Privacy and security issues related to the electronic exchange of health information for public health and other secondary data uses

Between May 2006 and March 2007 teams from 33 states and 1 territory collected input from a wide variety of stakeholders under the Privacy and Security Solutions for Interoperable Health Information Exchange project. Many of the “scenarios” used to capture the variation in business practices and policies touched on the electronic exchange of personal health information for public health purposes. Initial reports from the state projects indicate that a number of fundamental privacy and security concerns emerge in the context of electronic exchange of health information for public health purposes. Although there is a high level of awareness within the health care community that HIPAA allows for the transfer of information in a public health emergency, there is little consensus on procedures to determine the appropriate amount of information to be disclosed and what factors indicate disclosure to non-covered entities such as law enforcement. In non-emergent situations, this variability is even more pronounced. Some states also uncovered significant misunderstanding within the general public and sometimes within the health care community concerning the routine collection of public health data, and guidelines around the disclosure of the information. This paper will report on practices described by stakeholders and summarize issues related to private and secure transmission of information contained in health records.