Individual Privacy Rights Regarding Data Held by Public Health Agencies or Departments
May 19, 2020
The COVID-19 pandemic has raised numerous questions with regard to public health data sharing and privacy. This guidance addresses the privacy rights individuals have with regard to their personal health information that is held by a public health agency or department.
The Constitution does not expressly afford a right to information privacy. In 1977, the United States Supreme Court held that the Constitution provides a limited right to information privacy. The Court upheld the New York State Department of Health’s collection of personal information pertaining to individuals who have obtained certain prescription medication for which there is also an unlawful market. See Whalen v. Roe. Interpreting this decision in United States v. Westinghouse Electric Corporation, the Third Circuit identified factors relevant to evaluating whether the government’s interest in collecting personal health information outweighs individual privacy interests, including:
- Type of record requested. Examples of types of records include medical records and tax records;
- Information the record does or might contain. Examples of information include intimate facts of a personal nature, such as past medical history, present illness or the fact of treatment;
- Potential for harm due to re-disclosure;
- Injury to the relationship through which the record was generated;
- Adequacy of the requesting agency’s safeguards to prevent unauthorized disclosure;
- Government interest in accessing the information; and,
- Whether there is an express statutory mandate, articulated public policy, or other recognizable public interest militating toward access.
United States v. Westinghouse Elec. Corp., 638 F.2d 570, 578 (3d Cir. 1980).
Individuals’ privacy interests are further protected by a patchwork quilt of federal and state law that safeguards health information.
Congress passed the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 (HIPAA), which regulates some health department programs, such as clinics that bill health plans electronically. HIPAA also regulates health plans offered by health departments, such as Medicaid. See 45 CFR § 160.103, covered entity definition. HIPAA provides a nationwide floor for health information privacy protections.
HIPAA balances individual privacy against matters of national priority, such as public health. HIPAA does not regulate “core public health functions”, such as the reporting of a disease or injury; reporting vital events, such as births or deaths; and conducting public health surveillance, investigations, or interventions. Id.
HIPAA also recognizes that protected health information (PHI) collected at the time of treatment is essential to public health. Again, because public health is a national priority area, use and disclosure of PHI for public health purposes is permitted without patient authorization or consent. 45 CFR § 164.512(b)(1). Health departments with HIPAA covered clinics or health plans may also share PHI with their own and other health departments for public health purposes. 45 CFR § 164.512(b)(2).
Further, in times of public health emergency, the federal government has authority to waive and not enforce portions of HIPAA. The federal Health and Human Services’ (HHS) Office for Civil Rights (OCR), which enforces HIPAA, has issued several Notifications of Enforcement Discretion indicating they will not impose penalties for specified HIPAA violations during the COVID-19 nationwide public health emergency. Further, HHS issued a limited waiver with respect to sanctions and penalties against covered hospitals that do not comply with specific portions of the HIPAA Privacy Rule. For more information regarding the limited waiver and Notifications of Enforcement Discretion, please see these FAQs.
States also enact laws to protect information privacy. Several states have comprehensive privacy laws that regulate all personal information. All states have Freedom of Information Laws with varying requirements and exceptions. All states have laws regarding the collection, use, and disclosure of health information which result in varying protections across the country.
Where state law is contrary to HIPAA and provides less privacy protection, it is generally preempted and HIPAA must be followed. 45 CFR. §160.203. Some states have developed publicly available preemption analyses that reflect which state laws are preempted by HIPAA. These preemption analyses are useful to public health attorneys and practitioners who seek to understand if a specific state law remains in effect or has been preempted by HIPAA. Additionally, a preemption analysis may also function as a de facto database of all state health related laws. See West Virginia’s 2019 Preemption Analysis. If there is a question as to whether a specific state statute is preempted by HIPAA, you might also consult with the state Attorney General’s Office.
Underscoring the vital importance of sharing PHI with public health for core public health functions, HIPAA provides several exceptions to this general preemption rule including when state law is established “for the conduct of public health surveillance, investigation, or intervention.” 45 CFR § 160.203(c). Consequently, HIPAA does not limit covered treatment providers and health plans’ information sharing with health departments for core public health purposes. States determine the kind and amount of PHI needed for core public health purposes within their jurisdictions.
Counterbalancing individual privacy interests, states’ police powers include protecting the health, safety and welfare of individuals within their borders. In times of disaster or emergency, such as the present time, state law may provide the governor and state or local health officers with broad legal authority to take reasonable measures to prevent and control COVID-19. See Legal Emergency Preparedness Resources. To determine whether a governor or health officer has suspended a specific state privacy statute or rule, visit the state’s website.
Balancing individual privacy against protecting the public’s health is a challenge that all health officers face during the COVID-19 pandemic with every decision to release useful health information. Disclosure decisions differ across jurisdictions and at different points during the pandemic. In the United States, an individual’s privacy rights in his or her health information are limited, differ from state to state and from tribe to tribe, and may be adjusted in times of public health emergency.
The Network for Public Health Law provides information and education about laws related to the public’s health. We do not provide legal representation or provide advice on a particular course of action.