Note: This is a rapidly shifting legal space. The below page has not been updated since 2015. We are working to update this content, but for now, please be aware that this information may not be current. When exploring medical privacy issues, it's very useful to have an overview of the laws that affect control and privacy of medical information. We encourage you to read our legal overview.

You may not realize it, but your personal medical information could be added to a mandated public database without your consent. In some instances, these repositories of medical data might even have enough data to re-identify individual records.

Medical information reported for public health purposes has many different uses, including monitoring epidemics (AIDS, bird flu), outbreaks of rare diseases (Hanta virus, Legionnaire’s disease), and cancer clusters (childhood leukemia in Woburn, MA, brain cancer in Toms River, NJ). Public health agencies also collect data to register births and deaths, record child and elder abuse and neglect, investigate tainted food or drug cases, intervene in emergencies and disasters, evaluate public health programs, conduct public health research, and for many, many more reasons.

Data reported to public health agencies may or may not be individually identifiable. The reporting standard is the “minimum necessary” data for the intended use. It’s up to the health care provider to decide what constitutes the minimum necessary, unless a public health agency requests specific information. The HIPAA-mandated notice of privacy practices you’re given to read and sign when you first register at a doctor’s office informs you only that “your health information may be shared with public health authorities for public health purposes,” but leaves you in the dark as to what that might mean. In fact, it’s difficult to impossible to grasp the amount of medical data that circulates in the name of public health. Some federal agencies with access to personal health information are the Centers for Disease Control (CDC), the National Institutes of Health (NIH), the Food and Drug Administration (FDA), the Federal Emergency Management Administration (FEMA), and the Occupational Health and Safety Administration (OSHA). See the Department of Health and Human Services (HHS) Public Health website for more information.

Loyalty Cards Used for Tracking Foodborne Illnesses

The CDC’s outbreak and prevention branch of the division of foodborne, waterborne, and environmental diseases, as well as state and local health departments, have begun seeking data from supermarket loyalty and club card databases to track down the sources of outbreaks of foodborne illnesses. The so-called loyalty programs create a huge reservoir of data that links purchase information to individual customers. There are many questionable aspects to these cards, including the amount of data consumers may have to turn over to get one, but they have also become very useful to public health investigators in identifying exactly which products victims of food poisoning bought, which in turn enables stores to get contaminated products off the shelves more quickly.

While the CDC gets access to information to track outbreaks, getting that information back to customers has been less successful. Some stores like Costco voluntarily notify customers of recalls, but other stores don't have similar policies. Sen. Kirsten Gillibrand has been trying since 2010 to pass the Consumer Recall Notification Act, which would require supermarkets to notify their loyalty card customers of product recalls.

California’s Confidentiality of Medical Information Act (CMIA) has a broad public health reporting exception subject only to any legal limits created by other laws: “information may be disclosed, as permitted by state and federal law or regulation, to a local health department for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events, including, but not limited to, birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions, as authorized or required by state or federal law or regulation.” 

Another type of reporting is hospital discharge data. This has many uses, including generating certain types of public health reports. Currently, 38 states require hospitals to submit discharge data to their public health departments; two do not and it’s optional in the other ten states.

There is no uniform standard across states for what data is reported. Some uses of the data require personally identifiable information, such as a database that tracks patients with traumatic brain injuries or monitors individuals with chronic diseases.

California’s Patient Data Reporting Requirements [1] include Social Security Number and are, therefore, highly identifiable. When the data is published, however, it is aggregated and de-identified. Discharge data reports since 1999 are available from the Healthcare Information Division of the Office of Statewide Health Planning and Development (OSHPD).

De-identification and aggregation seem to be the rule for the discharge data that federal and state agencies publish. The uses of this data are vast. A non-exclusive list includes:

  • Public safety and injury surveillance and prevention. Crash Outcomes Data Evaluation System (CODES) databases, which let states link car accident and health care utilization data, are one example of this type of use.
  • Public health, disease surveillance, and disease registries. This includes the increasingly common personally identifiable registries of people with chronic diseases, like diabetes and asthma. Notably, California has no state-mandated chronic disease registries at this time.
  • Public health planning and community assessments. Discharge data is valuable in planning the construction, expansion or closure of medical facilities and determining the extent to which existing medical services meet community needs.
  • Public reporting for informed purchasing and comparative effectiveness reports. This is an area where not only state agencies and hospitals themselves may use discharge data, but also private organizations, like hospital associations or other groups. For example, the Wisconsin Employer Health Care Alliance used the data to rate hospital safety in one area of the state. In California, (funded by the California Health Care Foundation) uses discharge data for a website that lets you search for individual hospital safety scores in general and by specific condition.
  • Quality assessment and performance improvement. This generally means a hospital’s or its hired consultants’ use of discharge and other patient data for its own internal quality assurance processes, which are rarely publicly reported.
  • Health services and health policy research applications. This category comprises both business and clinical use of discharge data. A business example would be examining how systems for organizing, financing, and delivering health services affect hospital utilization, costs, and outcomes. A clinical example is disparity studies to analyze relationships between racial, ethnic, or economic status and health care utilization and outcomes. In California, the Department of Public Health (DPH) has an Office of Health Equity (formerly the Office of Multicultural Services) that uses clinical discharge data to report on and try to reduce ethnic and race-based disparities in delivery of mental health services.
  • Private sector and commercial applications. Private consulting firms, health care providers, and health information management vendors may buy discharge data (which, under HIPAA regulations, would have to be de-identified before it can be sold) to generate reports for sale to hospitals about their market share and patient demographics, to use in their strategic planning.
  • Informing policy deliberations and legislation. Legislators, along with advocates for and against legislation, rely on statistics to support their positions.

A 2013 survey by Prof. Latanya Sweeney showed that 33 states release hospital discharge data with varying levels of demographic information and hospital stay details such as hospital name, admission and discharge dates, diagnoses, doctors who attended to the patient, payer, and cost of the stay, but only three of these states released data that was "de-identified information" in a form consistent with the HIPAA safe harbor checklist across all data fields.

To read more about the myriad uses of hospital discharge data, although nothing about the privacy implications, see The Value of Hospital Discharge Databases.

Mapping the Data

The DataMap is an online portal for documenting the flow of personal information in the United States, currently around health data but with an eventual goal of documenting other kinds of personal data. Below is an image from the site showing the flow of data around discharge data. For the full explanation, visit the DataMap.

This tour is just the tip of the iceberg of public health reporting and the uses of hospital discharge data. It indicates, however, just how much health data is in circulation because of public health rules—both identifiable and de-identified.

Added to that are the coming widespread electronic health record (EHR) adoption and the universal health insurance mandate under the Affordable Care Act (ACA) that is intended to bring another 40 million people into the health care system. This will result in an incalculable amount of data that is easily shared and in high demand for known uses, along with other future uses that haven’t been thought of yet, much less tested. Current law seems increasingly inadequate to contain and protect this tsunami of health data.

  • 1. California Code of Regulations, Title 22, Article 8