Since 2003, the Michigan Department of Community Health has been secretly collecting the names, dates of birth, risk categories, and other demographic information of people submitting for confidential HIV testing at grant-funded locations throughout the state and storing them in a massive database, a months-long investigation by The American Independent has discovered.
The database also includes the coded identities of people who have been identified as sexual and needle-sharing partners of persons living with HIV.
The state says this database is necessary to track the number of tests conducted using federal grants, as well as to determine reach and success of targeted testing programs designed to draw in people who are at high risk for HIV infection.
All the information that is collected is maintained in the database "indefinitely," said MDCH spokeswoman Angela Minicuci, and a person whose information is captured does not have a way to remove it.
While MDCH claims the database does not contain personally identifiable information, arecent study, published last month in the University of California Press' journal Social Problems, has found that some Michigan local health departments with access to the database are using it to pursue both civil actions known as "health threat to others" actions and criminal prosecutions against people living with HIV.
The study, authored by University of Michigan Ph.D. candidate Trevor Hoppe, found that the database has been used specifically to identify and target sexual or needle-sharing partners of newly diagnosed HIV-positive persons where the infected person may not have disclosed his or her status to partners; women who are HIV-positive and have become pregnant; and HIV-positive persons who have been diagnosed with other sexually transmitted infections.
Michigan law requires that funded agencies provide two options for HIV testing. The first is anonymous testing, where a code is used in place of a client's name. The second option is confidential testing, where the state certified tester is given a client's name along with other personally identifying information. Only those who opt for a confidential test will receive a piece of paper with their name and test results.
The department argues that this is not a names-based or identity-based database because the name, date of birth, and gender are encoded through a special formula in the database. The code, which is unique to each individual, is used to file testing and counseling information relative to that specific person. It is called a "unique identifying number" (UIN).
"There is no 'path' for 'persons' (if person refers to an individual who has received a confidential HIV test at a publically funded testing site that enters data into the HIV Event System) to 'remove their name and information' from the HIV Event System because no names are saved in the system," Minicuci said in an email to The American Independent.
"It is not possible for us to match a person (as defined above) to a HIV Event System record or records, using just her/his name and date of birth," she continued. "We would also need the agency that the person was tested at, the date of the test, and additional information to ensure that the correct record was identified. It is highly unlikely that a person (as defined above) would have evidence to prove that they were tested at a specific agency, on a specific date, etc. In other words using just a name and date of birth would not allow us to guarantee that we had found that person's record."
But MDCH acknowledged that a user for example, a local health department disease investigator can, in fact, enter data for, say, "John Doe" into the computer program to create a UIN and obtain the corresponding number. With that UIN, an authorized user can search and read records for that person.
Minicuci said there is no way to be certain the records one is reviewing belong to a specific person, because the name does not appear in the system.
A state document created by MDCH explains that in Michigan test results are confidential. It specifically states that, "All positive HIV tests are reported to the health department." It does not disclose, however, that negative tests results are also being reported and collected by the state.
Multiple state-certified HIV testers confirmed with TAI that they are taught in mandatory certification training to tell clients that testing information is kept confidential but not to mention that the information is collected and maintained by the state. The testers, who are employed by various agencies receiving MDCH money to conduct HIV testing, spoke on the condition of anonymity out of concern for their funding.
"'You have two options," one tester said she tells clients, based on state-mandated certification training. "'You can test anonymously, where you don't give us your name, but you do give us you date of birth and ZIP code. Or you can test confidentially, where you do give us you name but that is not shared with anyone unless you test positive; and then it is shared with the health department.'"
"It is not standard practice to review with testing clients what data is entered into the HIV Event System, or how client data is encrypted using the Health Resources Service Administration algorithm," Minicuci said. "Clients must, under Michigan law, be provided with the option to be tested anonymously or confidentially. The difference between these types of tests are described and any questions the client has are answered before the counselor obtains the client's consent to be tested."
As of June 2012, the Michigan HIV Event System contained 701,281 entries, according to documents TAI obtained through a Freedom of Information Act request. Of those, 579,990 are of HIV-negative test results; 483,628 of 701,281 entries are confidential tests keyed to a person's name with a UIN. In addition, 6,907 of these entries are from identified partners from partner services a voluntary program to help those who are infected to contact current and past needle and sexual partners that they may have been exposed to the virus. And 4,041 of these partner-services entries are names-based UIN-coded entries.
The database became apparent when the department confirmed to TAI that it had initiated an internal investigation into whether the private health information of thousands of people with HIV and their partners had been improperly released. The state's investigation found that a contractor had emailed some data within the HIV Event System from a protected government server without encryption to an email address at the company that created and maintains the database for the state. The state determined that no private information was released.
MDCH says information contained in the state database is intended to meet reporting requirements from the federal government. But the Centers for Disease Control and Prevention says it only requires anonymous demographic information for grant reporting.
Other states, like Indiana, also track information on people testing for HIV using an identity-linked coding system.
But others do not, like Minnesota, which collects demographic information on people who get tested for HIV but does not track that data linked to any identity-linked coding system.
No other reportable disease in Michigan has a corresponding database like HIV, Minicuci said.
According to MDCH, 785 people have access to some component of the database system. Of those, 13 users have access to all components of the database partner services, HIV testing, and HIV-positive identification. The general users are employed by local health departments in positions such as disease investigators, or those persons employed by AIDS service organizations who conduct testing at various locations throughout the state.
Minicuci said that new users are taught how to use the HIV Event System by other current users, and that no standard protocols exist outlining who can access what information from the database, for what reasons, and what can be done with it. The system also does not track who has accessed which information in the database a so-called "digital fingerprint," which Minicuci said "was not required" by the CDC in the development of the database.
All of this raises significant questions of privacy, civil liberties experts say.
"There are certainly privacy rights involved, particularly when clients are not being told that the information they are providing is being put in a database which can be utilized to assist with criminal prosecution of people living with HIV," said Jay Kaplan, staff attorney for the American Civil Liberties Union of Michigan LGBT Project. "It's ironic that in its effort to try to prevent transmission of HIV as part of the HIV-testing process, this policy and practice will likely discourage people from being tested, because they fear criminal prosecution for having knowledge of their HIV status."
Rose Saxe, from the National ACLU AIDS Project, also weighed in on the issue. She said the state is collecting confidential health information, but also "deeply personal information."
"The state has a constitutional obligation to keep this information secure, and to protect the privacy rights of people testing for HIV," Saxe told TAI in an email. "Because of the sensitivity of this information, the ACLU believes it is critically important that the state have in place policies to ensure that this information is used appropriately. This includes safeguards to prevent inadvertent disclosure, and ways to ensure that it is only accessed for legitimate reasons by health department employees. If the state cannot or does not undertake steps to protect this deeply private information about people in Michigan, it has no business collecting and storing it indefinitely."
Saxe also raised a concern that those submitting for HIV testing are being misled about who will know that they have tested for the virus.
"Information we've received, however, suggests that the state is advising people that information will only be retained if they do have HIV," Saxe said. "Misinforming people about the data that's being collected is a breach of trust, and a violation of people's rights to make informed decisions about how and when to test for HIV."
Kaplan said people being tested under government-funded programs have a right to know what information is being collected and for what that information will be used.
"I believe [those testing for HIV] should be concerned and they should be informed about what happens to the information that they provide and what that information can be used for," Kaplan said. "Under the current policy, to avoid having their info collected and used, they would have to either forgo HIV testing at local health departments, and seek out private testing sites (including their private physicians), both which may not be an option for everyone."
Saxe said she is confused about why the state is collecting information on people who do not test positive for the virus.
"We also have serious questions about why the state is retaining private information about people who test negative for HIV," she said. "Michigan would need a very good reason to justify keeping this information, and certainly should not be misleading people about what will happen with their private information."