§ 1001. Reports to commissioner of health
(a) When a physician, health care provider, nurse practitioner, nurse, physician's assistant, or school health official has reason to believe that a person is sick or has died of a diagnosed or suspected disease, identified by the department of health, as a reportable disease and dangerous to the public health or if a laboratory director has evidence of such sickness or disease, he or she shall transmit within 24 hours a report thereof and identify the name and address of the patient and the name of the patient's physician to the commissioner of health or designee. In the case of the human immunodeficiency virus (HIV), "reason to believe" shall mean personal knowledge of a positive HIV test result. The commissioner, with the approval of the secretary of human services, shall by rule establish a list of those diseases dangerous to the public health that shall be reportable. Nonmedical community-based organizations shall be exempt from this reporting requirement. All information collected pursuant to this section and in support of investigations and studies undertaken by the commissioner for the purpose of determining the nature or cause of any disease outbreak shall be privileged and confidential. The health department shall, by rule, require that any person required to report under this section has in place a procedure that ensures confidentiality. In addition, in relation to the reporting of HIV and the acquired immune deficiency syndrome (AIDS), the health department shall, by rule:
(1) develop procedures, in collaboration with individuals living with HIV or AIDS and with representatives of the Vermont AIDS service organizations, to ensure confidentiality of all information collected pursuant to this section; and
(2) develop procedures for backing up encrypted, individually identifying information, including procedures for storage, location, and transfer of data.
(b) Public health records that relate to HIV or AIDS that contain any personally identifying information, or any information that may indirectly identify a person and was developed or acquired by state or local public health agencies, shall be confidential and shall only be disclosed following notice to the individual subject of the public health record or the individual's legal representative and pursuant to a written authorization voluntarily executed by the individual or the individual's legal representative. Such notice and authorization is required prior to all disclosures, including disclosures to other states, the federal government, and other programs, departments, or agencies of state government.
(c) A disclosure made pursuant to subsection (b) of this section shall include only the information necessary for the purpose for which the disclosure is made. The disclosure shall be made only on agreement that the information shall remain confidential and shall not be further disclosed without additional notice to the individual and written authorization by the individual subject as required by subsection (b) of this section.
(d) A confidential public health record, including any information obtained pursuant to this section, shall not be:
(1) Disclosed or discoverable in any civil, criminal, administrative, or other proceeding.
(2) Used to determine issues relating to employment or insurance for any individual.
(3) Used for any purpose other than public health surveillance, and epidemiological follow-up.
(e) Any person who:
(1) willfully or maliciously discloses the content of any confidential public health record without written authorization or other than as authorized by law or in violation of subsection (b), (c), or (d) of this section shall be subject to a civil penalty of not less than $10,000.00 and not more than $25,000.00, costs and attorney fees as determined by the court, compensatory and punitive damages, or equitable relief, including restraint of prohibited acts, costs, reasonable attorney's fees, and other appropriate relief.
(2) negligently discloses the content of any confidential public health record without written authorization or other than as authorized by law or in violation of subsection (b), (c), or (d) of this section shall be subject to a civil penalty in an amount not to exceed $2,500.00 plus court costs, as determined by the court, which penalty and costs shall be paid to the subject of the confidential information.
(3) willfully, maliciously, or negligently discloses the results of an HIV test to a third party in a manner that identifies or provides identifying characteristics of the person to whom the test results apply without written authorization or other than as authorized by law or in violation of subsection (b), (c), or (d) of this section and that results in economic, bodily, or psychological harm to the subject of the test is guilty of a misdemeanor, punishable by imprisonment for a period not to exceed one year or a fine not to exceed $25,000.00, or both.
(4) commits any act described in subdivision (1), (2), or (3) of this subsection shall be liable to the subject for all actual damages, including damages for any economic, bodily, or psychological harm that is a proximate result of the act. Each disclosure made in violation of this chapter is a separate and actionable offense. Nothing in this section shall limit or expand the right of an injured subject to recover damages under any other applicable law.
(f) Except as provided in subdivision (a)(2) of this section, the health department is prohibited from collecting, processing, or storing any individually identifying information concerning HIV/AIDS on any networked computer or server, or any laptop computer or other portable electronic device. On rare occasion, not as common practice, the department may accept HIV/AIDS individually identifying information electronically. Once that information is collected, the department shall, in a timely manner, transfer the information in compliance with this subsection.
(g) Health care providers must, prior to performing an HIV test, inform the individual to be tested that a positive result will require reporting of the result and the individual's name to the department, and that there are testing sites that provide anonymous testing that are not required to report positive results. The department shall develop and make widely available a model notification form.
(h) Nothing in this section shall affect the ongoing availability of anonymous testing for HIV. Anonymous HIV testing results shall not be required to be reported under this section.
(i) No later than November 1, 2007, the health department shall conduct an information and security audit in relation to the information collected pursuant to this section, including evaluation of the systems and procedures it developed to implement this section and an examination of the adequacy of penalties for disclosure by state personnel. No later than January 15, 2008, the department shall report to the senate committee on health and welfare and the house committee on human services concerning options available, and the costs those options would be expected to entail, for maximizing protection of the information collected pursuant to this section. That report shall also include the department's recommendations on whether the general assembly should impose or enhance criminal penalties on health care providers for unauthorized disclosures of medical information. The department shall solicit input from AIDS service organizations and the community advisory group regarding the success of the department's security measures and their examination of the adequacy of penalties as they apply to HIV/AIDS and include this input in the report to the legislature.
(j) No later than January 1, 2008, the department shall plan and commence a public campaign designed to educate the general public about the value of obtaining an HIV test.
(k) The commissioner shall maintain a separate database of reports received pursuant to subsection 1141(i) of this title for the purpose of tracking the number of tests performed pursuant to subchapter 5 of chapter 21 of this title and such other information as the department of health determines to be necessary and appropriate. The database shall not include any information that personally identifies a patient.
(Amended 1979, No. 60, § 1; 1997, No. 7, § 1, eff. April 29, 1997; 1999, No. 17, § 2; 2007, No. 73, § 2; eff. April 1, 2008; 2007, No. 194 (Adj. Sess.), § 2.)