Bioterrorism Surveillance and Privacy: Intersection of HIPAA, the Common Rule, and Public Health Law

The threat of a large-scale bioterrorism attack exists since 9/11. Real-time public health surveillance may recognize a bioterrorism attack much earlier, leading to more timely response. Early recognition of an unusual disease pattern requires extensive, ongoing, timely clinical data collection, and electronic information sharing.

The use of electronic medical data by research organizations for bioterrorism surveillance and reporting of detected epidemics to public health departments produces a situation where HIPAA, the Common Rule, and public health law interact in complex ways. We use two interlinked bioterrorism syndromic surveillance systems to clarify the conflicts between protecting medical privacy and supporting the common good, and between research and surveillance.

In bioterrorism surveillance we have data treated differently by the partners. The data were treated as research by the HealthPartners Research Foundation, and as surveillance by the local public health department. In research, HIPAA and the Common Rule strictly govern data management. In public health, a state by state patchwork of rules and regulations exists, which is inadequate to produce a climate which balances individual privacy with public needs.

This lack of balance in public health surveillance prompts us to propose the establishment of an ethical review process. This review process, designed to consider the risks to patients inherent in the use of electronic data, could take three forms: a nationally coordinated systems change in the use and tracking of PHI data, the creation of Public Health Information Privacy Boards, or expansion of existing IRB assignments, or some combination of these three.