The Surveillance and Security of Protected Health Information (PHI)

Those of us who traveled on a commercial aircraft in the United States before the terrorist attacks of September 11, 2001, may remember with longing an easier time when shoes and belts always stayed on, non-ticketed companions could access the gate and shampoo could be carried on without being carefully measured beforehand. Of course, our federal government instituted various and significant changes after that painful day, including increased security measures and surveillance aimed at what was often called “counter terrorism.” While security changes at the airport, the general empowerment of the NSA, and other post-9/11 safety measures are easy to see, another meaningful governmental response from fall 2001 is easy to overlook: syndromic surveillance by public health officials.

In October 2001, FBI Director Robert Mueller announced that the Bureau was investigating anthrax exposures in Florida, New York, Washington, D.C. and elsewhere around the country. That investigation involved testing, analyzing and comparing powders sent through the U.S. Mail system to various targets including news outlets and congresspeople; testing was conducted by the Centers for Disease Control (CDC) in coordination with state, tribal, local and territorial (STLT) public health officials. These investigations led to meaningful enhancements to the century-old National Syndromic Surveillance Program (NSSP), led by the CDC, aimed at counter-bioterrorism and other potential threats to public health including severe viruses and environmental hazards.

Syndromic surveillance begins when a patient seeks treatment from a healthcare provider, including a hospital emergency department, urgent care center, outpatient clinic, or other provider. The NSSP receives nearly 10 million electronic health messages per day from approximately 7,200 health care facilities in all 50 states. The data collected varies by provider but typically includes a patient’s primary complaints, symptoms, diagnosis codes, demographic information and geographic location. The CDC claims that data is “de-identified” before it is sent directly to the local health department or to a health information exchange (HIE).

The data can also be sent directly to the CDC’s BioSense platform, a cloud-based electronic health information platform used by the NSSP. Once data is on BioSense, it is almost immediately available to public health agencies via a tool called ESSENCE (Electronic Surveillance System for the Early Notification of Community-based Epidemics) for analysis and collaboration. This data quickly facilitates identification of threats and rapid response by health departments.

For example, the CDC recently commended Idaho for its use of NSSP to analyze, identify and combat specific risks to teens and young adults.[1] In Idaho in 2015, suicide was the second-leading cause of death among teens and young adults behind only accidental deaths. Data collected under the NSSP umbrella, through the ESSENCE system, led to a Community Health Assessment which correctly identified suicide as a top public health priority. Public health officials at various levels now work to address the problem through the Suicide Prevention Action Network, which offers education programs in schools, resource centers, crisis centers, access to counseling, hotlines and other public health benefits.

Interestingly, the CDC cautions healthcare providers and public health officials that although syndromic surveillance data is described as de-identified or anonymized, it is unlikely to meet the HIPAA definition of de-identification and remains risky to disclose or share. The CDC also reassures providers and officials, however, that it is impossible to trace data back through the system to identify individual patients. Moreover, the Privacy Rule is designed to cover this data collection: it permits disclosure of otherwise-protected health information to public health authorities and their authorized agents for public health purposes, including, but not limited to, surveillance.

Despite these safeguards, some studies of the interplay between laws that protect health information and programs that use PHI to analyze public health concerns have noted a “lack of congruence” between rules that govern the two priorities, indicating generally that “state-by-state patchwork of rules and regulations is inadequate to produce a climate in which individual privacy is balanced with public needs.”[2]

Why should the ‘everyday’ provider care? Two reasons: broad scope and variable objectives. First, because the CDC collects data from local public health organizations in all 50 states, concerns about the improper disclosure and/or use of PHI go far beyond reporting by emergency departments at government-owned acute care hospitals. The CDC boasts that although each STLT health authority can determine what to submit to the Federal level, the data that eventually reaches the CDC comes from “anywhere that a person receives healthcare,” including hospitals, laboratories, urgent cares, clinics, home health providers, all varieties of medical group practices (individuals or associations), surgery centers, nursing homes, rehabilitation facilities and more regardless of whether these organizations are investor-owned, not-for-profit, for-profit or government-owned.

Second, the CDC uses reported data not only for bioterrorism monitoring or epidemic outbreak detection, but also for surveillance of disease trends, treatment trends and public health studies focused on a vast array of pathologies and treatment modalities. As a result, medical providers in virtually all circumstances may consider where they provide services and whether the records they generate there may be transmitted. For instance, private practitioners who do not report directly from their medical group, but who occasionally treat their patients admitted to a nearby hospital, hospice facility or rehabilitation center, may have their patients’ records transmitted to the CDC by a local health authority. This disclosure could constitute a so-called ‘Level I’ inadvertent violation, triggering at least a distracting and frustrating reporting, investigating and risk assessment protocol.

In summary, use of the NSSP system, including BioSense and ESSENCE, is likely not a HIPAA violation, but the reach of the Privacy Rule is largely untested. Moreover, providers who do not report directly from their practice may otherwise unwittingly be disclosing PHI when they provide care at, or with, other entities that do report; as such, every provider may wish to evaluate (or re-evaluate) its relationships, local regulations and the information sharing/data use agreements between the CDC and their local health department to ensure compliance and the protection of their patients’ PHI.

[1] Idaho Uses Syndromic Data to Gain Insight Into Suicide Risk | National Syndromic Surveillance Program (NSSP) | CDC.

[2] Bioterrorism Surveillance and Privacy: Intersection of HIPAA, the Common Rule, and Public Health Law | AJPH | Vol. 98 Issue 5


Alex is an experienced litigator and member of the firm’s healthcare and litigation practices. He provides strategic advice to achieve his clients’ objectives with efficiency and clarity. To speak to Alex about this or other issues, call 208.562.4900 or send an email to aroll@parsonsbehle.com
