Author manuscript; available in PMC: 2019 Dec 3.
Published in final edited form as: Jurimetrics. 2018 Summer;58(4):411–435.

GRANULAR PATIENT CONTROL OF PERSONAL HEALTH INFORMATION: FEDERAL AND STATE LAW CONSIDERATIONS*

Michael J Saks*, Adela Grando, Anita Murcko, Chase Millea**
PMCID: PMC6890413  NIHMSID: NIHMS1023052  PMID: 31798215

Abstract

The advent of electronic medical records and health information exchanges has facilitated the possibility of patients exercising increasingly granular control over sensitive health information. In principle, patients should be able to control which of their health information is made accessible to which of their healthcare providers. To meet this goal, the architects of any system of granular control of patients’ health information face a variety of challenges. In addition to technical, ethical, and prudential considerations, the architects of any effective system must also ensure compliance with applicable legal requirements. The extent of a patient’s permissible control depends upon whether governing law prohibits providers from disclosing health information to other providers without a patient’s authorization, permits providers to disclose to other providers at the provider’s discretion, or requires such disclosure. To inform efforts to design a viable system, this article analyzes U.S. federal and state (Arizona) law in regard to the sharing of the following types of sensitive health information: substance abuse, mental health, genetic, communicable diseases, and sexual and reproductive health.

I. BACKGROUND

As patients’ physical and behavioral health records become increasingly digitized, integrated, and networked, an accompanying effort is under way to enable patients to exercise more control over what information they wish to share with which providers.1 Depending on the type of information to be disclosed (e.g., substance abuse) as well as the sender and the recipient of the information (e.g., treating physician, health plan), federal and state laws both facilitate and limit patients’ exercise of such control.2 The architects of electronic patient consent systems need to be alert to what the law permits or requires in regard to patients’ control over their health records. Where the law mandates privacy subject to a patient’s authorization for disclosure, patients will encounter no legal barriers to their control. But where legal requirements mandate disclosure of certain information, a patient’s desire to withhold that information cannot be satisfied.

The aim of this article is to review and discuss the legal requirements bearing on health data sharing and how they affect patients’ granular control over disclosure of sensitive health information. We focus on Arizona state law, where, in conjunction with the statewide health information exchange (HIE),3 we are innovating the technology to support granular consent.4 Our hope is that this examination of the relevant law will serve as a model for health information architects in other states.

A. The Movement Toward Granular Control of Health Records

The Substance Abuse and Mental Health Services Administration (SAMHSA), an agency within the Department of Health and Human Services (DHHS), leads efforts to improve the nation’s behavioral health.5 As part of its mission to “reduce the impact of substance abuse and mental illness on America’s communities,”6 SAMHSA “supports standards that protect personal health information and advances standards on behavioral health records privacy, consent, and sharing.”7

Furthermore, it is important to note that SAMHSA “recognizes the potential of health IT [information technology] to transform behavioral health systems.”8 One of the 2015–2018 goals of SAMHSA is to “increase the number of HIEs that incorporate substance abuse and mental health treatment data by 25 percent.”9 The agency promotes coordination of federal and state-funded health IT initiatives within the behavioral health community.10 For that reason, SAMHSA initiated the Open Behavioral Health Information Technology Architecture (OBHITA) project in 2015.11 One of the health IT tools developed within OBHITA is Consent2Share (C2Share), a data consent management tool to support information exchange in compliance with health information privacy and confidentiality regulations.12 C2Share set several goals:

  • to “[d]emonstrate that privacy consent and data segmentation software tools and standards, developed through HHS initiatives, can be used to allow patient health record sharing in an environment where privacy regulations are currently an impediment;”13

  • to enable “patients receiving behavioral health treatment to share their health information while providing improved protection of their privacy;”14 and

  • to “develop a production-grade privacy and consent management system which is capable of supporting a pilot implementation which demonstrates that patient health record sharing can be successful” within the constraints of state and federal data sharing laws.15

C2Share has been proposed as a generic granular electronic consent tool that can be tailored to federal and state laws.16 Currently, C2Share supports data control related to drug use, alcohol use and alcoholism information, mental health information, HIV/AIDS information, genetic disease information, communicable disease information, sexual and reproductive health information, and other information.17

SAMHSA requirements strictly restrict health professionals from disclosing a patient’s protected substance abuse treatment information without signed consent.18 In addition, most states have laws limiting disclosure by health professionals of a patient’s information related to substance abuse, HIV/AIDS, mental health, genetic diseases, communicable diseases, sexuality, and reproductive health.19 For a state to implement C2Share, stakeholders must first conduct an in-depth review of relevant state and federal data privacy laws, as reported here, to better understand the extent to which the tool needs to be tailored to comport with unique state requirements.

B. Privacy of Sensitive Health Information

The basic notion of informational privacy—the social and legal recognition of a right to prevent others from learning about particular areas of our lives—varies across cultures, within societies, between generations, over historic time, and among individuals.20 Sometimes the same information can be regarded as private in some contexts but not others, or be readily shared with some individuals or institutions but not others.21 Informational privacy rights emerged as a response to the development of modern states and the growth of government power to regulate social and economic life and collect information about us, aided by the evolution of information technology.22

Sensitivity about health information is largely “subjective and varies depending on the particulars of an individual’s situation and context.”23 What are thought to be factors of significant influence include “cultural and political norms, individual life circumstances, and the emotional and health status of the individual.”24 When not properly disclosed, sensitive health information “carries with it unusually high risks”—such as “the possibility of discrimination, social stigma, and physical harm” (e.g., connecting information to specific instances of domestic violence).25 In certain cases, such as the disclosure of genetic information, the risk could “extend beyond the individual to his or her family, employer, or others.”26

Personal autonomy is one of the central pillars of western, and especially American, culture. One aspect of that autonomy is each individual’s control over information with which that person feels an intimate association.27 High on the list of such information is the record of our physical and behavioral (psychological) health.28 Autonomy, even informational autonomy, is not without limits. Sometimes others in society need to know, or have ethical claims to knowing, facts about us that we might prefer to keep to ourselves.29 As with most things, a balance must be struck, with our culture privileging confidentiality over disclosure.30 Federal and state laws pertaining to personal health information support that balance, though affording patients the benefits of electronic health records (EHR), especially the electronic networking of such records, while maintaining patient control over privacy in this digitized world, has become increasingly challenging.31 The goal of our larger project is to find ways to facilitate patients’ informational autonomy in this modern electronic data context.

While there is no universal agreement on what data should be regarded as sensitive, the National Committee on Vital and Health Statistics outlines the following categories of health information as generally considered sensitive: genetic information, substance abuse treatment records, HIV information or other information regarding sexually transmitted disease, mental health information (in particular psychotherapy notes) and sexual and reproductive health information.32 In line with SAMHSA goals to improve patients’ control over the sharing of sensitive data, these are the same categories of information supported by the existing C2Share software.33

Though the importance of informational privacy in general is intuitively obvious to most people, disagreement exists over its scope and limits.34 Disagreement is almost certainly a permanent condition, changing along with the evolution of information itself as well as cultural and personal sensibilities.

The law gives some categories of sensitive health information enhanced levels of privacy protection for differing reasons. Some categories receive increased protection because of policy choices aimed at encouraging people to seek treatment they might otherwise avoid (e.g., mental health, substance abuse).35 Other categories receive additional safeguards because of effective political organizing (e.g., HIV/AIDS),36 or because disclosure of the information could result in strategic actions against persons suffering certain conditions (e.g., genetic information).37 In contrast, certain categories of health information are accorded reduced protection to afford needed protection to certain individuals or the general public (e.g., mandatory reporting of certain kinds of wounds,38 abuse or neglect,39 communicable diseases,40 threats to identifiable individuals,41 or opioid use42).

Although a common law duty of confidentiality as well as medical ethics has long protected individual health information from unauthorized disclosure, HIPAA is currently the most influential law in the United States regulating privacy of individual health records.43 HIPAA promulgates a Privacy Rule that defines the persons and organizations (“covered entities”)44 whose privacy practices it regulates.45 The Privacy Rule restricts disclosure of protected health information (PHI) except for purposes of treatment, payment, and healthcare operations, or pursuant to a patient’s explicit, written authorization.46 HIPAA is an unusual federal law because it sets a level of protection, which serves as a floor that can be raised by state law.47 That is, whichever affords greater privacy protection—HIPAA or state laws—is the one that controls.48

That network of federal and state statutes and regulations has added substantially to the protections against disclosure of patient health records already afforded by common law privacy doctrines.49 Moreover, disputes that arise are litigated principally at the administrative level, within the Office of Civil Rights (OCR) (within DHHS), which is responsible for enforcing HIPAA.50

Existing laws on sensitive health information are neither comprehensive nor consistent—nor do they easily apply to electronic medical record sharing. Such laws are both numerous and inconsistent across jurisdictions.51 Discrepancies in the way states regulate sensitive data sharing can lead to difficulties in data exchange between states.52

C. Sensitive Health Information and the Advent of Electronic Health Information Exchanges

1. The Arizona HIE Context

In 2006, Arizona Health-e-Connection (AzHeC) (now known as Health Current), was created as a public-private partnership to serve as Arizona’s statewide HIE.53 Health Current is tasked by the State of Arizona to produce an integrated physical and behavioral health HIE to improve outcomes for Arizona patients.54 The integration plan was initiated in 2017.55

Health Current serves as a digital, standards-based, statewide hub to connect electronic health information between and among disparate providers.56 It has direct connections with hospitals, health plans, community health centers, physical health providers, behavioral health providers, and other provider-based networks, including accountable care organizations (ACOs), integrated delivery networks (IDNs), clinically integrated networks, and other HIEs.57 Health Current also connects to the eHealth Exchange to access data from out-of-state HIEs and federal agencies, including Centers for Medicare and Medicaid Services (CMS), Veterans Administration (VA), Social Security Administration (SSA), Department of Defense (DOD) and, in the future, Indian Health Services.58

Health Current and other HIEs are important stakeholders in efforts to expand patient control of sensitive information. Architects of effective consent management systems should ensure the ability of HIEs to meet both technical and legal requirements of patient control initiatives.

2. Patient Control in the Era of HIE: “My Data Choices”

The work reported in this article is part of a larger, federally funded, project titled “My Data Choices.”59 The National Institute of Mental Health (NIMH) supports the development of effective informed consent strategies for behavioral health patients. Particularly important to our project, the NIMH funds research relevant to determining an individual’s capacity to provide informed consent for research participation, when the consent of a surrogate (legally authorized representative) should be obtained, and how best to involve surrogates in the consent process.

“My Data Choices” (MDC) is a five-year, NIMH-funded research project (R01MH108992), designed to develop and evaluate granular consent strategies, especially for patients with behavioral health conditions.60 The main goals of MDC are to understand implications of patient-driven, consent-based granular data access in terms of healthcare delivery, ethics, technology and policy; extend C2Share to facilitate electronic medical record exchange within Health Current; support electronic granular consent to comply with data sharing laws and patients’ granular data sharing choices; and use multimedia resources to educate behavioral health patients (including Spanish speakers and patients with serious mental illness (SMI)) on privacy consequences of data exchange.61

Achieving the goals of MDC requires understanding current electronic consent tools for the release of personal health information,62 patient and provider perspectives on granular consent-based data sharing,63 and the legal constraints surrounding patients’ ability to withhold certain information from certain providers. In the next sections, we summarize our review of federal and state laws on health data sharing that will guide the process of tailoring and deploying the C2Share tool in Arizona.

II. RESEARCH SCOPE

With our focus on law relevant to withholding certain sensitive information from providers, this article will say little about other entities to which disclosure laws apply. Consequently, sharing or withholding from researchers is beyond the scope of our project, though a general answer can be given here. For scientific research—at least of the kinds that are subject to federal regulations governing research with human subjects, and which HIPAA defines as “a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalizable knowledge”64—prior written authorization by patients must be obtained.65 Even Arizona laws that seem to authorize disclosure of PHI to researchers actually limit that disclosure to research “conducted pursuant to applicable federal or state laws and regulations governing research.”66 Consequently, patients do generally have control over their health information when it is to be used for scientific research.67

By contrast, analyses of patient data undertaken by a healthcare organization for purposes such as management, utilization review, peer review, and quality assurance are classified by HIPAA as “healthcare operations” and such uses do not require a patient’s specific consent or authorization.68 From such uses, patients do not have the power to withhold their information unless the healthcare organization chooses to honor patients’ requests to do so.69

Also beyond the scope of our review are data disclosures to government for statistical reporting purposes or insurers for payment purposes. We will also assume that disclosure has to be made whenever ordered by a court. Though that assumption will not always be true, it is a more than adequate rule of thumb for present purposes.70

A. Legal Constraints on Patient Control of Their Health Information

The core of this article is a discussion of the current legal feasibility of giving patients increased control over what information in their medical records they wish to share with which providers. Some laws might require disclosure of health information to persons and organizations from whom a patient might prefer to withhold the information. Where those legal requirements mandate disclosure, it will not be possible to satisfy a patient’s wishes, and therefore the design of a consent tool should not offer the choice of withholding. Our aim is to explicate those disclosure requirements. Table 1 summarizes the more extensive discussion that is presented below.

Table 1.

Summary of Analysis of Federal and Arizona Laws on Sensitive Health Information Sharing

| Type of Info. | Provider… Must Disclose, May Disclose, or May Not Disclose w/out Patient authorization to other Providers | Most relevant Arizona Law | Most relevant Federal Law | With HCO agreement, patient could withhold info from providers71 | Comments |
|---|---|---|---|---|---|
| Alcohol & Substance Abuse | | | | | |
| • Fed. subsidized | May Not | | 42 U.S.C. § 290dd-2 | Yes | |
| • Private | May | ARS § 36–509 | HIPAA | Yes | Providers “may” disclose “only” to enumerated others, but are not required to do so. HIPAA also permits but does not require disclosure. |
| • Prescribed controlled substances | Must | ARS § 36–2602 et seq | | No | Arizona’s Controlled Substances Monitoring System |
| Mental Health | May | ARS § 36–509 | | Yes | Providers “may” disclose “only” to enumerated others, including physicians, but not required to. |
| • Psychotherapy notes | | ARS §§ 13–3620(M) & 46–454(H) | | Yes | In addition, may be redacted before disclosure by the provider who created the notes, even when ordered by a court. |
| Genetic Info | May not | ARS § 12–2802 | GINA | Yes | List of “shall be released” to entities does not include providers, except a doctor who replaces one who (presumably) already had been granted access by the patient |
| Communicable Diseases | Unclear: either may or may not | ARS § 36–664 | 42 U.S.C. § 264 | Yes | AZ provision not coherent regarding providers, but all of the interpretations lead to “may” |
| • HIV & AIDS | Unclear: either may or may not | | | Yes | Heightened protection from many forms of disclosure. |
| Sexual & Reproductive Health | May | | HIPAA | Yes | |
| • Abortion | May | ARS § 36–2161 | | Yes | State requires anonymous statistical reporting to DHS. CDC can only request the data from states. |

In the text, as well as in Table 1, we report our analysis of tensions that might exist between the law and a patient’s possible desire to withhold information. For some laws, we conclude that the patient may withhold the type of information because the law does not mandate disclosure. That conclusion presumes that the healthcare organization involved exercises its discretion to cooperate with patients’ requests to withhold when the law merely permits disclosure by a provider. Moreover, in relation to some privacy categories, the law prohibits the provider from disclosing. For other laws, we conclude that the patient may not withhold the information because the law requires disclosure—that is, the law defines circumstances where the provider must disclose. The discussion and Table 1 also indicate the nature of the statutory mandate pertaining to a particular type of health information: whether a provider must disclose, may disclose, or may not disclose the information.

Note that, even where the law would allow patients to withhold information, with the healthcare organization’s agreement, other (nonlegal) considerations might weigh against a healthcare organization agreeing to cede its control of disclosure to the patient. Among those other considerations might be ethical, prudential, practical, or other concerns.

III. RESULTS

A. Substance Abuse Information

1. Federal Law

The principal regulation concerning drug and substance abuse information is the Federal Confidentiality of Alcohol and Drug Abuse Patient Records law and implementing regulations, sometimes called the substance use disorder (SUD) law or the 42 C.F.R. Part 2 confidentiality law.72 This provision guarantees the confidentiality of information about people receiving substance abuse treatment services from federally assisted programs that hold themselves out as a provider of such services (Part 2 Program).73 Under the statute, Part 2 Programs must have the patient’s express consent to release identifiable information related to substance abuse treatment services (absent an overriding need such as bona fide medical emergency in which the patient’s prior informed consent cannot be obtained).74 Therefore, a patient may withhold disclosure by a Part 2 Program.

Disclosure of patient information by a non-federally funded drug and substance abuse program (or from an entity that does not hold itself out as generally providing substance abuse services, e.g., a hospital emergency department) would be regulated by the Health Insurance Portability and Accountability Act (HIPAA).75

HIPAA authorizes, but does not require, disclosure of patients’ substance abuse records (not held by a Part 2 Program) for treatment.76 This means, for the purposes of MDC, that healthcare organizations have the power to decide whether to honor a patient’s request to withhold information.77 Presumably, a provider adopting MDC would be interested in cooperating with a patient choosing to withhold information from providers. Thus, a patient may withhold disclosure of substance abuse information by a non-Part 2 Program.

2. Arizona Law

Relevant health information about a patient that is not held by a federally funded program would be subject to the provisions of Arizona Revised Statute section 36–509.78 That statute requires that “[a] health care entity must keep records and information contained in records confidential.”79 But it also provides that disclosure “may” be made to “[p]hysicians and providers of health, mental health or social and welfare services involved in caring for, treating or rehabilitating the patient.”80

In addition, the statute provides a list of other entities that may receive information (by action of the statute without specific consent of the patient).81 Those other entities include government or law enforcement agencies for the purpose of reporting “a crime on the premises” of the healthcare facility or to “[a]vert a serious and imminent threat to an individual or the public”; persons with a close relationship to the patient if the judgment is made that disclosure would be “in the best interests of the patient;” legal representatives of the healthcare entity in the possession of the records for the purpose of securing legal advice; and “[p]ersons authorized by a court order.”82

Note that disclosure is permitted without specific patient authorization, but it is not required to be disclosed to the enumerated persons and entities.83 Thus, the healthcare organization in possession of the records is authorized to decide whether to disclose to any of those on the may-disclose-to list.

If a healthcare organization agrees to honor the patient’s wishes, then the law does not prohibit the organization from withholding such information pursuant to a patient’s request.84 Thus, the healthcare organization could agree to restrict disclosure within tighter bounds than the law requires; more specifically, to not disclose certain information to certain caregivers without the patient’s explicit consent or authorization. Therefore, the patient may withhold disclosure of substance abuse information by a non-federally assisted healthcare organization.

3. Controlled Substances

Controlled substances that are medically prescribed raise a separate issue of disclosure such that, for this portion of a patient’s medical record, the patient may not withhold disclosure. Arizona has established a “Controlled Substances Monitoring System” to enable prescribers to track the use of certain medications in an effort to reduce excessive use of those drugs by alerting practitioners about a patient’s recent fill history for controlled substances, and also to “[a]ssist law enforcement to identify illegal activity related to the prescribing, dispensing and consumption of schedule II, III, IV and V controlled substances.”85

The Controlled Substance Monitoring System creates “a computerized central database tracking system to track the prescribing, dispensing and consumption of schedule II, III, IV and V controlled substances … .”86 When contemplating prescribing any of the drugs of concern, “a medical practitioner, before prescribing an opioid analgesic or benzodiazepine controlled substance listed in schedule II, III or IV for a patient, shall obtain a patient utilization report regarding the patient for the preceding twelve months … .” either by directly accessing the centralized tracking system or by using an electronic medical record system that integrates the data from the tracking system.87

Prescribers need not query the system for a utilization report under certain circumstances, including when the controlled substance is being prescribed “during the course of inpatient or residential treatment in a hospital, nursing care facility, assisted living facility, correctional facility or mental health facility,” or when the prescription is for no more than a ten-day period for an invasive procedure or an acute injury or disease.88

The bottom line is that it will not be possible for patients to withhold information about the use of those monitored drugs from subsequent practitioners who are considering prescribing such drugs under circumstances where querying the centralized system is required. Therefore, the patient may not withhold.

B. Mental Health Information

1. Federal Law

Other than HIPAA, we are aware of no federal laws that specifically affect disclosure practices regarding mental health information. HIPAA’s privacy rule extends to all PHI, including mental health records.89

However, HIPAA does provide additional protections for psychotherapy notes of a mental health professional.90 HIPAA defines psychotherapy notes as “notes recorded … by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of the individual’s medical record.”91 Excluded from this definition is information about medications, modalities and frequencies of treatment provided, results of clinical tests, summaries of diagnoses, functional status, treatment plan, symptoms, prognosis, progress, or information that is maintained in a patient’s medical record.92

A covered entity is required to obtain a patient’s authorization before a disclosure of psychotherapy notes for any reason, including disclosure for treatment purposes to any healthcare provider other than the originator of the notes.93 Thus, the patient may withhold disclosure of psychotherapy notes. Exceptions to that rule include disclosures required by other law, including state law, such as for mandatory reporting of abuse and mandatory “duty to warn” situations regarding threats of harm made by the patient.94

2. Arizona Law

A healthcare entity must keep mental health records confidential.95 Mental health records and information contained in such records “may only be disclosed to” entities specified in the statute.96 The quoted language is probably best understood as indicating that disclosure is not required to be made to any of those entities; rather that disclosure to any entity outside of that list requires specific authorization by the patient. Thus, in the context of healthcare providers participating in MDC, a patient may withhold disclosure of mental health records.

Under Arizona law, psychotherapy notes are given some special protection.97 Even when psychotherapists are required to disclose mental health records, they may redact certain information, including “personal information about individuals other than the patient” and “information regarding specific diagnosis or treatment of a psychiatric condition … [if the] information would be detrimental to the patient’s health or treatment.”98

C. Genetic Information

Except for disclosures to insurers and employers, both federal and Arizona laws say little about the duties of healthcare providers or healthcare organizations to disclose genetic information or to keep it confidential.

1. Federal Law

The principal federal law concerned with the privacy of genetic information is the Genetic Information Nondiscrimination Act (GINA).99 The Act defines what is included in the concept of genetic information, and broadly prohibits its use by health insurers (e.g., for underwriting) or employers.100 GINA also carefully develops several exceptions and provisions for enforcement (by the Secretary of Labor).101

Regarding the exceptions, the Act specifies that under those exceptions only the “minimum amount of information necessary to accomplish the intended purpose” may be disclosed.102 Exceptions include requesting an insured to undergo genetic testing for research purposes under carefully prescribed circumstances.103 Employment entities that do come into possession of genetic information must not disclose such information except under specific circumstances.104

Given that the main targets of GINA are employers and insurers, not healthcare providers, little more need be said.105 The healthcare organizations and providers who are the focus of MDC may treat genetic information as they do most other healthcare information. Therefore, the patient may withhold disclosure of genetic information.

2. Arizona Law

Under Arizona law, “genetic testing and information derived from genetic testing are confidential and considered privileged to the person tested … .”106 That same statute enumerates eleven categories of persons or entities to which the genetic information “shall be released.”107 These eleven categories do not include the patient’s healthcare providers. Thus, patients would have to specifically authorize their healthcare providers to have access. But for two exceptions that are unlikely to arise when using MDC, the patient may withhold disclosure.

One minor exception has to do with providers who are involved in using organs and tissue from a deceased patient or in artificial insemination of semen or ova.108 Another minor exception is this: “A health care provider that assumes the responsibility to provide care for, or consultation to, the patient from another health care provider that had access to the patient’s genetic records.”109 Thus, a new provider is granted access to genetic information (without needing a new consent from the patient) if the patient’s previous provider (from whom the new one took over or consulted regarding patient care) had been granted access. To this limited extent, the patient may not withhold disclosure. Note that if the original doctor did not have access to the patient’s genetic testing information, then the new doctor does not have access either. Furthermore, a patient may easily revoke consent. The patient could grant consent to Doctor 1 and then withdraw it as care is being transferred to Doctor 2 (or even withdraw consent from Doctor 1 at any time).

D. Communicable Disease Information

1. Federal Law

Federal law authorizes quarantine (keeping a patient under observation to determine if the patient has contracted a disease of special concern) and isolation (keeping a patient with an identified disease apart from people who do not have the disease).110 The federal government generally relies on state health departments to handle these matters.111 However, effective in 2002, Congress gave the federal government authority for “apprehension, detention, or conditional release of individuals … for the purpose of preventing the introduction, transmission, or spread of such communicable diseases,” when ordered by the President.112 This authority preempts state law only insofar as state law is inconsistent with the federal provisions.113

Certain communicable diseases are on a list of diseases the sufferers of which may be ordered quarantined or isolated.114 The list is subject to change by executive order of the President.115 As of this writing, the following diseases are included on the list: cholera, diphtheria, infectious tuberculosis, plague, smallpox, yellow fever, viral hemorrhagic fevers, severe acute respiratory syndromes, and flu that can cause a pandemic.116 A patient might want providers to withhold from public health authorities the fact that the patient is infected with one of those diseases so that she or he will not be kept in isolation; but withholding that information is not legally permissible.117 To effectuate public health protections, the patient’s condition would need to be made known to those officials. As explained below, Arizona law (like the communicable disease laws of most or all other states) requires providers to notify state health officials when a patient presents with one of these conditions.118

HIPAA treats these diseases no differently from other diseases, and therefore automatically authorizes sharing of a patient’s PHI with the patient’s other caregivers.119 Therefore, under federal law, a patient with a listed communicable disease may not withhold that identifiable health information from public health officials.120 However, as to withholding from others, including healthcare providers, the patient may withhold if the custodian of the records (e.g., the patient’s doctor) agrees to a patient’s request to withhold the information.

2. Arizona Law

Pursuant to Arizona statute, “[a] person who learns that a contagious, epidemic or infectious disease exists shall immediately make a written report of the particulars to the appropriate board of health or health department.”121 The statute requires that “[t]he report shall include names and residences of persons afflicted with the disease,” and “[i]f the person reporting is the attending physician he shall report on the condition of the person afflicted and the status of the disease at least twice each week.”122

Note that the part of the statute applicable to attending physicians requires mandatory reporting to state health officials,123 which is not a focus of MDC. The central question for purposes of MDC is whether a patient is prohibited by law from withholding information or, on occasion, whether a provider is required to share information about a contagious disease with caregivers who might not have a need to know about the condition, but who normally would have access to the patient’s entire record.

In answer to that question, Arizona Revised Statute section 36–664 should provide guidance. In one circumstance relating to providers, the statute does give clear guidance. When a “health care provider or first responder who has had an occupational significant exposure risk to the protected person’s blood or bodily fluid,” and “provides a written request that documents the occurrence and information regarding the nature of the occupational significant exposure risk and the report is reviewed and confirmed by a health care provider who is both licensed … and competent to determine a significant exposure risk,” then the patient’s communicable disease information may be shared with the provider seeking the information.124 In the circumstance just described, the patient may not withhold the disclosure of communicable disease information.

Beyond that section, the relevant portion of this statute, subsection (A)(4),125 is drafted so poorly that one cannot say with confidence whether disclosure by one provider to another provider, in the routine course of patient care, is permitted or prohibited.

The statute begins by prohibiting disclosure: “A person who obtains communicable disease related information in the course of providing a health service or obtains that information from a health care provider pursuant to an authorization shall not disclose or be compelled to disclose that information … .”126 It then lists a number of exceptions where disclosure is appropriate (“shall not disclose … except to the following”).127 This is best understood as an exclusive list (these exceptions and no additional ones) and as a permitted, not required, disclosure (in contrast to the disclosure required to the health department). Among those exceptions, it is not easy to find providers acting in the normal course of patient care.

Note that none of the possible interpretations requires disclosure, and therefore the patient may withhold. If the statute prohibits disclosure (without patient authorization), then clearly the patient could choose to withhold rather than share. If the statute permits disclosure, then a healthcare organization (whether participating in MDC or otherwise) would have the option of determining under what circumstances it chose to honor requests by patients to withhold information about the patient’s infectious diseases.

Presumably, no healthcare organization or provider would choose to withhold from another provider information about a meaningful risk of exposure to infection. The issue is more likely whether a patient’s history of an infectious disease is something the provider would agree to withhold (presumably from providers who did not have a need to know).

In other statutes where the legislature intended to make an exception for disclosure to caregivers, the law simply and straightforwardly exempts caregivers from the general prohibition on disclosure.128 For example, in making exceptions to the requirement of confidentiality of mental health records, the law exempts “[p]hysicians and providers of health, mental health or social and welfare services involved in caring for, treating or rehabilitating the patient.”129

In Arizona Revised Statute section 36–664, the only provision that might overcome the general prohibition on disclosure and extend the exceptions to providers states: “An agent or employee of a health facility or health care provider to provide health services to the protected person or the protected person’s child or for billing or reimbursement for health services.”130

One way to read that statute is to focus on the clear subjects of the sentence: the agent or employee. Then the statute would mean that exceptions to the prohibition on disclosure include “[a]n agent or employee [who works for] a health facility or health care provider [that already received authorized disclosure, and the agent or employee of the health facility or health care provider is assisting] to provide health services to the protected person … .”131 No doubt most people would feel that the statute should liberally include providers, and they would look for ways to read it so that the desired authority can be found in the statute.

One possibility is to interpret the second “or” as a disjunctive “or,” a major dividing line, so that the provision would be read to say instead: “An agent or employee of a health facility or [a] health care provider to provide health services … .”132 That would put providers on a syntactical par with agents and employees. Others would read some commas into the statute: “An agent or employee of a health facility[,] or health care provider[,] to provide … .”133

From a statute-reading perspective, this all comes down to whether the “health care provider” is part of the prepositional phrase starting with “of” or is a belated subject of the sentence, along with agents and employees. Until the statute is amended to better reflect the legislature’s intent, or the question is resolved judicially, we cannot know with confidence whether providers are a general exception to the prohibition on disclosure. But, as noted above, because neither interpretation requires disclosure, as far as the law is concerned, healthcare organizations are free to comply with a patient’s request and the patient may withhold disclosure of this information.

3. HIV/AIDS Information

In some respects, Arizona law treats HIV-related information like that pertaining to any other infectious disease, meaning the patient may withhold.134 In other respects, HIV-related information is subject to greater protection than that of other infectious diseases.135

The reason for complicated legal treatment of HIV-related information is the dilemma it presents to public health policy.136 On the one hand, society wishes to encourage at-risk individuals to obtain testing so that those who have been infected can seek treatment and take precautions to prevent further transmission of the virus.137 Confidentiality promotes those goals, especially because of the stigma and fear associated with HIV/AIDS,138 which can have adverse social, employment, and even medical consequences for the HIV-positive person (some providers decline to accept HIV-positive patients).139

On the other hand, disclosure benefits intimate contacts of the patient, enabling those individuals to be counseled, tested, and (if necessary) treated.140 But such disclosure, especially over a patient’s objections, would lead some at-risk patients to refrain from being tested.141 The dilemma, then, is “determining when the need to protect others, such as sex partners to whom the patient is likely to transmit HIV, supersedes the patient’s right to confidentiality.”142

Consequently, the law is pulled in two directions at once. On one hand the law seeks to protect confidentiality, while on the other it seeks to protect individual and public health. For example, an HIV-related test may be ordered by a healthcare provider only after the patient has received specific information about the test and the implications of positive results, and the patient has granted informed consent for HIV testing.143

HIV is, of course, covered by the same general confidentiality requirement that protects other communicable disease information, such that anyone “who obtains communicable disease related information in the course of providing a health service or obtains that information from a health care provider pursuant to an authorization shall not disclose or be compelled to disclose that information” other than for the exceptions enumerated in the statute.144

Beyond that general prohibition on disclosure of communicable disease information, “a person who receives HIV-related information in the course of providing a health service or pursuant to a release of HIV-related information shall not disclose that information to another person or legal entity or be compelled by subpoena, order, search warrant or other judicial process to disclose that information to another person or legal entity.”145

Moreover, subsection 664(F) of the statute singles out HIV-related information for special protection associated with an authorization for disclosure: “A general authorization for the release of medical or other information, including communicable disease related information, is not an authorization for the release of HIV-related information unless the authorization specifically indicates its purpose as an authorization for the release of confidential HIV-related information … .”146

Furthermore, Arizona Revised Statute section 36–665, which governs the conditions under which a “court or administrative body may issue an order for the disclosure of or a search warrant for communicable disease related information,” carves out a special provision for HIV-related information.147 Section 36–665 states that “a court or administrative body shall not order the [state health] department, a county health department or a local health department to release HIV-related information in its possession.”148

Underscoring the legislature’s seriousness about confidentiality of HIV-related information are additional provisions that make HIV testing or disclosure that occurs in violation of the rules outlined above subject to criminal penalties,149 civil penalties,150 and private suits for damages.151

On the side of protecting public health, especially the contacts of an HIV-positive patient, the law requires certain disclosures.152 When investigating a reportable communicable disease, state and local health departments have authority to access patient records held by providers.153 Further, the Arizona Administrative Code requires healthcare providers and administrators of healthcare facilities, correctional facilities, schools, childcare establishments, or shelters (or their authorized representatives) to submit reports on patients with specified communicable diseases to their local health agency.154 These reports are required to include the patient’s name, address, and phone number (and the same information for the party providing the report).155 HIV is included among the diseases that are required to be reported.156 Thus, in this instance, the patient may not withhold disclosure.

E. Sexual and Reproductive Health Information

1. Federal Law

For most or all of what would be included in this category, there are no applicable federal laws, and therefore none to require disclosure of information over a patient’s desire to withhold. Therefore, the patient may withhold disclosure of records relating to sexual or reproductive health.

Specifically regarding abortion, CDC requests, but cannot require, state health departments to provide annual statistical data on abortions for CDC’s national abortion surveillance system, in place since 1969.157 Apparently, nearly all states currently cooperate with the request.158 Because Arizona does not collect individually identifiable abortion patient information,159 it could not provide names or other identifiable information even if CDC wanted them (which it does not).160

2. Arizona Law

Arizona law does require anonymous statistical reporting of abortion procedures to the state health department, including basic facts about patients and circumstances, including demographics, but not patients’ identity.161 Thus, the law creates a duty to disclose on the part of the healthcare organization providing the abortion.162 As noted above, CDC requests, but has no legal authority to require, state health departments to provide annual statistical data on abortions for CDC’s national abortion surveillance system.163

A different Arizona statute is concerned with the reporting of complications that develop in the provision of abortion services.164 The law requires providers to report descriptive information about the patient, the abortion, and the complications, but the “report shall not identify the individual patient by name.”165

Finally, Arizona Revised Statute section 36–2163 requires the Arizona Department of Health Services (ADHS) to gather reports of abortions, complications, and other data (notably, numbers of minors seeking judicial approval and the outcomes of those petitions) and aggregate them into “a comprehensive annual statistical report.”166 Important for MDC purposes, the reports created under this statute must preserve the privacy of individual patients.167 The reports “shall not contain the name of the woman, common identifiers such as the woman’s social security number, driver license number or insurance carrier identification numbers or any other information or identifiers that would make it possible to identify in any manner or under any circumstances an individual who has obtained or seeks to obtain an abortion.”168

These reporting duties will not affect MDC because the requirement is imposed on abortion providers and ADHS.169 Information about an abortion that has already occurred, or is being considered, and is contained in the patient’s behavioral health file need not be reported to anyone.170 Therefore, in regard to abortions, the patient may withhold information.

Advances in information technology will facilitate continued expansion of healthcare information exchange. Along with the benefits of such information networks come privacy concerns. Fortunately, the same technology facilitates a solution: rapidly advancing health information technology will support digital filtering, sequestering and exchange of increasingly granular health information. Patients can be given the power to control who may access which portions of their personal health records.

Decisions about the design of an information technology that balances patient privacy and sharing of sensitive data will benefit from the differing perspectives and the expertise of diverse professionals, among them primary care providers, mental health providers, patient representatives, technology experts, healthcare organizations, HIEs, and experts in law and ethics.

Not least among the considerations that system architects will need to take into account will be applicable federal and state laws, which require, permit, or prohibit disclosure of particular categories of health information. The work reported in this article provides a roadmap, which could be followed by each state to discover and make use of their own particular jurisdiction’s legal requirements to guide construction of their own systems of patient-driven control of sensitive health information.

Acknowledgments

This article was supported by NIMH Grant R01MH108992, My Data Choices. We want to acknowledge those who generously assisted our preparation of this article: Janice Dinner, J.D., Senior Associate General Counsel, Banner Health; Ira Ellman, J.D., Charles J. Merriam Distinguished Professor of Law Emeritus, Sandra Day O’Connor College of Law, Arizona State University; Pat Gilbert, A.A.L., Legal Consultant, Partners in Recovery; Charlton Wilson, M.D., Chair, Mercy Care Plan; Kim Weidenaar, J.D., Fellow at Public Health Law and Policy Program, Sandra Day O’Connor College of Law, Arizona State University.

References

  • 1. See generally Caine Kelly et al., Designing a Patient-Centered User Interface for Access Decisions About EHR Data: Implications from Patient Interviews, 30 J. GEN. INTERNAL MED (SUPP. 1) S7 (2015); Caine Kelly & Hanania Rima, Patients Want Granular Privacy Control Over Health Information in Electronic Medical Records, 20 J. AM. MED. INFORMATICS ASS’N 7 (2013); Campos-Castillo Celeste & Anthony Denise L., The Double-Edged Sword of Electronic Health Records: Implications for Patient Disclosure, 22 J. AM. MED. INFORMATICS ASS’N e130 (2015); Adela Grando M et al., A Study to Elicit Behavioral Health Patients’ and Providers’ Opinions on Health Records Consent, 45 J. L. MED. & ETHICS 238 (2017); Schwartz Peter H. et al., Patient Preferences in Controlling Access to Their Electronic Health Records: A Prospective Cohort Study in Primary Care, 30 J. GEN. INTERNAL MED (SUPP. 1) S25 (2015).
  • 2. Federal healthcare regulations, notably HIPAA, apply only to covered entities and their business associates. See 45 C.F.R. §§ 160.102–.103 (2017). Other laws also regulate certain individuals and institutions but not others. Thus, the analysis depends upon who the sender of information is, what the information consists of, and who the receiver is.
  • 3. See infra Section I.C.1. See also HEALTHCURRENT, https://healthcurrent.org [https://perma.cc/8J34-9ATH].
  • 4. The research doing this work is funded by NIMH Grant R01MH108992 to Principal Investigator Adela Grando.
  • 5. About Us, SUBSTANCE ABUSE & MENTAL HEALTH ADMIN, https://www.samhsa.gov/about-us [https://perma.cc/AKP7-BMTC].
  • 6. Id.
  • 7. Medical Records Privacy and Confidentiality, SUBSTANCE ABUSE & MENTAL HEALTH ADMIN, https://www.samhsa.gov/laws-regulations-guidelines/medical-records-privacy-confidentiality [http://perma.cc/E8T5-DZ6C].
  • 8. SAMHSA’S Efforts in Health Information Technology (Health IT), SUBSTANCE ABUSE & MENTAL HEALTH ADMIN, https://www.samhsa.gov/health-information-technology/samhsas-efforts [http://perma.cc/98MG-RYVE].
  • 9. SAMHSA, LEADING CHANGE 2.0: ADVANCING THE BEHAVIORAL HEALTH OF THE NATION 2015–2018, at 28 (2014).
  • 10. See SAMHSA’s Efforts in Health Care and Health Systems Integration, SUBSTANCE ABUSE & MENTAL HEALTH ADMIN, https://www.samhsa.gov/health-care-health-systems-integration/samhsas-efforts [http://perma.cc/5P5A-Z8K8].
  • 11. See SAMHSA’s 2015–2018 Plans for HIT, FED. TELEMEDICINE NEWS (October 13, 2014), http://federaltelemedicine.com/?p=2617 [http://perma.cc/WE25-9Z6A].
  • 12. Id.
  • 13. Polk Bear, Consent2Share: Patient Consent Management & Access Control Services, HEALTHIT (May 25, 2013), https://www.healthit.gov/sites/default/files/c2spresentation_0.pdf [https://perma.cc/55FW-E6DX].
  • 14. Id.
  • 15. Id.
  • 16. See Consent2Share, FEI SYS, http://www.feisystems.com/what-we-do/health-it-application-development/consent2share/ [http://perma.cc/HVB6-YWYW].
  • 17. See Consent2Share V3.4.0 Patent User Guide, SAMHSA HEALTHIT, https://bhits.github.io/consent2share/downloads/3.4.0/C2S_Patient_User_Guide_3.4.0.pdf [https://perma.cc/RT8U-8EU4].
  • 18. See 42 C.F.R. § 2.31 (2017).
  • 19. See, e.g., ARIZ. REV. STAT. ANN. § 36–509 (2016 & Supp. 2017).
  • 20. See Carly Nyst, Privacy, Protection of Personal Information and Reputation Rights 7 (UNICEF, Children’s Rights & Business in a Digital World Discussion Paper Series, 2017), www.unicef.org/csr/files/UNICEF_CRB_Digital_World_Series_PRIVACY.pdf [https://perma.cc/2MGM-7S7Y].
  • 21. We might, for example, disclose certain intimacies over coffee with a friend, but not on Facebook; with a family member but not a friend; risky activities with a school counselor but not the vice-principal; certain health information with a doctor, but not all of our health information with that same doctor.
  • 22. See generally Solove Daniel J., A Brief History of Information Privacy Law, in PROSKAUER ON PRIVACY (2006).
  • 23. Ricciardi Lygeia, Protecting Sensitive Health Information in the Context of Health Information Technology, CONSUMER P’SHIP FOR EHEALTH 2 (June 2010), http://www.nationalpartnership.org/research-library/health-care/HIT/protecting-sensitive-health.pdf [https://perma.cc/ZY6M-NLPT].
  • 24. Id.
  • 25. Id.
  • 26. Id.
  • 27. See Neame Roderick L.B., Privacy Protection for Personal Health Information and Shared Care Records, 21 INFORMATICS IN PRIMARY CARE 84, 85 (2014).
  • 28. See id.
  • 29. Grande David et al., Public Preferences About Secondary Uses of Electronic Health Information, 173 JAMA INTERNAL MED 1798, 1799 (2013).
  • 30. Consider such familiar examples as the Fourth Amendment (protecting from government intrusion), the development of a common law of privacy in the twentieth century (protecting from private intrusion), various state and federal statutes protecting health information from unauthorized disclosure (discussed infra), and Americans’ desire for a “general right of the individual to be let alone.” Warren Samuel D. & Brandeis Louis D., The Right to Privacy, 4 HARV. L. REV 193, 205 (1890).
  • 31. See Gostin Lawrence O., Personal Privacy in the Health Care System: Employer-Sponsored Insurance, Managed Care, and Integrated Delivery Systems, 7 KENNEDY INST. ETHICS J 361, 364 (1997); Riso Brigida et al., Ethical Sharing of Health Data in Online Platforms—Which Values Should Be Considered?, LIFE SCI., SOC’Y & POL’Y, 2017, at 1, 4–5 (identifying six core values considered to be essential for the ethical sharing of data using electronic health record exchanges: scientific value, user protection, facilitating user agency, trustworthiness, benefit and sustainability).
  • 32. Letter from Justine M. Carr, Chairperson, Nat’l Comm. on Vital and Health Statistics, to Kathleen Sebelius, Sec’y, Dep’t of Health and Human Servs (Nov. 10, 2010) (on file with the National Committee on Vital and Health Statistics).
  • 33. See Consent2Share V3.4.0 Patent User Guide, supra note 17.
  • 34. See generally sources cited supra note 1.
  • 35. See infra Sections III.A, III.B.
  • 36. See infra Section III.D. See also Doughty Roger, The Confidentiality of HIV-Related Information: Responding to the Resurgence of Aggressive Public Health Interventions in the AIDS Epidemic, 82 CAL. L. REV 111, 122 (1994).
  • 37. See infra Section III.C.
  • 38. ARIZ. REV. STAT. ANN. § 13–3806 (2016).
  • 39. Id. § 13–3620 (2016).
  • 40. See infra Section III.D.
  • 41. ARIZ. REV. STAT. ANN. § 36–517.02 (2016 & Supp. 2017).
  • 42. See id. § 36–509(A)(1)–(7) (2016 & Supp. 2017).
  • 43. See Annas George J., HIPAA Regulations-A New Era of Medical-Record Privacy?, 348 NEW ENG. J. MED 1486, 1486 (2003); see generally The Health Insurance Portability and Accountability Act of 1996 (HIPAA), Pub. L. No. 104–191, 110 Stat. 1936 (1996).
  • 44. Covered entities are health plans, healthcare clearinghouses, and healthcare providers. 45 C.F.R. § 160.103 (2017).
  • 45. Standards for Privacy of Individually Identifiable Health Information, OFF. ASSISTANT SECRETARY FOR PLAN. & EVALUATION (July 6, 2001), https://aspe.hhs.gov/standards-privacy-individually-identifiable-health-information [https://perma.cc/6RKX-M4DW].
  • 46. 45 C.F.R. § 164.506 (2017).
  • 47. Standards for Privacy of Individually Identifiable Health Information, supra note 45.
  • 48. 45 C.F.R. § 160.203 (2017).
  • 49. Major federal health information privacy laws, several of which are discussed, infra, include HIPAA, HITECH, GINA, and “Part 2” (Confidentiality of Alcohol and Drug Abuse Patient Records), 42 U.S.C.A. § 290dd-2 (Westlaw through Pub. L. No. 115–193). State statutes and regulations are voluminous.
  • 50. See Filing a Complaint, U.S. DEP’T OF HEALTH AND HUMAN SERVS., https://www.hhs.gov/hipaa/filing-a-complaint/index.html [https://perma.cc/8LEN-HPPV].
  • 51. See generally PRITTS JOY et al., PRIVACY AND SECURITY SOLUTIONS FOR INTEROPERABLE HEALTH INFORMATION EXCHANGE: REPORT ON STATE MEDICAL RECORD ACCESS LAWS (2009), https://www.healthit.gov/sites/default/files/290-05-0015-state-law-access-report-1.pdf [https://perma.cc/4863-H46K].
  • 52. Schmit Cason D. et al., Falling Short: How State Laws Can Address Health Information Exchange Barriers and Enablers, 25 J. AM. MED. INFORMATICS ASS’N 635, 636 (2017) (“[O]verlapping, conflicting, and inconsistent state and federal laws add complexity and threaten efforts to promote information exchange nationally.”).
  • 53. ARIZ. HEALTH CARE COST CONTAINMENT SYS., ARIZONA STATE MEDICAID HEALTH INFORMATION TECHNOLOGY PLAN 47 (2016), https://www.azahcccs.gov/AHCCCS/Downloads/Plans/2016_AZ_SMHP_Version7_0_CMS_Submission_Final_112216.pdf [http://perma.cc/QPF7-KJSU].
  • 54. Id. at 10.
  • 55. Id. at 60.
  • 56. See What Is HIE?, HEALTHCURRENT, https://healthcurrent.org/hie/what-is-hie/ [perma.cc/PU9M-2YH6].
  • 57. Spitzer David, Improving Population Health and Integrating Care in Rural Communities through Arizona’s Statewide Integrated Health Information Exchange (HIE), ARIZ. HEALTH-E CONNECTION 8, https://crh.arizona.edu/sites/default/files/u428/AzHeC_Spitzer.pdf [http://perma.cc/S53V-JCDT].
  • 58. See About eHealth Exchange, SEQUOIA PROJECT, https://sequoiaproject.org/ehealth-exchange/about/ [https://perma.cc/6HPZ-96RC];
  • 59. See, e.g., Hiral Soni et al., Current State of Electronic Consent Processes in Behavioral Health: Outcomes from an Observational Study, 2017 AMIA ANN. SYMP. PROCEEDINGS 1607, 1615 (2018).
  • 60. Id. at 1608, 1615.
  • 61. See generally id.
  • 62. Id. at 1613–14.
  • 63. Histand Megan et al., Behavioral Health Provider Perspectives on Health Data Sharing, AMIA (November 2017), https://www.researchgate.net/profile/Maria_Adela_Grando/publication/325369835_Behavioral_Health_Provider_Perspectives_on_Health_Data_Sharing/links/5b084642a6fdcc8c252fd3cf/Behavioral-Health-Provider-Perspectives-on-Health-Data-Sharing.pdf [https://perma.cc/ZSK5-EC78].
  • 64. 45 C.F.R. § 46.102(d) (2017).
  • 65. Id. § 46.117.
  • 66. ARIZ. REV. STAT. ANN. § 36–664(A)(17) (2016 & Supp. 2017).
  • 67. HIPAA’s Privacy Rule, however, does permit a covered entity to use or disclose PHI for research purposes without prior written authorization under certain circumstances:
      • when reviews are conducted preparatory to research (45 C.F.R. § 164.512(i)(1)(ii) (2017))
      • when research is based solely on decedents’ information (Id. § 164.512(i)(1)(iii))
      • when the covered entity receives appropriate documentation that an IRB or a Privacy Board has granted a waiver of the Authorization requirement (Id. § 164.512(i))
      • when the PHI has been de-identified (and therefore is no longer PHI) (Id. § 164.514(a)–(c))
      • when the information is released in the form of a limited data set, with certain identifiers removed and with a data use agreement between the researcher and the covered entity (Id. § 164.514(e))
      • under transitional provisions (applying to data gathered and consented to before HIPAA came into effect) (Id. § 164.532(c)).
  • 68. See 45 C.F.R. § 164.506.
  • 69. A covered entity need not agree to a patient’s request to restrict disclosure, but if it does so, the “covered entity that agrees to a restriction … may not use or disclose protected health information in violation of such restriction” except in an emergency. 45 C.F.R. § 164.522(a)(1)(iii).
  • 70. Most such orders will be upheld. Those that are not will be vacated on such particularized circumstances that no useful generalizations could be offered by us in this article.
  • 71. The entries in this column presuppose that a healthcare organization is participating in a consent management program designed to facilitate patients’ granular control over disclosure of healthcare information, and therefore has agreed to honor patients’ wishes in many or most circumstances.
  • 72. See 42 U.S.C.A. § 290dd-2 (Westlaw through Pub. L. No. 115–193); 42 CFR Part 2 Confidentiality of Substance Use Disorder Patient Records, SAMHSA, https://www.samhsa.gov/health-information-technology/laws-regulations-guidelines [https://perma.cc/FA7M-PZY3].
  • 73. 42 C.F.R. § 2.12(a)(1) (2017).
  • 74. Id. § 2.12(e)(1).
  • 75. 45 C.F.R. § 164.502(a); U.S. DEP’T HEALTH & HUMAN SERVS., THE CONFIDENTIALITY OF ALCOHOL AND DRUG ABUSE PATIENT RECORDS REGULATION AND THE HIPAA PRIVACY RULE: IMPLICATIONS FOR ALCOHOL AND SUBSTANCE ABUSE PROGRAMS 3 (2004), https://www.samhsa.gov/sites/default/files/part2-hipaa-comparison2004.pdf [https://perma.cc/UB6G-SGCL].
  • 76. See 45 C.F.R. § 164.506.
  • 77. The patient’s ultimate control lies in choosing whether to remain a client of a given provider, and a patient could make that choice partly based on the provider’s disclosure policies.
  • 78. See ARIZ. REV. STAT. ANN. § 36–509 (2016 & Supp. 2017).
  • 79. Id. § 36–509(A).
  • 80. Id. § 36–509(A)(1).
  • 81. See id. § 36–509(A)(2)–(22).
  • 82. Id. § 36–509(A)(3), (6), (7), (16).
  • 83. See id. § 36–509(A) (the statute says “may” disclose, not “must” or “shall” disclose).
  • 84. See id.
  • 85. Id. § 36–2602 (2016). The legislation creating the monitoring system, S. 1370, 52nd Leg., 1st Sess. (Ariz. 2015), modified a number of Arizona laws, most notably for our purposes: ARIZ. REV. STAT. ANN. § 36–2604: Use and Release of Confidential Information and ARIZ. REV. STAT. ANN. § 36–2606: Registration; access. In 2017 the legislature passed and the governor signed H.R. 2307, 53rd Leg., 1st Sess. (Ariz. 2017), which further amended those laws.
  • 86. ARIZ. REV. STAT. ANN. § 36–2602(A)(3).
  • 87. Id. § 36–2606(F).
  • 88. Id. § 36–2606(G)(4).
  • 89. See 45 C.F.R. § 164.508(a)(1) (2017); HIPAA Privacy Rule and Sharing Information Related to Mental Health, HEALTH AND HUMAN SERVS 1, https://www.hhs.gov/sites/default/files/hipaa-privacy-rule-and-sharing-info-related-to-mental-health.pdf [https://perma.cc/W2MV-KLGZ].
  • 90. 45 C.F.R. § 164.508(a)(2).
  • 91. 45 C.F.R. § 164.501.
  • 92. Id.
  • 93. See id. § 164.508(a)(2).
  • 94. See id. § 164.512(j)(1)(i); see also ARIZ. REV. STAT. ANN. § 36–517.02 (2016 & Supp. 2017).
  • 95. ARIZ. REV. STAT. ANN. § 36–509(A) (2016 & Supp. 2017).
  • 96. Id.
  • 97. See ARIZ. REV. STAT. ANN. § 13–3620(M) (2016); see also ARIZ. REV. STAT. ANN. § 46–454(H) (2016 & Supp. 2017).
  • 98. ARIZ. REV. STAT. ANN. § 13–3620(M); § 46–454(H).
  • 99. See Genetic Information Nondiscrimination Act of 2008, Pub. L. No. 110–233, 122 Stat. 881 (2008) (codified as amended in scattered sections of 26 and 42 U.S.C.A.).
  • 100. See 42 U.S.C.A. §§ 2000ff(4)(A) (Westlaw through Pub. L. No. 115–223) (defining “genetic information”), 20000ff-1(a) (prohibiting employers’ use of genetic information for certain purposes), 300gg-53(a)(1) (prohibition on health insurers’ use of genetic information for certain purposes); see also Genetic Information Discrimination, U.S. EQUAL EMPLOYMENT OPPORTUNITY COMM’N, https://www.eeoc.gov/laws/types/genetic.cfm [https://perma.cc/3DYT-9X5D].
  • 101. See generally Genetic Information Nondiscrimination Act, 122 Stat. 881.
  • 102. See 29 U.S.C. § 1182(c)(3)(B) (2012).
  • 103. See id. § 1182(c)(4).
  • 104. See 42 U.S.C.A. § 2000ff-1(b)(2)(D) (Westlaw).
  • 105. See generally Genetic Information Nondiscrimination Act, 122 Stat. 881.
  • 106. ARIZ. REV. STAT. ANN. § 12–2802(A) (2016 & Supp. 2017).
  • 107. Id. § 12–2802(A)(1)–(11).
  • 108. Id. § 12–2802(A)(7)(b).
  • 109. Id. § 12–2802(A)(11) (emphasis added).
  • 110. See 42 U.S.C.A. § 264 (Westlaw through Pub. L. No. 115–193); Legal Authorities for Isolation and Quarantine, CTRS. FOR DISEASE CONTROL AND PREVENTION, https://www.cdc.gov/quarantine/aboutlawsregulationsquarantineisolation.html [https://perma.cc/V49Z-BATL].
  • 111. See Legal Authorities for Isolation and Quarantine, supra note 110.
  • 112. 42 U.S.C.A. § 264(b) (Westlaw).
  • 113. Id. § 264(e) (Westlaw).
  • 114. See Legal Authorities for Isolation and Quarantine, supra note 110.
  • 115. Id.
  • 116. Id.
  • 117. ARIZ. REV. STAT. § 36–621 (2016 & Supp. 2017) (requiring mandatory reporting of existence of “contagious, epidemic or infectious disease”); see 42 U.S.C. § 264(e) (federal law will not supersede congruous state law).
  • 118. ARIZ. REV. STAT. ANN. § 36–621.
  • 119. See 45 C.F.R. §§ 164.502(b)(2)(i), 506(c)(2) (2017).
  • 120. See 45 C.F.R. §§ 164.512(b), .514(e).
  • 121. ARIZ. REV. STAT. ANN. § 36–621.
  • 122. Id.
  • 123. Id.
  • 124. Id. § 36–664(A)(2) (2016).
  • 125. Id. § 36–664(A)(4).
  • 126. Id. § 36–664(A).
  • 127. Id. § 36–664(A)(1)–(18).
  • 128. See, e.g., id. § 36–509(A)(1).
  • 129. Id. § 36–509(A)(1).
  • 130. Id. § 36–664(A)(4).
  • 131. Id.
  • 132. Id. (emphasis added).
  • 133. Id.
  • 134. Id. § 36–664(I).
  • 135. See discussion infra notes 145−151 and accompanying text.
  • 136. See generally Lin Laura & Liang Bryan A., HIV and Health Law, Striking the Balance Between Legal Mandates and Medical Ethics, VIRTUAL MENTOR (October 2005), http://virtualmentor.ama-assn.org/2005/10/hlaw1-0510.html [https://perma.cc/8GRA-6D7Q]; Raanan Gillon, Refusal to Treat AIDS and HIV Positive Patients, 294 BRITISH MED. J 1332 (1987).
  • 137. Lin & Liang, supra note 136.
  • 138. See id.
  • 139. Gillon, supra note 136, at 1332–33.
  • 140. Lin & Liang, supra note 136.
  • 141. Id.
  • 142. Id.
  • 143. ARIZ. REV. STAT. ANN. § 36–663(A) (2016).
  • 144. Id. § 36–664(A).
  • 145. Id. § 36–664(J).
  • 146. Id. § 36–664(F).
  • 147. Id. § 36–665(A).
  • 148. Id. § 36–665(I).
  • 149. Id. § 36–666.
  • 150. Id. § 36–667.
  • 151. Id. § 36–668.
  • 152. See id. § 36–662 (2016); ARIZ. ADMIN. CODE §§ R9–6-202, 203, 204, 205 (Supp. 18–1 2018).
  • 153. ARIZ. REV. STAT. ANN. § 36–662.
  • 154. ARIZ. ADMIN. CODE §§ R9–6-202, 203, 204, 205.
  • 155. Id. §§ R9–6-202(C)–(D), 203(B), 204(B)–(D), 205(C).
  • 156. Arizona Administrative Code Requires Provider to: Report Communicable Diseases to the Local Health Department, ARIZ. DEP’T OF HEALTH SERVS., http://www.azdhs.gov/documents/preparedness/epidemiology-disease-control/communicable-disease-reporting/reportable-diseases-list.pdf [https://perma.cc/R2NK-4M8K] (citing ARIZ. ADMIN. CODE § R9–6-202).
  • 157. CDCs Abortion Surveillance System FAQs, CTRS. FOR DISEASE CONTROL AND PREVENTION, https://www.cdc.gov/reproductivehealth/data_stats/abortion.htm [https://perma.cc/KQ47-W6JS].
  • 158. See id.
  • 159. See ARIZ. REV. STAT. ANN. § 36–2161(A)(1)–(18) (2016).
  • 160. CDCs Abortion Surveillance System FAQs, supra note 157.
  • 161. See ARIZ. REV. STAT. ANN. § 36–2161(A)(1)–(18).
  • 162. See id.
  • 163. CDCs Abortion Surveillance System FAQs, supra note 157.
  • 164. See ARIZ. REV. STAT. ANN. § 36–2162.
  • 165. Id. § 36–2162(A).
  • 166. Id. § 36–2163.
  • 167. See id. § 36–2163(A)–(B).
  • 168. Id. § 36–2163(A).
  • 169. See id. §§ 36–2161(A), 36–2163(B).
  • 170. See id. § 36–2161(A) (“A hospital or facility in this state where abortions are performed must submit to the department of health services on a form prescribed by the department a report of each abortion performed in the hospital or facility.” (emphasis added)).

RESOURCES