Massachusetts Department of Public Health Privacy of Health Data
Institutional Commitment to Privacy

Privacy and Data Access Office
  Staffing
    - Privacy Attorney
    - Confidential Data Officer
    - Admin Support
  Goals of Office
    - Making sure that MDPH workforce members comply with state and federal privacy laws and the MDPH Confidentiality Policy and Procedures
    - Provide training to staff, volunteers, interns, consultants
    - Respond to requests for confidential information from within and outside the Department
    - Respond to questions about the privacy of confidential information
    - Respond to complaints filed by people who feel that an MDPH Bureau or Program has violated their privacy
Two (2) Institutional Review Boards
    - Both federally recognized
    - Meet monthly
Institutional Commitment to Privacy

Various training for staff at all levels
    - Security
    - Privacy (Basic / Advanced)
Self Audit of Security
Privacy Liaisons for each bureau / program area
IT safeguards in place to allow role-based access
Regulatory

Data collected by DPH strictly regulated by a web of state and federal laws
    - HIPAA and FIPA
    - State laws and regulations that are program-specific (Vital Records, Cancer, Birth Defects)
    - Federal laws that are program-specific (i.e. Early Intervention, WIC, Substance Abuse, HIV/AIDS surveillance, STDs)
HIE and Public Health

DPH currently only focusing on the 3 public health components listed for meaningful use
    1. Electronic Lab Reporting
    2. Syndromic Surveillance
    3. Immunization Registry
With time and experience, anticipate looking at additional uses for HIE
    - Reduce administrative burden on providers who have many reporting requirements
    - Improve quality and timeliness of reporting
    - Respond to federal funders who may require HIE interface
Overview of Three Systems

Syndromic Surveillance
    Use: Cluster surveillance
    Released to Researchers: No
    Notes: Limited information collected
Electronic Lab Reporting
    Use: Reportable diseases; case investigation and follow up
    Released to Researchers: No
    Notes: Strict role-based access; laws governing access depending on disease type
Immunization Registry
    Use: Surveillance; information-sharing with health care providers
    Released to Researchers: Not active registry
    Notes: Expanded privacy language included in statute
Immunization Registry

Statute (if applicable): Chapter 111, Section 24M
DPH Regs (if applicable): To be developed
Open to Researchers? Yes (according to statute)

Specific legal restrictions for privacy?
    - Health care providers must discuss the reporting procedures of the registry with individuals (or parents) and advise them of their right to object to the disclosure of such information to others outside DPH Immunization Registry Program.
    - Information in the immunization registry shall be
        - Confidential and not a public record
        - not subject to subpoena or court order or admissible as evidence before a court, tribunal, agency, board or person
    - Individuals (or parents) may amend incorrect information in the immunization registry
    - DPH must, upon request, provide a record of all individuals and agencies that have accessed an individual's information.
Immunization Registry

Immunization information shall only be released to the following without consent, unless the individual or the parent or guardian objects to such disclosure:
    - licensed health care providers providing direct care to the individual patient;
    - elementary and secondary school nurses and registration officials who require proof of immunization for school enrollment and disease control;
    - local boards of health for disease prevention and control;
    - Women Infants and Children, or WIC, nutrition program staff who administer WIC benefits to eligible infants and children;
    - staff of state agencies or state programs whose duties include education and outreach related to the improvement of immunization coverage rates among their clients.
Disease reporting / Syndromic surveillance

DPH Regs (if applicable): 105 CMR 300 and 105 CMR 111D
Released to Researchers? No

Specific legal restrictions for privacy?

All personally identifying information, whether kept in an electronic system or paper format, including but not limited to, reports of disease, records of interviews, written or electronic reports, statements, notes, and memoranda, about any individual that is reported to or collected by the Department or local boards of health pursuant to 105 CMR 300.000 et seq., shall be protected by persons with knowledge of such identity.

Except when necessary for disease investigation, control, treatment and prevention purposes, the Department and local boards of health shall not disclose any personally identifying information without the individual's written consent.

Only those Department and local board of health employees who have a specific need to review personal data records for lawful purposes of the Department or local board of health shall be entitled access to such records.
Electronic lab reporting

The Department and local boards of health shall ensure that all paper records and electronic data systems relating to information that is reported to or collected by the Department or local boards of health pursuant to 105 CMR 300.000 et seq. are kept secure and, to the greatest extent practical, kept in controlled access areas.

[Specific to electronic lab reporting] Every such report shall be kept confidential by the department and its employees and agents and shall not be subject to the inspection, examination, or copying by any other agency of government or by any other person.