California lawmakers want more state oversight of immunizations, and under a bill they are pushing, the state would begin collecting sensitive health information of schoolchildren whose doctors have exempted them from vaccinations due to medical reasons. But that proposed data collection has alarmed some parents already opposed to state-mandated vaccinations, who question whether California can be trusted to guard kids’ private medical data.
Experts, even those in support of broader immunizations, say that privacy question is a debate worth having.
Reports of healthcare data breaches are increasingly common, with more than 500 incidents over the past 16 months in the United States involving nearly 18 million people, according to U.S. Department of Health and Human Services data. Among the victims of hacking and theft of healthcare information are state agencies, including some in California.
“There has been so much cybercrime that it’s natural that parents are concerned about the protection of privacy,” said Dr. Jonathan Fielding, professor of public health and medicine at UCLA and former public health director for Los Angeles County. “I can’t say it’s an illegitimate concern, but you do have to weigh the importance of trying to prevent outbreaks and broader epidemics of a number of diseases.”
Senate Bill 276, by Sen. Richard Pan (D-Sacramento), would give the state health department the final say over whether a child should receive a medical exemption from some or all vaccines required to attend public or private school. Currently, doctors can excuse a child from vaccines, but Pan said some “unscrupulous” physicians have compromised that practice by advertising medical exemptions for cash.
Amid a nationwide surge in measles — the most reported in the U.S. since 2000 — Pan said the state must ensure everyone who can be vaccinated gets their shots in order to attend school.
His fix under SB 276 is to give the state’s Department of Public Health authority to approve medical exemptions, creating a new oversight arm in the agency. The department would be tasked with creating a standardized medical exemption form that doctors would fill out and send to the state. The state’s public health officer or their “designee” would approve or deny requests.
Medical exemptions that are approved would be included in a database the agency would create by Dec. 31, 2020, for use by public health officials in the state.
Currently, medical exemptions are kept at schools and district offices. Under the bill, those would be forwarded to the state for inclusion in the non-public database by the end of 2021. The bill would allow public health officials to revoke existing exemptions.
One of the leading opposition groups to SB 276, Educate. Advocate., said the state’s medical exemption database raises concerns that the private health information of California students with medical exemptions could be compromised.
“Databases are at risk for hacking, exposing confidential medical information to insurance companies, higher education institutions and future employers, who may discriminate based on pre-exisiting conditions and disabilities,” the group wrote in its opposition arguments.
Many of the specifics of the bill would be left to the public health department to craft, including what would be included in the database and which public health officials would have access to it. The department already manages several databases containing sensitive medical information, including one monitoring people diagnosed with HIV in California. The department also tracks individual cases of measles in the state.
“The people who feel this is invasive are the people who feel their avenue to exemptions has been cut off,” said Catherine Flores-Martin of the California Immunization Coalition. “We have confidence that the state public health department will be able to manage the exemptions as they do with other data they keep.”
John Verdi, vice president of policy at the nonprofit Future of Privacy Forum in Washington, D.C., said medical data are sensitive and need to be adequately protected, but he doesn’t see vaccine exemptions being targeted because they will likely lack the Social Security numbers or credit card information that thieves seek.
In many cases, he said, hackers target health insurance information to fraudulently use another person’s coverage for their own care. That information is also unlikely to appear on the database, Verdi said.