THE PUBLIC-HEALTH INFORMATION INFRASTRUCTURE - A NATIONAL REVIEW OF THE LAW ON HEALTH INFORMATION PRIVACY

Our objectives were to review and analyze the laws in the 50 states, t he District of Columbia, and Puerto Pico that regulate the acquisition , storage, and use of public health data and to offer proposals for re form of the laws on public health information privacy, Virtually all s tates reported some statutory protection for governmentally maintained health data for public health information in general (49 states), com municable diseases (42 states), and sexually transmitted diseases (43 states). State statutes permitted disclosure of data for statistical p urposes (42 states), contact tracing (39 states), epidemiologic invest igations (22 states), and subpoena or court order (14 states), The sur vey revealed significant problems that affect both the development of fair and effective public health information systems and the protectio n of privacy. Statutes may be silent about the degree of privacy prote ction afforded, confer weaker privacy protection to certain kinds of i nformation, or grant health officials broad discretion to disseminate personal information. Our proposals for law reform are based on a meet ing of experts at the Carter Presidential Center under the auspices of the Centers for Disease Control and Prevention and the Council of Sta te and Territorial Epidemiologists: (1) an independent data protection commission should be established, (2) health authorities should justi fy the collection of personally identifiable information, (3) subjects should be given basic information about data practices, (4) data shou ld be held and used in accordance with fair information practices, (5) legally binding privacy and security assurances should attach to iden tifiable health information with significant penalties for breach of t hese assurances, (6) disclosure of data should be made only for purpos es consistent with the original collection, and (7) secondary uses bey ond those originally intended by the data collector should be permitte d only with informed consent.