Model State Public Health Privacy Act, with comments

PRIVACY AND SECURITY OF PUBLIC HEALTH INFORMATION

Lawrence O. Gostin, Professor of Law
Georgetown University Law Center,
Principal Investigator

 

James G. Hodge, Jr., Adjunct Professor of Law
Georgetown University Law Center,
Project Director


Model State Public Health Privacy Act, with comments
[as of October 1, 1999]

 

PREFATORY NOTES

The purpose of the Model State Public Health Privacy Act project is to develop a model state law [hereinafter the “Act”] addressing privacy and security issues arising from the acquisition, use, disclosure, and storage of identifiable health information by public health agencies at the state and local levels. The Act regulates the acquisition, use, disclosure, and storage of identifiable, health-related information by public health agencies without significantly limiting the ability of agencies to use such information for legitimate public health purposes. 

The Act is divided into eight (8) Articles with various Sections [please see the Table of Contents below].  The organizational content of the Act is summarized as follows [please refer to the text of the Act itself for precise language and comments].

ARTICLE I, FINDINGS AND DEFINITIONS, sets forth legislative findings and purposes, as well as key definitions in the context of the Act, including (1) what it means to “acquire,” “use,” “disclose,” and “store” information; (2) “protected health information” -- to include only identifiable information regarding an individual’s health status; and (3) “legitimate public health purposes” -- referring to those population-based activities or individual efforts primarily aimed at the prevention of injury, disease, or premature mortality, or the promotion of health in the community. Other key terms frequently mentioned in the Act are also defined, including “non-identifiable health information,” “public health agency,” and “public health official.”

These and other definitions underlie the scope of the Act.  Specifically, the Act protects the privacy and security of identifiable health-related information about individuals through various measures concerning the acquisition, use, disclosure, and storage of such information by public health agencies or public health officials.  Critical to these objectives is the definition of "protected health information." For the purposes of the Act, this term means any information, whether oral, written, electronic, visual, pictorial, physical, or any other form, that relates to an individual’s past, present, or future physical or mental health status, condition, treatment, service, products purchased, or provision of care, and which (a) reveals the identity of the individual whose health care is the subject of the information, or (b) where there is a reasonable basis to believe such information could be utilized (either alone or with other information that is, or should reasonably be known to be, available to predictable recipients of such information) to reveal the identity of that individual.  Since non-identifiable health information does not implicate serious privacy and anti-discrimination concerns at the individual level, information which cannot freely be identified or linked with the identity of any individual is not subject to the Act's provisions.

ARTICLE II, ACQUISITION OF PROTECTED HEALTH INFORMATION, sets forth fundamental requirements concerning the acquisition of protected health information by public health agencies.  Sections within Article II: (1) restrict the acquisition of protected health information to that information which is directly related to achieving legitimate public health purposes; (2) prohibit the secretive acquisition of protected health information; (3) require public notice and comment, accomplished in a confidential manner, prior to acquiring protected health information; and (4) require that public health agencies meet the same requirements for acquisitions of existing protected health information between agencies.

ARTICLE III, USES OF PROTECTED HEALTH INFORMATION, addresses the uses of protected health information by public health agencies. Uses of such information must be (1) directly related to the legitimate public health purpose for which the information was acquired; or (2) for public health, epidemiological, medical, or health services research provided that several requirements as stated in Section 3-101[c] of the Act are met.  Subsequent uses of the information are allowed provided the agency can justify them under the standards for acquisition stated in Article II.  The Act encourages the use of non-identifiable information whenever possible and requires the minimum amount of information to be used in the reasonable judgment of the public health official.  Commercial uses of protected health information are prohibited.  Protected health information whose use no longer furthers any legitimate public health purpose must be expunged in a confidential manner.

ARTICLE IV, DISCLOSURES OF PROTECTED HEALTH INFORMATION,  generally concerns the disclosure of protected health information by public health agencies to persons outside the agency.  Protected health information is deemed non-public information, which cannot be disclosed without the informed consent of the person who is the subject of the information (or the person’s lawful representative) unless otherwise allowed via narrow exceptions stated in the Act.

The Act specifically defines informed consent for the purposes of disclosures of protected health information from public health agencies.  Protected health information shall be disclosed for any purpose and to any person for which the disclosure is authorized via informed consent.  Unless disclosure of protected health information is specifically authorized via informed consent or pursuant to the Act, non-identifiable health information shall be disclosed.  When protected health information must be disclosed, it shall be limited to the minimum amount of information needed in the reasonable judgment of the person making the disclosure.  Any disclosure of protected health information, with or without informed consent, must be accompanied by a written statement of the public health agency’s policy on disclosures.

While the Act generally prohibits disclosures without informed consent, such disclosures may be allowed for narrow exceptions including (1) to individuals who are the subjects of the information; (2) to appropriate federal agencies pursuant to federal or state law; (3) to health care personnel in the event of an emergency to protect the health or life of the individual to whom the information relates; (4) pursuant to a court order authorizing the disclosure through subpoena, compelled testimony, in a civil, criminal, administrative, or other legal proceeding; (5) to health oversight agencies to perform oversight functions concerning the public health agency; or (6) for the purpose of identifying a deceased individual, the deceased’s manner of death, or providing necessary information about a deceased person who is a donor or prospective donor of an anatomical gift.

The dilemma of secondary disclosures of protected health information by persons who receive the information from public health agencies is resolved by prohibiting the subsequent disclosure of the information to other persons unless authorized by the Act.  Finally, public health agencies are required to establish written records of disclosures of protected health information.

ARTICLE V, SECURITY SAFEGUARDS AND RECORD RETENTION, imposes the general duty on public health agencies to acquire, use, disclose, and store protected health information in a confidential manner. Specific security measures concerning protected health information are set forth, including a requirement that CDC security recommendations concerning HIV/AIDS information be followed.  The Act proposes the appointment of a new or existing public health official as a public health information officer in each public health agency. This individual is responsible for overseeing the administration of security and privacy issues inherent in government collection and use of identifiable protected health information. This individual is also responsible for preparing and circulating reports concerning the status of protected health information privacy on at least an annual basis.

ARTICLE VI, FAIR INFORMATION PRACTICES, sets forth basic fair information practices designed to allow individuals the opportunity to inspect and copy their protected health information in the possession of public health agencies (subject to minimal limitations), as well as request that information that is erroneous, incomplete, or false be corrected, amended, or deleted.   Denials of rights to inspect, copy, or revise incorrect or incomplete information by the public health agency must be in writing.   Individuals may appeal such determinations.   

ARTICLE VII, CRIMINAL SANCTIONS AND CIVIL REMEDIES, sets forth various criminal penalties and civil enforcement mechanisms to protect individuals who are harmed by violations of the Act by public health agencies, public health officials, and other persons.  Several forms of immunity are provided.  The State’s Administrative Procedure Act generally applies to actions taken by public health agencies pursuant to this Act.   

ARTICLE VIII contains MISCELLANEOUS PROVISIONS, including (1) the short title of the act (the Model State Public Health Privacy Act); (2) a uniformity of the law provision; (3) a severability clause; (4) a clause for repeals of existing state law; (5) a saving clause concerning preemption; (6) a provision concerning unintended conflicts of federal and existing state laws; and (7) a provision setting forth an effective date of the Act if passed.

COMMENTS explaining the various provisions of the Act follow Sections of each Article where appropriate.   These Comments are explanatory, not legally binding.


ARTICLE I

 

FINDINGS AND DEFINITIONS

Section 1-101.  Legislative Findings

The [State Legislative Body] finds that:

(1)        Public health agencies acquire, use, disclose, or store an increasing amount of health-related information about individuals, some of which is highly-sensitive, in paper-based and electronic forms for legitimate public health purposes;  

(2)        Uses of health-related information for legitimate public health purposes are critically important to preserving, monitoring, and improving population-based health as well as personal health of individuals;

(3)        Individuals have significant privacy interests with respect to health-related information which can be identified to them;

(4)        Individual privacy interests in health-related information justify duties and limitations concerning (a) the acquisition, use, disclosure, and storage of such information; (b) individual access to such information in the possession of public health agencies;  and (c) security protections for such information;

(5)        Individual interests in the privacy of health-related information are significantly reduced when the information is acquired, used, disclosed, or stored in non-identifiable forms;

(6)        Public health agencies have a significant interest in protecting the privacy of health-related information in their possession where protecting the privacy of such information encourages individuals to participate in public health programs and objectives; and

(7)        While public health agencies generally have an excellent record of protecting the privacy interests of individuals in health-related information possessed by the agencies, additional statutory protections will further clarify and protect individual privacy interests while facilitating, without jeopardizing, legitimate public health purposes. 

COMMENTS

________________________________________________

The inclusion of a statement of legislative findings and purposes [see § 1-102] is a common feature of health information privacy legislation, whether federal or state.  These findings and purposes serve as useful guides for officials, courts, and the public to understand the bases for which the Act was drafted and enacted.  These statements should not be read to provide substantive protections like the remainder of the Act.  Thus, while these statements do not compel or prohibit conduct nor provide authority for certain actions or inactions, they help to illustrate some of the principles which underlie the purposes and objectives of the Act.

Section 1-102.  Purposes

The [State Legislative Body] states that the purposes of this Act are to:

(1)        Address privacy and security issues arising from the acquisition, use, disclosure, and storage of protected health information by public health agencies at the State and local levels;

(2)        Protect health-related information in the possession of public health agencies against unauthorized disclosures without significantly limiting the ability of agencies to use such information for legitimate public health purposes;  

(3)        Encourage wide use and disclosure of non-identifiable health information because this information does not implicate privacy and security concerns at the individual level and may greatly facilitate the accomplishment of legitimate public health purposes;

(4)        Require the acquisition and uses of protected health information to be consistent with legitimate public health purposes;

(5)        Prohibit disclosures of protected health information without the informed consent of the individual who is the subject of the information, with specified, narrow exceptions;

(6)        Impose the duty on public health agencies to hold and use protected health information securely; 

(7)        Impose a general duty on public health agencies to ensure the accuracy of protected health information; 

(8)        Allow individuals access to their protected health information in the possession of public health agencies through inspection and copying privileges;

(9)        Provide individuals the opportunity to request the correction, amendment, or deletion of erroneous, incomplete, or false protected health information; and

(10)      Prescribe various criminal penalties and civil enforcement mechanisms to protect individuals who are harmed by violations of the Act by public health agencies, public health officials, and other persons. 

Section 1-103.  Definitions

As used in this Act, these terms shall be defined as follows:

(1) “Acquire,” “Acquired,” or “Acquisition” means to collect or gain possession or control of any part of protected health information for legitimate public health purposes.

(2) "Act" means the Model State Public Health Privacy Act.

(3) "Amend" means to indicate one or more disputed entries in protected health information or to change the entry without obliterating the original information.  

(4) "Confidentiality statement" means a written statement dated and signed by an applicable individual which certifies the individual's agreement to abide by the security policy of a public health agency, as well as this Act.              

(5) “Disclose,” “Disclosed,” or “Disclosure” means to release, transfer, disseminate, provide access to, or otherwise communicate or divulge all or any part of any protected health information to any person or entity, other than a public health agency or authorized public health official.

(6) “Expunge” or “Expunged” means to permanently destroy, delete, or make non-identifiable.

(7) “Health oversight agency” means a person who (a) performs or oversees an assessment, investigation, or prosecution relating to compliance with legal or fiscal standards concerning fraud or fraudulent claims regarding health care, health services or equipment, or related activities; and (b) is a public executive branch agency, acts on behalf of a public executive branch agency, acts pursuant to a requirement of a public executive branch agency, or carries out such activities under federal or state law.

(8) "Institutional review board" means any board, committee, or other group formally designated by an institution or authorized under federal or state law to review, approve the initiation of, or conduct periodic review of research programs to assure the protection of the rights and welfare of human research subjects, consistent with requirements of the Federal Policy for the Protection of Human Subjects.

(9) “Legitimate public health purpose” means a population-based activity or individual effort primarily aimed at the prevention of injury, disease, or premature mortality, or the promotion of health in the community, including (a) assessing the health needs and status of the community through public health surveillance and epidemiological research, (b) developing public health policy, and (c) responding to public health needs and emergencies.

(10) “Non-identifiable health information” means any information, whether oral, written, electronic, visual, pictorial, physical, or any other form, that relates to an individual’s past, present, or future physical or mental health status, condition, treatment, service, products purchased, or provision of care, and which (a) does not reveal the identity of the individual whose health status is the subject of the information, or (b) where there is no reasonable basis to believe such information could be utilized (either alone or with other information that is, or should reasonably be, known to be available to predictable recipients of such information) to reveal the identity of that individual.

(11) “Person” means a natural person, corporation, estate, trust, partnership, limited liability company, association, joint venture, government or governmental body, or any other legal or commercial entity.

(12) “Protected health information” means any information, whether oral, written, electronic, visual, pictorial, physical, or any other form, that relates to an individual’s past, present, or future physical or mental health status, condition, treatment, service, products purchased, or provision of care, and which (a) reveals the identity of the individual whose health care is the subject of the information, or (b) where there is a reasonable basis to believe such information could be utilized (either alone or with other information that is, or should reasonably be known to be, available to predictable recipients of such information) to reveal the identity of that individual.

(13) “Public health” means population-based activities or individual efforts primarily aimed at the prevention of injury, disease, or premature mortality, or the promotion of health in the community.

(14) “Public health agency” means any organization operated by any state or local government that acquires, uses, discloses, or stores protected health information for legitimate public health purposes.

(15) "Public health official" means any officer, employee, private contractor or agent, intern, or volunteer of a public health agency with authorization from the agency or pursuant to law to acquire, use, disclose, or store protected health information.

(16) “Public information” means information which is generally open to inspection or review by the general public.

(17) “Request” means a written, dated, and signed correspondence in paper or electronic form through which the identity of the person making the request can be verified.

(18) “Requestor” means any individual, the parent or legal guardian of a minor, or a person’s legally-appointed guardian who makes a request.

(19) “Store,” “Stored,” or “Storage” means to hold, maintain, keep, or retain all or any part of protected health information.                             

(20) “Use” or “Used” means to employ or utilize all or any part of any protected health information for a legitimate public health purpose.

COMMENTS

________________________________________________

 

This Section contains the Act’s definitions.  These definitions are critical toward understanding the scope and extent of the Act and its coverage. Although these terms may be precisely defined, these definitions also allow for reasonable interpretation by State Legislative bodies, public health agencies and officials, courts, and the public.  Through such interpretations, the Act may continue to have substantive meaning as the types and uses of health-related information by public health agencies change.

Subsection (1) defines the series of terms “Acquire,” “Acquired,” or “Acquisition” to mean to collect or gain possession or control of any part of protected health information for legitimate public health purposes.  These terms are broadly defined to encompass the collection or gaining of possession or control of any part of protected health information by public health agencies.

Subsection (2) defines "Act" to mean the Model State Public Health Privacy Act.  Wherever the word “Act” appears in the body of the law as stated [unless indicated otherwise], it refers to the complete Act in its entirety.

Subsection (3) defines the term "Amend" to mean the indication of one or more disputed entries in protected health information or to change the entry without obliterating the original information.  For a public health agency to amend a protected health information record [as required under § 6-103[b] of the Act] thus means one of two things: (a) that the agency indicate that a certain entry of information in the record is disputed by the individual to whom the entry relates; or (b) that the agency change an incorrect entry without destroying the original information.  For example, if a health record used by a public health agency indicated a person had HIV when this is demonstrated to be false, the agency would amend the record to indicate the fallacy of this information without simply deleting the information itself.  This procedure allows the agency and the individual who is the subject of the information to verify that a correction is appropriate and has been made.

Subsection (4) defines "Confidentiality statement" to mean a written statement dated and signed by an applicable individual which certifies the individual's agreement to abide by the security policy of any public health agency as required under § 5-101[d](2) of this Act.

Subsection (5) defines the series of terms, “Disclose,” “Disclosed,” or “Disclosure” to mean the release, transfer, dissemination, providing access to, or otherwise communicating or divulging all or any part of any protected health information to any person or entity other than a public health agency or authorized public health official.  This definition is critical to Article IV of the Act and is meant to be broad in scope.  It specifically defines disclosure for the purposes of the Act to include any communication of protected health information to any persons outside a public health agency or an authorized public health official.  Communication of such information between authorized public health officials within a public health agency or between public health agencies is not a “disclosure” under the Act, but a “use” of the information as defined in Subsection (20).

Subsection (6) defines the terms “Expunge” or “Expunged” to mean to permanently destroy, delete, or make non-identifiable.  Where the Act requires protected health information to be expunged, the information must be physically or technologically destroyed, deleted from computer or paper-based records, or made non-identifiable.

Subsection (7) defines “Health oversight agency” to mean a person who performs or oversees  oversight functions related to fraud or fraudulent claims regarding health care, health services or equipment, or related activities and is either (a) a public executive branch agency, or (b) a person acting on behalf of or pursuant to a requirement of such an agency, or implementing health oversight activities under authority of federal or state law. 

Subsection (8) defines "Institutional review board" to mean any board, committee, or other group formally designated by an institution or authorized under federal or state law to review, approve the initiation of, or conduct periodic review of research programs to assure the protection of the rights and welfare of human research subjects, consistent with requirements of the Federal Policy for the Protection of Human Subjects [otherwise known as “The Common Rule”].  IRBs are a fixture of the modern medical research industry. In this Act, the approval of an IRB may be required to allow for the disclosure of protected health information for research purposes pursuant to § 3-101[c].

Subsection (9) defines “Legitimate public health purpose” to mean a population-based activity or individual effort primarily aimed at the prevention of injury, disease, or premature mortality, or the promotion of health in the community.  This includes, but is not limited to, activities such as (a) assessing the health needs and status of the community through public health surveillance and epidemiological research, (b) developing public health policy, and (c) responding to public health needs and  emergencies. These examples are consistent with public health objectives as defined by the Institute of Medicine in its report, The Future of Public Health (1988).  The Act does not attempt to categorically list substantive legitimate public health purposes, nor does it concern the merit of such purposes.  As a result, the Act acknowledges that federal, State, and local governments may legally define what is a legitimate public health purpose via statutory law, administrative regulation, case law, or accepted public health practice.  Provided such definitions are consistent with the broad definition of legitimate public health purposes in this Act, they shall be considered authoritative in interpreting and enforcing the provisions of this Act.

Subsection (10) defines “Non-identifiable health information” as any information, whether oral, written, electronic, visual, pictorial, physical, or any other form, that relates to an individual’s past, present, or future physical or mental health status, condition, treatment, service, products purchased, or provision of care, and which (a) does not reveal the identity of the individual whose health status is the subject of the information, or (b) where there is no reasonable basis to believe such information could be utilized (either alone or with other information that is, or should reasonably be, known to be available to predictable recipients of such information) to reveal the identity of that individual. 

This definition incorporates similar language as used to define “protected health information” in Subsection (12) with two primary differences.  First, non-identifiable health information does not directly reveal the identity of the individual whose health status is the subject of the information. Direct identification could occur through the inclusion of many types of personal information including names, Social Security numbers, addresses, employers, medical providers, or other facts.  Second, non-identifiable information cannot be utilized alone or in conjunction with other information to reveal the identity of the individual. Thus, for example, if aggregate data about persons are disclosed that are non-identifiable on their face, but can be matched or linked with information that is available to predictable recipients of the disclosed information, the disclosed data cannot be considered “non-identifiable” for the purposes of the Act.  Unless it can be concluded that health information is non-identifiable under this definition, it must be considered protected health information under Subsection (12).

Subsection (11) defines “Person” broadly to mean natural persons as well as legal entities including corporations, trusts, estates, partnerships, limited liability companies, associations, joint ventures, governments, or governmental bodies.

Subsection (12) defines “Protected health information” to mean any information, whether oral, written, electronic, visual, pictorial, physical, or any other form, that relates to an individual’s past, present, or future physical or mental health status, condition, treatment, service, products purchased, or provision of care, and which (a) reveals the identity of the individual whose health care is the subject of the information, or (b) where there is a reasonable basis to believe such information could be utilized (either alone or with other information that is, or should reasonably be known to be, available to predictable recipients of such information) to reveal the identity of that individual.  Since the privacy and security protections of the Act only confer to health data which are identifiable to individuals who are the subjects of the information, this definition should be interpreted broadly. 

The term incorporates a two-part scheme into defining health-related information for the purposes of the Act.  The information must be identifiable and it must generally concern one’s health.  The information may be identifiable on its face to the individual who is the subject of the information.  For example, the information may be in the form of a medical record or listing that contains one’s name, Social Security number, or other common identifier. 

Alternatively, there may be a reasonable basis to believe such information could be utilized alone or with other information that is or may reasonably be available to persons receiving such information that would allow such persons to reveal the identity of that individual.  For example, where a health record contains information that is sufficiently unique to identify the individual to whom it relates (such as a fingerprint), it must be considered protected health information.  In addition, if a health record contains sufficient information to identify an individual to whom it relates because it provides information which specifically narrows the class of individuals in an aggregate setting (such as a HIV report that contains the race, sex, age, county of residence, date of infection, place of treatment, or other information about an individual in a rural community with limited cases of HIV infection), such may also be considered identifiable in its existing form, and thus protected health information.      

Subsection (13) defines “Public health” to mean population-based activities or individual efforts primarily aimed at the prevention of injury, disease, or premature mortality, or the promotion of health in the community.  While this definition is broad, it is limited to activities which are geared toward modern public health goals. This definition is explicitly incorporated into the definition of “legitimate public health purpose” in Subsection (9).

Subsection (14) defines “Public health agency” to include any organization operated by any state or local government that acquires, uses, discloses, or stores protected health information for legitimate public health purposes. Public health agencies include, but may not be limited to, public health offices established by state or local law, testing laboratories, testing facilities, treatment clinics, research facilities, and information storage facilities.  Public health agencies do not include government-funded facilities which primarily provide individual health care (such as locally-operated hospitals), governmental organizations which operate primarily in individual health-related areas (such as workers’ compensation commissions), or private organizations (such as private research labs) which are merely funded in whole or part by state or local governments.

Subsection (15) defines "Public health official" broadly to mean any officer, employee, private contractor or agent, intern, or volunteer of a public health agency with authorization from the agency or pursuant to law to acquire, use, disclose, or store protected health information.  Virtually anyone, whether public or private, having access to a public health agency and its protected health information is to be considered an official of the agency for the purposes of the Act.

Subsection (16) defines “Public information” to mean information which is generally open to inspection or review by the general public.  Protected health information is not public information, as stated in § 4-101.

Subsection (17) defines “Request” to mean a written, dated, and signed correspondence in paper or electronic form through which the identity of the person making the request can be verified.  Verification of one’s identity is left to the reasonable discretion of the holder of the request document.

Subsection (18) defines “Requestor” to mean any individual, the parent or legal guardian of a minor, or the legally-appointed guardian of another person (who is mentally incompetent or otherwise unable to make health-related decisions), who makes a request.

Subsection (19) defines the series of terms, “Store,” “Stored,” or “Storage,” to mean the holding, maintaining, keeping, or retaining of all or any part of protected health information.  The essence of this definition centers around the possession of protected health information by public health agencies for a period of time.

Subsection (20) defines “Use” or “Used” to mean the employment or utilization of all or any part of protected health information for legitimate public health purposes. The Act allows public health agencies to use protected health information for legitimate public health purposes with minimal restrictions.  Uses of such information include transferring information within or among public health agencies who have the authority to acquire the information.  Uses do not include disclosing such information to any person outside a public health agency.

ARTICLE II

ACQUISITION OF PROTECTED HEALTH INFORMATION

Section 2-101.  Acquisition of Protected Health Information

[a]        In General.  A public health agency shall only acquire protected health information where:

(1)        the acquisition relates directly to a legitimate public health purpose;

(2)        the acquisition is reasonably likely to achieve such purpose, taking into account the provisions of this Act and other governing laws, and the availability of resources or means to achieve such purpose; and

(3)        the legitimate public health purpose cannot otherwise be achieved as well or better with non-identifiable information.

[b]        Secret Acquisition.  Protected health information shall not be secretly acquired by a public health agency.

[c]        Public Notice Requirements.  Prior to implementation of a public health agency determination to acquire or store protected health information, the agency shall announce, through public notice and comment, and through public written notice distributed and posted in a manner and to such extent as will reasonably inform members of the affected community, its intentions to acquire or store protected health information and the purposes for which the information will be used.  Such notice shall not identify any individual who is or may be the subject of protected health information.  Where State or local law requires counseling services regarding a reportable disease, such counseling services shall include information that such disease is reportable to the public health agency and a description of the purposes for which the individual’s protected health information will be used by such agency.

 


COMMENTS

________________________________________________

This Section provides fundamental statutory language concerning the acquisition of protected health information by public health agencies.  Subsection [a] states that protected health information shall only be acquired by a public health agency where the acquisition relates directly to a legitimate public health purpose and is reasonably likely to achieve such purpose.  Whether the acquisition of protected health information is reasonably likely to achieve a legitimate public health purpose must be assessed consistent with the provisions of the Act and other governing law [including federal or state laws authorizing its acquisition or specifying a legitimate public health purpose], as well as the availability of resources or means to achieve the purpose.

This second requirement includes a showing that public health agencies have sufficient financial and personnel resources to accomplish the purpose for which the information is acquired.  This may be shown at either the local or state level.  For example, where a local public health agency acquires information concerning HIV status among infected individuals in the community, the fact that this information is forwarded to the [State public health agency] for the purposes of surveying HIV disease in the larger population justifies the local public health agency’s acquisition of protected health information even though the local agency cannot alone accomplish the legitimate public health purpose (surveying HIV disease in the larger population). 

In addition, the agency must consider whether the legitimate public health purpose cannot otherwise be achieved as well or better with non-identifiable information. Stated alternatively, it must be demonstrated that identifiable information is required to accomplish the legitimate public health purpose [note that “protected health information” is defined for the purposes of the Act in § 1-103(12) to include only personally-identifiable, health-related information].  Where such purposes can be achieved through the acquisition of non-identifiable information [defined for the purposes of the Act in § 1-103(10)], identifiable information cannot be justifiably acquired for the same purpose.  This and other provisions of the Act encourage the acquisition, use, disclosure, and storage of non-identifiable health information in order to significantly abate individual privacy concerns.

Subsection [b] requires that protected health information not be secretly acquired by a public health agency.  Public health agencies shall not covertly acquire health-related information about individuals. The acquisition of such information under open and fair information practices shall not be kept secret from those to whom the information relates.  Individuals have a right to know that such information is acquired by public health agencies.

Subsection [c] supports the individual’s and community’s right to know what protected health information is acquired by public health agencies through notice requirements to which public health agencies must adhere prior to the acquisition or storage of protected health information.  Public notice prior to implementation of the acquisition or storage of protected health information should be provided in a State’s administrative register and through means likely to reach the affected community (i.e. information and notices distributed through health care providers and facilities serving the affected community on an annual or biannual basis).  Such notice, whether via the State’s administrative register or otherwise, shall not identify any individual who is or may be the subject of protected health information.

Where State or local governments require health care providers to provide counseling services to individuals for some reportable diseases, this Subsection requires as part of these counseling services that the provider 1) inform the individual that the disease will be reported to a public health agency, and 2) briefly describe the legitimate public health purposes for which the individual’s protected health information will be used by the agency.

Section 2-102.  Subsequent Acquisition of Protected Health Information

A public health agency shall not acquire protected health information from another local, State, or federal public health agency unless the acquisition is consistent with the requirements of Section 2-101.

COMMENTS

________________________________________________

 

Some acquisitions of protected health information by public health agencies may occur through the original collection of health-related information about individuals through reporting requirements, public health research, or other information collection practices.  However, public health agencies often acquire such information through existing sources or collections of protected health information held by other public health agencies at the federal, state, or local levels.  This Section requires that the acquiring public health agency meet the same requirements for acquisition set forth in § 2-101 for these types of acquisitions.  A similar provision concerning use of the information is set forth in § 3-101[b].

Thus, if a public health agency in County X wanted to compare its protected HIV data with similar data in County Y, County X would have to demonstrate that its acquisition of County Y’s protected health information is justified under the three-part showing set forth in § 2-101.

 

ARTICLE III

USES OF PROTECTED HEALTH INFORMATION

Section 3-101. Uses Consistent With Original Legitimate Public Health Purposes

[a]        In General.  Protected health information shall be used by a public health agency solely for legitimate public health purposes that are directly related to the purpose for which the information was acquired.  Providing access to protected health information to any person other than a public health agency or public health official is not a use.

[b]        Subsequent Uses.  A public health agency may use protected health information for legitimate public health purposes that are not directly related to the purpose for which the information was acquired provided that the agency meets the requirements of Section 2-101[a] and [c] before using such information.

[c]        Research Use.  A public health agency or official may use protected health information for public health, epidemiological, medical, or health services research provided that:

(1)        it is not feasible to obtain the informed consent of the individual who is the subject of the information;

(2)        identifiable information is necessary for the effectiveness of the research project;

(3)        the minimum amount of information necessary to conduct the research is used;

(4)        the research utilizing the protected health information will likely contribute to achieving a legitimate public health purpose;

(5)        the information is made non-identifiable at the earliest opportunity consistent with the purposes of the research project and expunged after the conclusion of the project; and

(6)        such uses are made pursuant to assurances of protections through the execution of a confidentiality agreement after review and approval of an institutional review board.  The agreement shall require any person receiving such information to adhere to protections for the privacy and security of the information equivalent to or greater than such protections provided in this Act.

COMMENTS

________________________________________________

 

Assuming that a public health agency justifiably acquires protected health information under Article II of the Act, this Section describes the ways in which the agency can use the information.  Such uses are limited to legitimate public health purposes that are directly related to the purpose for which the information was acquired as well as for public health, epidemiological, medical, or health services research under set proscriptions [stated below].

Furthermore, providing access to protected health information to any person other than a public health agency or public health official is not a use.  Thus, where a public health agency uses protected health information in such a way that it allows others besides public health agencies or officials to access the information, a disclosure [as defined in § 1-103(5)] has occurred, and the provisions of the Act relating to disclosures of protected health information [Article IV] are applicable.

Should the agency want to subsequently use the information for legitimate public health purposes which are not directly related to the purpose for which it was acquired, it must justify such use under the standards for acquisition in § 2-101[a] and [c].

For example, where a public health agency justifiably acquires information about individuals with sexually-transmitted diseases for the purpose of surveillance of such diseases in the community, it may further use that information for additional public health activities which are directly related to surveillance and control of sexually-transmitted diseases.  It may not use this information, however, for the purposes of matching individuals with sexually-transmitted diseases with persons with tuberculosis in the community absent a showing that the production of such information meets the acquisition standards in § 2-101[a] and [c].

Concerning the use of protected health information for public health and other research, Subsection [c] lists six (6) specific requirements which must be met before protected health information can be used for such purposes by public health agencies or officials.  These standards are modeled after those set forth in federal regulations relating to human subject research (see 45 C.F.R. §§ 46.101-.404 (1996)).  A public health agency or official must show that (1) it is infeasible, either financially or practically, to obtain the informed consent of the individual who is the subject of the information; (2) identifiable information is necessary for the effectiveness of the research project; (3) the minimum amount of information necessary to conduct the research is used (restating a subsequent requirement of § 3-102[b]); (4) the research utilizing the protected health information will likely contribute to achieving a legitimate public health purpose (this purpose may be similar to or different than the purpose for which the public health agency originally acquired the information); (5) the information is made non-identifiable at the earliest opportunity consistent with the purposes of the project and expunged [as defined in § 1-101(6)] after the conclusion of the research project (restating subsequent requirements in §§ 3-102[a], 3-104); and (6) such uses are made pursuant to assurances of protections through the execution of a confidentiality agreement after review and approval by an institutional review board.  The agreement shall require any person receiving such information to adhere to protections for the privacy and security of the information equivalent to or greater than such protections provided in this Act.  Provided these requirements are shown and satisfied, protected health information can be used by public health agencies or officials for a wide variety of health research needs.

Section 3-102.  Scope of Uses

[a]        In General.  Non-identifiable health information shall be used by a public health agency whenever possible consistent with the accomplishment of legitimate public health purposes.

[b]        Minimum Information.  Any use of protected health information permitted by this Act shall be limited to the minimum amount of information which the public health official using the information reasonably believes is necessary to accomplish the legitimate public health purpose.

COMMENTS

________________________________________________

Consistent with the purpose of the Act to protect individual privacy interests in health-related information, Subsection [a] requires that public health agencies use non-identifiable health information whenever possible consistent with the accomplishment of legitimate public health purposes.  Although such determinations are largely left to the discretion of the public health agencies, this Section requires the use of non-identifiable information and thus strongly suggests that agencies utilize this type of information whenever possible.  To the degree to which non-identifiable health information is used, the privacy and security protections in the Act do not apply because individual privacy interests are not implicated.

Where protected health information is used, Subsection [b] requires that its use be limited to the minimum amount of information which the public health official using the information reasonably believes is necessary to accomplish the legitimate public health purpose.  Without constricting the ability of public health agencies to perform or accomplish legitimate public health purposes, this requirement means that public health officials must assess the amount of identifiable health information which is needed to accomplish a given legitimate public health purpose, and use only that amount of information.  Thus, if a public health official, for example, has authority to compare rates of HIV infection among persons with tuberculosis, the use of protected health information which also includes other sexually-transmitted diseases contracted by individuals with HIV or tuberculosis is impermissible.

Section 3-103.  Commercial Uses

Protected health information shall not be used by a public health agency or public health official for commercial purposes.

COMMENTS

________________________________________________

This Section specifically prohibits the use of protected health information by a public health agency or official for commercial purposes.  Protected health information is not an article, commodity, or good for sale or commercial exchange.  Any use of this information in a commercial setting or for financial gain is prohibited.  Thus, a public health agency may not, for example, sell its HIV database to a pharmaceutical company.

Section 3-104.  De-identifying Protected Health Information

Protected health information whose use by a public health agency no longer furthers the legitimate public health purpose for which it was acquired shall be expunged in a confidential manner.