Public Health Privacy Notices

This notice explains how DPH collects, uses and shares personal and health information. It also explains your rights with regard to this information.

Privacy Notice: Massachusetts Department of Public Health

Why Does DPH Collect Confidential Information?
DPH keeps records including confidential information as part of its public health duties. Certain laws require that health care providers report specific disease information to DPH and that DPH conduct specific laboratory tests. DPH also collects confidential information when licensing and inspecting health facilities such as hospitals, nursing homes, ambulance services, and substance abuse treatment centers. It collects information while conducting public health activities, such as disease tracking, research, and program evaluation. Records are also kept when people apply for certain services or benefits from programs that are operated or funded by DPH and from its four public health hospitals.

How Does DPH Use and Disclose (Share) Confidential Information?
DPH has always respected the confidentiality of health information and it continues to take very seriously the privacy and security of this information. Under state law, there are strict limitations on how DPH can collect and share the information it has. Whenever possible, information is provided in a way that does not identify you. Confidential information can only be shared in limited circumstances within DPH or outside DPH.

At DPH, certain employees need to have access to particular confidential information to do their jobs. Unless restricted by specific laws, these employees may share your information with other DPH employees when necessary. For example, your information may be shared within DPH to:

  • determine if you or other family members are eligible for other benefit programs;
  • coordinate services for you or family members;
  • speed up payment for services or to identify other ways to pay for medical and related expenses;
  • evaluate how well a program is operating;
  • evaluate public health trends;
  • coordinate disease investigation or intervention;
  • coordinate or prosecute complaint investigations; or
  • conduct research with a public health purpose.

There are a few specific times when laws or regulations require or allow DPH to share your information outside DPH without your written authorization. Examples of when your information may be disclosed outside DPH without your written authorization include:

  • when it is required by law;
  • when authorized by law, for example for disease investigation and intervention;
  • for research that meets all state and federal requirements;
  • to comply with federal grant requirements;
  • in response to a medical emergency;
  • in response to a court order; or
  • for public health reporting.

Additional Protections 
Some information that is collected by or reported to MDPH is subject to even stricter confidentiality protections based on specific state or federal laws. This notice does not discuss every law that provides greater protections. However, if you are applying for or if you receive services from any of the following programs, please review the additional descriptions below.

Substance Abuse Services - Federal law requires that no patient records that identify an individual as receiving drug or alcohol services in connection with any federally funded drug or alcohol abuse program may be used or disclosed without written consent. The following exceptions to this rule apply to information held by MDPH:

  • internal communications (only to staff or to organizations that directly administer the program);
  • medical emergency;
  • appropriate court order;
  • approved research; or
  • audit.

Women, Infants, and Children (WIC) - Federal law requires that no information obtained from program applicants and participants may be used or disclosed without written consent, except:

  • to persons directly involved with the administration and enforcement of the program;
  • with a written agreement with other state agencies for outreach and eligibility for additional benefits;
  • when it is required by law;
  • in a statistical or summary form that does not identify individuals;
  • to state or federal agencies to evaluate nutrition programs, only in a form that does not identify individuals.

HIV/AIDS - State law prohibits the disclosure of any HIV test results without the individual's written informed consent. Although names are reported to DPH regarding diagnosis of HIV infection and diagnosis of AIDS, for surveillance purposes, the Department never discloses names of these cases, and the regulations explicitly prohibit the disclosure of names to the federal government or other Massachusetts agencies. HIV/AIDS data, without names, are used or disclosed only in the following limited circumstances:

  • in a statistical or summary form that does not identify individuals;
  • for program monitoring, needs assessment, program evaluation, and research, with direct identifiers removed and with an agreement protecting the confidentiality of the information;
  • for public health purposes.

Sexually Transmitted Diseases (STD) - State law prohibits sharing reports about sexually transmitted diseases without the individual's written consent, except when there is a proper judicial order or with the written approval of the Commissioner of DPH. Within DPH, only staff members in the Division of STD Prevention have access to individual-level STD data. STD data may be disclosed in a statistical or summary form that does not identify individuals.

Your Rights
You have the following rights with respect to your confidential information held by DPH. These rights may not apply in certain situations if there is a specific law that restricts them. For example, under state and federal laws, patients are not entitled to access laboratory results from DPH. DPH may only release these results to the health care provider requesting the test. Generally, however, you have the right:

  • to see and to get a copy of your confidential information. Your request must be made in writing. DPH may charge a fee for copies.
  • to request that DPH change your confidential information if you believe it is incomplete or incorrect. Your request must be in writing and you must tell us what information you want changed and why. DPH may not always be able to approve your request. This right does not apply in those cases where there is a law that contains a specific process for changing information held by DPH.
  • to request that DPH contact you at a different address, phone number or in some way other than at your home address. Your request must be in writing and it must describe what communications are covered by the request and where and how DPH should contact you.
  • to request that DPH restrict the use and disclosure of your confidential information. Your request must be in writing. Please note that DPH may not always be able to approve the request.
  • to get a list of when and with whom the Department has shared your confidential information. Your request must be in writing.

Contacts and Complaints
If you believe your privacy rights have been violated, you may file a complaint in writing with the DPH Privacy Officer:

Massachusetts Department of Public Health
Privacy Officer
Privacy and Data Compliance Office
250 Washington Street, 2nd floor
Boston, MA 02108

If the complaint is against a part of the Department that is a HIPAA covered component, you may also file with the Secretary of the Department of Health and Human Services:

A health information privacy or security complaint must be filed in writing by mail, fax, e-mail, or via the OCR Complaint Portal. Instructions for filing a complaint with the Office for Civil Rights can be found here:

https://www.hhs.gov/hipaa/filing-a-complaint/complaint-process/index.html

No action may be taken against you for filing a complaint.

Contact for Public Health Privacy Notices

Phone

General inquiries relating to Privacy & Confidentiality at the Department of Public Health

Address

Department of Public Health, Privacy & Data Compliance Office (PDCO)
250 Washington St., 2nd floor, Boston, MA 02108-4619
