American Journal of Public Health. 2017 Aug;107(8):1272–1276. doi: 10.2105/AJPH.2017.303862

Personally Identifiable Information in State Laws: Use, Release, and Collaboration at Health Departments

Elin B Begley 1, Jamie M Ware 1, Sarah A Hexem 1, Karina Rapposelli 1, Kelly Thompson 1, Matthew S Penn 1, Gustavo A Aquino 1
PMCID: PMC5508150  PMID: 28640676

Abstract

Despite benefits to sharing data among public health programs, confidentiality laws are often presumed to obstruct collaboration or data sharing. We present an overview of the use and release of confidential, personally identifiable information as consistent with public health interests and identify opportunities to align data-sharing procedures with use and release provisions in state laws to improve program outcomes.

In August 2013, Centers for Disease Control and Prevention staff and legal researchers from the National Nurse-Led Care Consortium conducted a review of state laws regulating state and local health departments in 50 states and the District of Columbia. Nearly all states and the District of Columbia employ provisions for the general use and release of personally identifiable information without patient consent; disease-specific use or release provisions vary by state. Absence of law regarding use and release provisions was noted.

Health departments should assess existing state laws to determine whether the use or release of personally identifiable information is permitted. Absence of direction should not prevent data sharing but prompt an analysis of existing provisions in confidentiality laws.


An important strategy of the Centers for Disease Control and Prevention’s (CDC’s) National Center for HIV/AIDS, Viral Hepatitis, STD, and TB Prevention is to reduce barriers to collaborative work across disease areas and integrate appropriate services provided by state and local programs for the prevention of HIV/AIDS, viral hepatitis, other sexually transmitted infections (STIs), and tuberculosis. For more than a decade, health departments have seen a need to provide comprehensive services when conducting disease investigation, testing, treatment, or care services for persons at risk for multiple diseases at separate times to reduce duplicative efforts.1–4 Prevention programs can be strengthened by collaborating and integrating services at the client level.5 There are numerous public health benefits to sharing data among HIV, viral hepatitis, STI, and tuberculosis programs.6 Despite the possible benefits, confidentiality laws are often cited as reasons for obstructing program collaboration or data sharing.

We consider 4 research questions whose answers will assist health departments in their use of personally identifiable information (PII):

  1. Are use and release provisions consistent with public health interests?

  2. Do opportunities exist to align data-sharing procedures with use and release provisions in state laws to improve program outcomes or to update laws that may impose barriers to program integration?

  3. What are the public health purposes for use and release of PII for communicable diseases generally and for specific diseases?

  4. How should health departments treat the absence of provisions, or silence in the law, regarding the use and release of PII?

Disease report data submitted to health departments are sometimes directly sent to disease-specific programs and shared only with staff who have a role in understanding, preventing, and controlling that disease (e.g., HIV) or set of diseases (e.g., STIs). Consequently, health departments have perceived or experienced challenges in using or releasing PII between disease-specific programs, despite the public health need to do so. This leads to restrictions in the use and release of critical data within discrete programs that could be used by multiple health programs for immediate public health action, for understanding an individual’s health, or for analyzing the extent to which diseases are synergistically interacting in a community. Furthermore, health departments do not always prioritize the use of data to track and improve critical outcomes.7

The collection, use, and release of PII for public health purposes allows health departments to carry out their mission to prevent and control diseases. The Health Insurance Portability and Accountability Act (HIPAA) serves to protect the information collected by covered entities (including health plans, health care clearinghouses, and health care providers who transmit any health information in electronic form in connection with a transaction covered by HIPAA) but allows the sharing of information with and by public health authorities.8 National reporting requirements and state laws may mandate that diagnoses of reportable diseases be sent to a state or local health department and sometimes only to a specific program or unit. Laws also authorize data collection during disease outbreak investigations, partner notifications, or contact tracing activities. Finally, health department programs are authorized to collect information from clients as a part of testing, screening, and disease surveillance programs to monitor, control, and respond to threats to the health and safety of the public at large.9

Much of the information health departments collect through these mechanisms is PII. PII includes any information that can be used to determine a person’s identity (e.g., name, social security number, date of birth) and any other information that is linked to an individual (e.g., medical, educational, and employment information).10 When PII is collected for a specific disease, it may be the only information collected across multiple activities that can enable health departments to determine whether a person has received testing, treatment, and other services for more than 1 disease. Access to PII is, therefore, critical in understanding syndemics (synergistically interacting epidemics), identifying duplicative services, and ensuring necessary care for multiple related diseases within a state or local jurisdiction.

State laws can govern the use and release of PII held by health departments. A use provision of a law permits the health department use of PII within the department that holds the information without patient consent. A release provision of a law explicitly indicates for what purposes health departments may release PII, without patient consent, to entities outside the department that holds the information. Lastly, states may have release provisions that facilitate interagency sharing of information across programs within the health department.

Use and release provisions are further characterized as being general or specific. General provisions address communicable diseases broadly, whereas specific provisions address the diseases chosen for this analysis, which include HIV, hepatitis B infection, hepatitis C infection, STIs (specifically gonorrhea, chlamydia, and syphilis), and tuberculosis.

An example of a general use provision can be found in an Arkansas regulation:

B. If the Director finds that the nature of the disease and the circumstances of the case or outbreak warrant such action, the Director shall make, or cause to be made, an examination of the patient in order to verify the diagnosis, make an investigation to determine the source of the infection, and take appropriate steps to prevent or control spread of the disease.11

An example of a specific use provision for tuberculosis can be found in a New Mexico statute:

A. When a physician or other person knows that a person has an infectious form of tuberculosis, the physician or other person shall promptly notify the department.12

A release provision might allow health departments to share PII throughout the agency or between agencies. Examples follow.

A general release provision from a regulation in Montana:

Health care information in the possession of the department, a local board, a local health officer, or the entity’s authorized representatives may not be released except: . . . (5) to another state or local public health agency, including those in other states, whenever necessary to continue health services to the named person or to undertake public health efforts to prevent or interrupt the transmission of a communicable disease or to alleviate and prevent injury caused by the release of biological, chemical, or radiological agents capable of causing imminent disability, death, or infection.13

A specific release provision for HIV from a statute in New York:

Confidentiality and disclosure.

1. No person who obtains confidential HIV related information in the course of providing any health or social service or pursuant to a release of confidential HIV related information may disclose or be compelled to disclose such information, except to the following: . . . (d) A health care provider or health facility when knowledge of the HIV related information is necessary to provide appropriate care or treatment to the protected individual, a child of the individual, a contact of the protected individual or a person authorized to consent to health care for such a contact.14

An interagency release provision from Iowa:

To the extent allowed by law, the following uses are considered routine uses of all department records: . . . (e) Transfers of information within the department, to other state or federal agencies, or to local units of government as necessary to administer the program for which the information is collected or as necessary to administer a program within the other governmental agency.15

These provisions show just a fraction of the ways state laws include language that may support the release of PII for public health benefit.

METHODS

CDC staff and legal researchers from the National Nurse-Led Care Consortium conducted a review of state laws affecting state and local health department use and release of PII, as they existed in August 2013, across the 50 states and the District of Columbia. CDC staff developed the questions of interest, with assistance from National Nurse-Led Care Consortium legal researchers, who researched and coded the laws. The review examined (1) for what purposes the laws of each state authorize health departments to use and release PII, and (2) where absence of provisions, or silence, may exist.

The researchers used WestlawNext to find each state’s public health statutes and regulations and then used these laws to answer each study question. If an answer to a question required reading 2 pieces of law in tandem, the researchers recorded all sources they used to determine the answer.

The research team developed the operational definitions for use provisions and release provisions. If a use or release provision includes all communicable diseases but expressly excepts 1 or more specific diseases from the applicable provision, the provision is still considered a general provision. The operational definitions are included in Table 1.

TABLE 1—Number of States with General Provisions in Their State Laws Regarding the Use and Release of Personally Identifiable Information: United States, August 2013

| Type of Provision | No. of States by Type |
|---|---|
| General use provisions^a | 47 |
| General use provisions only | 8 |
| General release provisions^b | 50 |
| General release provisions only | 9 |

^a A general use provision of a law permits the health department use of personally identifiable information to address communicable diseases broadly within the department that holds the information without patient consent.

^b A release provision of a law explicitly indicates for what purposes health departments may release personally identifiable information to address communicable diseases broadly, without patient consent, to entities outside the department that holds the information.

The research team also developed search terms to capture and code purposes for use or release of PII. The specific terms selected were chosen because they either arose frequently in early stages of research or were requested by the CDC. On the basis of textual analysis of the laws, the purposes that were coded included treatment or coordination of care, public health, implementation of public health laws, disease investigation, disease prevention and control, partner notification and contact tracing, interagency release, research, and other. The definitions of the purposes are included in Table 2.

TABLE 2—Number of States with Provisions in Their State Laws Regarding the Use and Release of Personally Identifiable Information (PII) by Purpose and Disease: United States, August 2013

| Purpose | No. of States With Use Provisions | No. of States With Release Provisions |
|---|---|---|
| Treatment and coordination of care^a | 33 | 41 |
| Public health^b | 26 | 24 |
| Implementation of public health laws^c | 17 | 31 |
| Disease investigation^d | 44 | 21 |
| Disease prevention and control and outbreak investigation^e | 42 | 33 |
| Partner notification or contact tracing^f | 41 | 20 |
| Research^g | 17 | 14 |
| Other^h | 24 | 43 |
| Interagency (release only)^i | . . . | 46 |
| Disease | | |
| HIV/AIDS | 35 | 35 |
| Syphilis | 27 | 17 |
| Gonorrhea | 26 | 15 |
| Chlamydia | 23 | 14 |
| Tuberculosis | 24 | 18 |
| Hepatitis B | 17 | 11 |
| Hepatitis C | 12 | 7 |

^a To provide or refer to health care treatment or counseling, the individual whom the PII provision is intended to protect; to coordinate and use or release information with health providers for the purpose of having a patient treated or to benefit.

^b To protect or promote the general health and safety of the public.

^c To carry out provisions of public health statutes or regulations.

^d To investigate, examine, inquire into, etc. the occurrence of a disease, which includes testing or examination of individuals for the identification of a disease.

^e To prevent and control the spread of disease, which includes health education, quarantine, and isolation.

^f To inform or identify partners, spouses, or contacts of their possible exposure to a communicable disease.

^g To conduct epidemiological or other scientific research.

^h Any exception other than those listed above but not including subpoenas unrelated to public health purpose, such as a subpoena to appear in family court (e.g., judicial orders, day care enrollment, quality assurance, emergency medical worker exposure).

^i Allows release of PII by 1 health department to another health department operating under a different legal authority.

The team adopted the methods articulated in “Measuring Law for Evaluation Research” for this work, which encourages iterative development of a research protocol during the early stages of research and quality oversight of multiple researchers following the standardized protocol.16 A researcher conducted initial legal research and coded the purposes for use or release of PII. Two lawyers and the lead author then reviewed the coding for every state.

RESULTS

The purposes for which PII are permitted, generally and for each specific disease, are identified in Table 1. Many of the coded purposes could be combined into broader categories of public health and patient care; therefore, some of the purposes were bundled to simplify the tables (Table A, available as a supplement to the online version of this article at http://www.ajph.org).

The number of states employing use provisions varied in frequency by purposes. The most frequently identified purposes were broad in scope, such as disease investigation (44) and disease prevention and control and outbreak investigation (42), and included more specific purposes, such as research (17). Release provisions also varied by state with interagency as the most frequently cited purpose and research as the least common purpose (14).

In addition to reviewing the purposes included in the state laws, we examined the range of permissions states employed in their use and release provisions, which varied from very specific information about PII use or release to a broad range of activities. For example, Rhode Island provides 24 detailed circumstances under which PII can be released. The 24 circumstances list the “release and transfer of confidential health care information” to various entities and identify the purposes for which the information may be released.17

By contrast, Massachusetts briefly specifies purposes for which PII may be released:

Except when necessary for the Commonwealth’s disease investigation, control, treatment and prevention purposes, the Department and local boards of health shall not disclose any personally identifying information without the individual’s written consent.18

A majority of the states and the District of Columbia (47) have general use provisions, but not all states have laws addressing disease-specific use of PII. Because health departments do not necessarily rely on a state’s use provision to use PII, not all states have general use provisions (AK, GA, HI, and KY). There are 8 states (AK, DE, ME, MN, NH, PA, TN, and VA) that have a general use provision but have no disease-specific use provisions.

Forty-nine states and the District of Columbia have general release provisions, which allow health departments to release PII related to communicable diseases to entities outside the health department for a range of public health purposes. The only state without a general release provision is Georgia, which has disease-specific release provisions only for HIV/AIDS. There are 9 states (AK, IN, MN, NE, NV, OR, UT, VT, and VA) that have a general release provision but do not have any disease-specific release provisions. The analysis shows that use and release provisions are not universally applied within or across states, resulting in absence, or silence, of the law. In these instances, states may choose to turn to the general release provision for guidance in releasing PII concerning specific diseases.

DISCUSSION

In our review of state-level laws that apply to PII use and release by health departments, we found that nearly all states (49 of 50) and the District of Columbia employ a general release provision for PII. Additionally, most states have laws that include a general use provision, and these provisions often address functions or authorities of the health department. Some states have use or release provisions that treat all communicable diseases similarly, whereas others are specific for certain diseases. These provisions may authorize releasing data to outside entities or between divisions or prevention programs within the health department. It is interesting that the most common purposes identified are broad in scope, implying permissiveness as opposed to restrictiveness. Therefore, when a state law allows PII use or release for the aim of public health or disease prevention and control, the provision likely allows it for the protection and promotion of the health of the state population.

We also identified an absence of law regarding allowable PII use and release, meaning that the law does not expressly address how health departments may use or release PII in some instances. Health departments may struggle with how the law applies to a specific disease when the law is silent on its use or release. However, even when a state is silent on use or release for a specific disease, there may be language for PII related to communicable diseases generally. In these instances, health departments may consider using the general use or release provisions for guidance.

Notably, some states may be silent on use or release but have provisions that label disease-related PII as confidential in their reporting or investigation laws and do not have exceptions to protecting PII. This is different from the complete absence of applicable law because the health department has at least some direction on how to treat the information. However, broadly worded confidentiality provisions may affect use and release differently because they are usually directed at the health department as a whole. This may translate to a broad prohibition to releasing PII to entities outside the health department but may not affect PII use among programs within a health department, especially when there may be a strong public health purpose for using information.

Likewise, silence on PII release in the face of a broadly worded confidentiality provision may not necessarily prevent health departments from releasing PII in situations when a narrow and targeted release of information may be necessary to protect the public’s health. Concededly, many of these situations raise complex questions of legal interpretation, which is why health departments should seek legal counsel before making situation-specific decisions.

We identified situations for which the law is silent with respect to a health department’s ability to use or release PII for HIV/AIDS, some STIs, tuberculosis, hepatitis B infection, and hepatitis C infection outside the health department. In doing so, we found that despite situations for which the law is silent, states often had other provisions with expansive authority that could allow PII use or release for public health purposes.

When examining the protection of PII, the HIPAA privacy rule must be considered. This rule prohibits covered entities from disclosing PII outside the entity that holds the information.19–21 Although the HIPAA privacy rule prohibits many types of disclosures, it permits covered entities to disclose PII without the written authorization of the individual to public health authorities that are authorized by law to collect or receive it for public health purposes.22,23

The HIPAA privacy rule does not apply to information that public health authorities possess, except in limited circumstances.24 However, the rule does not supersede state laws that address the use and release of health information held by public health officials. Therefore, there are no national standards for protecting all data held by public health agencies; state laws are critical components of privacy, confidentiality, and security of PII and other information.25 Relatedly, some health departments offer clinical services, thus transforming the health department into a covered entity for those clinical functions. Covered entities that conduct covered and noncovered functions are called “hybrid entities.”26 Under the HIPAA rule, hybrid entities can share PII among the covered functions for treatment, payment, and operations.27 Because covered entities are permitted to disclose PII to public health authorities for public health purposes, the release of PII within the health department from clinical treatment programs to public health programs is still permitted, depending on the context of the state and local laws that govern the public health authority.

The challenge for public health practitioners is that the variation in state laws concerning the protection of public health data creates confusion regarding the use or release of PII for the benefit of the patient or public health programs. It has been argued that this creates a lack of clarity that may lead practitioners to take a “when in doubt, just say no” stance to avoid running afoul of the law.28 The data and analysis we have presented suggest a different approach to interpreting the patient confidentiality laws in their own jurisdiction.

We identified elements included in state statutes and regulations that may promote PII use or release for public health purposes. Laws that facilitate data use or release typically minimize the potential for laws to conflict, adopt broad language, or exclude health department personnel from confidentiality provisions. For example, Alaska regulates the use or release of only general PII, and no laws exist governing the use or release of disease-specific PII. When fewer laws exist, the opportunity for conflict or confusion of reading disease-specific laws together may be reduced at the statutory and regulatory level. New Mexico uses broad language in its laws, which allows health departments to release HIV/AIDS-specific PII “in the conduct of public health practice.”29

Health department practitioners may consider looking at examples of laws that contain these elements as they consider how the confidentiality laws in their jurisdiction allow use or release of PII for purposes of improving public health. The resulting framework from this analysis suggests viewing laws that may initially seem restrictive or unresponsive as a basis from which health departments may still be able to accomplish their mandate to provide public health services through using and releasing PII. It may be possible for health departments to share PII within existing legal provisions to improve individual and population health within a jurisdiction.

Limitations

Public health agencies are encouraged to work with legal counsel to determine whether PII may be shared for use within the agency or release outside the agency. Our data and analysis should not be misconstrued as legal advice. This analysis is limited to state statutes and regulations. We did not examine city and county laws or health department policies and procedures. Additionally, we did not examine case law from federal or state appellate courts or administrative proceedings. We identified analytic themes directly from the text of the law, which limits data analysis to the language in the laws and does not include legal analysis. Furthermore, the purposes coded for this analysis did not include purposes of using or disclosing PII for quality assurance measures or public health emergencies. Finally, states vary widely in their laws as well as their public health departments, and textual analysis may not capture the many nuances affecting how health departments may use or share PII in their state.

Conclusions

State and local health departments should consider assessing all existing state and local statutes and regulations to determine whether the use or release of PII is permitted and work with legal counsel to update those that may impose barriers to program effectiveness. The absence of clear direction within the law, or silence, should not be immediately considered a roadblock to data use or release but may indicate the need to take a closer look at the existing provisions in general and disease-specific confidentiality laws. Although the use and release of PII are commonly permitted, health department personnel should always seek legal counsel when questions arise concerning perceived restrictions or implementation of confidentiality laws.

HUMAN PARTICIPANT PROTECTION

No protocol approval was required because no human participants were involved in this analysis.

Footnotes

See also Hodge, p. 1207.

REFERENCES

  • 1. Program Collaboration and Service Integration: Enhancing the Prevention and Control of HIV/AIDS, Viral Hepatitis, Sexually Transmitted Diseases, and Tuberculosis in the United States. Atlanta, GA: Centers for Disease Control and Prevention; 2009.
  • 2. Wohlfeiler D. STD/HIV prevention integration. 2002. Available at: http://www.ihs.gov/medicalprograms/hivaids/docs/STDHIVIntegration.pdf. Accessed February 20, 2014.
  • 3. Lush L. Service integration: an overview of policy developments. Int Fam Plan Perspect. 2002;28(2):71–76.
  • 4. Jourden J, Etkind P. Enhancing HIV/AIDS and STD prevention through program integration. Public Health Rep. 2004;119(1):4–11. doi: 10.1016/j.phr.2004.03.003.
  • 5. Hoffman HL, Castro-Donlan CA, Johnson VM, Church DR. The Massachusetts HIV, Hepatitis, Addiction Services Integration (HHASI) experience: responding to the comprehensive needs of individuals with co-occurring risks and conditions. Public Health Rep. 2004;119(1):25–31. doi: 10.1016/j.phr.2004.03.008.
  • 6. Data Security and Confidentiality Guidelines for HIV, Viral Hepatitis, Sexually Transmitted Disease, and Tuberculosis Programs: Standards to Facilitate Sharing and Use of Surveillance Data for Public Health Action. Atlanta, GA: Centers for Disease Control and Prevention; 2011.
  • 7. Frieden TR, Foti KE, Mermin J. Applying public health principles to the HIV epidemic—how are we doing? N Engl J Med. 2015;373(23):2281–2287. doi: 10.1056/NEJMms1513641.
  • 8. Health Insurance Portability and Accountability Act (HIPAA), 42 U.S.C.A. § 1320d-2 (West 2010).
  • 9. Public Health Service Act, 42 U.S.C. § 242m (West 1998).
  • 10. National Institute of Standards and Technology. Special publication 800–122. Guide to protecting the confidentiality of personally identifiable information (PII). Available at: http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-122.pdf. Accessed May 10, 2017.
  • 11. Ark. Admin. Code 007.15.2–VII (West 2014).
  • 12. N.M. Stat. Ann. § 24-1-15.1 (West 2009).
  • 13. Mont. Code Ann. § 50-16-603 (West 2003).
  • 14. N.Y. Pub. Health Law § 2782 (McKinney 2011).
  • 15. Iowa Admin. Code r. 641–175.10(17A,22) (West 2008).
  • 16. Tremper C, Thomas S, Wagenaar A. Measuring law for evaluation research. Eval Rev. 2010;34(3):242–266. doi: 10.1177/0193841X10370018.
  • 17. R.I. Gen. Laws Ann. § 5–37.3–4 (West 2014).
  • 18. 105 Mass. Code Regs. 300.120 (West 2015).
  • 19. 45 C.F.R. § 164.502 (West 2015).
  • 20. 45 C.F.R. § 160.103 (West 2015).
  • 21. 45 C.F.R. § 164.104 (West 2015).
  • 22. 45 C.F.R. § 164.512 (West 2015).
  • 23. Hodge JG Jr. Health information privacy and public health. J Law Med Ethics. 2003;31(663):1–14. doi: 10.1111/j.1748-720x.2003.tb00133.x.
  • 24. O’Connor J, Matthews G. Informational privacy, public health, and state laws. Am J Public Health. 2011;101(10):1845–1850. doi: 10.2105/AJPH.2011.300206.
  • 25. Lee LM, Gostin LO. Ethical consideration, storage, and use of public health data: a proposal for a national privacy protection. JAMA. 2009;302(1):82–84. doi: 10.1001/jama.2009.958.
  • 26. 45 C.F.R. § 164.103 (West 2015).
  • 27. 45 C.F.R. § 164.506 (West 2015).
  • 28. Wilson A. Missing the mark: the public health exception to the HIPAA privacy rule and its impact on surveillance activity. Hous J Health L & Pol’y. 2009;9:131–156.
  • 29. N.M. Stat. Ann. § 24-2B-6 (West 2014).

Articles from American Journal of Public Health are provided here courtesy of American Public Health Association
