardian of a
minor, or the legally-appointed guardian of another person
(who is mentally incompetent or otherwise unable to make
health-related decisions), who makes a request.
Subsection (19) defines the series of terms, “Store,” “Stored,” or
“Storage,” to mean the holding, maintaining, keeping, or retaining
of all or any part of protected health information. The essence of
this definition centers around the possession
of protected health information by public health agencies
for a period of time.
Subsection (20) defines “Use” or “Used” to mean the employment or
utilization of all or any part of
protected health information for legitimate public health
purposes. The Act allows public health agencies to use
protected health information for legitimate public health
purposes with minimal restrictions.
Uses of such information include transferring
information within or among public health agencies who have
the authority to acquire the information.
Uses do not include disclosing such information to
any person outside a public health agency.
ARTICLE II
ACQUISITION OF PROTECTED HEALTH INFORMATION
Section 2-101. Acquisition of Protected Health Information
[a] In General. A public health agency shall only acquire protected
health information where:
(1) the acquisition relates directly to a legitimate
public health purpose;
(2) the acquisition is reasonably likely to achieve such
purpose, taking into account the provisions of this Act and
other governing laws, and the availability of resources or
means to achieve such purpose; and
(3) the legitimate public health purpose cannot otherwise
be achieved as well or better with non-identifiable
information.
[b] Secret Acquisition. Protected health information shall not be
secretly acquired by a public health agency.
[c] Public Notice Requirements. Prior to implementation of a public
health agency determination to acquire or store protected health
information, the agency shall announce, through public
notice and comment, and through public written notice
distributed and posted in a manner and to such extent as
will reasonably inform members of the affected community,
its intentions to acquire or store protected health
information and the purposes for which the information will
be used. Such
notice shall not identify any individual who is or may be
the subject of protected health information.
Where State or local law requires counseling services
regarding a reportable disease, such counseling services
shall include information that such disease is reportable to
the public health agency and a description of the purposes
for which the individual’s protected health information
will be used by such agency.
COMMENTS
________________________________________________
This Section provides fundamental statutory language concerning
the acquisition of protected health information by public
health agencies. Subsection
[a] states that protected health information shall only be
acquired by a public health agency where the acquisition
relates directly to a legitimate public health purpose and
is reasonably likely to achieve such purpose.
Whether the acquisition of protected health
information is reasonably likely to achieve a legitimate
public health purpose must be assessed consistent with the
provisions of the Act and other governing law [including
federal or state laws authorizing its acquisition or
specifying a legitimate public health purpose], as well as
the availability of resources or means to achieve the
purpose.
This second requirement includes a showing that public health
agencies have sufficient financial and personnel resources
to accomplish the purpose for which the information is
acquired. This
may be shown at either the local or state level.
For example, where a local public health agency
acquires information concerning HIV status among infected
individuals in the community, the fact that this information
is forwarded to the [State
public health agency] for the purposes of surveying HIV
disease in the larger population justifies the local public
health agency’s acquisition of protected health
information even though the local agency cannot alone
accomplish the legitimate public health purpose (surveying
HIV disease in the larger population).
In addition, the agency must consider whether the legitimate
public health purpose cannot otherwise be achieved as well
or better with non-identifiable information. Stated
alternatively, it must be demonstrated that identifiable
information is required to accomplish the legitimate public
health purpose [note that “protected health information”
is defined for the purposes of the Act in § 1-103(12) to
include only personally-identifiable, health-related
information]. Where
such purposes can be achieved through the acquisition of
non-identifiable information [defined for the purposes of
the Act in § 1-103(10)], identifiable information cannot be
justifiably acquired for the same purpose.
This and other provisions of the Act encourage the
acquisition, use, disclosure, and storage of
non-identifiable health information in order to
significantly abate individual privacy concerns.
Subsection [b] requires that protected health information not be
secretly acquired by a public health agency.
Public health agencies shall not covertly acquire
health-related information about individuals. The
acquisition of such information under open and fair
information practices shall not be kept secret from those to
whom the information relates.
Individuals have a right to know that such
information is acquired by public health agencies.
Subsection [c] supports the individual’s and community’s right to
know what protected health information is acquired by public
health agencies through notice requirements to which public
health agencies must adhere prior to the acquisition or
storage of protected health information.
Public notice prior to implementation of the
acquisition or storage of protected health information
should be provided in a State’s administrative register
and through means likely to reach the affected community
(i.e. information and notices distributed through health
care providers and facilities serving the affected community
on an annual or biannual basis).
Such notice, whether via the State’s administrative
register or otherwise, shall not identify any individual who
is or may be the subject of protected health information.
Where State or local governments require health care providers to
provide counseling services to individuals for some
reportable diseases, this Subsection requires as part of
these counseling services that the provider 1) inform the
individual that the disease will be reported to a public
health agency, and 2) briefly describe the legitimate public
health purposes for which the individual’s protected
health information will be used by the agency.
Section 2-102. Subsequent Acquisition of Protected Health Information
A public health agency shall not acquire protected health
information from another local, State, or federal public
health agency unless the acquisition is consistent with the
requirements of Section 2-101.
COMMENTS
________________________________________________
Some acquisitions of protected health information by public
health agencies may occur through the original collection of
health-related information
about individuals through reporting requirements, public
health research, or other information collection practices.
However, public health agencies often acquire such
information through existing sources or collections of
protected health information held by other public health
agencies at the federal, state, or local levels.
This Section requires that the acquiring public
health agency meet the same requirements for acquisition set
forth in § 2-101 for these types of acquisitions.
A similar provision concerning use of the information
is set forth in § 3-101[b].
Thus, if a public health agency in County X wanted to compare its
protected HIV data with similar data in County Y, County X
would have to demonstrate that its acquisition of County
Y’s protected health information is justified under the
three-part showing set forth in § 2-101.