Health Data Control, Access, and Confidentiality

Epidemiologists use health data in many forms to investigate the magnitude and distribution of disease, disability, and other health outcomes in populations, and to develop and evaluate the means for their prevention and control. Health data are generated by providers, health systems, public health departments, insurance companies, and other organizations and are accessed by epidemiologists according to professional rules of conduct and the regulation of Institutional Review Boards associated with either the investigator or with the source of the health information. Access to health data on individuals has always been critical to the work of epidemiologists and has allowed them to make substantial contributions to medical research and public health. The threat to privacy from such studies has been very small over the years, while the benefits to the public health and public interest have been large.

Concern about the privacy of medical information has always been a tenet of responsible medical care. However, these concerns have been heightened in recent years by new forms of data that are highly sensitive and could, if discovered and used improperly, damage an individual's psychological well-being as well as their employability and insurability. Examples of such data include the results of HIV tests and genetic susceptibility testing and even the fact that testing was done without the results being known.

Technological developments in the latter part of the century have created the need for a re-examination of the use of individually identifiable health data. The technologic revolution in the electronic generation, storage, and transmittal of health-related data, while presenting unparalleled research opportunities for epidemiologists and other medical and public health scientists, also presents the potential for the unscrupulous and self-interested exploitation of health data. Traditional safeguards for confidentiality and privacy are more easily transgressed. While there are very few documented examples of such transgressions of privacy by health researchers, the potential exists, and the public's perception of a threat is very real. Thus, fundamental societal decisions are needed that balance the need for access to individually identified health data for the public good with the equally important need of the individual for privacy. Any access are mutually exclusive and a balanced approach is necessary.

Increased restrictions on access to personal health data by epidemiologists and other public health scientists could be harmful to the public good in several different ways. Routine anonymization of archived medical data has been suggested. However, such a practice would make it difficult to trace back to individuals, and because it is impossible to predict what linkages might be useful in future investigations, it is imperative that individual identifiers be retained in some manner. Another way to bolster the privacy of medical information would be to require individual informed consent for each separate use of this information. However, repeated efforts to recontact individuals (or their next-of-kin) for consent each time archived data are used for research, years or even decades after an event has occurred, are unrealistic and would impose untenable administrative, financial, and logistical burdens. The study of medical records over long periods of time (after persons have died or left organized health systems) is essential. Personal health data need to be available on a population basis and to be free of serious selection biases, such as nonparticipation, in the population at risk, because these biases serve to undermine the scientific validity of medical and public health research.

After due consideration of the issues, the American College of Epidemiology sets forth the following principles that it believes strike a workable and fair balance between data access and confidentiality. We offer these principles for the benefit of epidemiologists, and others to whom confidential health information is entrusted, as well as for the general public at large.


1. Individuals have a right to expect that their personal health and medical information will be protected from unauthorized use. The American College of Epidemiology endorses principles and practices that encourage the responsible design and conduct of research that protects individuals from the unauthorized release of their identified health and medical information.

2. The public benefits of epidemiologic and public health research are sufficiently compelling that any new legislation or regulations must assure the continued availability of health data for purposes that include monitoring patterns of disease, the better understanding of the risk factors for and causes of disease and injury, health care delivery practices, health care outcomes, health care organization, financing, and regulation of accreditation.

3. Organizations that deliver medical care, or conduct biomedical, epidemiologic or health services research, or retain medical data, such as health insurers, must be responsible and accountable for the development and implementation of appropriate policies to ensure protection of confidentiality of medical information through such mechanisms as adherence to accreditation standards and state laws and regulations, physical security safeguards, and administrative policies and procedures. These mechanisms should be reviewed by Institutional Review Boards.

4. Information collected during the course of health care and medical treatment may be disclosed to clinical investigators and health care researchers without a requirement for informed consent, if approved by an Institutional Review Board. Traditional public health surveillance activity for vital statistics, reportable diseases, and similar statutorily-authorized data collection mechanisms is a critical non-research activity that should also not require informed consent. Data from such activities may be disclosed to clinical investigators and health care researchers under the standards noted above.

5. Archived health information on individuals is critical for the work of epidemiologists whether this information is a medical chart, an electronically stored data set, or a biologic specimen. These data must be linkable to other data sets through individual identifiers. Institutional Review Boards may require that identification be removed from research databases by coding (i.e., encryption), with the responsibility for linkage limited to a very few authorized and legally accountable individuals with an obligation to ensure confidentiality. For some specific studies complete anonymization of data or specimens may be appropriate.

6. The American College of Epidemiology believes that all individually identifiable health data should be protected by the same measures, rather than increasing levels of security for some especially sensitive information (e.g., HIV test results, BRCA1 testing for inherited susceptibility to breast cancer). Separate systems of access for data perceived to be of different levels of sensitivity would be difficult to operationalize, and, therefore, inefficient and costly.

7. The American College of Epidemiology supports efforts to ensure by means of federal legislation the protection of medical information from unauthorized disclosure and hurtful misuse. Penalties for misuse should be established and enforced by policies of the research institution and by law enforcement agencies.

8. Federal mechanisms are also needed to protect investigators and research institutions from the forced disclosure by subpoena of confidential information created as part of the research process. Researchers should not be subject to pressures from commercial and special interests to release individual-level information collected under conditions of confidentiality. Such protections are needed to ensure the independence of the process of scientific discovery and the confidentiality of individuals. The release of anonymized group data is not included in this restriction.

9. Federal law should preempt state laws on the subject of data access and confidentiality. This is needed to ensure consistent nation-wide governance of access to individually identifiable health data. Many large epidemiologic and health services research studies are organized either as multi-center studies in multiple states or are performed by health care organizations responsible for the care of individuals in multiple states.