PRIVACY AND SECURITY OF
PUBLIC HEALTH INFORMATION
Lawrence O. Gostin,
Professor of Law
Georgetown University Law Center,
Principal Investigator
James G. Hodge, Jr.,
Adjunct Professor of Law
Georgetown University Law Center,
Project Director
Model State Public Health Privacy Act, without comments
[as of October 1, 1999]
Table of Contents
PREFATORY NOTE
ARTICLE I - FINDINGS AND DEFINITIONS
Section
  1-101. Legislative Findings
  1-102. Purposes
  1-103. Definitions
ARTICLE II - ACQUISITION OF PROTECTED HEALTH INFORMATION
Section
  2-101. Acquisition of Public Health Information
  2-102. Subsequent Acquisition of Protected Health Information
ARTICLE III - USES OF PUBLIC HEALTH INFORMATION
Section
  3-101. Uses Consistent With Original Legitimate Public Health Purposes
  3-102. Scope of Uses
  3-103. Commercial Uses
  3-104. De-identifying Protected Health Information
ARTICLE IV - DISCLOSURES OF PROTECTED HEALTH INFORMATION
  4-101. Non-Public Information
  4-102. Informed Consent
  4-103. Scope of Disclosures
  4-104. Disclosures Without Informed Consent
  4-105. Disclosures for Criminal or Civil Purposes
  4-106. Disclosures for Health Oversight Purposes
  4-107. Deceased Individuals
  4-108. Secondary Disclosures
  4-109. Record of Disclosures
ARTICLE V - SECURITY SAFEGUARDS AND RECORD RETENTION
  5-101. Duty to Hold Information Secure
  5-102. Establishment of Public Health Information Officer
  5-103. Issuance of Public Reports
ARTICLE VI - FAIR INFORMATION PRACTICES
  6-101. Individual Access to Protected Health Information
  6-102. Limitations Concerning Individual Access to Protected Health Information
  6-103. Accuracy of Information
  6-104. Appeals
ARTICLE VII - CRIMINAL SANCTIONS AND CIVIL REMEDIES
  7-101. Criminal Penalties
  7-102. Civil Enforcement
  7-103. Civil Remedies
  7-104. Immunities
  7-105. Administrative Procedure Act Applicable
ARTICLE VIII - MISCELLANEOUS PROVISIONS
  8-101. Titles
  8-102. Uniformity Provision
  8-103. Severability
  8-104. Repeals
  8-105. Saving Clause
  8-106. Conflicting Laws
  8-107. Reports and Effective Date
PREFATORY NOTES
The purpose of the Model State Public Health Privacy Act project is to
develop a model state law [hereinafter the “Act”] addressing
privacy and security issues arising from the acquisition, use,
disclosure, and storage of identifiable health information by public
health agencies at the state and local levels. The Act regulates the
acquisition, use, disclosure, and storage of identifiable,
health-related information by public health agencies without
significantly limiting the ability of agencies to use such information
for legitimate public health purposes.
The Act is divided into eight (8) Articles with various Sections
[please see the Table of Contents below]. The organizational content
of the Act is summarized as follows [please refer to the text of the
Act itself for precise language and comments].
ARTICLE I, FINDINGS AND DEFINITIONS, sets forth legislative findings and
purposes, as well as key definitions in the context of the Act,
including (1) what it means to “acquire,” “use,” “disclose,”
and “store” information; (2) “protected
health information” -- to include only identifiable information
regarding an individual’s health status; and (3) “legitimate
public health purposes” -- referring to those population-based
activities or individual efforts primarily aimed at the prevention of
injury, disease, or premature mortality, or the promotion of health in
the community. Other key terms frequently mentioned in the Act are
also defined, including “non-identifiable health information,”
“public health agency,” and “public health official.”
These and other definitions underlie the scope of the Act.
Specifically, the Act protects the privacy and security of
identifiable health-related information about individuals through
various measures concerning the acquisition, use, disclosure, and
storage of such information by public health agencies or public health
officials. Critical to
these objectives is the definition of "protected
health information." For the purposes of the Act, this term
means any information, whether oral, written, electronic, visual,
pictorial, physical, or any other form, that relates to an
individual’s past, present, or future physical or mental health
status, condition, treatment, service, products purchased, or
provision of care, and which (a) reveals the identity of the
individual whose health care is the subject of the information, or (b)
where there is a reasonable basis to believe such information could be
utilized (either alone or with other information that is, or should
reasonably be known to be, available to predictable recipients of such
information) to reveal the identity of that individual.
Since non-identifiable health information does not implicate
serious privacy and anti-discrimination concerns at the individual
level, information which cannot freely be identified or linked with
the identity of any individual is not subject to the Act's provisions.
ARTICLE II, ACQUISITION OF PROTECTED HEALTH INFORMATION, sets forth
fundamental requirements concerning the acquisition of protected
health information by public health agencies.
Sections within Article II: (1) restrict the acquisition of
protected health information to that information which is directly
related to achieving legitimate public health purposes; (2) prohibit
the secretive acquisition of protected health information; (3) require
public notice and comment, accomplished in a confidential manner,
prior to acquiring protected health information; and (4) require that
public health agencies meet the same requirements for acquisitions of
existing protected health information between agencies.
ARTICLE III, USES OF PROTECTED HEALTH INFORMATION, addresses the uses of
protected health information by public health agencies. Uses of such
information must be (1) directly related to the legitimate public
health purpose for which the information was acquired; or (2) for
public health, epidemiological, medical, or health services research
provided that several requirements as stated in Section 3-101[c] of
the Act are met. Subsequent
uses of the information are allowed provided the agency can justify
them under the standards for acquisition stated in Article II.
The Act encourages the use of non-identifiable information
whenever possible and requires the minimum amount of information to be
used in the reasonable judgment of the public health official.
Commercial uses of protected health information are prohibited. Protected health information whose use no longer furthers any
legitimate public health purpose must be expunged in a confidential
manner.
ARTICLE IV, DISCLOSURES OF PROTECTED HEALTH INFORMATION,
generally concerns the disclosure of protected health
information by public health agencies to persons outside the agency.
Protected health information is deemed non-public information,
which cannot be disclosed without the informed consent of the person
who is the subject of the information (or the person’s lawful
representative) unless otherwise allowed via narrow exceptions stated
in the Act.
The Act specifically defines informed consent for the purposes of
disclosures of protected health information from public health
agencies. Protected
health information shall be disclosed for any purpose and to any
person for which the disclosure is authorized via informed consent.
Unless disclosure of protected health information is
specifically authorized via informed consent or pursuant to the Act,
non-identifiable health information shall be disclosed.
When protected health information must be disclosed, it shall
be limited to the minimum amount of information needed in the
reasonable judgment of the person making the disclosure.
Any disclosure of protected health information, with or without
informed consent, must be accompanied by a written statement of the
public health agency’s policy on disclosures.
While the Act generally prohibits disclosures without informed consent, such
disclosures may be allowed for narrow exceptions including (1) to
individuals who are the subjects of the information; (2) to
appropriate federal agencies pursuant to federal or state law; (3) to
health care personnel in the event of an emergency to protect the
health or life of the individual to whom the information relates; (4)
pursuant to a court order authorizing the disclosure through subpoena,
compelled testimony, in a civil, criminal, administrative, or other
legal proceeding; (5) to health oversight agencies to perform
oversight functions concerning the public health agency; or (6) for
the purpose of identifying a deceased individual, the deceased’s
manner of death, or providing necessary information about a deceased
person who is a donor or prospective donor of an anatomical gift.
The dilemma of secondary disclosures of protected health information
by persons who receive the
information from public health agencies is resolved by prohibiting the
subsequent disclosure of the information to other persons unless
authorized by the Act. Finally,
public health agencies are required to establish written records of
disclosures of protected health information.
ARTICLE V, SECURITY SAFEGUARDS AND RECORD RETENTION, imposes the general
duty on public health agencies to acquire, use, disclose, and store
protected health information in a confidential manner. Specific
security measures concerning protected health information are set
forth, including a requirement that CDC security recommendations
concerning HIV/AIDS information be followed.
The Act proposes the appointment of a new or existing public
health official as a public health information officer in each public
health agency. This individual is responsible for overseeing the
administration of security and privacy issues inherent in government
collection and use of identifiable protected health information. This
individual is also responsible for preparing and circulating reports
concerning the status of protected health information privacy on at
least an annual basis.
ARTICLE VI, FAIR INFORMATION PRACTICES, sets forth basic fair information
practices designed to allow individuals the opportunity to inspect and
copy their protected health information in the possession of public
health agencies (subject to minimal limitations), as well as request
that information that is erroneous, incomplete, or false be corrected,
amended, or deleted. Denials
of rights to inspect, copy, or revise incorrect or incomplete
information by the public health agency must be in writing.
Individuals may appeal such determinations.
ARTICLE VII, CRIMINAL SANCTIONS AND CIVIL REMEDIES, sets forth various
criminal penalties and civil enforcement mechanisms to protect
individuals who are harmed by violations of the Act by public health
agencies, public health officials, and other persons.
Several forms of immunity are provided.
The State’s Administrative Procedure Act generally applies to
actions taken by public health agencies pursuant to this Act.
ARTICLE VIII contains MISCELLANEOUS PROVISIONS, including (1) the
short title of the act (the Model
State Public Health Privacy Act); (2) a uniformity of the law
provision; (3) a severability clause; (4) a clause for repeals of
existing state law; (5) a saving clause concerning preemption; (6) a
provision concerning unintended conflicts of federal and existing
state laws; and (7) a provision setting forth an effective date of the
Act if passed.
COMMENTS explaining the various provisions of the Act follow Sections of each
Article where appropriate.
These Comments are explanatory, not legally binding.
ARTICLE I
FINDINGS AND DEFINITIONS
Section 1-101. Legislative Findings
The [State Legislative Body] finds that:
(1) Public health agencies acquire, use, disclose, or store an
increasing amount of health-related information about individuals,
some of which is highly-sensitive, in paper-based and electronic forms
for legitimate public health purposes;
(2) Uses of health-related information for legitimate public health
purposes are critically important to preserving, monitoring, and
improving population-based health as well as personal health of
individuals;
(3) Individuals have significant privacy interests with respect to
health-related information which can be identified to them;
(4) Individual privacy interests in health-related information
justify duties and limitations concerning (a) the acquisition, use,
disclosure, and storage of such information; (b) individual access to
such information in the possession of public health agencies;
and (c) security protections for such information;
(5) Individual interests in the privacy of health-related
information are significantly reduced when the information is
acquired, used, disclosed, or stored in non-identifiable forms;
(6) Public health agencies have a significant interest in
protecting the privacy of health-related information in their
possession where protecting the privacy of such information encourages
individuals to participate in public health programs and objectives;
and
(7) While public health agencies generally have an excellent record
of protecting the privacy interests of individuals in health-related
information possessed by the agencies, additional statutory
protections will further clarify and protect individual privacy
interests while facilitating, without jeopardizing, legitimate public
health purposes.
Section 1-102. Purposes
The [State Legislative Body] states that the purposes of this Act are to:
(1) Address privacy and security issues arising from the
acquisition, use, disclosure, and storage of protected health
information by public health agencies at the State and local levels;
(2) Protect health-related information in the possession of public
health agencies against unauthorized disclosures without significantly
limiting the ability of agencies to use such information for
legitimate public health purposes;
(3) Encourage wide use and disclosure of non-identifiable health
information because this information does not implicate privacy and
security concerns at the individual level and may greatly facilitate
the accomplishment of legitimate public health purposes;
(4) Require the acquisition and uses of protected health
information to be consistent with legitimate public health purposes;
(5) Prohibit disclosures of protected health information without
the informed consent of the individual who is the subject of the
information, with specified, narrow exceptions;
(6) Impose the duty on public health agencies to hold and use
protected health information securely;
(7) Impose a general duty on public health agencies to ensure the
accuracy of protected health information;
(8) Allow individuals access to their protected health information
in the possession of public health agencies through inspection and
copying privileges;
(9) Provide individuals the opportunity to request the correction,
amendment, or deletion of erroneous, incomplete, or false protected
health information; and
(10) Prescribe various criminal penalties and civil enforcement
mechanisms to protect individuals who are harmed by violations of the
Act by public health agencies, public health officials, and other
persons.
Section 1-103. Definitions
As used in this Act, these terms shall be defined as follows:
(1) “Acquire,” “Acquired,” or “Acquisition”
means to collect or gain possession or control of any part of
protected health information for legitimate public health purposes.
(2) "Act" means the Model State Public Health Privacy Act.
(3) "Amend" means to
indicate one or more disputed entries in protected health information
or to change the entry without obliterating the original information.
(4) "Confidentiality statement"
means a written statement dated and signed by an applicable individual
which certifies the individual's agreement to abide by the security
policy of a public health agency, as well as this Act.
(5) “Disclose,” “Disclosed,” or “Disclosure”
means to release, transfer, disseminate, provide access to, or
otherwise communicate or divulge all or any part of any protected
health information to any person or entity, other than a public health
agency or authorized public health official.
(6) “Expunge” or “Expunged” means to permanently destroy, delete, or make
non-identifiable.
(7) “Health oversight agency”
means a person who (a) performs or oversees an assessment,
investigation, or prosecution relating to compliance with legal or
fiscal standards concerning fraud or fraudulent claims regarding
health care, health services or equipment, or related activities; and
(b) is a public executive branch agency, acts on behalf of a public
executive branch agency, acts pursuant to a requirement of a public
executive branch agency, or carries out such activities under federal
or state law.
(8) "Institutional review board" means any board, committee, or
other group formally
designated by an institution or authorized under federal or state law
to review, approve the initiation of, or conduct periodic review of
research programs to assure the protection of the rights and welfare
of human research subjects, consistent with requirements of the
Federal Policy for the Protection of Human Subjects.
(9) “Legitimate public health purpose” means a population-based
activity or individual effort
primarily aimed at the prevention of injury, disease, or premature
mortality, or the promotion of health in the community, including (a)
assessing the health needs and status of the community through public
health surveillance and epidemiological research, (b) developing
public health policy, and (c) responding to public health needs and
emergencies.
(10) “Non-identifiable health information” means any information,
whether oral, written,
electronic, visual, pictorial, physical, or any other form, that
relates to an individual’s past, present, or future physical or
mental health status, condition, treatment, service, products
purchased, or provision of care, and which (a) does not reveal the
identity of the individual whose health status is the subject of the
information, or (b) where there is no reasonable basis to believe such
information could be utilized (either alone or with other information
that is, or should reasonably be, known to be available to predictable
recipients of such information) to reveal the identity of that
individual.
(11) “Person” means a
natural person, corporation, estate, trust, partnership, limited
liability company, association, joint venture, government or
governmental body, or any other legal or commercial entity.
(12) “Protected health information”
means any information, whether oral, written, electronic, visual,
pictorial, physical, or any other form, that relates to an
individual’s past, present, or future physical or mental health
status, condition, treatment, service, products purchased, or
provision of care, and which (a) reveals the identity of the
individual whose health care is the subject of the information, or (b)
where there is a reasonable basis to believe such information could be
utilized (either alone or with other information that is, or should
reasonably be known to be, available to predictable recipients of such
information) to reveal the identity of that individual.
(13) “Public health” means
population-based activities or individual efforts primarily aimed at
the prevention of injury, disease, or premature mortality, or the
promotion of health in the community.
(14) “Public health agency”
means any organization operated by any state or local government that
acquires, uses, discloses, or stores protected health information for
legitimate public health purposes.
(15) "Public health official"
means any officer, employee, private contractor or agent, intern, or
volunteer of a public health agency with authorization from the agency
or pursuant to law to acquire, use, disclose, or store protected
health information.
(16) “Public information”
means information which is generally open to inspection or review by
the general public.
(17) “Request” means a
written, dated, and signed correspondence in paper or electronic form
through which the identity of the person making the request can be
verified.
(18) “Requestor” means any
individual, the parent or legal guardian of a minor, or a person’s
legally-appointed guardian who makes a request.
(19) “Store,” “Stored,” or “Storage” means to
hold, maintain, keep, or retain all or any part of protected health
information.
(20) “Use” or “Used” means to employ or utilize all or any part of any protected
health information for a legitimate public health purpose.
ARTICLE II
ACQUISITION OF PROTECTED HEALTH INFORMATION
Section 2-101. Acquisition of Protected Health Information
[a] In General. A public health agency shall only acquire protected
health information
where:
(1) the acquisition relates directly to a legitimate public health
purpose;
(2) the acquisition is reasonably likely to achieve such purpose,
taking into account the provisions of this Act and other governing
laws, and the availability of resources or means to achieve such
purpose; and
(3) the legitimate public health purpose cannot otherwise be
achieved as well or better with non-identifiable information.
[b] Secret Acquisition. Protected health information shall not be
secretly acquired by
a public health agency.
[c] Public Notice Requirements. Prior to implementation of a public
health agency determination
to acquire or store protected health information, the agency shall
announce, through public notice and comment, and through public
written notice distributed and posted in a manner and to such extent
as will reasonably inform members of the affected community, its
intentions to acquire or store protected health information and the
purposes for which the information will be used.
Such notice shall not identify any individual who is or may be
the subject of protected health information.
Where State or local law requires counseling services regarding
a reportable disease, such counseling services shall include
information that such disease is reportable to the public health
agency and a description of the purposes for which the individual’s
protected health information will be used by such agency.
Section 2-102. Subsequent Acquisition of Protected Health Information
A public health agency shall not acquire protected health information
from another local, State, or federal public health agency unless the
acquisition is consistent with the requirements of Section 2-101.
Protected health information is not public information, and may not be disclosed
without the informed consent of the individual (or the individual’s
lawful representative) who is the subject of the information, except as
provided in this Act.