Data-retention policy of HIV database could violate state law

Tools

By keeping data indefinitely on people who test for HIV at federally funded clinics, Michigan's health department could be violating state law, a former state lawmaker says. Former state Rep. Susan Grimes Gilbert, who helped pass the law, says that in any case, it violates the legislative intent of the law, according to The American Independent.

"The intent of the law was to encourage people to know what their status was, but also to protect people's privacy … It's not just the violation [of privacy]; it's the fact they're keeping this data that it was never the intent of the legislature that they keep," Grimes Gilbert told the Independent. She urged the state department to review its procedures.

A provision in Michigan's Public Health Code requires local municipalities to destroy data collected in voluntary partner-notification programs after 90 days. However, since 2003, the Michigan Department of Community Health has required local health departments to enter that data into the state's HIV Event System, where the data is kept indefinitely, the Independent reports.

According to a previous Independent article, state law in Michigan requires those who test positive for HIV to notify their sexual partners. The database, the article reported, contains nearly 7,000 entries of partners identified through the voluntary partner-services program, and about 4,000 can be traced to individuals.

There is no way for individuals to have their information removed from the database because no names are saved, a state spokeswoman told the Independent. Instead, name, date of birth, and gender are encoded with a "unique identifying number" (UIN), though the article explained how a person's identity can be discerned.

It also noted that some Michigan local health departments were using the database to pursue both civil actions--known as "health threat to others" actions--and criminal prosecutions against people with HIV, according to a University of Michigan study published in the journal Social Problems.

Leon Rodriguez, director of the U.S. Department of Health & Human Services' Office for Civil Rights, recently reiterated that it's even more critical for consumers to be able to trust that their confidential data will be protected.

The new HIPAA rules go into effect next week, though the one requiring providers to keep a patient's treatment from his or her health plan upon request may be the new rule's "trickiest" provision for electronic health record users. That's because electronic health record tools currently don't have the capability to segregate such data out.

Providers, however, should expect patients to start asserting their privacy rights, FierceEMR's Marla Durben Hirsch has written.

To learn more:
- read the most current article
- here's the previous article

Related Article:
Are cloud-based record banks superior to HIEs for data sharing?
OCR's Rodriguez: Consumers need to be able to trust EHR users
Providers: Expect patients to start asserting their privacy rights
EHR users could have trouble with new HIPAA provision