State laws, which have "just grown" independently over the years, vary greatly in the ways and extents to which they protect privacy of health information. Most recognize some form of patient–physician privilege (the patient right to defend against forced court disclosure of his record), but the scope of protection varies greatly. Most require that medical records be held closely, but allow a variety of disclosures for insurance and other "legitimate" purposes. All require, though not uniformly, that physicians and clinical laboratories notify public-health authorities of certain communicable diseases and some kinds of trauma (gunshot wounds, indications of child abuse...), and they may set constraints on disclosure of those data.
A recent analysis of State laws by Lawrence Gostin and colleagues found extreme variance in coverage of public-health data:106
Virtually all states reported some statutory protection for governmentally maintained health data for public health information in general (49 states), communicable diseases (42 states), and sexually transmitted diseases (43 states). State statutes permitted disclosure of data for statistical purposes (42 states), contact tracing (39 states), epidemiologic investigations (22 states), and subpoena or court order (14 states).
A number of States have statutes dealing with the confidentiality of personal data relating to specific diseases, such as cancer, HIV–AIDS, or mental-health problems. State legislative activity continues, with genetic data especially receiving attention.
Over the years State courts have rewarded penalties against unwarranted disclosure of health data on grounds of malpractice, breach of contract or implied contract with patients, invasion of privacy, and public embarrassment.
Having reviewed the above legal matters, in 1993 the U.S. Office of Technology Assessment summarized:107
This patchwork of State and Federal Laws addressing the question of privacy in personal medical data is inadequate to guide the health care industry with respect to obligations to protect the privacy of medical information in a computerized environment. It fails to confront the reality that, in a computerized system, information will regularly cross State lines, and will therefore be subject to inconsistent legal standards with respect to privacy. The law allows development of private sector businesses dealing in computer databases and data exchanges of patient information without regulation, statutory guidance, or recourse for persons who believe they have been wronged by abuse of data. These laws do not address the questions presented by new demands for data prompted by computerization, and the obligations of secondary users in accessing and maintaining data.
(106) Lawrence O. Gostin, Zita Lazzarini, Verla S. Neslund, and Michael T. Osterholm, "The public health information infrastructure," Journal of the American Medical Association 275, 1921–1927 (1996).
More detail is given in Lawrence O. Gostin, Zita Lazzarini, and Kathleen M. Flaherty, "Legislative survey of state confidentiality laws, with specific emphasis on HIV and immunization," report of a study sponsored by the U.S. Centers for Disease Control and Prevention, the Council of State and Territorial Epidemiologists, and the Task Force for Child Survival and Development of the Carter Presidential Center (July 2, 1996).
(107) U.S. Congress, Office of Technology Assessment, Protecting Privacy in Computerized Medical Information, p. 15 (Report No. OTA-TCT-576, U.S. Government Printing Office, Washington, DC, September 1993).