PROVE Letter 2
March 16, 1998
Robert D. Crider, Jr., M.S., M.P.A.,
Dear Mr. Crider:
I have reviewed the proposed rules implementing a statewide Immunization Registry (ImmTrac) and would like to make my comments part of the public record.
In my research, I reviewed H.B. No. 3054, the original bill submitted by Rep. Hugo Berlanga to add Section 161.007 to Subchapter A, Chapter 161, of the Texas Health and Safety Code. I also reviewed the final version, which incorporated amendments to H.B. No. 3054 sponsored by Jerry Patterson, including privacy protection and parental consent provisions (hereinafter, "the statute").
What most concerns me about the rules proposed by the Texas Department of Health (TDH) is that they do not include all of the statutes privacy and consent safeguards. I am very disturbed by this disregard for, and apparent attempt to circumvent, the statutes privacy and consent guarantees.
The ImmTrac home page (http://www.tdh.state.tx.us/immunize.immtrac.htm)
indicates that a vast amount of immunization data from insurance companies and state agencies has already been entered into the registry system. If this was done without obtaining written parental consent, it is there illegally and must be deleted. Inasmuch as TDH has already entered information in the registry, has it also begun releasing this immunization data? TDH should more closely follow the statutes provisions and rewrite its proposed rules to fulfill legislative intent regarding data collection and release.
The following sections more fully explain my concerns, pose questions, and offer changes in the rules to make them more compliant with the statute.
Federal Funding at What Cost?
The proposed rules state you have determined that in the first five years of registry implementation there will be no fiscal implications to state or local governments. This sounds good on the surface, but it raises other questions deserving answers from TDH.
The Federal Governments first attempt to establish a national immunization "tracking and surveillance" system was defeated several years ago due to exhaustive opposition by parents and privacy groups. In an attempt to sidestep that rejection of a national registry, federal funds have since been granted to states to set up similar tracking systems. Section 100.7(b) of the proposed rules states, "Data exchange will follow the national standard for data exchange, known as Health Level 7 (HL7), when this format is completed." Section 100.9(a) states, "The department, may transmit paper or electronic copies of immunization records or reports to other state or national immunization registries." Thus, TDHs rules propose to collect data in the same format and to share it with others registries, doing its part to accomplish a national tracking system after all.
How much federal money has been granted to Texas to implement the registry envisioned in the proposed rules? What are the States obligations in return for receiving additional federal money? How will TDH use the private information it is gathering to meet federally mandated quotas?
Statutorily Required Parental Consent
Though the original Berlanga bill did not provide for a parental consent option, the statute as amended and enacted guarantees that registry data cannot be collected or released without parental consent. The statute does not indicate that parental consent may be presumed or implied. This means the burden is on TDH and its agents to obtain consent, not on parents to withdraw it. However, TDHs proposed rules impose a contrary bias, placing the burden of action on non-participating parents to prevent their childrens data from being collected or distributed. This violates the letter and spirit of the statute, which states in Section 161.008(c):
Clearly, changes need to be made throughout the proposed rules to better reflect statutory intent, including the following:
Extend Comment Period
Because the proposed rules do not faithfully implement the statutes privacy protections, and due to the fact that records have already been entered in the registry, I am requesting that the public comment period be extended an additional 60 days to allow for more public discourse about the registry implementation. After briefly reviewing the ImmTrac home page, I could not find information explaining that inclusion in the registry is voluntary or how parents could withdraw consent. Neither could I find information on how to access the proposed rules or HB 3054. This is crucial information that should have a prominent place on the ImmTrac Home Page at all times, but especially during the comment period. These are more good reasons for extending the proposed rules comment period.
Release of Registry Data
Section 161.008(c)(2) of the statute specifies immunization records can be released only to "a public health district, a local health department, a physician to the child, or a school or child care facility in which the child is enrolled" and only when consent has been obtained. Despite these restrictions, Section 100.2(a)(1)(E) of the proposed rules attempts to broaden the entities to whom registry information can be released to include "[t]he director of the immunization division of the department or his designee." Since there is no statutory authority to include the director of the immunization division or any designee, Section 100.2(a)(1)(E) of the proposed rules should be deleted.
Section 100.2(a)(2) of the proposed rules contains a suggested re-release authorization clause, which states:
This section gives approved registry users (per statute Section 161.008(c)(2)) the opportunity to re-release private information to the "entities" listed in Section 100.2(a)(1) of the proposed rules. There is no statutory authority to allow this re-release and it should be deleted from the proposed rules.
Additionally, in order for confidentiality to be maintained, TDH should change the proposed rules to strictly prohibit all those able to use, update or otherwise access registry data from releasing information unless they have written parental consent. Then, re-release should be permitted only to other approved registry users. For example, a school that has a childs immunization records must not be allowed to make any entries into the registry or "re-release" any immunization data if the parents have not given written consent. Consent must never be assumed. This measure is necessary to protect families who dont want their children's records to become part of the registry or other TDH data files.
Section 100.9(a) of the proposed rules states that, "The department by written agreement with other providers and health plans, may transmit paper or electronic copies of immunization records or reports to registered users of the registry or to other state or national immunization registries." Even if this were allowed, the re-release authorization statement in Section 100.2(a)(2) of the proposed rules uses vague wording that doesnt clearly inform parents that their children's data could be provided to insurance companies, other state and national registries, or anyone else approved by TDH. Again, the rules should be rewritten to restrict approved registry users from releasing registry information to entities not specified in the statute.
Finally, I am requesting that TDH explain how it plans to purge the system of information about children whose parents have denied or withdrawn consent, not only from the registry that TDH maintains but from all those with access to it or to whom the information has been released and re-released.
Rep. Berlangas original bill (H.B. No. 3054) provided that the registry would include "without limitation" the data listed below as well as the parents names and addresses, the childs place of birth, and the mothers maiden name. However, as amended and finally enacted, the statute permits only limited information to be gathered. Section 161.008(b) states that:
An immunization record contains the:
However, despite a legislative history showing an intent to disallow an expansive approach to the collection and release of private information, and the restrictive statutory language quoted above, TDHs proposed rules add more private information to be collected and released via its registry. Section 100.5(f) of the proposed rules states:
The statute does not authorize TDH to collect the private information quoted in bold type above. Indeed, much of it is the same information that the Legislature excluded from the registry when H.B. No. 3054 was amended and passed. All information that TDH has already collected beyond what the statute specifies and authorizes should be removed from the registry and its other data files. Even if such information was ostensibly given with parental consent, I question whether it constituted informed and valid consent unless TDH fully apprised those parents of the statutes data collection requirements and restrictions and their right to decline consent.
The statement in Section 100.5(b) of the proposed rules that, "Other information specified on forms and data file layouts should be provided when available" further reveals TDHs intention to collect personal information in a manner unconstrained by statutory restrictions. TDHs proposed rules leave open the possibility of collecting data of any kind, with nothing in the rules to prevent it from any gathering any information it deems useful. This open-ended provision for collecting information is not authorized in the statute and should be deleted from the proposed rules.
To make the registry a more useful tool, it needs to provide for recording immunization exemption status. Otherwise, scenarios might arise in which medically exempt children are mistakenly given vaccines (for example, while in the custody of someone unfamiliar with their health history) with potentially catastrophic results. Moreover, unless the registry includes exemption status, children with medical or religious exemptions whose parents have nonetheless consented to include them in the registry may receive unnecessary and unwanted TDH notices. Including immunization exemption status in the registry is the only expansion of TDH data collection that is justified and consistent with the statutes privacy safeguards (provided there is parental consent) and should be incorporated in its rules.
Section 161.009 of the statute provides penalties for negligently releasing or disclosing information. What assurance do we have that Texas has the jurisdiction and means to enforce this provision against users of other state and national registries or other groups who could misuse data they obtain from TDH's registry? Since data is apparently being entered into ImmTrac and possibly being released without parental consent, the negligent release provisions need to be enforced. Additionally, if TDH transfers registry data electronically, "hackers" or other unauthorized people could access this information. Because TDH is trying to release registry data to recipients that the statute does not authorize, and there are no guarantees that the integrity and confidentially of the information will be maintained, such release should not be allowed.
Data Quality Assurance
Section 100.6(a) states, "For the purpose of assuring the quality of submitted data, each provider will allow the department to inspect such parts of a patients medical records as are necessary to verify the accuracy of submitted data." Since the law only allows TDH to obtain the name and date of birth of persons immunized and the dates and types of immunization, this is the only data that TDH should be able to verify in their inspections. The proposed rules do not ensure that TDH will not collect additional information from children's medical records.
Section 100.6(b), which directs providers to supply the department with immunization information needs to be rewritten to include "if consent has been obtained".
Section 100.7(a) which directs organizations that pay claims to supply the department with immunization information needs to be rewritten to include "if consent has been obtained."
Under the proposed rules, TDH must remove data from the registry when consent is not given or withdrawn, but there is nothing to prevent TDH from maintaining this data in other ways or locations. For example, TDH could create a database of non-consenting parents and children to be used or released to other agencies or organizations for any purpose. The rules should prohibit the maintenance and uses of such information and prescribe penalties for abuses. Since TDH and other agencies "back-up" all computer files, this data could still be accessed from archive tapes. TDH must ensure no one will be able to retrieve information from back-up files or from other agencies if consent was not obtained or has been withdrawn.
No Limits on "Notices"
Section 161.007(e) of the statute states:
The statute does not clearly define or place limits on these "other means". Given that the registry does not provide for exemption information, parents could be continually harassed. TDH needs to define "other means" to assure that it does not include any penalties or harassment.
Links to Other Computers
Section 100.3(c) of the proposed rules indicates that the immunization registry will be linked with other databases, including, but not limited to ICES, WIC, Medicaid, and other insurance and health plan billing systems. Where do the proposed rules provide for maintaining privacy when the registry is linked to other systems like these? For example, TDH administers the Family Planning program where information obtained from a minor cannot be released. If TDH is planning to link ImmTrac to the Family Planning records, what precautions are in place to maintain confidentiality?
Is Texas planning to deny any state services or resources if immunizations are not up-to-date? New York State has pending legislation to require proof of immunization to receive a drivers license. An Ohio mother whose baby died 17 hours after receiving a DPT shot was threatened with losing her WIC benefits for refusing to vaccinate her subsequent children. (Dayton Daily News, May 28, 1993). It is essential that Texas does not tie immunization recordation to other areas of its citizens private lives, or resort to coercion by denying state services or personal freedoms or by imposing punitive measures, in order to force compliance.
Exchange of Records
Section 100.9 of the proposed rules states:
The proposed rules should define and specify the terms of the "agreement" that will be used between TDH and the entities listed in Section 100.9(a). As discussed in the previous section, the rules allow data sharing with entities not covered by the limitations of Section 100.9(b). TDH should clearly define how records may be used by other agencies and how privacy will be maintained.
Retaliation Against Parents?
Since inclusion in the registry is voluntary, the rules should state that parents who refuse consent will not be penalized, retaliated against, or in any way harassed. Parents should be protected from any backlash by users of the registry, including, but not limited to: insurance companies, health maintenance organizations, other organizations that pay or reimburse claims for immunizations, primary care physicians, public health offices, employers, schools, or daycare establishments.
If parents consent to including a child in the registry at birth, per Section 100.2(b) of the proposed rules, birth certificates should bear a notice that consent may be declined or withdrawn and should explain the procedure for withdrawing consent. Additionally, when parents sign consent forms, the rules should provide that they must be given information explaining how to withdraw consent if they later decide to do so.
Date of Implementation?
Section 100.5(d) of the proposed rules uses a beginning date of January 1, 1997, for registry data submission, and the ImmTrac Home Page already reflects a large number of registry entries. Why has data collection begun before the public comment period has closed and implementing rules have been finalized? Have entries been made into the ImmTrac system even before HB 3054 was passed on May 14, 1997?
Providers Become Agents of TDH
Section 100.1 defines the terms used in the proposed registry rules. The "provider" definition states that, "All providers become agents of Texas Department of Health for the purposes of the Immunization Registry."
What are the legal ramifications of making providers agents of TDH? Does it shield providers from liability for neglecting their obligation to protect information covered by the doctor/patient confidentiality provisions of Section 5.08 of the Medical Practice Act (Article 4495b, Vernon's Texas Civil Statutes)?Is it possible that by making providers its agents, TDH it will be able to obtain immunization or other personal data when parental consent has not been given? I am asking TDH to fully explain what it means for a provider to become an agent of TDH and how that could affect patient confidentiality as well as the legal obligations and liabilities of providers, registry users, and TDH under Texas law.
I believe there are serious problems in the rules as they are currently written. They do not follow the provisions of HB 3054 and need to be rewritten to more closely conform to them. I again ask that the comment period be extended an additional 60 days to allow for full public discourse.
I look forward to seeing these concerns addressed. My comments have been forwarded to Senator Jerry Patterson, my State Senator John Carona and, my State Representative, Tony Goolsby.