HOME HELP FEEDBACK SUBSCRIPTIONS ARCHIVE SEARCH TABLE OF CONTENTS		QUICK SEARCH:   [advanced] Author: Keyword(s): Year:  Vol:  Page:

This Article Abstract Figures Only Full Text (PDF) Submit a response View responses View Shopping Cart Alert me when this article is cited Alert me when eLetters are posted Alert me if a correction is posted Services Similar articles in this journal Similar articles in PubMed Alert me to new issues of the journal Download to citation manager Citing Articles Citing Articles via HighWire Citing Articles via Google Scholar Google Scholar Articles by Gostin, L. O. Articles by Valdiserri, R. O. Search for Related Content PubMed PubMed Citation Articles by Gostin, L. O. Articles by Valdiserri, R. O. Related Collections Ethics Health Law Health Policy

Lawrence O. Gostin, JD, LLD (Hon), James G. Hodge, Jr, JD, LLM and Ronald O. Valdiserri, MD, MPH

Lawrence O. Gostin is with Georgetown University Law Center, Washington, DC, and the Center for Law and the Public's Health, Baltimore, Md, and Washington, DC. James G. Hodge Jr is with the Johns Hopkins Bloomberg School of Public Health, Baltimore, Md, and the Center for Law and the Public's Health, Baltimore, Md, and Washington, DC. Ronald O. Valdiserri is with the Centers for Disease Control and Prevention, Atlanta, Ga.

Correspondence: Requests for reprints should be sent to James G. Hodge Jr, JD, LLM, Center for Law and the Public's Health, Johns Hopkins Bloomberg School of Public Health, 624 N Broadway, Room 582, Baltimore, MD 21205-1996 (e-mail: hodgej{at}erols.com).

	ABSTRACT

TOP ABSTRACT INTRODUCTION RECONCILING PUBLIC HEALTH AND... THE MODEL STATE PUBLIC... FAIR INFORMATION PRACTICES CONCLUSION References

 

Protecting public health requires the acquisition, use, and storage of extensive health-related information about individuals. The electronic accumulation and exchange of personal data promises significant public health benefits but also threatens individual privacy; breaches of privacy can lead to individual discrimination in employment, insurance, and government programs. Individuals concerned about privacy invasions may avoid clinical or public health tests, treatments, or research.

Although individual privacy protections are critical, comprehensive federal privacy protections do not adequately protect public health data, and existing state privacy laws are inconsistent and fragmented. The Model State Public Health Privacy Act provides strong privacy safeguards for public health data while preserving the ability of state and local public health departments to act for the common good.

	INTRODUCTION

TOP ABSTRACT INTRODUCTION RECONCILING PUBLIC HEALTH AND... THE MODEL STATE PUBLIC... FAIR INFORMATION PRACTICES CONCLUSION References

 
ASSESSING POPULATIONAL health is a core function of state and local public health departments that requires the acquisition, use, and storage of health-related information about individuals.^1,2 National, regional, and statewide governmental public health systems collect vast amounts of public health data regarding communicable (e.g., sexually transmitted diseases [STDs], HIV, tuberculosis), genetic (e.g., newborn metabolic conditions, birth defects), behavioral (e.g., use of drugs, alcohol, and tobacco), and environmental (e.g., pediatric blood lead levels) diseases, conditions, and risks to reduce morbidity and excess mortality.³

The accumulation and exchange of these personal data within an increasingly automated public health information infrastructure promises significant public health benefits. Well-planned surveillance helps to identify health problems, target interventions, and influence funding decisions.⁴ Health information databases facilitate existing and future epidemiologic investigations and research studies. These essential public health functions rely on the quality and reliability of identifiable health information (i.e., any healthrelated information that reveals, or could reveal under certain circumstances, the identity of the individual who is the subject of the information).⁵

As increasing amounts of identifiable health data are gathered, stored, and exchanged,⁶ personal privacy is threatened. Many Americans distrust government agencies⁷ and believe that the collection of personal data without their explicit permission is morally wrong.⁸ If public health authorities disclose intimate information, individuals may suffer embarrassment, stigma, and discrimination in employment, insurance, and government programs.^3,9 Persons who fear invasions of privacy may avoid clinical tests and treatments, withdraw from research, or provide inaccurate or incomplete health information.¹⁰

Congress has unsuccessfully pursued comprehensive health information privacy legislation,¹¹ but the Department of Health and Human Services recently issued final regulations pursuant to the Health Insurance Portability and Accountability Act of 1996.¹² However, these federal initiatives do not regulate government collection of state public health information. Since public health is quintessentially a state function, federal privacy rules defer to state public health law under principles of federalism.

Although state public health agencies have an excellent track record of safeguarding public health data, extant state laws concerning public health information privacy are inconsistent, fragmented, and inadequate.² These laws differ significantly in the degree of privacy protection afforded, give varying rights to access identifiable data, and allow multiple exceptions to disclosure prohibitions outside public health agencies.² Some states' laws declare that public health records are private, but they are silent about the degree of protection of privacy. Laws often fail to narrowly define who may have access to such data and to require persons to demonstrate why they need access. Statutes often lack specificity about when disclosures may be made, permissively allow disclosures to persons or for purposes that are inconsistent with those of public health (e.g., disclosure in legal settings through court orders or subpoenas), or fail to address secondary disclosures of information beyond those used to justify the original collection. In some states, disclosure provisions are too strict, interfering with legitimate public health exchanges of identifiable data among in-state and out-of-state public health agencies.

Current law and policy often fail to reconcile individual privacy interests with collective public health interests in identifiable health data. Civil libertarians and consumers see informational privacy as a fundamental right and stress the importance of stronger legal safeguards. Public health professionals, on the other hand, strongly assert the need to use data to achieve important public health purposes. To reconcile these 2 divergent approaches, the Georgetown/Johns Hopkins Program on Law and Public Health convened a multidisciplinary team of privacy, public health, and legislative experts to propose a model public health information privacy statute.¹³ The Model Act would provide, for the first time, strong and consistent privacy safeguards for public health data, while still preserving the ability of state and local health departments to act for the common good. The Centers for Disease Control and Prevention recommends that states consider adopting the model legislation to "strengthen the current level of protection of public health data."¹⁴ In this commentary, we explain the Model Act and the principles that underlie its protections.

	RECONCILING PUBLIC HEALTH AND PRIVACY INTERESTS

TOP ABSTRACT INTRODUCTION RECONCILING PUBLIC HEALTH AND... THE MODEL STATE PUBLIC... FAIR INFORMATION PRACTICES CONCLUSION References

 
Some scholars perceive a conflict between individual privacy interests (which seek strict limits on data uses) and public health interests (which seek more expansive data uses for the common good).^15,16 This conflict, while complex and difficult, often can be resolved. The Model Act's approach is to maximize privacy safeguards where they matter most to individuals and facilitate data uses where they are necessary to promote the public's health. This accommodation between privacy and public health balances individual and collective interests.

Consider the sequence of events when a government agency collects public health data through, for example, reporting or other forms of surveillance. First, the agency acquires the data, typically after the patient has given informed consent (usually to a medical care provider) to provide a biologic sample (e.g., blood or urine) or health-related behavioral information (e.g., sexual history or drug use practices). Given that there is a strong public health interest, most people believe that patients should accept this invasion of privacy for the collective good. Next, the agency uses the data strictly within the confines of the health department. Again, if the agency has a strong public health interest and the data are shared only with agency officials who have a need to know, data uses should prevail over privacy. When public health authorities acquire and use data strictly within the agency, public health benefits are at their highest and risks to privacy are at their lowest. The agency needs the freedom to use the data to monitor and prevent health risks. If public health authorities do not disclose the identifiable data outside the agency, patients face few social risks.

Finally, the agency may be asked or, under unusual circumstances, may seek to disclose personally identifiable information to persons outside the agency—for example, to employers, insurers, commercial marketers, family, or friends. These kinds of disclosures are not very important for the public's health, but they do place patients at considerable risk of embarrassment, stigma, and discrimination. For these reasons, the law ought to provide maximum protection of privacy. The Model Act's approach, therefore, is to give government flexibility to acquire and use data strictly within the mission of the public health agency, providing it can demonstrate an important public health purpose. However, the Model Act affords public health authorities very little discretion to release personally identifiable data outside the agency and imposes serious penalties for disclosures without the patient's informed consent.

	THE MODEL STATE PUBLIC HEALTH PRIVACY ACT

TOP ABSTRACT INTRODUCTION RECONCILING PUBLIC HEALTH AND... THE MODEL STATE PUBLIC... FAIR INFORMATION PRACTICES CONCLUSION References

 
The Model Act is structured to protect privacy and security interests without thwarting public health goals underlying the acquisition, use, disclosure, and storage of identifiable health data at the state and local levels. Figure 1 provides a flowchart image of the Model Act, the design of which is based on several core assumptions.

View larger version (56K): [in this window] [in a new window]   FIGURE 1—— The Model State Public Health Privacy Act.

All identifiable health information deserves legal protection.
The Model Act applies to all "protected health information" held by public health agencies. This includes any public health information, whether oral, written, electronic, or visual, that relates to an individual's past, present, or future physical or mental health status, condition, treatment, service, product purchases, or provision of care. This broad definition of protected health information recognizes that any identifiable data (e.g., HIV, STD, or immunization status) can be sensitive.

Nonidentifiable health information requires no protection.
The definition of "protected health information" specifically incorporates another core assumption: nonidentifiable health data do not merit privacy protection. Where health data are truly nonidentifiable, individual privacy interests are not threatened. Notwithstanding the interests of societal groups (e.g., ethnic, racial, or religious minorities) in the protection of some nonidentifiable information, the Model Act only regulates in favor of individual privacy interests. Protected health information includes only health information (1) that reveals the identity of the individual whose health care is the subject of the information (e.g., health data that refer to the name, social security number, or any other information about the person who is the subject of the data) or (2) that, in cases where there is a reasonable basis to believe, could be used (either alone or with other information that is known to be available to predictable recipients of such information) to reveal the identity of that individual. Under this latter category of protected health information, even aggregate statistical data may be identifiable. Consider, for example, statistical data that reveal that a Native American female in a small county is infected with HIV. If this information can be used to identify this individual because the ethnic group membership is sufficiently small in the county, the data are individually identifiable under the Model Act. Since nonidentifiable information cannot infringe individual privacy, the act requires public health agencies, whenever possible, to use data stripped of personal identifiers.

Acquisition and use are contingent upon legitimate public health purposes.
The Model Act regulates the ways in which public health agencies acquire, use, disclose, and store protected health information. It safeguards privacy, in part, by requiring public health authorities to demonstrate a legitimate public health purpose for the acquisition and use of data. The act defines "legitimate public health purpose" to mean a population-based activity or individual effort primarily aimed at the prevention of injury, disease, or premature mortality, or the promotion of health in the community (see Figure 1). Such efforts include carrying out public health surveillance, conducting epidemiologic research, developing public health policy, and responding to public health needs and emergencies. While interpretation of a legitimate public health purpose may admittedly narrow or broaden the scope of the act, it allows flexibility in prioritizing various state public health activities across jurisdictions.

In addition to imposing a requirement to justify data acquisition, the Model Act limits the use of identifiable information within the agency. In particular, it specifies that (1) nonidentifiable data must be used whenever possible, (2) the sharing of identifiable data among public health officials must be limited to the minimum amount necessary, (3) public health officials may have access to identifiable data only if they have a demonstrable need to know, and (4) agencies must protect security by maintaining the data in a physically and technologically secure environment.

Disclosures must be strictly limited.
While the Model Act affords public health agencies the power to acquire and use health data for important public health purposes, it grants very little authority to disclose identifiable data outside the public health system. The act clarifies that protected health information is not subject to public review (e.g., inspection, dissemination, or investigation by members of the public) and may not be disclosed without the specific informed consent of the individual who is the subject of the information (or the individual's lawful representative), except under narrow circumstances.

Disclosures without informed consent may only be made as follows.

1. Directly to the individual. For example, a public health agency may contact an individual about identifiable health information it has about the individual without that person's consent.
   
2. To appropriate federal agencies or authorities. As a model state law, the Model Act cannot restrict federal demands for identifiable information under constitutional principles.
   
3. To health care personnel where necessary in a medical emergency to protect the health or life of the person who is the subject of the information from serious, imminent harm. This exception is exceedingly narrow. It would not allow, for example, a disclosure to protect the health of a person who is not the subject of the information, such as a health care worker who was injured by a needle that may have been used by an individual infected with HIV.
   
4. Pursuant to a court order sought exclusively by public health agencies in light of a clear danger to an individual or to the public health that can be averted or mitigated only through a disclosure by the agency. This is the only exception for the disclosure of protected health information pursuant to a court order.
   
5. To appropriate public or private agencies performing health oversight functions relating to the public health agency as authorized by law.
   
6. To identify a deceased individual, determine the manner of death, or provide information in cases where the deceased is a prospective organ donor.
   

Secondary disclosures by recipients of protected health information from public health agencies are specifically prohibited without individual informed consent or authorization under the narrow exceptions. Naturally, this prohibition does not apply to the (a) individual subject of the information, (b) persons authorized to make health care decisions for the individual, or (c) any person who is specifically required by federal or other state law to disclose the information.

Finally, the Model Act permits the exchange of data among public health agencies within and outside the state. These information exchanges are viewed as data acquisitions or uses, not disclosures. As such, public health agencies may exchange identifiable health data with other state or local agencies provided the exchanges are necessary for the public's health. For example, comparing HIV and tuberculosis registries among state and local health agencies is an important public health function, given the strong relationship between these two diseases.

	FAIR INFORMATION PRACTICES

TOP ABSTRACT INTRODUCTION RECONCILING PUBLIC HEALTH AND... THE MODEL STATE PUBLIC... FAIR INFORMATION PRACTICES CONCLUSION References

 
Safeguarding privacy requires data holders to engage in a range of fair information practices. These practices ensure strong security and privacy of public health information, but they do not unreasonably burden public health authorities. The act incorporates the following fair information practices.

Justifying the Need for Data Collection
Acquiring identifiable data is not an inherent good. Rather, public health authorities must substantiate the need for identifiable data. As discussed above, the Model Act affirms that public health agencies shall only acquire identifiable health information that (a) relates directly to a legitimate public health purpose and (b) is reasonably likely to achieve such a purpose. When information is no longer needed to fulfill the purpose for which it is acquired, it must be expunged or made nonidentifiable.

Informing Data Subjects
The act acknowledges that individuals are entitled to know how information about them is being used. Public health agencies may not acquire identifiable data without public knowledge. Before acquiring such data, public health agencies must provide public notice (through written information distributed in such a way as to reasonably inform the public) concerning their intentions to acquire the data and the purposes for which the data will be used. Individuals are entitled to view records of disclosures of their protected health information, which public health agencies are required to maintain.

Access to One's Own Data
Subject to reasonable limitations, individuals are entitled to access, inspect, and copy their health data. Public health agencies are required to explain to individuals any code, abbreviation, notation, or other marks appearing in the information, as well as to ensure the accuracy of such data and amend any errors.

Ensuring Privacy and Security
Public health agencies have a duty to adhere to privacy and security safeguards. Specific protections are administered by a designated health information officer appointed by each public health agency and enforced through significant administrative, criminal, and civil penalties. These protections apply to identifiable health data, regardless of their holder, through various provisions of the act that (a) require an affirmative statement of privacy protections to accompany the disclosure of protected health information and (b) apply similar criminal and civil sanctions for unlawful disclosures to public health officials as well as secondary recipients.

	CONCLUSION

TOP ABSTRACT INTRODUCTION RECONCILING PUBLIC HEALTH AND... THE MODEL STATE PUBLIC... FAIR INFORMATION PRACTICES CONCLUSION References

 
The Model State Public Health Privacy Act is a product of consensus-building among nationally prominent experts in privacy and public health.¹² The National Conference of State Legislatures plans to make the act available to state legislators interested in promoting health information privacy.¹⁷ At least one state legislature, Texas, has introduced a version of the Model Act to date.¹⁸ Proposed legislation concerning health information privacy in New York has incorporated some of the language and principles embodied in the act.¹⁹

Although not perfect, the act provides a balance between the social good of data collection (recognizing its substantial value to community health) and the individual good of privacy (recognizing the normative value of respect for persons). It authorizes public health agencies to acquire, use, and store identifiable health data for public health purposes while simultaneously requiring them to respect individual privacy and imposing stiff penalties for failure to comply. Individuals are empowered with various privacy rights and remedies for breaches of these duties. The community generally is sympathetic to data collection for public health purposes, but it seeks strong legal protection against potentially harmful uses of personal information. States that adopt the act or laws consistent with its structure can stabilize and modernize public health information practices. If the act serves as a model across multiple jurisdictions, it could reduce the variability of existing protections among states, allow for the responsible exchange of health data within a national public health information infrastructure, and ultimately improve public health outcomes.

	Acknowledgments

 
This project was supported by the Centers for Disease Control and Prevention, the Council of State and Territorial Epidemiologists, the Association of State and Territorial Health Officers, and the National Conference of State Legislatures.

The authors are grateful for the contributions of the following individuals who served as consultants in the drafting and review of the Model Act: Julio C. Abreu, Christopher E. Anders, Cornelius Baker, Gus Birkhead, K. King Burnett, Scott Burris, J. Richard Ciccone, Jeffrey S. Crowley, Kevin DeCock, Ruth R. Faden, John P. Fanning, Chai Feldblum, Helen Fox Fields, Patricia Fleming, Robert Gellman, Eric P. Goosby, Richard N. Gottfried, Paula C. Hollinger, Tracey Hooker, John F. Hybarger, Michael T. Isbell, Rob Janssen, Derek Link, Glen Maxey, Kristine Moore, Verla S. Neslund, James L. Pearson, Steven B. Powell, Kevin Quinn, Marc Rotenberg, Steve Scarborough, Julie Scofield, Susan K. Steeg, Robert E. Stein, John W. Ward, David Webber, and Timothy Westmoreland.

	Footnotes

 
L. O. Gostin convened and chaired the panel (of which J. G. Hodge and R. O. Valdiserri were members) to develop the Model State Public Health Privacy Act. L. O. Gostin and J. G. Hodge drafted the act with the assistance of the panel. All 3 persons contributed to the writing of the commentary.

Peer Reviewed

Accepted for publication March 19, 2001.

	References

TOP ABSTRACT INTRODUCTION RECONCILING PUBLIC HEALTH AND... THE MODEL STATE PUBLIC... FAIR INFORMATION PRACTICES CONCLUSION References

 
1. Institute of Medicine. The Future of Public Health. Washington, DC: National Academy Press; 1988.

2. Gostin LO. Public Health Law: Power, Duty, Restraint. Berkeley: University of California Press; 2000.

3. Gostin LO, Lazzarini Z, Neslund V, Osterholm M. The public health information infrastructure. JAMA.1996;275:1921–1927.[Abstract/Free Full Text]

4. Gostin LO, Hodge JG. The "names debate": the case for national HIV reporting in the United States. Albany Law Rev.1998;61:679–743.

5. Hodge JG, Gostin LO, Jacobson PD. Legal issues concerning electronic health information. JAMA.1999;282:1466–1471.[Abstract/Free Full Text]

6. National Research Council, Committee on Maintaining Privacy and Security in Health Care Applications for the National Information Infrastructure. For the Record: Protecting Electronic Health Information. Washington, DC: National Academy Press; 1997.

7. Wills G. A Necessary Evil: A History of American Distrust of Government. New York, NY: Simon & Schuster; 1999.

8. Beauchamp TL, Childress JF. Principles of Biomedical Ethics. New York, NY: Oxford University Press; 1994.

9. Blum BM, Crooks GM. Designing solutions for securing patient privacy—meeting the demands of health care in the 21st century. J Am Pharm Assoc.1999;390:402–407.

10. Goldman J. Protecting privacy to improve health care. Health Aff.1998;17:47–60.[Abstract]

11. Pear R. Clinton to unveil rules to protect medical privacy. New York Times. October 27, 1999:A1.

12. Standards for Privacy of Individually Identifiable Health Information: Final Rule, 45 CFR Part 160–164. Washington, DC: Dept of Health and Human Services; 1999.

13. Gostin LO, Hodge JG. Model State Public Health Privacy Act. 1999. Available at: http://www.critpath.org/msphpa/privacy.htm. Accessed June 15, 2001.

14. CDC guidelines for national human immunodeficiency virus case surveillance. MMWR Morb Mortal Wkly Rep.1999;48:1–27.

15. Gostin LO. Health information privacy. Cornell Law Rev.1995;80:101–184.

16. Etzioni A. The Limits of Privacy. New York, NY: Basic Books; 1998.

17. Model state law on privacy of medical records sets strict protections for identifiable information. State Health Watch.1999;6:3.

18. HR 3254, 76 Leg. Reg Sess (Tx 1999).

19. Assemb 4473, 223rd Leg, Reg Sess (NY 1999); Assemb 11242, 223rd Leg, Reg Sess (NY 1999); S 8127, 223rd Leg, Reg Sess (NY 1999).

This article has been cited by other articles:

				J. Myers, T. R. Frieden, K. M. Bherwani, and K. J. Henning Ethics in Public Health Research: Privacy and Public Health at Risk: Public Health Confidentiality in the Digital Age Am J Public Health, May 1, 2008; 98(5): 793 - 801. [Abstract] [Full Text] [PDF]

				L. Gostin Public Health Strategies for Pandemic Influenza: Ethics and the Law JAMA, April 12, 2006; 295(14): 1700 - 1704. [Full Text] [PDF]

				J. G. Hodge Jr., L. O. Gostin, K. Gebbie, and D. L. Erickson Transforming Public Health Law: The Turning Point Model State Public Health Act J. Law Med. Ethics, March 1, 2006; 34(1): 77 - 84. [PDF]

				J. G. Hodge Jr. An Enhanced Approach to Distinguishing Public Health Practice and Human Subjects Research J. Law Med. Ethics, March 1, 2005; 33(1): 125 - 141. [PDF]

				J. G. Hodge Jr. Health Information Privacy and Public Health J. Law Med. Ethics, December 1, 2003; 31(4): 663 - 671. [PDF]

				The Turning Point Model State Public Health Act J. Law Med. Ethics, December 1, 2003; 31(4): 716 - 720. [PDF]

				L. O. Gostin Public Health Law Reform Am J Public Health, September 1, 2001; 91(9): 1365 - 1368. [Abstract] [Full Text] [PDF]

eLetters:

This Article Abstract Figures Only Full Text (PDF) Submit a response View responses View Shopping Cart Alert me when this article is cited Alert me when eLetters are posted Alert me if a correction is posted Services Similar articles in this journal Similar articles in PubMed Alert me to new issues of the journal Download to citation manager Citing Articles Citing Articles via HighWire Citing Articles via Google Scholar Google Scholar Articles by Gostin, L. O. Articles by Valdiserri, R. O. Search for Related Content PubMed PubMed Citation Articles by Gostin, L. O. Articles by Valdiserri, R. O. Related Collections Ethics Health Law Health Policy