Abstract
The threat of bioterrorism in the wake of the September 11, 2001, terrorist attacks cannot be ignored. Syndromic surveillance, the practice of electronically monitoring and reporting real-time medical data to proactively identify unusual disease patterns, highlights the conflict between safeguarding public health and protecting individual privacy.
Both the Health Insurance Portability and Accountability Act and the Common Rule (which promulgates protections for individuals in federally sponsored medical research programs) safeguard individuals. Public health law protects the entire populace; uneven state-level implementation lacks adequate privacy protections.
We propose 3 models for a nationwide bioterrorism surveillance review process: a nationally coordinated systems approach to using protected health information, creating public health information privacy boards, expanding institutional review boards, or some combination of these.
Following the events of September 11, 2001, the threat of a large-scale bioterrorism attack cannot be dismissed. Syndromic surveillance, the electronic monitoring and reporting of real-time medical data, may identify a bioterrorism attack at its earliest stage, and early notification could lead to disease containment and widespread prophylactic treatments such as antibiotics or vaccinations.1 Recognizing unusual disease patterns early in an outbreak requires extensive, continuous, and timely clinical data collection and reporting. However, performing real-time surveillance, transmission, and analysis of private medical data could result in suspending individual privacy rights for the purpose of serving the greater public good.
Governing the flow of protected health information between research organizations and public health surveillance organizations creates many questions concerning each party’s legal and ethical responsibilities, particularly in a suspected epidemic. The Health Insurance Portability and Accountability Act (HIPAA) as well as the Common Rule, which promulgates rules for protecting study participants in federally sponsored research programs, provide regulations safeguarding protected health information. Both HIPAA and the Common Rule are focused toward the individual and mandate compliance nationwide. Public health law, however, is focused on the well-being and safety of the entire population. Unlike HIPAA, public health law is legislated by individual states rather than by the federal government and has no unifying mechanism for balancing privacy rights against public safety. The proper interaction between and appropriate application of HIPAA, the Common Rule, and public health law during a suspected epidemic is unclear.
We reviewed 2 projects that we manage at the nonprofit research organization, HealthPartners Research Foundation (HPRF) in conjunction with HealthPartners Medical Group in Minneapolis, Minnesota. The projects evaluated the feasibility and sensitivity of 2 interlinked bioterrorism syndromic surveillance systems. Using the HPRF projects as a reference, we then researched legal issues surrounding the collection and transfer of public health information between medical research and public health surveillance organizations. We also reviewed ethical questions regarding balancing the privacy of individual health information against protecting the public health at large.
After considering the comprehensive access to individuals’ protected health information by those performing public health surveillance, we concluded that privacy protections in surveillance must be upgraded to bring them in line with privacy protection regulations (primarily HIPAA) that now cover private entities. As surveillance organizations become ever more dependent on electronically sharing protected medical information to protect the communal welfare, public confidence in data privacy must be improved. We devised 3 possible constructive courses of action.
SYNDROMIC SURVEILLANCE
Syndromic surveillance is the ongoing systematic collection, analysis, interpretation, and dissemination of health-related data preceding diagnosis, searching for indicators suggesting sufficient probability of an outbreak to warrant a public health response. Because data must be timely to be useful, information is often pulled from large linked data systems at integrated health care organizations to obtain the largest dataset possible in the shortest period of time.
Sample Syndromic Surveillance Models
Several syndromic surveillance models are in use. In most, should signs of a potential outbreak be found, identifying data are sent to local health officials and an investigation is started.
The National Bioterrorism Syndromic Surveillance Demonstration Program uses a model in which aggregate data are sent to the data center in Boston for analysis. Should signs of an outbreak be identified, local medical organizations supplying the data are instructed to send identifying information to the cooperating local health department, which may start an investigation.
HPRF works with 2 systems, one in which individuals’ protected health information stripped of personal identifiers is sent to the health department for analysis. Should the health department identify signs of an outbreak, HPRF will supply identifying information to begin an investigation. The second model included protected health information in the initial transmittal. Both were used in the case study reviewed below. The second model raises more issues.
Biosense is an extensive data collection system being constructed by the Centers for Disease Control and Prevention (CDC) and medical care organizations that transmits no personal identifiers but does transmit a rich protected health-information file to the CDC. Tracing back through the system to identify individuals is not possible.
CASE STUDY
Our study addressed legal issues surrounding the collection and transfer of protected health information between research and surveillance organizations and also reviewed ethical questions regarding balancing the privacy of individual health information against protecting the public health at large. To help clarify these issues, we conducted a case study reviewing 2 projects evaluating interlinked bioterrorism syndromic surveillance systems run by HPRF and HealthPartners Medical Group, a large multispecialty group practice of over 600 physicians. The HealthPartners Medical Group uses an electronic medical-record information system to collect daily encounter data from the 18 HealthPartners clinics in the Twin Cities, Minnesota, metropolitan area, using an integrated data system. Personal health information, including demographics, is included in the medical record. Historical information is available to allow comparison of daily rates with historical rates.
After the relevant clinical encounters are extracted from the data set, the information is transmitted in 2 directions. First, as part of the HPRF’s research on the feasibility of using this clinical data set for bioterrorism surveillance, a limited data set rich in protected health information is sent to the local public health department for analysis and epidemic tracking. This limited data set includes the following: age (not birthdate), gender, clinic visited, date of visit, and patient zip code. A HIPAA-compliant data-use agreement governs flow of information from HPRF to the public health department.2 In the second project, HPRF sends a daily aggregated data set (counts of syndromes by zip code) to the Harvard-based headquarters of the National Bioterrorism Syndromic Surveillance Demonstration Program. Detailed descriptions of this program have been previously published.3–5
Thus, HPRF is sending an aggregate data set, which is permitted under all rules, to the National Bioterrorism Syndromic Surveillance Demonstration Program, and a limited data set to the health department. If signs of an outbreak occur in either program, HPRF sends identifying information to the public health department.
LEGAL ISSUES AND PRIVACY OF PROTECTED HEALTH INFORMATION
Patients have little faith in the security of their electronic health information. Public opinion polls have long indicated a consistent lack of public trust in the security of electronic health information.6 The role of medical data privacy in research and surveillance is governed by a complicated interaction between HIPAA, the Common Rule, and public health law.
Health Insurance Portability and Accountability Act
In 1996, the Department of Health and Human Services issued HIPAA to update standards for protecting transmission of protected health information privacy.7 What is now known as the HIPAA Privacy Rule regulates the transfer of protected health information between covered entities, including health care providers, health care clearinghouses, and health plans.
The Privacy Rule is based on the following principles:
- Information is shared for a specific purpose only and may not be used for other purposes.
- Information is shared for a specific time period and destroyed when no longer needed for the original purpose.
- The minimum amount of information needed to perform the function should be used.
The Privacy Rule permits certain types of public health–related information disclosures without the patient’s consent. Specifically,
protected health information can be disclosed to public health authorities and their authorized agents for public health purposes including but not limited to surveillance.8
The Common Rule and Protection of Human Study Participants
The principle that protecting human study participants serves to balance the risks and benefits to those participants grew out of well-publicized research abuses, including Nazi medical experiments during World War II and the Tuskegee Syphilis studies, which exposed participants to substantial risk with neither informed consent nor possible benefit to the participant.
Rules for protecting human participants were promulgated in the 1979 report by the National Commission for the Protection of Human Subjects of Biomedical and Behavioral Research, Ethical Principles and Guidelines for the Protection of Human Subjects of Research (also known as the “Belmont Report”). The report established the ethical principles of respect for persons, beneficence, and justice as applied to human participants in medical research studies.9
Out of the Belmont Report came a set of regulations known as the Common Rule, created to govern federally sponsored human participant research. The Common Rule formalized the requirements that (1) research be reviewed by an institutional review board, (2) all participants must give their informed consent to the research, and (3) institutional compliance must be assured.9,10 Under the Common Rule, investigators’ access to individual research information, the limitations on the use of research information, and investigators’ conflicts of interest are regulated.
Thus, before HPRF could begin testing the feasibility of a bioterrorism surveillance program using protected health information, researchers had to provide the institutional review board with procedures for protecting participants and an assessment of likely benefits of the research. They also had to provide confirmation that the investigators had undergone training in both privacy compliance and the responsible conduct of research, and had no conflicts of interest.
Public Health Law
Public health law differs from HIPAA and the Common Rule in 2 critical regards. First, the goal of public health law is to protect the greater good, even at the expense of a specific individual. Public health law grew out of the need for state health departments to address communicable diseases through quarantine and other actions. As such, rights of the individual are subjugated to the public good under public health law. Second, whereas HIPAA and the Common Rule were derived from the federal government, public health law has been delegated to the states. Many states’ public health laws have not been updated to reflect the advent of large computerized databases and changes in disease threats.11 In no state does a body equivalent to an institutional review board or a HIPAA privacy board exist to oversee administration of state infectious disease reporting rules.
The threat of bioterrorism raises important issues for public health law. First, data gathering for bioterrorism surveillance is ongoing rather than initiated in response to an existing threat. Second, limited structural safeguards are in place for reviewing the use of protected health information transmitted under state infectious disease reporting rules, and these vary greatly from state to state. As Gostin has noted,
Government collection of sensitive health information (e.g., named HIV reporting) raises privacy concerns. Yet, the [HIPAA privacy] rule leaves public health information unprotected, unless there are strong state laws. Scholarly reviews demonstrate that state privacy safeguards are often weak and fragmented.11(p3019)
Recognizing the inconsistencies in state public health law, the CDC-sponsored Center for Law and the Public’s Health, based at Georgetown and Johns Hopkins Universities, has published a model state health emergency powers act. This model act gives substantial powers to state and local health departments in times of emergency, facilitates the early detection of health emergencies by authorizing data collection and reporting, and grants health departments immediate access to individuals’ health information under specified situations.12
ETHICAL ISSUES
There is an inherent conflict between protecting personal privacy and protecting the common good, evident in the conflict between data used for medical research versus surveillance purposes. Research is subject to well-codified standards regulated by HIPAA and the Common Rule. Public health law, however, does not universally define similar standards for weighing the public interest and personal privacy. Bayer and Fairchild note,
Although epidemiological research has been the subject of ethical review, it is remarkable that surveillance has not been subject to similar oversight.13(p1898)
Whereas HPRF treated the bioterrorism surveillance program as medical research, subject to all the requisite data protections, the public health department viewed the program as surveillance. Surveillance conducted by state and local health departments is governed by each state’s unique data privacy laws. In addition to a lack of national consistency, state regulations often focus on limiting data release outside of public health departments without a similar focus on regulating data access internally. The risk of failing to closely regulate internal data access is that the likelihood of an external release increases when information access is poorly controlled within a department. For example, in February 2005, a highly confidential list of the names and addresses of 6500 Palm Beach County residents with HIV/AIDS was emailed to more than 800 county health department employees. This accidental release illustrates the risks of failing to take or follow adequate data access protections.
Given these contrasting standards, what defines the difference between medical research and public health surveillance? Most criteria are based on the investigator’s “primary intent,” so the way in which an organization or group defines its work has a tremendous effect on the legal restrictions of data use and the requisite oversight.8,9 According to the Privacy Rule, if the activity is both research and surveillance, the rules governing protected health information are based on the activity’s primary purpose.6,8 Thus, if the activity is primarily research, the research rules prevail. The Belmont Report also recognizes this imprecise line between research and public health practice: “The distinction between research and practice is blurred partly because both often occur together.”10
It is an issue of concern that 2 fields with access to the same clinical information are subject to such different regulatory oversight and legal responsibilities. As electronic surveillance increases, public health practitioners will need to address the public’s desire to protect confidentiality. A major unauthorized release of protected information by a government agency or other unregulated private data repository could lead to severe restrictions on access to crucial electronic data, which could in turn hinder the ability to rapidly identify and respond to unusual disease patterns.
The current standard of primary intent is ambiguous in the case of bioterrorism surveillance. The ramifications of the research versus surveillance question would be of lesser consequence were privacy protection and public health protection better balanced in both cases.
NATIONWIDE BIOTERRORISM SURVEILLANCE REVIEW PROCESS
The increased use of electronic medical data makes the debate between personal privacy and public health increasingly urgent. In research, the philosophical debate between the need for individual privacy and an obligation to protect the public lasted nearly 30 years before resulting in the Common Rule and HIPAA.
Although the same ethical debate of individual privacy versus public protection exists in surveillance, there is a notable absence of consistent rules balancing individual rights and public health; the entire debate system is skewed toward the collective good. Standards have not been updated to reflect the transition to electronic real-time personal health information. Although, like Minnesota, most states have data privacy statutes protecting an individual’s private data from public release, it remains the ethical and legal responsibility of public health practitioners and state public health departments to uphold individual rights and privacy as much as possible. In this post–September 11 era, there may be a greater tendency to quickly suspend an individual’s rights in favor of the public’s protection.
The public health community should codify rules concerning use of public health information before a privacy breach or public health crisis occurs. A research-like culture that balances risk and reward, limits information access, and defines data use before data collection should characterize public health practice as well. This would guard against 2 risks: (1) with data access closely controlled, accidental or intentional releases would be far less likely, and (2) such a structure would make it much easier for public health practitioners to balance privacy versus public health concerns. We propose 3 possible models for change.
Although critics of a nationwide review process contend it could become a hindrance in time of crisis, we found that using such a process would have made very little difference in the case study. In the time it took HPRF to get the projects through the institutional review board at HealthPartners, the case study could have also completed a public health review using any of our 3 proposed models. With some forethought, the safeguards we propose in the 3 models should not hinder appropriate surveillance.
Model 1: Systems Solution
Leading researchers in the field of medical error prevention employ the idea of “system-level solutions” when proposing methods of handling medical mistakes. If an incident of public health information misuse could be thought of as an unintentional—but still harmful—medical error, then the ideas behind a systems solutions approach can be adapted to fit the needs of a public health organization. Data agreements for surveillance projects could adopt explicit data-use standards, require compliance with those standards, monitor employee performance, and outline methods for responding to deficiencies.14
Data agreements could stipulate that employees must read and understand the standards for data use, acknowledge that data use will be monitored, personal use of data will be evaluated, and that failure to adhere to the stated rules will result in a loss of access privileges. Those individuals with access to public health information
will know who is responsible for collecting data, who should receive reports, and what actions are required by whom at each level. Such a system would provide accountability at all levels.14(p112)
Data agreements would add specific language stating under what circumstances each individual would have access to information; public health information should be considered “classified” information. This type of systems solution adds privacy and accountability protections at the level closest to those with access to public health information. Protecting information may be most successful if the people using that information know how to protect it.
Proposals for toughening existing protections of public health information and data-use agreements have faced 2 criticisms in particular. First, stronger data-use protections might unintentionally become bureaucratic barriers to rapid response in the event of an actual emergency. Systems proposals are not easily vulnerable to this criticism; information access would be clearly delineated before an emergency, maintaining and possibly improving communication. However, a systems proposal does not address the second concern—a lack of oversight. Should public health organizations be responsible for internally monitoring their own use of data? The Common Rule, acknowledging this potential for problems within the research community, created institutional review boards after which our second proposal is modeled.
Model 2: Structural Solution
A structural solution for addressing privacy concerns would be the creation of a public health information privacy board. This is consistent with a proposal from Fairchild and Bayer.15
The recent efforts to provide definitional solutions to the question of research and public health practice have produced inconsistent and conceptually unsatisfying results. The time has come to resolve the matter by acknowledging the necessity for ethical review of surveillance activities at both state and federal levels, whether such activities fall neatly under the classification of research, public health practice, or in some combination of the two.
We propose that, like HIPAA privacy boards, a public health information privacy board should have several powers. First, the public health information privacy board should prospectively approve surveillance activities. Second, the public health information privacy board should have the ability to suspend surveillance activities for violation of public health information privacy board rules. Third, public health information privacy boards should require that emergency actions taken without prior board approval would receive a prompt and thorough retrospective review.
The public health information privacy board could reasonably be housed within public health organizations, but should include community members not employed by the government. These members should represent a diverse range of perspectives to create a balance of public health and community voices, similar to the structure of most HIPAA privacy boards and institutional review boards. At the state level, public health information privacy board members could be appointed by the commissioner of health or other senior government officials, thereby giving the committee the authoritative backing it needs to be effective. Public health information privacy boards must be able to robustly defend their impartiality. As an entity, public health information privacy boards must not only remain politically neutral, but must also be free from financial pressures.
Model 3: Institutional Review Board Expansion
Another option would be to broaden the scope of the institutional review boards within public health practice organizations to include surveillance review as well as research review. Existing institutional review boards handle both the privacy and consent aspects of the patient protection discussion. Consent, however, would not be a main issue for surveillance activities. Institutional review board membership would necessarily expand to include the expertise of an epidemiologist and a lawyer familiar with public health law. Unlike research, the nature of surveillance work is such that an expeditious response to public health problems is frequently required. An expedited process for review within 24 to 48 hours should be implemented, as well as a rapid retrospective review. The primary advantages of this proposal are that an institutional review board is a previously existing impartial group, and that limited additional time, money, and personnel would be required for an institutional review board to begin reviewing surveillance activities.
No Action
The final option of doing nothing is, in our opinion, certain to lead to a public health information crisis. Another data release like the one in Florida is inevitable. It is only a matter of time until another public disclosure or inappropriate use of private health data by public health authorities will result in a massive public outcry; this could in turn lead to substantial regulatory restrictions on data access, and impede identification and rapid treatment of disease epidemics.
CONCLUSION
Although rules and regulations offer some privacy protection in public health, without external supervision these measures have repeatedly been found to be inadequate within the field of research, leading to review boards. In our case study of bioterrorism surveillance, we saw an example of data handled differently by the 2 partners on the project. Our research revealed a lack of congruence between well-codified research rules designed to protect the individual and surveillance rules designed to protect society. In the public health arena, the state-by-state patchwork of rules and regulations is inadequate to produce a climate in which individual privacy is balanced with public needs. The lack of safeguards in surveillance prompted us to propose the establishment of an ethical review process. This review process, designed to consider the risks to patients inherent in the use of electronic data, could use any of the forms proposed in this article: a nationally coordinated systems change in the use and tracking of public health information, the creation of public health information privacy boards, expansion of existing institutional review board assignments, or some combination of these.
Acknowledgments
This work was funded by the Centers for Disease Control and Prevention (grant UR8/CCU115079-08).
The authors thank Karen Maschke, PhD, for her comments and suggestions and Mary Ann Baily, PhD, and Martin Gunderson, JD, PhD, for helpful discussions. We appreciate the assistance from the Centers for Disease Control and Prevention, which has provided financial support toward the development of the National Bioterrorism Syndromic Surveillance Project. The authors would also like to thank Betty Jo Haggerty, MS, and Barbara Olson-Bullis, MA, for their operations and research assistance.
Human Participant Protection
No protocol approval was needed for this study, because no human participants were involved.
Peer Reviewed
Contributors
J. D. Nordin conceptualized the article, with help developing the concept from S. Kasimow, M. J. Levitt, and M. J. Goodman. J. D. Nordin, S. Kasimow, and M. J. Levitt performed the literature review. All authors contributed to writing and revising the article.
References
- 1. Nordin J, Asplin BR, Kassenborg H. Syndromic surveillance systems. Minn Med. 2003;17:1–10.
- 2. Miller B, Kassenborg H, Dunsmuir W, et al. Syndromic surveillance for influenzalike illness in ambulatory care network. Emerg Infect Dis. 2004;10:1806–1811.
- 3. Yih WK, Caldwell B, Harmon R. National bioterrorism syndromic surveillance demonstration program. MMWR Morb Mortal Wkly Rep. 2004;53(suppl):43–49.
- 4. Platt R, Bocchino C, Caldwell B, et al. Syndromic surveillance using minimum transfer of identifiable data: the example of the national bioterrorism syndromic surveillance demonstration program. J Urban Health. 2003;80(suppl 1):i25–i31.
- 5. Lazarus R, Kleinman K, Dashevsky, et al. Use of automated ambulatory-care encounter records for detection of acute illness clusters, including potential bioterrorism events. Emerg Infect Dis. 2002;8(8):753–760.
- 6. Hodge J, Gostin L, Jacobson P. Legal issues concerning electronic health information: privacy, quality, and liability. JAMA. 1999;282:1–2.
- 7. Dunn C, Chadwick G. Protecting Study Volunteers in Research: A Manual for Investigative Sites. 3rd ed. Boston, MA: Thompson Centerwatch; 2004.
- 8. Centers for Disease Control and Prevention. HIPAA privacy rule and public health: guidance from CDC and the US Department of Health and Human services. MMWR Morb Mortal Wkly Rep. 2003; 52; 1–12. Available at http://www.cdc.gov/mmwr/preview/mmwrhtml/m2e411a1.htm. Accessed May 17, 2005.
- 9. Ethical and Policy Issues in Research Involving Human Participants: Report and Recommendations of the National Bioethics Advisory Commission. Bethesda, MD: National Bioethics Advisory Commission; 2001. Vol 1.
- 10. The Belmont Report: Ethical Principles and Guidelines for the Protection of Human Subjects of Research. Washington, DC: Department of Health Education and Welfare; 1978. Publication No. (OS) 78-0012.
- 11. Gostin L. National health information privacy: regulations under the health insurance portability and accountability act. JAMA. 2001;285:3019.
- 12. Public Health Statute Modernization National Excellence Collaborative. Model State Public Health Act. Turning Point Web site. Available at http://www.turningpointprogram.org/Pages/pdfs/statute_mod/MSPHAfinal.pdf. Accessed July 17, 2005.
- 13. Bayer R, Fairchild A. Surveillance and privacy. Science. 2000;290:1898–1899.
- 14. Leape LL, Fromson JA. Problem doctors: is there a system-level solution? Ann Intern Med. 2006;144:107–115.
- 15. Fairchild A, Bayer R. Ethics and the conduct of public health surveillance. Science. 2004;203:632.
