The last year has been a very active one for North Carolina public health workers who deal with communicable disease. The 2014-15 flu season was a bad one, with a total of 218 deaths reported by the time the season began to wind down in the spring. A majority of North Carolina counties had at least one pertussis (whooping cough) case in 2014, and the state’s total number of cases for the year was quite high at 782. The largest Ebola epidemic in history was well underway by last summer, and in the fall four cases were diagnosed in the United States. A large outbreak of measles associated with theme parks in California did not reach North Carolina but caused over 100 cases in seven states, and spread to Mexico and Canada as well. Perhaps you read news stories about these or other communicable diseases. Perhaps you even wondered how information about particular cases or outbreaks could be made public. I’ve had quite a few questions along those lines in recent months—questions about when information may be released, when it may not, how much information can be made public, and why information is released in some cases but not others.

There are several laws that protect the confidentiality of people who have, or have been exposed to, communicable diseases. The purpose of this post is to take a look at those laws with a focus on one very narrow question: when may information be released to the public—by which I mean either the general public, or a subset of the public who may be at risk from the disease. The confidentiality laws I’ll describe also govern other releases of information, such as to public health officials or between health care providers, but I won’t be dealing with those issues in this post. Which laws determine whether communicable disease information may be released to the public? Information about communicable disease is health information, and the general rule is that individually identifiable health information is confidential. Most people think of HIPAA when they think of confidential health information. Indeed, the HIPAA Privacy Rule is one of the two main laws to take into account in answering this question for North Carolina. The other main law is a state statute, G.S. 130A-143, which I’ll refer to as the state CD confidentiality law. The two laws are different in a couple of significant ways. First, they differ in who must comply with them. The HIPAA Privacy Rule applies only to covered entities—a term that captures most health care providers as well as some, but not all, public health programs. Even within a single public health agency, the Privacy Rule may not apply to all functions or activities. (A full treatment of this complex subject is beyond the scope of this post, but my colleague Aimee Wall recently explained it.) In contrast, the state CD confidentiality statute applies to any public or private entity that has information and records that identify a person who has or may have a reportable communicable disease. Second, the laws differ in the information that they cover. The HIPAA Privacy Rule applies to protected health information (PHI), defined as individually identifiable information that relates to an individual’s health status or condition, the provision of health care to the individual, or payment for the provision of health care to the individual. Individually identifiable information about communicable diseases clearly falls within this definition, but the definition captures other kinds of health information as well. The state CD confidentiality law applies only to information or records that identify a person who has or may have a communicable disease or condition that the North Carolina Commission for Public Health has made reportable. It doesn’t apply to other types of health information, but it is nevertheless a law with a wide reach. The list of reportable communicable diseases and conditions presently includes over 70 diseases and conditions of public health significance, including HIV, tuberculosis, hepatitis, most of the vaccine-preventable illnesses, some food- or water-borne illnesses, hemorrhagic viral diseases including Ebola, mosquito-borne illnesses, and some others. (If you want more information about North Carolina law on communicable disease reporting, I've summarized it here.) Third, the two laws have different rules regarding when information about communicable disease may be disclosed. In general, the state CD confidentiality law is stricter than HIPAA about whether and to whom information may be disclosed. But HIPAA is sometimes more prescriptive than state law about the conditions that must be met before a disclosure is made. It is therefore important to consider both HIPAA and state law together when deciding whether and how communicable disease information may be disclosed. The state CD law also expressly states that a record that identifies an individual who has or may have a reportable communicable disease is “strictly confidential” and is not a public record for purposes of G.S. Chapter 132. This means that when a public agency has information that is subject to G.S. 130A-143 in its records, the agency may not disclose that information in response to a public records request, even if the record is otherwise a public record that the public has a right to access. However, sometimes the record in which the information is contained may be disclosed after the CD information is redacted. An agency should consult with its attorney to determine how to respond to a request for records that may be subject to this protection. How do these laws protect the information? The general rule under HIPAA is that an individual’s written authorization is required before PHI may be disclosed. However, there are exceptions that allow disclosure of PHI without the individual’s authorization. Two in particular are important for communicable disease control:

• An exception that expressly allows disclosure of PHI for specific public health purposes, including disease monitoring and control, if certain criteria are met. 45 C.F.R. 164.512(b).
• An exception that allows disclosure of PHI when the disclosure is required by another law, 45 C.F.R. 164.512(a), including state laws requiring reports to public health officials.

In daily public health work, we tend to think of these exceptions as relating primarily to the disclosure of information from health care providers to public health officials to carry out various public health purposes. However, the rules are also applicable to HIPAA-covered public health agencies that use or disclose protected health information in carrying out their communicable disease activities. North Carolina’s CD confidentiality law has a general rule that is similar to HIPAA’s—ordinarily, written consent is required to disclose information covered by the law. It also has a number of exceptions to the general rule, but they are not exactly the same as the HIPAA exceptions. However, the law explicitly allows information to be released without consent when (1) release of information is necessary to protect the public health, and (2) the release of information is made in accordance with the state administrative rules that establish communicable disease control measures (10A N.C.A.C. 41A .0201 -.0214, available here). The state CD law also allows release of medical or epidemiological information for statistical purposes provided that no person can be identified from the information released. HIPAA also allows disclosure of de-identified information, but it sets out specific criteria that must be applied to determine whether de-identification is adequate. When may communicable disease information be made public? Considering HIPAA and the state law together, it is possible to identify three circumstances in which communicable disease information may be disclosed publicly, either to the general public or to a subset potentially affected by the disease. With the individual’s written authorization. Both HIPAA and the state CD law allow communicable disease information to be made public if the individual who is the subject of the information gives written permission. If the entity disclosing the information is covered by HIPAA, the written permission needs to be given on a HIPAA-compliant authorization form. You may wonder when or why an individual would authorize such a disclosure. Sometimes the media has an interest in a particular case or outbreak. Sometimes individuals want to discuss their experiences with media or other public outlets and want a public health official or doctor to make a statement as well. An individual certainly may discuss his or her own health with the media or any person, but if he or she wants a public health official or health care provider to discuss the individual’s particular case, then he or she should provide written authorization that clearly identifies to whom information may be disclosed and specifies any limits on the information that may be disclosed. A public health official or health care provider who is asked to make a disclosure under this circumstance is not required to do so and should consider carefully whether it is a good idea. Disclosure of the information is necessary to protect the public health and the disclosure is made in accordance with the North Carolina communicable disease control rules. Public health officials sometimes determine that they need to disclose information about a communicable disease case or outbreak to the public in order to protect the public health. HIPAA allows public health officials to disclose information to persons who may be at risk of contracting a disease, but only if the public health officials are authorized by law to do so. North Carolina’s CD confidentiality law provides that authority, but only if disclosure (1) is necessary to protect the public health, and (2) is allowed by the applicable CD control rules. This may be best illustrated with a couple of examples:

• A restaurant employee is diagnosed with hepatitis A, a disease that can be transmitted by food handlers. The local health department investigates and determines that it needs to issue a press release to ensure that members of the public who may have been exposed to hepatitis A receive appropriate medical evaluation or treatment.
• A child who attends a summer day camp is diagnosed with pertussis (whooping cough). The local health department determines that parents of other children attending the camp need to be notified that their child may have been exposed and advised about any prophylactic measures that need to be taken.

In both of these cases, the disclosures the health department wishes to make would be allowed, because (1) disclosure is necessary to protect the public health, and (2) the CD control rules for the diseases in each example allow the particular disclosure to be made. Both of these points require case-by-case decision-making. The CD control rules are disease-specific and should be read closely before making a disclosure under this exception. It’s a good idea to consult the state’s communicable disease specialists as well. (For more information about how the disease-specific CD control measures can be found in North Carolina’s state rules, see this summary.) When this kind of disclosure is made, public health officials do not identify the person who had the communicable disease by name. However, for purposes of both HIPAA and the state CD confidentiality law, this is still considered a disclosure of identifiable information, because it is possible (maybe even likely) that some members of the public will be able to figure out who the person was. Public health officials should take care to disclose only the information that is needed to protect the public health in the particular circumstances, bearing in mind that a disclosure of this type is subject to HIPAA’s minimum necessary standard, and that the North Carolina Supreme Court has pointed to the state CD confidentiality law as an important element of the state’s overall communicable disease control program. See Act-Up Triangle v. Commission for Health Services, 345 NC. 699 (1997) (upholding the state’s HIV reporting requirement after concluding that the state CD confidentiality law was sufficient to guard against unauthorized public disclosure of the information). Information is released for statistical purposes and in a way that no person can be identified. Public health officials are responsible for keeping government officials and the general public informed about health conditions in the community. This may include disclosing statistical information about communicable diseases. Both HIPAA and the state CD confidentiality law allow disclosure of communicable disease information that doesn’t identify individuals. If the entity releasing the information is a HIPAA-covered entity, the information must be de-identified in accordance with very specific standards. In general, those standards require one of two things: either a person who has been trained in statistical methodology must apply the appropriate methods and determine the information has been de-identified, or particular identifiers must be stripped from the information. It is imperative to consult the relevant HIPAA provision to ensure that information has been de-identified properly – it’s available here. When should CD information be publicly disclosed? An important question I have not addressed is, when should information about communicable diseases be disclosed to the public? That is a different question from when the information may be released under applicable laws. Certainly if the laws don’t permit it, then information should not be released. But even when information legally may be released, public health officials need to consider separately the question of whether it should be released. While the protection of communicable disease information is motivated in part by the usual concern for medical confidentiality, there is also the recognition that this category of information can be highly sensitive. There are many examples in history of communicable diseases carrying stigma or adverse consequences for individuals that other diseases do not. Because of this, people who suspect they have a communicable disease may be reluctant to seek diagnosis or treatment if they fear the information will get out. Maintaining confidentiality can therefore be seen as a communicable disease control measure in itself, because it promotes the detection of communicable disease—an essential step in controlling its spread. Also, sometimes the public is far better protected by measures other than identifying individuals with the disease. For example, with HIV and other bloodborne illnesses, the use of universal precautions when dealing with blood or body fluids provides protection against transmission regardless of whether a person’s infected status is known (and even an infected person may be unaware of his or her infection for quite some time). Finally, it’s important to remember and respect that confidentiality in personal medical information is both an expectation and a value held by the public to whom the information is being disclosed.