American Public Health Association

Informational Privacy, Public Health, and State Laws

Jean O'Connor, JD, DrPH and Gene Matthews, JD

Abstract

Developments in information technology that make it possible to rapidly transmit health information also raise questions about the possible inappropriate use and protection of identifiable (or potentially identifiable) personal health information.

Despite efforts to improve state laws, adoption of provisions has lagged. We found that half of states have no statutes addressing nondisclosure of personally identifiable health information generally held by public health agencies. Exceptional treatment of HIV, sexually transmitted infections, or tuberculosis-related information was common. Where other provisions were found, there was little consistency in the laws across states.

The variation in state laws supports the need to build consensus on the appropriate use and disclosure of public health information among public health practitioners.

Surveillance, epidemiological, and laboratory data are essential to the practice of public health, particularly at the state and local level.1 Public health practitioners within government agencies use data to identify new cases of disease and to make decisions about when to apply public health interventions. The exchange of information between health officials in different jurisdictions has been demonstrated to be essential to managing outbreaks of well-understood diseases, such as measles, and identifying and responding to new and emerging threats, such as severe acute respiratory syndrome and pandemic influenza A (H1N1). However, the very developments in information technology and health care policy that make it increasingly possible to rapidly transmit health information, such as electronic medical records and health information exchanges, continue to raise questions about the possible inappropriate use and lack of protection of personally identifiable health information.2–4

In highly charged situations, such as the recent influenza A (H1N1) pandemic, variations in state laws and incomplete understanding among jurisdictions can easily lead to inconsistent public health disclosure practices, resulting in media questions about the integrity of information access policies.5,6 Clearly, consideration should now be given to a more cohesive approach to public health information sharing.

A NATIONAL APPROACH TO PROTECTING PUBLIC HEALTH INFORMATION

The US Constitution does not impart a broad right to the privacy of individual health information.7 At the federal level, statutes place boundaries around the collection, use, and disclosure of certain types of health-related information. These statutes include the Freedom of Information Act,8 the Privacy Act of 1974,9 the Department of Health and Human Services (HHS) Human Subject Protection Regulations,10 the E-Government Act of 2002,11 the Family Educational Rights and Privacy Act,12 the Federal Drug and Alcohol Confidentiality provisions,13 and the Genetic Information Nondiscrimination Act.14 These statutes restrict the use of information for different purposes. For example, the HHS Human Subjects Protection Regulations focus on protecting information in the research context. However, the most frequently cited law in discussions of the privacy of public health information is the Health Insurance Portability and Accountability Act (HIPAA) and its associated regulations. The HIPAA Privacy Rule protects most health records from disclosure but permits health care providers to make disclosures to public health officials and for certain other purposes.15 The rule does not protect information possessed by public health officials from disclosure, except in limited circumstances. HIPAA also does not preempt state laws on the use or disclosure of data by public health authorities.16

Because there is no national standard for safeguarding all data held by public health agencies, state laws remain central to discussions of the privacy, confidentiality, security, use, and disclosure of information within the public health system.17 These state laws have been reported to be fragmented and antiquated, and to “fail to effectively balance competing individual interests in privacy with the need to share public health data and information for the common good.”18(p1389)

For more than a decade, both public health advocates and privacy advocates have responded to this need by calling for clearer protections for state public health information and developing model state policies.17,19,20 To disseminate ideas to update state public health privacy laws, Gostin et al. developed the Model State Health Privacy Act (MSHPA), a model statute for states to use as a guide in developing new laws, in 1999.18 The MSHPA contains detailed language about the appropriate acquisition and use of public health information, terms for when it is appropriate for state health departments to disclose that information, and penalties for noncompliance. After the events in the fall of 2001, the Model State Emergency Health Powers Act (MSEHPA) was drafted to promote the adoption of state public health emergency statutes that contained, among other things, language related to the disclosure of public health information.21 Despite these efforts, anecdotal information suggests that few states have adopted public health privacy and disclosure provisions recommended in the MSHPA and MSEHPA.

To address the lack of adoption of provisions by states and the continuing development of new approaches to data exchange, Lee and Gostin recently recommended a set of national principles for protecting public health data.17 The principles included discussion of use of data for legitimate public health purposes, collection or use of the minimum information necessary, data use agreements and security measures, and stewardship and trust. The need to develop a common approach to the use and disclosure of public health information has also been recognized as more than solely a domestic problem; various professional organizations (e.g., the International Epidemiological Association22) have developed guidelines for the use of data by their members, and an international collaborative is seeking to develop a collective code of conduct for the use of public health data.23

ANALYSIS OF CURRENT STATE LAWS

An analysis of current public health privacy laws can inform these efforts. The success of a national or international set of principles for the use and disclosure of personally identifiable health information under the control of the public health system depends, in part, on acknowledging the specific political and historical factors that have resulted in existing laws. In the United States, understanding current state laws may assist in identifying approaches to bridging the gap between the reality that state and local public health agencies face and ideal policies, frameworks, or practices for the use and disclosure of public health information. Identifying approaches and patterns in existing state laws is also an essential first step in further analyses of what laws are effective.

Using methods applied in other public health policy studies,24–26 we conducted a systematic online search of all statutes in the 50 states and the District of Columbia related to the privacy, confidentiality, disclosure, or release of human health data in effect as of January 1, 2009. For this purpose, we used a series of Boolean search terms and an online legal research database (Westlaw) of statutory indices. Regulations, which are not consistently available in published form for all states and all years, were excluded from the analysis, except when a state referred specifically to a regulation. We also excluded from the analysis freedom of information–type acts or “sunshine” laws, which mandate when a government agency can be compelled to disclose information. We included in the analysis only court opinions included in the annotations of relevant statutes. We looked for the presence or absence of laws, and then identified themes in the laws and assessed their alignment with the MSHPA, MSEHPA, and recommendations in the public health law literature.

States Without a Presumption of Nondisclosure

We found that few, if any, of the provisions recommended in the MSHPA or MSEHPA had been adopted in many states. We also found that state approaches to the use and disclosure of public health information could be broken down into 2 models (Table 1). In the first model, state statutes offered the public no general presumption of the privacy, confidentiality, or nondisclosure of public health information, but protected information associated with specific diseases. About half the jurisdictions (25 of 51) fit this first model. The others (26 of 51) established a general protection for personally identifiable health information maintained by the health department, but allowed for exceptions to disclosure and offered more stringent protections for specific disease information.

In the states that fit the first model, it is worth noting that silence on the protection of public health data does not necessarily mean that data were not protected in practice, but the absence of clear statutes did give rise to questions about what approaches were being applied to protect data and who was the responsible party. One possible explanation for the absence of an overarching provision is that until the mid-20th century, when understanding of disease and treatment options was limited, state and local public health authorities routinely disclosed the names and addresses of individuals with infectious diseases in newspapers to warn or protect others from exposure.27 Although such disclosures are usually not necessary in today's society, silence in the law may be reflective of historical factors. Another possibility is that the common law privacy right under which a health care provider is expected to maintain the confidentiality of a person's health information, known as the patient–physician privilege, is misunderstood to apply to public health authorities as well. The patient–physician privilege is the duty of physicians—or, in some cases, all health care providers—to maintain the confidentiality of information obtained in the course of treatment, in accordance with state laws and HIPAA provisions.

In most of the states that lacked an overarching provision protecting all health information (model 1), there were statutes that provided special protections for certain types of disease information related to HIV, sexually transmitted infections (STIs), or other specific health conditions. Eighteen states had provisions for the protection of HIV-related information, 11 had restrictions on the disclosure of STI information (still called venereal disease in some state statutes), and 2 had provisions related to other disease-specific information, such as tuberculosis. This type of policy approach, known as exceptionalism, is controversial even within public health. Whereas advocates are more likely to have success in pursuing legislation that addresses specific, narrow objectives on a single disease, state officials and public health officials find that the resulting policies have unintended consequences, are not supported by scientific evidence, create disease-based silos within the public health system, and can quickly become outdated. For example, in some states, laws that were passed in the 1950s through 1970s provided special protections for “venereal disease,” a term that is not commonly used in practice and that is not clearly applicable to infections that may be bloodborne or sexually transmitted. In South Dakota, the law required that “The identity of any individual… pursuant to a report of a venereal disease shall be maintained in the strictest confidence within the venereal disease control system.”28 Similarly, in Tennessee the statute also explicitly stated that disclosure of “venereal disease” case reports was limited.29

States With a Presumption of Nondisclosure

The remaining 26 jurisdictions did explicitly address the circumstances under which public health officials may disclose public health information (model 2). In these states, the statutory scheme set up a general bar on disclosure but allowed for some exceptions. We found the following 3 common exceptions to the rule against disclosing information in these states: (1) when deemed necessary by public health officials to protect the public's health or the health of an individual, (2) for statistical analysis and research when certain requirements are met, and (3) disclosure to a contact or for contact-tracing purposes. Almost all of these jurisdictions (23 of 26) had exceptions allowing information disclosure for protecting the public's health, 10 had at least 2 of the 3 exceptions, and just 5 (AK, AZ, IN, OK, and OR) explicitly allowed for all 3 exceptions.

For example, in North Dakota, a report to the state health department was considered to be confidential information. The information “may not be disclosed, shared with any agency or institution, or made public, upon subpoena, search warrant, discovery proceedings, or otherwise.” The statute goes on to indicate the following exceptions: (1) for statistical purposes if the disclosure is made in such a manner that no individual can be identified; (2) for enforcement of the reportable conditions statute and for treatment, control, and investigation of HIV infection; or (3) for disclosure to medical personnel to the extent necessary to protect the health or life of any individual.30 In Washington, disclosures were permitted to federal, state, or local public health authorities when needed to protect the public's health.31 Arkansas had a unique statute that allowed state, county, or local health officers to disclose communicable disease information if the disclosure was

  1. authorized or required by state or federal law,

  2. permitted by written authorization of the individual,

  3. used for contact tracing,

  4. necessary for research purposes, or

  5. used “for the purposes of conducting a search of the national death index.”32

However, the statute was silent on whether disclosure is authorized to protect public health generally. Similarly, Maryland, Nebraska, and New Hampshire had no apparent provision explicitly allowing the disclosure of health information when health officials deemed it necessary.

Interestingly, although about half of the states had relatively clear language related to how and when information could be disclosed by public health officials, some of these states also had statutes pertaining explicitly to HIV, STIs, and tuberculosis. We also found that although the statutory language seemed clear on its face, there were almost no court cases, very few definitions, and few regulations to guide interpretation of the statutes. This finding may be contributing to confusion and uncertainty among public health officials about how and when public health information should be or is disclosed.

Unique Provisions in Some State Laws

We also found a few additional notable patterns in state laws. Fewer than a quarter of states had language that addressed any of the following: disclosure to contacts of a person with a communicable disease, in some cases including prehospital personnel exposed to the bodily fluids or respiratory droplets of a person with particular infectious diseases; disclosure of public health information by the state to federal public health officials (most state statutes specifically mention the Centers for Disease Control and Prevention or the HHS); secondary disclosure of personally identifiable information provided by the health department to a third party; or when certain types of health threats may or must be disclosed to law enforcement. In a few states, disclosure of certain personally identifiable health information from one state agency to another even appeared to be prohibited. For example, in Connecticut, the Medicaid program could only obtain information that supported payments for the care of individuals receiving medical assistance.33 Although this may be an important protection, this approach may indicate a lost opportunity for collaboration between the health care delivery and financing system and public health authorities seeking to design or deliver interventions for at-risk populations.

We also found that Montana was the only state that explicitly allowed public health officials to release information to another state to

continue health services to the named person or to undertake public health efforts to prevent or interrupt the transmission of a communicable disease or to alleviate and prevent injury caused by the release of biological, chemical, or radiological agents capable of causing imminent disability, death, or infection.34

Other than in Montana and in some other states that allow disclosure when necessary to protect the public's health, we found no provisions that addressed whether restrictions on the use of public health information could be waived in the event of a public health emergency. Few states explicitly allowed the sharing of public health information with law enforcement or exchange with the federal government.

MOVING TOWARD A COMMON APPROACH

Electronic health records, health information exchanges, and electronic laboratory and disease reporting present an important opportunity for enhancing public health surveillance, detecting public health events more effectively, and ensuring the conditions necessary for people to be healthy. The sharing and exchange of data within and between jurisdictions and public health professionals is essential to rapidly detecting and responding to health events and to continuing to improve the public's health. We found wide variation in the content of state statutes related to the use and disclosure of identifiable (or potentially identifiable) information held by public health agencies, despite the development of model policies. This finding may suggest that practices in the use and disclosure of information also vary significantly across the United States.

Further research is needed on how public health officials understand and act within the laws of their jurisdictions, on whether those laws inhibit or facilitate the sharing of information needed for public health purposes, and, if laws are acting as a barrier, on what factors may influence the adoption of new privacy laws and policies within states in the future. There is also a need to continue the work, begun by Lee and Gostin,17 of identifying the essential elements of such a framework and building consensus within the public health community on which future privacy policies can be based. Advances in information technology and federal policies that encourage the exchange of data via electronic health records will require a common, understandable, and principled framework for ensuring the appropriate protection, use, and disclosure of personally identifiable information maintained by public health systems. Such a framework can be developed and its adoption encouraged by engaging stakeholders in the development of the framework, integrating the framework into other public health efforts such as the movement to accredit state and local health departments, and providing state and local jurisdictions with tools, such as a set of sample policies, to assess their own privacy practices and policies.

Acknowledgments

We thank Thomas Ricketts, Jon Oberlander, and Pam Silberman of the University of North Carolina at Chapel Hill and Ali Khan of the Centers for Disease Control and Prevention for their support.

Human Participant Protection

This study was approved by the institutional review board of the University of North Carolina at Chapel Hill.

Article information

Am J Public Health. 2011 October; 101(10): 1845–1850.
PMCID: PMC3222345
PMID: 21852633
At the time of the writing, Jean O'Connor was with the Centers for Disease Control and Prevention, Atlanta, GA. Gene Matthews is with the North Carolina Institute of Public Health, Chapel Hill.
Correspondence should be sent to Jean O'Connor, Deputy Director, Oregon Public Health Division, 800 NE Oregon St., Ste 930, Portland, OR 97212 (e-mail: Jean.C.OConnor@state.or.us). Reprints can be ordered at http://www.ajph.org by clicking the “Reprints/Eprints” link.
Peer Reviewed
Note. The findings and conclusions in this report do not necessarily represent those of the US Department of Health and Human Services or the Centers for Disease Control and Prevention.
Contributors

J. O'Connor carried out the research and drafted the essay. G. Matthews provided guidance in conceptualizing the study and in drafting the essay.

Accepted January 19, 2011.

References

1. Neslund VS, Goodman RA, Hadler JL. Frontline public health: surveillance field epidemiology. In: Goodman R, Hoffman RE, Lopez W, Matthews GW, Rothstein MA, Foster KL, eds. Law in Public Health Practice. 2nd ed. New York, NY: Oxford University Press; 2007:222–237
2. Myers J, Freiden TR, Bherwani KM, Henning KJ. Privacy and public health at risk: public health confidentiality in the digital age. Am J Public Health. 2008;98(5):793–801
3. Goodman KW. Ethics, information technology, and public health: new challenges for the clinician–patient relationship. J Law Med Ethics. 2010;38(1):58–63
4. Wartenberg D, Thompson D. Privacy versus public health: the impact of current confidentiality rules. Am J Public Health. 2010;100(3):407–412
5. H1N1 privacy and state law [audio file]. WUNC, Chapel Hill, NC. Available at: http://wunc.org/programs/news/archive/NRH1207.mp3. Accessed April 30, 2010
6. Sabalow R. Health departments fear disease warnings could cause complacency. Record Searchlight. March 27, 2010. Available at: http://www.redding.com/news/2010/mar/27/health-departments-fear-disease-warnings-could. Accessed April 30, 2010
7. Whalen v Roe, 429 US 589 (1977)
8. Freedom of Information Act, 5 USC §552 (2009)
9. Privacy Act of 1974, 5 USC §552a (2009)
10. Department of Health and Human Services Human Subject Protection Regulations, 45 CFR part 46 (2009)
11. E-Government Act of 2002, 44 USC §3601 et seq. (2009)
12. Family Educational Rights and Privacy Act, 20 USC §1232g (2009)
13. Federal Drug and Alcohol Confidentiality provisions, 42 USC §290dd-2 (2009)
14. Genetic Information Nondiscrimination Act, 42 USC 2000ff et seq. (2009)
15. Health Insurance Portability and Accountability Act Privacy Rule, 45 CFR §164.512 (2009)
16. Health Insurance Portability and Accountability Act, 42 USC §1320d–2 (2009)
17. Lee LM, Gostin LO. Ethical collection, storage, and use of public health data: a proposal for a national privacy protection. JAMA. 2009;302(1):82–84
18. Gostin LO, Hodge JG Jr, Valdiserri RO. Informational privacy and the public's health: the Model State Public Health Privacy Act. Am J Public Health. 2001;91(9):1388–1392
19. Hodge JG Jr. Health information privacy and public health. J Law Med Ethics. 2003;31(4):663–671
20. Gostin LO. Public health law reform. Am J Public Health. 2001;91(9):1365–1368
21. Gostin L, Sapsin JW, Teret SP, et al. The Model State Emergency Health Powers Act: planning for and response to bioterrorism and naturally occurring infectious diseases. JAMA. 2002;288(5):622–628
22. International Epidemiological Association. Good epidemiological practice—rules for good research behavior. Available at: http://www.ieaweb.org/index.php?option=com_content&view=article&id=15&Itemid=43&limitstart=6. Accessed April 1, 2011
23. Wellcome Trust. Public health and epidemiology. Available at: http://www.wellcome.ac.uk/About-us/Policy/Spotlight-issues/Data-sharing/Public-health-and-epidemiology/index.htm. Accessed April 23, 2010
24. Centers for Disease Control and Prevention. Changes in state smoking restrictions in private-sector worksites, restaurants, and bars—United States, 1999–2004. MMWR Morb Mortal Wkly Rep. 2005;54(26):649–653
25. O'Connor JC, Chriqui J, McBride D. Finding lasting legal solutions to the dual epidemics of methamphetamine production and use. N D Law Rev. 2006;82:1165–1194
26. ImpacTeen Illicit Drug Team. Illicit Drug Policies: Selected Laws From the 50 States. Berrien Springs, MI: Andrews University; 2002. Available at: www.rwjf.org/files/publications/other/DrugPoliciesReport.pdf. Accessed April 23, 2010
27. Gould T. A Summer Plague: Polio and Its Survivors. New Haven, CT: Yale University Press; 1995
28. SD ST §34-23-2 (2008)
29. TN ST §68-10-113 (2008)
30. ND ST §23-07-02.2 (2008)
31. RCWA 0.02.050 (2008)
32. ARS §36-664 (B) (2008)
33. CGSA §17b-225 (2008)
34. MT ST §50-16-603 (2008)

TABLE 1

State Statutes on Use and Disclosure of Public Health Information

Column groups: Exceptions to Nondisclosure; Exceptionalism^a

Columns: State | Presumption of Nondisclosure | To Protect Public Health or the Health of an Individual | For Contact Tracing or Partner Notification Purposes | For Statistical Analysis When De-Identified | HIV | STIs | Other Conditions

AL Yes Yes Yes
AK Yes Yes Yes Yes
AZ Yes Yes Yes Yes Yes Yes
AR Yes
CA Yes Yes
CO Yes Yes
CT Yes
DE Yes Yes Yes Yes
DC Yes Yes Yes
FL Yes Yes
GA Yes
HI Yes Yes Yes Yes
ID Yes
IL Yes
IN Yes Yes Yes Yes
IA Yes
KS Yes Yes
KY Yes Yes
LA Yes
ME Yes Yes Yes
MD Yes Yes
MA Yes
MI
MN Yes Yes Yes
MS Yes
MO Yes
MT Yes Yes Yes Yes Yes Yes
NE Yes Yes
NV Yes Yes Yes
NH Yes Yes
NJ Yes Yes Yes
NM Yes Yes Yes Yes Yes
NY Yes
NC Yes Yes Yes
ND Yes Yes Yes
OH Yes Yes Yes Yes
OK Yes Yes Yes Yes
OR Yes Yes Yes Yes
PA Yes Yes Yes
RI
SC Yes
SD Yes Yes Yes Yes Yes
TN Yes Yes
TX Yes Yes Yes
UT Yes Yes Yes Yes
VT Yes Yes
VA Yes
WA Yes Yes
WV Yes Yes
WI Yes
WY Yes
Total 25 23 7 16 28 15 7

Note. STI = sexually transmitted infection.

^a Refers to provisions that pertain only to specific diseases, not all diseases.