Bioterrorism, Public Health and the Law 
Law 801: Health Care Law Seminar
Professor Vernellia R. Randall

Model State Public Health Law Act

 

Syllabus
Resources
Lesson Schedule
00: Intro to the Course
01: Intro to the Problem
02: Public Health System
03: Real Threat?
04: Public Health Law
05: Disease-Reporting
06: Quarantine
07: Model Act
08: Military Presence
09: Health Law Revisited

 

 

PRIVACY AND SECURITY OF PUBLIC HEALTH INFORMATION

Lawrence O. Gostin, Professor of Law
Georgetown University Law Center,
Principal Investigator

 

James G. Hodge, Jr., Adjunct Professor of Law
Georgetown University Law Center,
Project Director

Model State Public Health Privacy Act, without comments
[as of October 1, 1999]

Table of Contents

PREFATORY NOTE

ARTICLE I - FINDINGS AND DEFINITIONS

Section

1-101. Legislative Findings

1-102. Purposes

1-103. Definitions

ARTICLE II - ACQUISITION OF PROTECTED HEALTH INFORMATION

Section

2-101. Acquisition of Public Health Information

2-102. Subsequent Acquisition of Protected Health Information

ARTICLE III - USES OF PUBLIC HEALTH INFORMATION

Section

3-101. Uses Consistent With Original Legitimate Public Health Purposes

3-102. Scope of Uses

3-103. Commercial Uses
3-104.  De-identifying Protected Health Information.

ARTICLE IV - DISCLOSURES OF PROTECTED HEALTH INFORMATION

4-101. Non-Public Information

4-102. Informed Consent

4-103. Scope of Disclosures

4-104. Disclosures Without Informed Consent
4-105. Disclosures for Criminal or Civil Purposes

4-106. Disclosures for Health Oversight Purposes
4-107. Deceased Individuals
4-108. Secondary Disclosures
4-109. Record of Disclosures

ARTICLE V - SECURITY SAFEGUARDS AND RECORD RETENTION

5-101. Duty to Hold Information Secure

5-102. Establishment of Public Health Information Officer

5-103. Issuance of Public Reports

 

ARTICLE VI - FAIR INFORMATION PRACTICES

6-101. Individual Access to Protected Health Information

6-102. Limitations Concerning Individual Access to Protected Health Information

6-103. Accuracy of Information

6-104. Appeals

 

ARTICLE VII - CRIMINAL SANCTIONS AND CIVIL REMEDIES

7-101. Criminal Penalties

7-102. Civil Enforcement

7-103. Civil Remedies

7-104. Immunities
7-105.  Administrative Procedure Act Applicable

 

ARTICLE VIII- MISCELLANEOUS PROVISIONS

8-101. Titles

8-102. Uniformity Provision

8-103. Severability

8-104. Repeals

8-105. Saving Clause

8-106. Conflicting Laws

8-107. Reports and Effective Date

PREFATORY NOTES

 

The purpose of the Model State Public Health Privacy Act project is to develop a model state law [hereinafter the “Act”] addressing privacy and security issues arising from the acquisition, use, disclosure, and storage of identifiable health information by public health agencies at the state and local levels. The Act regulates the acquisition, use, disclosure, and storage of identifiable, health-related information by public health agencies without significantly limiting the ability of agencies to use such information for legitimate public health purposes. 

 

The Act is divided into eight (8) Articles with various Sections [please see the Table of Contents below].  The organizational content of the Act is summarized as follows [please refer to the text of the Act itself for precise language and comments].

 

ARTICLE I, FINDINGS AND DEFINITIONS, sets forth legislative findings and purposes, as well as key definitions in the context of the Act, including (1) what it means to “acquire,” “use,” “disclose,” and “store” information; (2) “protected health information” -- to include only identifiable information regarding an individual’s health status; and (3) “legitimate public health purposes” -- referring to those population-based activities or individual efforts primarily aimed at the prevention of injury, disease, or premature mortality, or the promotion of health in the community. Other key terms frequently mentioned in the Act are also defined, including “non-identifiable health information,” “public health agency,”and “public health official.”

 

These and other definitions underlie the scope of the Act.  Specifically, the Act protects the privacy and security of identifiable health-related information about individuals through various measures concerning the acquisition, use, disclosure, and storage of such information by public health agencies or public health officials.  Critical to these objectives is the definition of "protected health information." For the purposes of the Act, this term means any information, whether oral, written, electronic, visual, pictorial, physical, or any other form, that relates to an individual’s past, present, or future physical or mental health status, condition, treatment, service, products purchased, or provision of care, and which (a) reveals the identity of the individual whose health care is the subject of the information, or (b) where there is a reasonable basis to believe such information could be utilized (either alone or with other information that is, or should reasonably be known to be, available to predictable recipients of such information) to reveal the identity of that individual.  Since non-identifiable health information does not implicate serious privacy and anti-discrimination concerns at the individual level, information which cannot freely be identified or linked with the identity of any individual is not subject to the Act's provisions.

ARTICLE II, ACQUISITION OF PROTECTED HEALTH INFORMATION, sets forth fundamental requirements concerning the acquisition of protected health information by public health agencies.  Sections within Article II: (1) restrict the acquisition of protected health information to that information which is directly related to achieving legitimate public health purposes; (2) prohibit the secretive acquisition of protected health information; (3) require public notice and comment, accomplished in a confidential manner, prior to acquiring protected health information; and (4) require that public health agencies meet the same requirements for acquisitions of existing protected health information between agencies.

 

ARTICLE III, USES OF PROTECTED HEALTH INFORMATION, addresses the uses of protected health information by public health agencies. Uses of such information must be (1) directly related to the legitimate public health purpose for which the information was acquired; or (2) for public health, epidemiological, medical, or health services research provided that several requirements as stated in Section 3-101[c] of the Act are met.  Subsequent uses of the information are allowed provided the agency can justify them under the standards for acquisition stated in Article II.  The Act encourages the use of non-identifiable information whenever possible and requires the minimum amount of information to be used in the reasonable judgment of the public health official.  Commercial uses of protected health information are prohibited.  Protected health information whose use no longer furthers any legitimate public health purpose must be expunged in a confidential manner.

 

ARTICLE IV, DISCLOSURES OF PROTECTED HEALTH INFORMATION,  generally concerns the disclosure of protected health information by public health agencies to persons outside the agency.  Protected health information is deemed non-public information, which cannot be disclosed without the informed consent of the person who is the subject of the information (or the person’s lawful representative) unless otherwise allowed via narrow exceptions stated in the Act.

 

The Act specifically defines informed consent for the purposes of disclosures of protected health information from public health agencies.  Protected health information shall be disclosed for any purpose and to any person for which the disclosure is authorized via informed consent.  Unless disclosure of protected health information is specifically authorized via informed consent or pursuant to the Act, non-identifiable health information shall be disclosed.  When protected health information must be disclosed, it shall be limited to the minimum amount of information needed in the reasonable judgment of the person making the disclosure.  Any disclosure of protected health information, with or without informed consent, must be accompanied by a written statement of the public health agency’s policy on disclosures.

While the Act generally prohibits disclosures without informed consent, such disclosures may be allowed for narrow exceptions including (1) to individuals who are the subjects of the information; (2) to appropriate federal agencies pursuant to federal or state law; (3) to health care personnel in the event of an emergency to protect the health or life of the individual to whom the information relates; (4) pursuant to a court order authorizing the disclosure through subpoena, compelled testimony, in a civil, criminal, administrative, or other legal proceeding; (5) to health oversight agencies to perform oversight functions concerning the public health agency; or (6) for the purpose of identifying a deceased individual, the deceased’s manner of death, or provide necessary information about a deceased person who is a donor or prospective donor of an anatomical gift. 

The dilemma of secondary disclosures of protected health information by persons who receive the information from public health agencies is resolved by prohibiting the subsequent disclosure of the information to other persons unless authorized by the Act.  Finally, public health agencies are required to establish written records of disclosures of protected health information.

 

ARTICLE V, SECURITY SAFEGUARDS AND RECORD RETENTION, imposes the general duty on public health agencies to acquire, use, disclose, and store protected health information in a confidential manner. Specific security measures concerning protected health information are set forth, including a requirement that CDC security recommendations concerning HIV/AIDS information be followed.  The Act proposes the appointment of a new or existing public health official as a public health information officer in each public health agency. This individual is responsible for overseeing the administration of security and privacy issues inherent in government collection and use of identifiable protected health information. This individual is also responsible for preparing and circulating reports concerning the status of protected health information privacy on at least an annual basis.

 

ARTICLE VI, FAIR INFORMATION PRACTICES, sets forth basic fair information practices designed to allow individuals the opportunity to inspect and copy their protected health information in the possession of public health agencies (subject to minimal limitations), as well as request that information that is erroneous, incomplete, or false be corrected, amended, or deleted.   Denials of rights to inspect, copy, or revise incorrect or incomplete information by the public health agency must be in writing.   Individuals may appeal such determinations.   

 

ARTICLE VII, CRIMINAL SANCTIONS AND CIVIL REMEDIES, sets forth various criminal penalties and civil enforcement mechanisms to protect individuals who are harmed by violations of the Act by public health agencies, public health officials, and other persons.  Several forms of immunity are provided.  The State’s Administrative Procedure Act generally applies to actions taken by public health agencies pursuant to this Act.  

 

ARTICLE VIII contains MISCELLANEOUS PROVISIONS, including (1) the short title of the act (the Model State Public Health Privacy Act); (2) a uniformity of the law provision; (3) a severability clause; (4) a clause for repeals of existing state law; (5) a saving clause concerning preemption; (6) a provision concerning unintended conflicts of federal and existing state laws; and (7) a provision setting forth an effective date of the Act if passed.

 

COMMENTS explaining the various provisions of the Act follow Sections of each Article where appropriate.   These Comments are explanatory, not legally binding.

 

ARTICLE I

 

FINDINGS AND DEFINITIONS

 

Section 1-101.  Legislative Findings

 

The [State Legislative Body] finds that:

 

(1)        Public health agencies acquire, use, disclose, or store an increasing amount of health-related information about individuals, some of which is highly-sensitive, in paper-based and electronic forms for legitimate public health purposes;

 

(2)        Uses of health-related information for legitimate public health purposes are critically important to preserving, monitoring, and improving population-based health as well as personal health of individuals;

 

(3)        Individuals have significant privacy interests with respect to health-related information which can be identified to them;

 

(4)        Individual privacy interests in health-related information justify duties and limitations concerning (a) the acquisition, use, disclosure, and storage of such information; (b) individual access to such information in the possession of public health agencies;  and (c) security protections for such information;

 

(5)        Individual interests in the privacy of health-related information are significantly reduced when the information is acquired, used, disclosed, or stored in non-identifiable forms;

 

(6)        Public health agencies have a significant interest in protecting the privacy of health-related information in their possession where protecting the privacy of such information encourages individuals to participate in public health programs and objectives; and

 

(7)        While public health agencies generally have an excellent record of protecting the privacy interests of individuals in health-related information possessed by the agencies, additional statutory protections will further clarify and protect individual privacy interests while facilitating, without jeopardizing, legitimate public health purposes. 

 

Section 1-102.  Purposes

 

The [State Legislative Body] states that the purposes of this Act are to:

 

(1)        Address privacy and security issues arising from the acquisition, use, disclosure, and storage of protected health information by public health agencies at the State and local levels;

 

(2)        Protect health-related information in the possession of public health agencies against unauthorized disclosures without significantly limiting the ability of agencies to use such information for legitimate public health purposes;

 

(3)        Encourage wide use and disclosure of non-identifiable health information because this information does not implicate privacy and security concerns at the individual level and may greatly facilitate the accomplishment of legitimate public health purposes;

 

(4)        Require the acquisition and uses of protected health information to be consistent with legitimate public health purposes;

 

(5)        Prohibit disclosures of protected health information without the informed consent of the individual who is the subject of the information, with specified, narrow exceptions;

 

(6)        Impose the duty on public health agencies to hold and use protected health information securely; 

 

(7)        Impose a general duty on public health agencies to ensure the accuracy of protected health information; 

 

(8)        Allow individuals access to their protected health information in the possession of public health agencies through inspection and copying privileges;

 

(9)        Provide individuals the opportunity to request the correction, amendment, or deletion of erroneous, incomplete, or false protected health information; and

 

(10)      Prescribe various criminal penalties and civil enforcement mechanisms to protect individuals who are harmed by violations of the Act by public health agencies, public health officials, and other persons. 

 

Section 1-103.  Definitions

 

As used in this Act, these terms shall be defined as follows:

 

(1) “Acquire,“Acquired,”or “Acquisition” means to collect or gain possession or control of any part of protected health information for legitimate public health purposes.

 

(2) "Act" means the Model State Public Health Privacy Act.

 

(3) "Amend" means to indicate one or more disputed entries in protected health information or to change the entry without obliterating the original information.

 

(4) "Confidentiality statement" means a written statement dated and signed by an applicable individual which certifies the individual's agreement to abide by the security policy of a public health agency, as well as this Act.              

 

(5) “Disclose,” “Disclosed,” or “Disclosure” means to release, transfer, disseminate, provide access to, or otherwise communicate or divulge all or any part of any protected health information to any person or entity, other than a public health agency or authorized public health official.

 

(6) “Expunge” or “Expunged” means to permanently destroy, delete, or make non-identifiable.

 

(7) “Health oversight agency” means a person who (a) performs or oversees an assessment, investigation, or prosecution relating to compliance with legal or fiscal standards concerning fraud or fraudulent claims regarding health care, health services or equipment, or related activities; and (b) is a public executive branch agency, acts on behalf of a public executive branch agency, acts pursuant to a requirement of a public executive branch agency, or carries out such activities under federal or state law.

 

(8) "Institutional review board" means any board, committee, or other group formally designated by an institution or authorized under federal or state law to review, approve the initiation of, or conduct periodic review of research programs to assure the protection of the rights and welfare of human research subjects, consistent with requirements of the Federal Policy for the Protection of Human Subjects.

 

(9) “Legitimate public health purpose” means a population-based activity or individual effort primarily aimed at the prevention of injury, disease, or premature mortality, or the promotion of health in the community, including (a) assessing the health needs and status of the community through public health surveillance and epidemiological research, (b) developing public health policy, and (c) responding to public health needs and emergencies.

 

(10) “Non-identifiable health information” means any information, whether oral, written, electronic, visual, pictorial, physical, or any other form, that relates to an individual’s past, present, or future physical or mental health status, condition, treatment, service, products purchased, or provision of care, and which (a) does not reveal the identity of the individual whose health status is the subject of the information, or (b) where there is no reasonable basis to believe such information could be utilized (either alone or with other information that is, or should reasonably be, known to be available to predictable recipients of such information) to reveal the identity of that individual.

 

(11) “Person” means a natural person, corporation, estate, trust, partnership, limited liability company, association, joint venture, government or governmental body, or any other legal or commercial entity.

 

(12) “Protected health information” means any information, whether oral, written, electronic, visual, pictorial, physical, or any other form, that relates to an individual’s past, present, or future physical or mental health status, condition, treatment, service, products purchased, or provision of care, and which (a) reveals the identity of the individual whose health care is the subject of the information, or (b) where there is a reasonable basis to believe such information could be utilized (either alone or with other information that is, or should reasonably be known to be, available to predictable recipients of such information) to reveal the identity of that individual.

 

(13) “Public health” means population-based activities or individual efforts primarily aimed at the prevention of injury, disease, or premature mortality, or the promotion of health in the community.

 

(14) “Public health agency” means any organization operated by any state or local government that acquires, uses, discloses, or stores protected health information for legitimate public health purposes.

 

(15) "Public health official" means any officer, employee, private contractor or agent, intern, or volunteer of a public health agency with authorization from the agency or pursuant to law to acquire, use, disclose, or store protected health information.

 

(16) “Public information” means information which is generally open to inspection or review by the general public.

 

(17) “Request” means a written, dated, and signed correspondence in paper or electronic form through which the identity of the person making the request can be verified.

 

(18) “Requestor” means any individual, the parent or legal guardian of a minor, or a person’s legally-appointed guardian who makes a request.

 

(19) “Store,” “Stored,” or “Storage” means to hold, maintain, keep, or retain all or any part of protected health information.                             

 

(20) “Use” or “Used” means to employ or utilize all or any part of any protected health information for a legitimate public health purpose.

 

 

ARTICLE II

 

ACQUISITION OF PROTECTED HEALTH INFORMATION

 

Section 2-101.  Acquisition of Protected Health Information

 

[a]        In General.  A public health agency shall only acquire protected health information where:

 

(1)        the acquisition relates directly to a legitimate public health purpose;

 

(2)        the acquisition is reasonably likely to achieve such purpose, taking into account the provisions of this Act and other governing laws, and the availability of resources or means to achieve such purpose; and

 

(3)        the legitimate public health purpose cannot otherwise be achieved as well or better with non-identifiable information.

 

[b]        Secret Acquisition.  Protected health information shall not be secretly acquired by a public health agency.

 

[c]        Public Notice Requirements.  Prior to implementation of a public health agency determination to acquire or store protected health information, the agency shall announce, through public notice and comment, and through public written notice distributed and posted in a manner and to such extent as will reasonably inform members of the affected community, its intentions to acquire or store protected health information and the purposes for which the information will be used.  Such notice shall not identify any individual who is or may be the subject of protected health information.  Where State or local law requires counseling services regarding a reportable disease, such counseling services shall include information that such disease is reportable to the public health agency and a description of the purposes for which the individual’s protected health information will be used by such agency.

 

Section 2-102.  Subsequent Acquisition of Protected Health Information

 

A public health agency shall not acquire protected health information from another local, State, or federal public health agency unless the acquisition is consistent with the requirements of Section 2-101.


ARTICLE III

 

USES OF PROTECTED HEALTH INFORMATION

 

Section 3-101. Uses Consistent With Original Legitimate Public Health Purposes

 

[a]        In General.  Protected health information shall be used by a public health agency solely for legitimate public health purposes that are directly related to the purpose for which the information was acquired.  Providing access to protected health information to any person other than a public health agency or public health official is not a use.

 

[b]        Subsequent Uses.  A public health agency may use protected health information for legitimate public health purposes that are not directly related to the purpose for which the information was acquired provided that the agency meets the requirements of Section 2-101[a] and [c] before using such information.

 

[c]        Research Use.  A public health agency or official may use protected health information for public health, epidemiological, medical, or health services research provided that:

 

(1)        it is not feasible to obtain the informed consent of the individual who is the subject of the information;

 

(2)        identifiable information is necessary for the effectiveness of the research project;

 

(3)        the minimum amount of information necessary to conduct the research is used;

 

(4)        the research utilizing the protected health information will likely contribute to achieving a legitimate public health purpose;

 

(5)        the information is made non-identifiable at the earliest opportunity consistent with the purposes of the research project and expunged after the conclusion of the project; and

 

(6)        such uses are made pursuant to assurances of protections through the execution of a confidentiality agreement after review and approval of an institutional review board.  The agreement shall require any person receiving such information to adhere to protections for the privacy and security of the information equivalent to or greater than such protections provided in this Act.


Section 3-102.  Scope of Uses

 

[a]        In General.  Non-identifiable health information shall be used by a public health agency whenever possible consistent with the accomplishment of legitimate public health purposes.

 

[b]        Minimum Information.  Any use of protected health information permitted by this Act shall be limited to the minimum amount of information which the public health official using the information reasonably believes is necessary to accomplish the legitimate public health purpose.

 

Section 3-103.  Commercial Uses

 

Protected health information shall not be used by a public health agency or public health official for commercial purposes.

 

Section 3-104.  De-identifying Protected Health Information

 

Protected health information whose use by a public health agency no longer furthers the  legitimate public health purpose for which it was acquired shall be expunged in a confidential manner.

 


ARTICLE IV

 

DISCLOSURES OF PROTECTED HEALTH INFORMATION

 

Section 4-101.  Non-Public Information

 

Protected health information is not public information, and may not be disclosed without the informed consent of the individual (or the individual’s lawful representative) who is the subject of the information, except as provided in this Act. 

 

Section 4-102.  Informed Consent

 

[a]        Generally.  For the purposes of this Act, informed consent means a written authorization for the disclosure of protected health information on a form substantially similar to one promulgated by the [State public health agency] which is signed in writing or electronically by the individual who is the subject of the information.  This authorization shall be dated and shall specify to whom the disclosure is authorized, the general purpose for such disclosure, and the time period in which the authorization for the disclosure is effective. 

 

[b]        Revocation.  An individual may revoke an authorization in writing at any time.  The individual is responsible for informing the person who originally received the authorization that it has been revoked. 

 

[c]        Expiration.  If the authorization does not contain an expiration date or has not previously been revoked, it automatically expires six months after the date it is signed. 

 

[d]        General Authorization.  A general authorization for the disclosure of health-related information shall not be construed as written authorization pursuant to informed consent for the disclosure of protected health information unless such authorization also complies with this Section.

 

[e]        Inability to Provide Informed Consent.  When the individual who is the subject of protected health information is not competent or is otherwise legally unable to give informed consent for the disclosure of protected health information, written authorization under Subsection [a] may be provided by the individual's parents, legal guardians, or other persons lawfully authorized to make health care decisions for the individual.  For the purposes of this Subsection, a minor under the age of [to be inserted consistent with state law] years is unable to give informed consent.
 
 
Related Pages:
Home ] Up ] [ Model State Public Health Law Act ] Model State Act (pdf) ]
Subsequent Pages:
Home ] Up ]
Previous Pages:
Home ] Syllabus ] Introduction to the Course ] Introduction to the Problem ] Public Health System ] Is Bioterrorism a Real Threat? ] Public Health Law and Bioterrorism ] Disease Reporting and Police Powers ] Quarantine and Police Powers ] Model State Public Health Law ] Military Presence and Public Health ] Public Health Law - Revisited ]
Home Up Next

 

Last Updated:
 11/30/2002

You are visitor number:
Hit Counter
since August, 2002

Copyright @ 2002. Vernellia R. Randall 
All Rights Reserved