BreachExchange mailing list archives

Not-so-confidential HIV testing


From: Erica Absetz <eabsetz () opensecurityfoundation org>
Date: Tue, 5 Mar 2013 10:15:06 -0600

http://americanindependent.com/218779/not-so-confidential-hiv-testing

Since 2003, the Michigan Department of Community Health has been
secretly collecting the names, dates of birth, risk categories, and
other demographic information of people submitting for confidential
HIV testing at grant-funded locations throughout the state and storing
them in a massive database, a months-long investigation by The
American Independent has discovered.

The database also includes the coded identities of people who have
been identified as sexual and needle-sharing partners of persons
living with HIV.

The state says this database is necessary to track the number of tests
conducted using federal grants, as well as to determine reach and
success of targeted testing programs designed to draw in people who
are at high risk for HIV infection.

All the information that is collected is maintained in the database
“indefinitely,” said MDCH spokeswoman Angela Minicuci, and a person
whose information is captured does not have a way to remove it.

While MDCH claims the database does not contain personally
identifiable information, a recent study, published last month in the
University of California Press’ journal Social Problems, has found
that some Michigan local health departments with access to the
database are using it to pursue both civil actions – known as “health
threat to others” actions – and criminal prosecutions against people
living with HIV.

The study, authored by University of Michigan Ph.D. candidate Trevor
Hoppe, found that the database has been used specifically to identify
and target sexual or needle-sharing partners of newly diagnosed
HIV-positive persons where the infected person may not have disclosed
his or her status to partners; women who are HIV-positive and have
become pregnant; and HIV-positive persons who have been diagnosed with
other sexually transmitted infections.

Michigan law requires that funded agencies provide two options for HIV
testing. The first is anonymous testing, where a code is used in place
of a client’s name. The second option is confidential testing, where
the state-certified tester is given a client’s name along with other
personally identifying information. Only those who opt for a
confidential test will receive a piece of paper with their name and
test results.

The department argues that this is not a names-based or identity-based
database because the name, date of birth, and gender are encoded
through a special formula in the database. The code, which is unique
to each individual, is used to file testing and counseling information
relative to that specific person. It is called a “unique identifying
number” (UIN).

“There is no ‘path’ for ‘persons’ (if person refers to an individual
who has received a confidential HIV test at a publicly funded
testing site that enters data into the HIV Event System) to ‘remove
their name and information’ from the HIV Event System because no names
are saved in the system,” Minicuci said in an email to The American
Independent.

“It is not possible for us to match a person (as defined above) to a
HIV Event System record or records, using just her/his name and date
of birth,” she continued. “We would also need the agency that the
person was tested at, the date of the test, and additional information
to ensure that the correct record was identified. It is highly
unlikely that a person (as defined above) would have evidence to prove
that they were tested at a specific agency, on a specific date, etc.
In other words using just a name and date of birth would not allow us
to guarantee that we had found that person’s record.”

But MDCH acknowledged that a user – for example, a local health
department disease investigator – can, in fact, enter data for, say,
“John Doe” into the computer program to create a UIN and obtain the
corresponding number. With that UIN, an authorized user can search and
read records for that person.

Minicuci said there is no way to be certain the records one is
reviewing belong to a specific person, because the name does not
appear in the system.

A state document created by MDCH explains that in Michigan test
results are confidential. It specifically states that, “All positive
HIV tests are reported to the health department.” It does not
disclose, however, that negative test results are also being reported
and collected by the state.

Multiple state-certified HIV testers confirmed with TAI that they are
taught in mandatory certification training to tell clients that
testing information is kept confidential but not to mention that the
information is collected and maintained by the state. The testers, who
are employed by various agencies receiving MDCH money to conduct HIV
testing, spoke on the condition of anonymity out of concern for their
funding.

“‘You have two options,’” one tester said she tells clients, based on
state-mandated certification training. “‘You can test anonymously,
where you don’t give us your name, but you do give us your date of
birth and ZIP code. Or you can test confidentially, where you do give
us your name but that is not shared with anyone unless you test
positive; and then it is shared with the health department.’”

“It is not standard practice to review with testing clients what data
is entered into the HIV Event System, or how client data is encrypted
using the Health Resources Service Administration algorithm,” Minicuci
said. “Clients must, under Michigan law, be provided with the option
to be tested anonymously or confidentially. The difference between
these types of tests are described and any questions the client has
are answered before the counselor obtains the client’s consent to be
tested.”

As of June 2012, the Michigan HIV Event System contained 701,281
entries, according to documents TAI obtained through a Freedom of
Information Act request. Of those, 579,990 are of HIV-negative test
results; 483,628 of 701,281 entries are confidential tests keyed to a
person’s name with a UIN. In addition, 6,907 of these entries are from
identified partners from partner services – a voluntary program to
help those who are infected to notify current and past needle and
sexual partners that they may have been exposed to the virus. And
4,041 of these partner-services entries are names-based UIN-coded
entries.

The database became apparent when the department confirmed to TAI that
it had initiated an internal investigation into whether the private
health information of thousands of people with HIV and their partners
had been improperly released. The state’s investigation found that a
contractor had emailed some data within the HIV Event System from a
protected government server – without encryption – to an email address
at the company that created and maintains the database for the state.
The state determined that no private information was released.

MDCH says information contained in the state database is intended to
meet reporting requirements from the federal government. But the
Centers for Disease Control and Prevention says it only requires
anonymous demographic information for grant reporting.

Other states, like Indiana, also track information on people testing
for HIV using an identity-linked coding system.

But others do not, like Minnesota, which collects demographic
information on people who get tested for HIV but does not track that
data linked to any identity-linked coding system.

No other reportable disease in Michigan has a corresponding database
like HIV, Minicuci said.

According to MDCH, 785 people have access to some component of the
database system. Of those, 13 users have access to all components of
the database – partner services, HIV testing, and HIV-positive
identification. The general users are employed by local health
departments in positions such as disease investigators, or those
persons employed by AIDS service organizations who conduct testing at
various locations throughout the state.

Minicuci said that new users are taught how to use the HIV Event
System by other current users, and that no standard protocols exist
outlining who can access what information from the database, for what
reasons, and what can be done with it. The system also does not track
who has accessed which information in the database – a so-called
“digital fingerprint,” which Minicuci said “was not required” by the
CDC in the development of the database.

All of this raises significant questions of privacy, civil liberties
experts say.

“There are certainly privacy rights involved, particularly when
clients are not being told that the information they are providing is
being put in a database which can be utilized to assist with criminal
prosecution of people living with HIV,” said Jay Kaplan, staff
attorney for the American Civil Liberties Union of Michigan LGBT
Project. “It’s ironic that in its effort to try to prevent
transmission of HIV as part of the HIV-testing process, this policy
and practice will likely discourage people from being tested, because
they fear criminal prosecution for having knowledge of their HIV
status.”

Rose Saxe, from the National ACLU AIDS Project, also weighed in on the
issue. She said the state is collecting confidential health
information, but also “deeply personal information.”

“The state has a constitutional obligation to keep this information
secure, and to protect the privacy rights of people testing for HIV,”
Saxe told TAI in an email. “Because of the sensitivity of this
information, the ACLU believes it is critically important that the
state have in place policies to ensure that this information is used
appropriately. This includes safeguards to prevent inadvertent
disclosure, and ways to ensure that it is only accessed for legitimate
reasons by health department employees. If the state cannot or does
not undertake steps to protect this deeply private information about
people in Michigan, it has no business collecting and storing it
indefinitely.”

Saxe also raised a concern that those submitting for HIV testing are
being misled about who will know that they have tested for the virus.

“Information we’ve received, however, suggests that the state is
advising people that information will only be retained if they do have
HIV,” Saxe said. “Misinforming people about the data that’s being
collected is a breach of trust, and a violation of people’s rights to
make informed decisions about how and when to test for HIV.”

Kaplan said people being tested under government-funded programs have
a right to know what information is being collected and for what that
information will be used.

“I believe [those testing for HIV] should be concerned and they should
be informed about what happens to the information that they provide
and what that information can be used for,” Kaplan said. “Under the
current policy, to avoid having their info collected and used, they
would have to either forgo HIV testing at local health departments,
and seek out private testing sites (including their private
physicians), both which may not be an option for everyone.”

Saxe said she is confused about why the state is collecting
information on people who do not test positive for the virus.

“We also have serious questions about why the state is retaining
private information about people who test negative for HIV,” she said.
“Michigan would need a very good reason to justify keeping this
information, and certainly should not be misleading people about what
will happen with their private information.”
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
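
The lookup MDCH acknowledged in the article (enter a name, date of birth and gender, obtain the UIN, read the records) follows from the code being a deterministic function of fields other people know. The sketch below is an added example, not part of the article and not the HRSA algorithm: `unkeyed_code`, `keyed_code`, `EventStore` and the sample record are constructed stand-ins, with truncated SHA-256 assumed in place of the real formula.

```python
import hashlib
import hmac
import unicodedata

def normalize(name, dob, gender):
    # Canonical form so the same person always yields the same bytes.
    folded = unicodedata.normalize("NFKD", name).casefold()
    letters = "".join(ch for ch in folded if ch.isalpha())
    return f"{letters}|{dob}|{gender.upper()}".encode()

def unkeyed_code(name, dob, gender):
    # Stand-in for a fixed formula (assumption: truncated SHA-256).
    return hashlib.sha256(normalize(name, dob, gender)).hexdigest()[:16]

def keyed_code(key, name, dob, gender):
    # HMAC variant: the code cannot be recomputed without the secret key.
    return hmac.new(key, normalize(name, dob, gender), hashlib.sha256).hexdigest()[:16]

class EventStore:
    """Toy record store indexed by code, logging every read."""
    def __init__(self):
        self.records = {}
        self.access_log = []

    def add(self, code, record):
        self.records.setdefault(code, []).append(record)

    def lookup(self, user, code, reason):
        # The audit trail the article says the real system lacks.
        self.access_log.append((user, code, reason))
        return list(self.records.get(code, []))

def demo():
    key = b"constructed-demo-key"  # would be held outside the database
    plain, keyed = EventStore(), EventStore()
    rec = {"agency": "Site A", "date": "2012-06-01", "result": "negative"}  # constructed
    plain.add(unkeyed_code("John Doe", "1970-01-01", "M"), rec)
    keyed.add(keyed_code(key, "John Doe", "1970-01-01", "M"), rec)
    # Knowing the three fields is enough to regenerate the unkeyed code.
    guess = unkeyed_code("john  DOE", "1970-01-01", "m")
    hit = plain.lookup("user-17", guess, "no reason given")
    # The same guess misses against the keyed store, and both reads are logged.
    miss = keyed.lookup("user-17", guess, "no reason given")
    return hit, miss, plain.access_log + keyed.access_log

if __name__ == "__main__":
    print(demo())
```

A keyed code only narrows who can regenerate it to holders of the key; the access log is what makes each lookup attributable to a user and a stated reason.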
