Chapter Four. Public Health Surveillanceand Medical Information Privacy

CHAPTER FOUR. PUBLIC HEALTH SURVEILLANCEAND MEDICAL INFORMATION PRIVACY

A. INTRODUCTION

Sound public health policy depends importantly on accurately identifying health risks and effective methods of decreasing or eliminating those risks. What is causing young men and women in a coastal city to fall ill with vomiting and dizziness—a bacterium in the water, a virus spread by sneezing, a chemical in the workplace, a saboteur or terrorist plot? How can it be eliminated? Can a viral or chemical agent be removed from the water supply or industrial process? If not, can it be reduced to a tolerable level? This chapter examines thepublic health programs that gather the information to answer such questions.

Section B provides background on the history and evolution of what is today called public health surveillance, beginning with case reports of contagious diseases at a time when medicine had no way to control epidemics, to current and proposed programs to collect information about people and their chronic diseases, DNA, and personal behaviors in data banks that could be electronically linked and accessed for use by physicians, public health policy makers, commercial marketing companies, and researchers.The explosion of information and the technology that makes it easy to use can create tensions between government’s legitimate need for good information about the health risks and public policy protecting personal privacy, and this section briefly reviews the sources of law governing information privacy. SectionCpresents major relevant U.S. Supreme Court decisions analyzing constitutional protection for information privacy.The remainder of the chapter examinessurveillance programsthat illustrate how information can be used for public health activities ranging from controlling epidemics to conducting research and policy analysis. This review begins with contagious diseases in SectionD, focusing on the HIV case reporting, which became controversial in part because it highlighted the role of case reporting in identifying people who can be subjected to compulsory isolation, discussed in Chapter Three.SectionElooks at the contentious question of how to distinguish surveillance programs that are engaged in public health practice to control disease from those that are conducting research with identifiable data that would require individual consent, and whether the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule clarifies or muddies the distinction. The boundaries between practice and research and the government’s power to compel information disclosure are further explored in SectionF, concerning cancer, chronic diseases, and environmental surveillance programs, and SectionG, concerning genetic information, newborn screening, and DNA banking.Throughout the chapter, the recurring questions are: What kind of information does government need to protect public health? When can government demand your personal health information without your consent or even your knowledge?[1]

Three themes are threaded though the materials in this chapter. First, the value of good information for public health policy sometimes competes for primacy with the values of personal autonomy and privacy. Reasonablepeopleweighthe two differently, often depending upon whether they are the observers or the observed. Second, the way in which courts balance the two depends importantly on the procedural posture of the cases they decide. For example, different statutes may authorize the ongoing collection of data or require a subpoena for specific documents. Personal health information is subject to a fragmented array of laws governing information privacy, often with ambiguous or unsettled applications and exceptions. The choice of law (or laws) turns not only on what information is collected, but who collects it, from whom, how it collected, how it is used, whether is kept secure and confidential, and whether and how it is further disclosed to third parties and for what purpose.

Finally, the explosion of data relevant to public health is challenging traditional conceptions of the types of information that should not be obtained without individual consent and information that should be shared without consent for the good of all, as well as what counts as a public health justification for such data collection. The apex of disease surveillance may have been the decades between 1955 and 1985, when public health officials were most true to Alexander Langmuir’s admonition that surveillance should be “information for action” and largely focused on communicable diseases.Courts have generally deferred to public health assessments that personal health information is necessary for “public health purposes” or “disease control.” Today, courts and public health practitioners may mean quite different things by those terms. With public health attention turned to “epidemics” of cancer, diabetes and obesity, the meaning of “disease control” as a justification for surveillance may undergo reexamination.

B. OVERVIEW OF PUBLIC HEALTH SURVEILLANCE

Ruth L. Berkelman ET AL ., Public Health Surveilance, INOxford Textbook of Public Health 759, 759-60 (Roger Detels ET AL. eds., 4thed. 2002)

* * *

Public health surveillance is the epidemiological foundation for modern public health.

. . . .

Definition

In 1963, Langmuir defined disease surveillance as ‘the continued watchfulness over the distribution and trends of incidence through the systematic collection, consolidation, and evaluation of morbidity and mortality reports and other relevant data’ together with timely dissemination to those who ‘need to know’. In 1968, the 21st World Health Assembly described surveillance as the systematic collection and use of epidemiological information for the planning, implementation, and assessment of disease control; in short, surveillance implied ‘information for action’.

. . . Thus, health information systems (for example, registration of births and deaths, routine abstraction of hospital records, health surveys in a population) that are general and not linked to specific prevention and control programmes do not, by themselves, constitute surveillance. However, data collected from ongoing health information systems may be useful for surveillance purposes when systematically analysed and applied on a timely basis.

History

. . . . Possibly, the first public health action that can be attributed to surveillance occurred in the 1300s when public health authorities in a port near the Republic of Venice prevented passengers from coming ashore during the time of epidemic bubonic plague in Europe. The first Bill of Mortality was issued in London in 1532 as a consequence of fear of a plague epidemic. . . .

William Farr is recognized as the founder of the modern concept of surveillance. As Superintendent of the Statistical Department of the General Registrar’s Office in Great Britain from 1839 to 1879, he collected, analysed, and interpreted vital statistics and disseminated the information in weekly, quarterly, and annual reports. . . . [and] took the responsibility of seeing that action was taken on the basis of his analyses.

In the nineteenth century, . . . Edwin Chadwick . . . investigated the relationship between environmental conditions and disease. . . . Louis Rene Villerme. . . analysed the relation between poverty and mortality in Paris. In the United States, Lemuel Shattuck also published data that related deaths, infant and maternal mortality, and infectious diseases to living conditions. He further recommended standardized nomenclature for cause of disease and death, and the collection of health data that included sex, age, locality, and other demographic factors. The first international list of causes of death was developed in 1893.

Increasingly, elements of surveillance were applied to aid in detecting epidemicsand in preventing and controlling infectious diseases. In 1899 the United Kingdom began compulsory notification of selected infectious diseases. National morbidity data collection on plague, smallpox, and yellow fever was initiated in 1878 in the United States and by 1925 all states were reporting weekly to the United State Public Health Service on the occurrence of selected diseases. In the public health context, the term surveillance was increasingly applied to programmes of reporting selected infectious diseases in a population, with less emphasis on its application to quarantine of individuals.

Similar reporting activities were occurring in Europeat about the same time. . . . However, many of the morbidity and mortality reporting systems . . . were still largely developed for long-term archival functions.

[Surveillance became important to public health activities in the 1950s.] In 1955 acute poliomyelitis among recipients of the poliomyelitis vaccine in the United States threatened national vaccination programmes that had just begun. [Ed.: This refers tothe Cutter incident.] . . . . [The CDC and state health departments] developed an intensive national surveillance systems [to report polio cases]. The surveillance data assisted epidemiologists in demonstrating that the problem was limited to a single manufacturer of the vaccine and allowed the vaccination programme to continue . . . . During the worldwide malaria control programme, surveillance was used to determine areas of continued transmission and to focus spraying efforts, as well as to document those areas without malaria. With the subsequent decline in malaria control efforts, surveillance data have documented the re-emergence of malaria in many areas of the world. . . .

Surveillance was also the foundation for the successful global campaign to eradicate smallpox. When the campaign began in 1967, efforts were focused on achieving a high vaccination level in countries with endemic smallpox; however, it was soon evident that the programme based on surveillance to target vaccination in limited areas would be more efficient. Smallpox reporting sources, usually medical facilities, were contacted on routine basis. . . .

[Perhaps greatest surveillance success story was that of HIV/AIDS.] Even before . . . HIV was identified, surveillance data contributed to identifying modes of transmission, population groups at risk for infection, and, equally important, population groups not at risk for infection. These data have been instrumental in directing public health resources to programmes, preventing further spread of HIV, and averting widespread public hysteria.

The need for a strong infrastructure for surveillance systems is currently being re-emphasized not only as countries face the emergence and re-emergence of infectious diseases but also as a result of the increasing threat of biological terrorism.

The potential usefulness of surveillance as a public health tool to address problems beyond infectious disease was emphasized in 1968 when the 21st World Health Assembly recommended the application of surveillance principles to a wider scope of problems, including cancer, atherosclerosis, and social problems such as drug addiction. Many of the principles of surveillance traditionally applied to acute infectious diseases have also been applied to chronic diseases and conditions, although some differences in surveillance techniques have been observed. . . .

In addition to the increased scope of health problems under surveillance, the methods of surveillance have expanded from general disease notification systems to include survey techniques, sentinel health-provider systems, and other approaches to data collection. . . .

The assimilation of computers into the workplace has made possible more efficient data collection as well as more rapid and sophisticated analyses. In the United States, all state health departments are linked to the CDC by computer for the routine collection and dissemination of selected data on notifiable conditions. . . .

The explosive development of technology will include the development of high-capacity storage devices, expansion of the capabilities of the internet, use of local- and wise-area networks for entry of surveillance data at multiple computers simultaneously, and development of new programming tools, video and computer integration, and voice and pen input. . . .

* * *

Notes and Questions

1. The chapter by public health scholars Berkelman, et al., uses the phrase “public health surveillance” in lieu of more traditional terms like “case reporting” or “disease surveillance.”In the middle to late twentieth century, the term disease surveillance replaced “case reporting” in order to encompassnewer and more sophisticated methods of data collection, including research studies like sample surveys, seroprevalence surveys, and capture-recapture studies.The more recent and even more generic “public health surveillance” expands the definition beyond disease to encompass all matters of interest to public health. This definition captures the positive, protective role of public health. It also may bring to mindlaw enforcement investigations conducted by the Federal Bureau of Investigation or clandestine foreign intelligence operations of the Central Intelligence Agency. Since September 11, 2001, at least one public health scholarhas used the term “health intelligence” to describe collecting and linking multiple sources of data about health and health risks.

2. Statutory requirements for reporting certain diseases were first adopted in European countries in the late 1800’s. Rhode Island required tavern owners to report customers with smallpox, yellow fever and cholera to local officials as early as 1741, but Michigan adopted the first American compulsory reporting law in 1893. All states now have “case reporting” laws requiring physicians (and often hospitals, laboratories and other health entities with relevant knowledge) to report to the state or local health department cases of “notifiable,” “communicable,” or “dangerous” diseases -- contagious infections that could be easily (and involuntarily) transmitted to others through the air, like tuberculosis, by touching the same objects, like smallpox, or by drinking the same water, like cholera. Most states also include sexually transmitted infections (STIs), such as syphilis and gonorrhea, as well as diseases that are new or not yet understood but which appear to be communicable, like SARS. Diseases like the common cold or influenza are not included, because they do not cause severe illness (in most cases; but see the discussion of influenza in Chapter Three). Reports were first made by sending a post card to the health department; more detailed forms followed. (A current example can be seen in Section E infra.)Beyond diseases, all states require reports of injuries like bullet wounds or injuries from firearms, knives or other sharp instruments, primarily for the purpose of criminal investigations.Cases of child abuse and, more recently in most states, elder abuse must be reported to the social services or health department to permit an investigation into whether the person needs protection. Cases requiring urgent intervention are reported by telephone. Electronic transmission is developing, but spotty. The basic structure of case reporting systems today differs little from the original design. In addition, births, deaths, marriages, divorces, and fetal deaths must be reported for compiling vital statistics.

3. Mandatory reporting laws can be a source of controversy. The rapid increase in data collection of all types and the expansion of public health into areas traditionally reserved to physicians on the one hand and biomedical researchers on the other have begun to test both the state’s power to compel the production of information and the law’s protection of individual autonomy and control of one’s personal information. Instead of privacy being what Justice Brandeis called the “right most valued by civilized men,”Olmstead v. United States, 277 U.S. 438, 478 (1928)(dissenting), it may become the right most challenged by technology and curiosity. Many in the public health community and their representatives have begun to argue that identifiable information about individuals should be more freely available to government agencies without the person’s knowledge or consent. Critics of this view do not dispute the value of information, but rather the need for so much identifiable information. They argue that both government agencies and commercial industry always offer a plausibly good reason for obtaining identifiable information without consent, so that such purposes offer no principled protection for privacy.

The threshold legal question in surveillance is whether the state can compel information to be reported without the consent of the person the information is about (e.g., a patient) or the person holding the information (e.g., a physician). The answer is, of course, it depends.

Specifically, it depends upon whether the information is personally identifiable and also upon one or more of the following factors:

• What use will be made of the information, immediately and in the future, and by whom
• Whether subsequent uses will be made with or without consent
• Whether the information will be linked or combined with information from other sources that makes identification possible
• Whether the information will be disclosed to third parties and whether they will subsequently disclose it to fourth and fifth parties
• Whether the information will be kept secure and inaccessible to anyone not authorized to view it, and kept or destroyed after use
• Whether there is an enforceable duty to keep the information secure and confidential on the part of all parties who receive or view it

4. Shortly before the first mandatory reporting law was enacted, Warren and Brandeis published their classic exposition of “the right to privacy,” the amorphous collection of rights and duties protecting individual control over one’s person and reputation.Samuel D. Warren & Louis D. Brandeis, The Right to Privacy, 4 Harv. L. Rev. 193, 196 (1890).Since that time, the scope and bounds of individual autonomy to control personal information has been developed and debated, but not fully delineated.In Katz v.United States, 389 U.S. 347, 350, n. 5 (1967), the United States Supreme Court noted,“Virtually every governmental action interferes with personal privacy to some degree. The question in each case is whether that interference violates a command of the United States Constitution." Protections against government intrusions into different personal and private matters can be found in the Fourth Amendment’s protection against unreasonable searches and seizures; the First Amendment’s protection of freedom of association; and the Fifth Amendment’s protection of liberty.The U.S. Supreme Court has distinguished the line of constitutional cases protecting information privacy or "the individual interest in avoiding disclosure of personal matters," (see Whalen v. Roe, infra) from the cases protecting personal autonomy in personal decision making concerning family, marriage, procreation, and raising children.(See Chapter Two.)Federal courts of appeal have also recognized that the Fourteenth Amendment protects a person’s privacy interest in personal information, especially medical information.