Expert Meeting on Privacy, Confidentiality, and Other Legal and ...

VOLUME 7NUMBER 2DATE 2009<strong>Expert</strong> <strong>Meeting</strong> on Privacy, Confidentiality, and Other Legal and Ethical Issues inSyndromic SurveillanceReport from an International Society for Disease Surveillance ConsultationWashington DC, October 4–5, 2007Michael A. Stoto, 1 James X. Dempsey, 2 Atar Baer, 3 Christopher Cassa, 4 P. Joseph Gibson, 5and James W. Buehler 61Department of Health Systems Administration, School of Nursing and Health Studies, Georgetown University, Washington DC.2Center for Democracy and Technology, Washington DC.3Public Health, Seattle and King County, Seattle, WA.4Massachusetts Institute of Technology, Cambridge, MA.5Health and Hospital Corporation of Marion County, Indianapolis, IN.6Epidemiology Department and Center for Public Health Preparedness and Research, Rollins School of Public Health, EmoryUniversity, Atlanta, GA.For syndromic and related public health surveillance systems to be effective, health departments need accessto a variety of types of health data. Since the development and implementation of syndromic surveillancesystems in recent years, health departments’ experience in gaining access to personal health information forsyndromic surveillance has been mixed. Although the HIPAA Privacy Rule permits health care providers to discloseprotected health information without patients’ consent to public health agencies for authorized purposes,some health care providers have cited HIPAA in refusing to provide data for syndromic surveillance. BeyondHIPAA, a variety of federal, state, and local public health laws enable, restrict, and otherwise influence the sharingof health information between health care providers and public health agencies for surveillance, as well asresearch, purposes. To address these issues in the context of syndromic surveillance practice, an expert meetingwas convened to (a) share experiences regarding privacy, confidentiality, and other legal and ethical issues;(b) clarify how these legal and ethical issues enable or constrain data sharing; and (c) identify approaches toprotect privacy and confidentiality.Rooted in the principle that state and local governments have inherent and broad powers to protect the health,safety and welfare of the people, public health agencies have the authority to collect personal health information,including the power to compel disclosure of such data under certain conditions. The precise limits of thesepublic health powers have never been defined, however, and are limited by and must be balanced with the rightof privacy. Although existing laws and regulations provide little clarity on how to balance disclosure risks andpotential benefits of public health actions that reasonably follow from surveillance, guidance can be found inthe principles known as the “Fair Information Practices.” Two specific fair information practices—specification ofpurpose and limitation on secondary use—are especially critical for syndromic surveillance.Considering these principles should help health officials to determine what level of health information detail,and thus what level of potential ability to identify individuals, is needed for the intended public health purpose,and whether surveillance will lead to effective public health action. The principles also suggest a number ofstrategies for dealing with concerns that the public or health care providers may have about sharing data withpublic health agencies: (a) improve communication with the public about how data are used to safeguard the1 Advances in Disease Surveillance 2009;7:2

2 Stoto et al.population’s health and how confidentiality is protected; (b) further develop approaches to sharing data in aggregateor de-identified form that have capability to link back to identified data when necessary; (c) further developstatistical approaches to anonymization and aggregation; and (d) conduct evaluation research and case studiesthat demonstrate utility and clarify how privacy and confidentiality are protected.INTRODUCTIONFor syndromic and related public health surveillancesystems to be effective, state and local health departmentsand the Centers for Disease Control and Prevention (CDC)need access to a variety of types of health data. Since thedevelopment and implementation of syndromic surveillancesystems in recent years, health departments have gainedvaried levels of access to personal health information forinclusion in these systems. A variety of federal, state, andlocal laws enable, restrict, and otherwise influence the sharingof health information between health care providers andpublic health agencies for surveillance, as well as research,purposes. Some health care providers have expressed reluctanceor refused to provide identifiable data for syndromicsurveillance to health departments (1), citing state privacylaws or the Health Insurance Portability and AccountabilityAct of 1996 (HIPAA) Privacy Rule (2). Although the HIPAAPrivacy Rule permits health care providers to disclose protectedhealth information without patients’ consent to publichealth agencies for authorized purposes, it does not supersedestate laws that provide greater protection of individualprivacy (2,3).The use of individuals’ health information for syndromicsurveillance poses challenging questions regarding theinterpretation and future development of ethical and legalstandards for public health practice and research. While thepractice of syndromic surveillance extends the longstandingtradition of public health surveillance as an essential elementof public health practice (4), it raises in a new lightequally longstanding questions about governments’ authorityto collect and use health information (5). As the practiceof syndromic surveillance evolves, it is in the national interestto clarify the conditions under which health informationcan be shared, the ways that privacy and confidentialitycan be protected, and the ways that local, state, and federalpublic health agencies can legally, ethically, and effectivelyexercise their respective responsibilities to detect, monitor,and respond to public health threats.CONSULTATION OBJECTIVES AND PROCESSTo address these issues, Georgetown University’s O’NeillInstitute for National and Global Health Law, with supportfrom the International Society for Disease Surveillance(ISDS), convened 17 experts in syndromic surveillance andrelated areas in Washington, DC, on October 4–5, 2007. Themeeting focused on the development, use, and evaluationof syndromic surveillance. Its objectives were (a) to shareexperiences regarding privacy, confidentiality, and otherlegal and ethical issues; (b) to clarify how these legal andethical issues enable or constrain data sharing; and (c) toidentify approaches to protect privacy and confidentiality.The participants are listed in Appendix I, and the consultationagenda appears in Appendix II. This report summarizesthe proceedings of the consultation. The participants had anopportunity to comment on earlier drafts, but do not necessarilyagree with every conclusion in this report. Moreover,this report does not represent the official position of the participants’agencies or organizations or the ISDS.BACKGROUND AND ASSUMPTIONSFor the purpose of the consultation, the participants choseto define “syndromic surveillance” broadly to include nearreal-time acquisition and use of nonclinical or prediagnostichealth data for population health monitoring purposes. Inthis sense, prediagnostic refers to information on symptomsand stages of a patient’s illness before a diagnosis is established.Because these systems emphasize timeliness betweenthe health-related events and when trends in these events canbe monitored, they typically use data that are routinely collectedand stored electronically and automate the process ofdata collection, management, and analysis to detect unusualpatterns such as unexpected numbers of cases.Participants held a range of views on the effectivenessof syndromic surveillance for achieving different goals. Itwas not the purpose of the consultation to address, let aloneresolve, questions of effectiveness. However, the legal justificationfor different methods of surveillance is rooted in thepresumption that the information obtained will lead to effectivepublic health action, so questions of effectiveness arerelevant. In this context, participants noted that the purposeof syndromic surveillance in public health practice is shiftingfrom an emphasis on the early detection of bioterrorismor other infectious disease outbreaks to other uses, includingidentification of potential cases of notifiable disease, surveillancefor noninfectious conditions such as chronic diseasesor injuries, and “situational awareness.” Such uses includefollowing up potential cases when aberrant trends aredetected, monitoring the course of outbreaks, monitoringseasonal illnesses such as influenza and viral gastroenteritis,and preparing for surveillance of pandemic influenza.It is important to note that the practical and legal justificationfor surveillance is based on public health agencies’Advances in Disease Surveillance 2009;7:2

Privacy, Confidentiality, and Other Legal and Ethical Issues in Syndromic Surveillance 3responsibility to monitor and to take action when necessaryto protect the community’s health. Such actions comprise aspectrum of public health activities, ranging from individualcase follow-up to program evaluation and policy development.These varying uses of surveillance result in varyinglevels of need for detailed information, for personal identifiers,and for timely data. For example, in some instances, datamay be needed daily to detect infectious disease outbreaksand respond in a timely way. In other instances, annual datamay be sufficient to guide programs, allocate resources, orset policies.Effective use of syndromic data sometimes requires thatpublic health epidemiologists have some capacity to “drilldown” or examine the data in more detail when aberranttrends are detected. This need derives from an importantattribute of syndromic surveillance: in order to assure thatsystems have sufficient sensitivity to detect events of publichealth significance, the systems inherently generate a sizeablenumber of statistical “false alarms” due to random variationin the data. Epidemiologists are able to dismiss someof these alerts by interpreting them in the context of theirknowledge and experience, including reviewing the syndromicdata in greater depth or considering the data in thecontext of other information. However, when these analyticmethods are insufficient and the initial assessment of thealert raises sufficient concern, it may be necessary to identifyindividuals in order to conduct further investigations.Health departments represented at the meeting receivepatient-level data from local hospitals in a wide variety ofways: (a) without any patient identifiers; (b) with the hospitals’medical record number; (c) with a code generated specificallyfor such reporting; and (d) with a combination ofthese methods. Participants noted that in some public healthdepartments epidemiologists have direct access to hospitalinformation systems, particularly if the hospital is managedby a public health agency, enabling them to conduct preliminaryfollow-up assessments of alerts without troublinghospital staff. In one jurisdiction, data are shared througha preexisting Regional Health Information Organization(RHIO). In another, complete identified data are shared forpatients with certain pre-identified conditions, and the list ofconditions can be expanded through a formal approval process.For those hospitals that provide detailed clinical anddiagnostic data to the CDC’s BioSense program, CDC hasthe capacity to conduct detailed follow-back assessmentswith data maintained at CDC (6,7).In practice, a variety of concerns can discourage or evenprevent the sharing of data for syndromic surveillance purposes.Most prominent among them are concerns aboutpatient privacy and confidentiality that are reflected in variousfederal, state, and local laws and regulations and in theHIPAA Privacy Rule (2,3), and in varying interpretations ofthese laws and regulations, by health care providers and publichealth agencies. CDC technical guidance and stipulationsattached to the funding also shape health departments’ privacyand confidentiality practices. In addition, data ownersmay be willing to share data with their local or statehealth department but may have concerns about potentialsubsequent access and use by others, including researchers,agencies aside from public health departments, or the federalgovernment. The personnel or other operational costs ofsharing data, as well as proprietary concerns and turf issues,may also discourage data owners from sharing informationwith public health agencies.Local health departments also express concern aboutinformation overload, including the large numbers of falsepositives alerts that nevertheless require preliminary investigations,and about their ability to interpret surveillancereports for higher-level authorities. The sense that the effectivenessof syndromic surveillance is not yet proven, especiallyfor early detection of bioterrorist attacks, can alsodiscourage sharing data.LEGAL AUTHORITIES FOR SYNDROMICSURVEILLANCEAt its core, public health surveillance stands on firm legalfooting, rooted in the principle that the state governmentshave inherent and broad sovereign power (commonly calledthe “police power”) to provide for the health, safety, andwelfare of the people. It has long been recognized that thispower includes the authority to collect personal information,including the power to compel disclosure of health data forsufficiently justifiable purposes. The precise limits of thepolice power have never been defined. Specifically withrespect to information collection and disclosure, the policepower is limited by constitutional protection of the right toprivacy in one’s personal medical information. The scopeof this right to information privacy also remains unsettled.Typically, the purpose of a data collection program is balancedagainst the loss of privacy it may entail. Though theU.S. Supreme Court has upheld reporting requirementsgenerally (7), the absence of specific guidance from theCourt makes it difficult to determine how to strike the balancebetween the potential benefits of public health actionsand risks to privacy in public health surveillance systemslike syndromic surveillance. In these circumstances, publichealth officials must use their authority judiciously inorder to maintain public support and ultimately legislativeapproval to retain this authority (8,9).Compounding the questions inherent in the conceptof privacy and its codification in the HIPAA Rule, publichealth officials are dealing with rapid changes in the natureof health care and public health itself. First, there is a trendtoward the digitization of medical records and the ability totransfer large quantities of data by electronic means and toanalyze them by sophisticated statistical techniques, creatingthe opportunity for public health to access more data, inAdvances in Disease Surveillance 2009;7:2

4 Stoto et al.greater detail. These capabilities may generate both greaterpublic concerns about privacy and greater public expectationsabout the ability of health departments to automaticallydetect unusual disease trends and monitor populationhealth status.A second trend is the growing public health emphasison an expanding array of noninfectious conditions, such aschronic diseases, disabilities, injuries, or reproductive healthoutcomes and their behavioral or environmental antecedents.Surveillance for noninfectious conditions has long been partof modern public health practice, but the growing emphasison health promotion and prevention of a large spectrum ofdiseases has expanded the scope of what data are of value topublic health programs and policies (10).A third trend is the increasing role of the federal governmentin public health. Unlike the states, the federal governmentdoes not have general police powers, and its authorityto collect public health data rests on less comprehensivegrounds, such as national defense, immigration, regulationof interstate commerce, the ability to attach conditions tofederal spending, and border control. However, in recentyears, particularly since 9/11, heightened concerns withbioterrorism and naturally emerging microbial threats haveaccelerated the expansion of federally managed and federallyfunded public health activity. Some of these initiativesinvolve the transfer of large volumes of data to the federalgovernment, bypassing the traditional role of local and statehealth departments in managing the collection of surveillancedata and transferring it to a federal database for analysisand possible action. Notably, CDC’s BioSense programinvolves the transfer of large volumes of data directly fromparticipating hospitals to the federal government, bypassingthe traditional role of local or state health departments inmanaging the collection of surveillance data, and transferringit to a federal database for analysis and possible action(6). * A wide variety of federal, state, and local laws and regulationsauthorize and regulate public health surveillanceactivities as well as seek to protect privacy and confidentiality(8). In addition to the federal constitutional right to privacy,there are state common-law rules, statutes, and somestate constitutional provisions that protect rights of privacyin medical information. The laws of many states generallyforbid physicians and other care providers from disclosinga patient’s identifiable information without the patient’sconsent. For this reason, specific state legislation may be*While the BioSense program still includes hospitals that reportdetailed clinical data directly to CDC, efforts to recruit additionalhospitals to report in this manner has been superseded by a strategyto obtain less detailed information from existing local or statesyndromic surveillance networks, restoring the traditional pathwayfor health information flow to CDC, and to a longer-term strategythat extends the use of decentralized surveillance methods (6).required to authorize state public health agencies to collectand use identifiable personal information for public healthpurposes. As noted earlier, the constitutionality of theselaws depends upon whether the state’s reason for collectingthe data outweighs individuals’ reasonable expectations ofprivacy in the information. Many of these laws date fromlong before the introduction of electronic data systems orgrowing federal involvement in public health surveillance; itis unclear whether the legislatures intended the kinds of datasharing contemplated by today’s programs. Indeed, syndromicsurveillance per se is the subject of only a few veryrecent and specific laws that specifically authorize or mandateparticipation in local or state syndromic surveillancenetworks. Elsewhere, public health agencies have adoptedregulations or initiated syndromic surveillance under theumbrella of existing public health reporting laws.Specific laws setting out detailed reporting requirementsfor syndromic surveillance may make it easier for data ownersto share data with public health authorities. However,in the absence of such specific laws—or in the politicalprocess needed to develop a reporting law for syndromicsurveillance—health departments and health care providersare understandably left with a lot of questions because ofdifferences in what is meant by “syndromic surveillance,”differing federal, state and local responsibilities, and confusionabout the HIPAA Privacy Rule. As a result, the currentlegal framework for syndromic surveillance does notprovide clear guidance to public health practitioners. Thereis a need for a rational framework that can guide policymakersand public health professionals as they necessarily andappropriately seek to balance disclosure risks against potentialbenefits of public health actions that reasonably followfrom surveillance and against competing public health prioritiesand broader societal interests.The HIPAA Privacy Rule and Syndromic SurveillanceAlthough a variety of laws and regulations both enableand restrict public health surveillance, health officials, policymakers, and others typically focus their attention on theHIPAA Privacy Rule (11). This rule generally governs thedisclosure of personally identifiable health information byhospitals and other health care providers (called “coveredentities”). HIPAA provides an important addition to the lawsgoverning health privacy in the United States, but it doesnot supersede (preempt) applicable state laws that providegreater privacy protection. The HIPAA Privacy Rule has alsobeen the subject of considerable confusion and controversy.The complexity of the rule and the ambiguities surroundingkey terms often lead to differences of opinion about what ispermissible and what is not.A key attribute of the HIPAA Privacy Rule is that it appliesonly to disclosures of “individually identifiable health information.”While there is debate about what is “identifiable,”Advances in Disease Surveillance 2009;7:2

Privacy, Confidentiality, and Other Legal and Ethical Issues in Syndromic Surveillance 5the rule clearly contemplates disclosures of de-identifieddata without patient authorization. However, because surveillanceparameters such as the date of health care visits,the Zip code or country of residence are considered as “identifiers”by HIPAA, there is a wide range of syndromic surveillancefunctions that could not be exempt from HIPAAon this basis alone.In the public health sphere, controversy has centered onthe rule’s exception permitting disclosure without patientauthorization of individually identifiable data for “publichealth activities and purposes.” Specifically, the HIPAArule allows a “covered entity” such as a hospital to discloseprotected information to(i) A public health authority that is authorized by lawto collect or receive such information for the purposeof preventing or controlling disease, injury, or disability,including, but not limited to, the reporting of disease,injury, vital events such as birth or death, and theconduct of public health surveillance, public healthinvestigations, and public health interventions; or, atthe direction of a public health authority, to an officialof a foreign government agency that is acting in collaborationwith a public health authority (12).This exception is not limited to disclosures of so-called“notifiable diseases,” the specified diseases or conditionsthat health care providers are required by law to report topublic health authorities. Rather, disclosure can be made forpatients with other conditions in circumstances where publichealth officials have the authority to investigate unusualcases or clusters of disease that may herald or represent abroader threat to public health.This provision is qualified in that such release of informationis limited to “the minimum necessary information toaccomplish the intended public health purpose of the disclosure”(10), except for disclosures that are mandated by stateor local law. In the absence of a state or local law requiringdisclosure, the “minimum necessary” standard introducessome uncertainty. For purposes of syndromic surveillance,public health agencies have defined this minimum in variousways, with varying degrees of acceptance by hospitals andother health care providers. In particular, the minimum necessarydetermination depends on a range of factors, includingthe purpose and scope of the program (is it focused onbioterrorism, looking for patterns indicative of an infectiousdisease epidemic, or collecting data on any problem or conditionthat might be of public health concern?) and the possiblepublic health actions that might be taken in response to theinformation (will some of these actions require public healthofficials to contact individual patients or ask clinicians to reidentifyindividual patients to obtain further information?).In an effort to define “individually identifiable,” theHIPAA Rule provides different ways to ensure that dataare sufficiently stripped of identifying information so thatthey can be disclosed without patient authorization. Thefirst, sometimes referred to as “the safe harbor,” is to stripthe data of 18 specified kinds of information that could beused to re-identify individuals (13). A second, less extremeapproach (intended to make data available for research purposes)is to strip out all obvious identifiers, while leaving insome information such as Zip Code of the place of residenceand age group. The resulting data are called a “limited dataset,” which can be disclosed if the covered entity obtains satisfactoryassurance, in the form of a “data use agreement,”that establishes who is permitted to use the limited data setand for what purposes, and that the recipient will not use itfor other purposes and will safeguard it appropriately (11).Under either of these approaches, the Privacy Rule permitsa covered entity to assign to, and retain with, the de-identifiedhealth information, a code or other means of recordre-identification if that code is not derived from or relatedto the information about the individual and is not otherwisecapable of being translated to identify the individual.Another issue facing public health officials is whethersome data collection and assessment activities should beconsidered research. Research at institutions receiving federalresearch funds must conform to federal regulations thatprotect human subjects in research and require institutionalreview board (IRB) approval. If a public health activity isresearch, then the question also arises as to whether the publichealth or research exemptions in HIPAA apply (2,11,14).This distinction is sometimes unclear or debatable (15,16), aswas evident from the differing views of meeting participants.As a result, the participants did not attempt to clarify orredefine this boundary in the context of syndromic surveillancedevelopment, operation, or evaluation. However, to theextent that surveillance is conducted for research purposesrather than for authorized public health functions, it is likelyto be subject to the consent requirements of applicable laws.In other words, agencies that conduct surveillance must bealert to the purpose for which they collect data, because thepurpose and use of the data—research versus public healthpractice—largely determine what laws apply.FAIR INFORMATION PRACTICESIn the absence of definitive court decisions or law fullyspecifying what data can be collected and used for differentpurposes, those working in syndromic surveillance can seekguidance from the principles known as the fair informationpractices (FIPs).” The FIPs are a widely accepted privacyframework, first developed in the 1970s by an AdvisoryCommittee to the U.S. Department of Health, Education andWelfare, and later refined and expanded. They have beenembodied in privacy or “data protection” law worldwide,serving as the basis for directives of the European Union,influential guidelines of the Organization for EconomicCooperation and Development, and an emerging privacyAdvances in Disease Surveillance 2009;7:2

6 Stoto et al.framework in Asia. In the United States, the FIPs can befound in the federal Privacy Act (17), which is generallyapplicable to all U.S. government systems of records, and inother federal privacy laws. Most importantly, the FIPs servedas the basis for the HIPAA Privacy Rule, although that ruleis so complicated that it is hard to discern the framework.There are various formulations of FIPs, but we find thefollowing 10 to be most comprehensive and useful as aframework for considering the privacy issues raised in syndromicsurveillance practice. The relevance and implicationsfor the FIPs for syndromic surveillance are discussedin the next section.1. Notice (or openness). An entity (in this case, both theentity that engages with the patient and the public healthauthority) should disclose when it is collecting data andspecify what data it is collecting, through a publishednotice and wherever possible on an individual basis.Sometimes notice is combined with individual choiceor consent, which may be expressed through an opt-outor an opt-in. Public health uses, however, may not besubject to a requirement of individual consent, at leastnot when disclosure is required by law.2. Purpose specification. The notice should specify thepurpose for which data is being collected. This importantprinciple impels the data collector to think throughin advance what are all the purposes for which the datawill or could be used.3. Collection limitation. The entity collecting data shouldcollect no more than is relevant and necessary for thespecified purpose.4. Retention limitation. An entity should retain informationin personally identifiable form no longer than isnecessary for a specified purpose.5. Use and disclosure limitation. An entity should not useor disclose information for purposes other than thosespecified at the time the information was collected. Inother words, uses and disclosures should be tied backto the purpose specification. An entity should obtainindividual consent before disclosing data for uses thatdepart from the purpose specification.6. Data quality. An entity holding personal information isresponsible for ensuring that it is timely, accurate, andcomplete.7. Security. An entity holding personal information shouldtake reasonable measures to protect it against loss orunauthorized destruction, disclosure or alteration.8. Access to one’s own records. An individual should beable to obtain a copy of his or her records. Sometimes thisis more broadly defined as “individual participation” andmay include the element of individual control or consent.9. Redress. The subject of data should have the right tochallenge inaccurate data, to correct mistakes and toobtain redress for abuse.10. Accountability. Any privacy system should have a systemfor enforcement of the foregoing principles; thereshould be monitoring and auditing of information flows,and it should be clear who is responsible for enforcingthe rules.The FIPs are not absolutes, but rather serve as a frameworkor roadmap to navigate through the confusion aboutthe HIPAA Rule and the challenges posed by rapid changesin public health. The FIPs can serve as the basis for a “conceptof operations,” clarifying what information is being collected,for what purpose, with whom will it be shared, howlong will it be retained, how accurate and reliable is the information,how will the data be secured against loss or unauthorizedaccess, and how individuals will know the basis fordecisions affecting them and be able to respond to mistakes.The FIPs can also guide the drafting of a local ordinancerequiring designated entities to submit certain data, and canhelp legislative staff and public health officials to write a“legislative history” showing why it was justified and howits implementation will be accomplished. Such a historycan provide public health authorities a ground for defendingpolicies should they be challenged in court. Likewise,the FIPs can help in drafting data use agreements, providingin essence a checklist of issues that must be addressed andhelping allocate responsibilities among participants.Considerations for Syndromic SurveillanceThe relative importance of specific principles outlined inthe FIPs differ in the context of information managementsystems that are geared to providing health care services,reimbursement, or insurance versus syndromic surveillancesystems. We have outlined several considerations forthe interpretation of the FIPs as they relate to syndromicsurveillance.First, syndromic surveillance is essentially a secondaryuse of data collected in the process of providing health careto individuals, and the FIPs must be interpreted in this context.For example, given that syndromic data are generallycollected from institutions rather than individuals, the practiceof “notice” must be applied in that same framework.While public health uses of syndromic data are not subject toindividual consent, the notice principle could guide syndromicsurveillance practitioners to educate data sources aboutthe purpose and scope of data collection, including descriptionsof instances when investigations into public healththreats may prompt follow-back to individual patients, withthe involvement of health care providers where appropriate.Broadly, public health data collection purposes and proceduresshould be transparent to the communities that publichealth agencies serve.Second, it is important to recognize that, as understandingis growing about the types of events and situations wheresyndromic surveillance is more or less useful, the purposeAdvances in Disease Surveillance 2009;7:2

Privacy, Confidentiality, and Other Legal and Ethical Issues in Syndromic Surveillance 7of these systems have shifted over time. Systems that wereat one time designed for bioterrorism detection or as earlywarning systems might now be used for situational awareness.Indeed, such flexibility is a recognized desirableattribute. The FIPs relating to purpose specification and collectionlimitation should not be so rigid as to restrict thesesystems from evolving to meet the standard of practice; however,they could serve to guide practitioners to communicatewith data providers when the purpose of their systems hasshifted over time, and periodically reevaluate, as appropriate,the necessity of collecting certain data elements to supportthat specified purpose.For infectious diseases, the following criteria can help todetermine how much data to collect and how to use the data.Although no single factor is definitive, the following shouldbe considered: (a) the extent to which the disease in questionis transmissible from person to person; (b) disease severity;(c) the extent to which identification and reporting of peoplewith the condition benefits those individuals; (d) the extentto which identification and reporting of people with the conditionis effective in controlling spread in the population (eg,treatment may also lessen transmissibility); (e) the value ofimplementing such interventions sooner rather than later; (f)the vulnerability of the affected population; and (g) the sensitivityof the information reported (10,18). Similar considerationsmay shape assessments of the level of detail neededin to allow for “drill down” assessments in syndromic datafollowing statistical alerts.Third, the principle of “retention limitation” may havelimited relevance for syndromic surveillance, if the informationreceived by public health agencies is generally nottraceable to individuals without collaboration from healthcare providers, where such assessment is merited and justifiableunder state laws. To the extent that syndromic recordsmaintained by health departments contain record numbersthat can be used to link back to patient records, considerationshould be given to the duration of time that such numbersare needed.Similarly, the interpretation of the “use and disclosurelimitation” has different implications for health care settings,where medical records serve the primary purpose ofenabling individual patient care versus public health departments,which legitimately use those data for the secondarypurpose of health surveillance without obtaining patientconsent. This FIP cautions public health agencies against“tertiary” uses and could also help guide them in describinghow they might share syndromic surveillance data withthird parties, such as research investigators, for example, byproviding data in aggregate form and enacting strict assuranceswhich prevent the potential identification of individuals.This FIP could also guide health departments tocommunicate with, and seek permission from, data providerswhen considering use of the data that shifts from theoriginal intent.Finally, the FIPs describing “data quality,” “access to one’sown records” and “redress” have special considerations inthe context of syndromic surveillance. “Data quality” doesnot mean absolute accuracy, but rather a level of adequacylikely to produce reliable outcomes in the particular context.Even though health departments have limited, if any,control over the quality of the data captured from individualpatients, they should consider whether the data they areacquiring is suitably accurate for that purpose and whetherthere are ways to obtain more accurate data. Furthermore,any public health intervention that might result in a directinteraction with a patient as the result of a syndromic surveillancerecord would necessarily occur through collaborationwith the data provider, who must account for its disclosuresto public health unless a data use agreement is signed. Interms of access, health departments are appropriate pointsof contact for individual access to one’s own records onlyto the extent that their data is reasonably accessible by individualidentifiers.DEALING WITH CONCERNS ABOUT SHARING DATAConsideration of the FIPs suggests a number of strategiesfor dealing with concerns about sharing data between healthcare providers and with public health agencies.First, it is important to improve communication with thepublic about how data are used to safeguard the population’shealth and how confidentiality is protected. The latterincludes distinguishing between identifiable patient-leveldata and aggregated and processed information such as diseaseincidence rates and the role of different types of informationin detecting, characterizing, or monitoring potentialor actual outbreaks of disease in a community. It shouldalso be noted that approaches to sharing data vary in thedegree to which the data are de-identified, and that the needfor identified data varies with the intended application andwhether it will be used at the local, state, or federal level.The need for individual-level data is most clear at the locallevel, where it allows for “drill down” assessments of statisticalalerts and follow-back to individuals when required.Individual-level data also allow for substantial flexibility inanalyses, justifying such data collection even when individual-levelpublic health interventions are unlikely. Sometimes,however, aggregate data alone are sufficient to guide publichealth actions, particularly at the federal level. For instance,aggregate data could be analyzed for anomalies that wouldtrigger collection of identified individual level data. At thepoint when there is evidence of an emerging event of concern,accessing personal information may be important foridentifying and containing the threat. Alternatively, in thelater stages of an influenza pandemic, when tracking individualpatients is no longer feasible or has diminished value,aggregate data can be evaluated to identify the populationsthat are most heavily affected and to help distribute resourcesAdvances in Disease Surveillance 2009;7:2

8 Stoto et al.accordingly, without knowing which particular patients areinfected.However, even at the state and federal levels, analysesof data to examine risk factors for disease or characterizetrends, while taking into account potentially confoundingfactors, may require access to individual-level data (but notnecessarily as many data elements, as are needed for localuses). Other multi-state or national-level uses, however, maynot require individual-level data, as illustrated by the ISDS’proof-of-concept project for collating aggregate syndromicsurveillance data for influenza surveillance (see http://www.syndromic.org/projects/DiSTRIBuTE.htm).Second, public health authorities and other stakeholdersshould further develop approaches to sharing data in aggregateor de-identified form that have “drill-down” or “breakthe glass” capability when it is necessary, such as examiningspecific chief complaints that contribute to a statisticalalert in a syndrome category or patient demographic attributesto assess whether the events that contributed to analert were related. As described above, consultation participantsdescribed the current norm of syndromic surveillancepractice that allows this by collecting individual-level datawithout specific identifiers or with a code or record numberwhere the link to patients’ identity is retained by participatinghealth care providers.Changing the process so that aggregates are created byeach participating hospital could ease confidentiality concerns,but could result in substantial increases in requestsfrom public health agencies for hospitals to conduct assessmentsthat could otherwise be done by health departmentstaff when statistical alerts occur, as they often do. Otheroptions include using a regional data repository, collectingdata only from individuals with certain syndromes (witha process for approval of an expanded list when necessary),and a direct connection to provider data systems.The operating policies of such systems need to specifywhat data are shared on a regular basis, what can be sharedwhen there is an indication of a potential public healthproblem, and the conditions that would trigger expandedaccess. The optimal approach is to retain data where theywere created, allowing access as needed. However dataaccess is arranged, practitioners at the meeting stressedthe importance of keeping its interpretation as close to thesource of data as possible, in other words ensuring thatthose who know the data systems and local health caresituations best are involved in conducting and interpretingthe analyses.Third, statistical approaches to anonymization and aggregationshould be explored and further developed to mitigateprivacy concerns. For example, spatial data can be highlyidentifying and thus pose a special confidentiality threat.Even geographical data published in low-resolution mapscan reveal exact or nearly exact patient home addresses(19). While individual-level data and spatial visualizationsmay be needed by a local health department to conduct itsepidemiologic investigations, anonymized, or even dataaggregated by day and age group may be almost as usefulin many routine applications (20), and may be sufficient forsurveillance at the national level, where the primary objectivemay be to summarize spatial and temporal trends, andwhere drill-down capability to an individual level may notbe necessary to support that objective.Anonymization can be accomplished, for instance, byaggregating data with the same Zip code or age group, removingportions of those fields (eg, the last two digits ofZip code and the month and day of birth), aggregatingnearest neighbors, and randomly skewing geocoded data.Another recent advance includes population-density adjustedGaussian anonymization (19,20), which is designedto increase anonymity (at a cost of decreased sensitivityand specificity of cluster detection). Research suggests thatexisting algorithms can add anonymity to a dataset in a waythat does not appreciably alter the detection performance ofclustering and machine learning algorithms (20,21). Thesemethods and their potential tradeoffs may be worthy of furtherexploration in the context of sharing local data withnational surveillance systems. Questions to address includethe level of anonymization that best balances public healthutility and privacy protection, and whether these approachescan assuage concerns yet still provide useful surveillancedata.Finally, since the justification for any particular surveillanceprogram should be linked to public health uses andactions, there is a need for additional evaluations that demonstratethe utility of syndromic surveillance for variouspurposes and clarify how privacy and confidentiality areprotected across the stages of event recognition, assessment,and response.ACKNOWLEDGMENTSThis meeting was supported in part by the O’Neill Institutefor National and International Health Law at GeorgetownREFERENCES1. Drociuk D, Gibson J, Hodge J. Health information privacyand syndromic surveillance systems. MMWR. 2004;53(Suppl):221–5.2. HIPAA Privacy Rule, 45 CFR § 164.3. HIPAA Privacy Rule, 45 CFR § 160.203.4. Buehler JW. Surveillance. In: Rothman KJ, Greenland S, LashT, eds. Modern Epidemiology. 3rd edition, Philadelphia, PA:Lippincott, Williams and Wilkens; 2008:459–80.5. Bayer R, Fairchild A. Surveillance and privacy. Science.2000;5498:1898–99.Advances in Disease Surveillance 2009;7:2

Privacy, Confidentiality, and Other Legal and Ethical Issues in Syndromic Surveillance 96. Centers for Disease Control and Prevention. Biosense, 2008.CDC Web site. http://www.cdc.gov/biosense.7. Whalen v. Roe, 429 U.S. 589 (1977) (upholding New York lawrequiring prescriptions of certain drugs to be reported).8. Mariner WK. Mission creep: public health surveillance andmedical privacy. Boston Univ Law Review. 2007;87:347–95.9. Gostin LO. Public health law: power, duty, restraint. London,England: University of California Press; 2000:287–304.10. Stoto MA. Public health surveillance in the 21st century:achieving population health goals while protecting individuals’privacy and confidentiality. Georgetown Law Journal.2008;96:703–19.11. Centers for Disease Control and Prevention. HIPAA privacyrule and public health: guidance from the CDC andthe US Department of Health and Human Services. MMWR.2003;52(S-1):1–12.12. HIPAA Privacy Rule, 45 CFR §164.512(b)(1)(i).13. HIPAA Privacy Rule, 45 CFR § 164.514 (e).14. Council of State and Territorial Epidemiologists (CSTE). Publichealth practice vs. research: a report for public health practitionersincluding cases and guidance for making distinctions.CSTE Web site. http://www.cste.org/pdffiles/newpdffiles/CSTEPHResRptHodgeFinal.5.24.04.pdf. Published May 24,2004.15. MacQueen KM, Buehler JW. Ethical issues in HIV, STD, andTB public health practice and research: results of a workshop.Am J Public Health. 2004;94:928–31.16. Fairchild A. Dealing with Humpty Dumpty: research, practiceand the ethics of public health surveillance. J Law, Med &Ethics. 2003;31:615.17. The Privacy Act of 1974. 5 U.S.C. §552a.18. Centers for Disease Control and Prevention. UpdatedGuidelines for Evaluating Public Health Surveillance Systems.MMWR. 2001;50(RR13):1–35.19. Brownstein JS, Cassa CA, Mandl KD. No place to hide: reverseidentification of patients from published maps. N Engl J Med.2006;355:1741–42.20. Brownstein JS, Cassa CA, Kohane IS, Mandl KD. An unsupervisedclassification method for inferring original case locationsfrom low-resolution disease maps. International Journalof Health Geographics. 2006;5:56.21. Cassa CA, Wieland SC, Mandl KD. Re-identification of homeaddresses from spatial locations anonymized by Gaussian skew.International Journal of Health Geographics. 2008;7:45.APPENDIX IList of ParticipantsAtar Baer, PhD, Public Health-Seattle & King CountyBenjamin E. Berkman, JD, MPH, O’Neill Institutefor National and Global Health Law, GeorgetownUniversityJames Buehler, MD, Department of Epidemiology andCenter for Public Health Preparedness and Research,Rollins School of Public Health, Emory University, andGeorgia Division of Public HealthChristopher Cassa, PhD, Harvard/MIT Division of HealthSciences and Technology, Massachusetts Institute ofTechnologyJames Dempsey, JD, Center for Democracy andTechnologyP. Joseph Gibson, MPH, PhD, Health & HospitalCorporation of Marion County (Indianapolis)Julia E. Gunn, RN, MPH, Boston Public HealthCommissionMelissa Higdon, School of Nursing and Health Studies,Georgetown UniversityW. Gary Hlady, MD, MS, Medical Epidemiologist forEmergency Preparedness, California Department ofHealth ServicesJoseph Lombardo, Johns Hopkins Applied PhysicsLaboratory/ESSENCEWendy K Mariner, JD, LLM, MPH, Boston UniversitySchool of Public HealthJohn Monahan, O’Neill Institute for National and GlobalHealth Law, Georgetown UniversityElizabeth Rea, Toronto Public Health and University ofTorontoRobert Rolfs, Utah Department of HealthHenry Rolka, Centers for Disease Control and PreventionMark Smith, MD, MedStar HealthAmy Sonricker, MPH, International Society for DiseaseSurveillanceMichael A. Stoto, PhD, Professor of Health ServicesAdministration and Population Health, School ofNursing and Health Studies, Georgetown UniversityAdvances in Disease Surveillance 2009;7:2

10 Stoto et al.APPENDIX IIAgenda for Thursday, October 4, 20079:00–9:15 Welcome and meeting objectives9:15–9:30 Introductions9:30–11:00 Public health practice perspective; presentationsby• Julia Gunn, Boston Public Health Commission• Atar Baer, Public Health-Seattle & KingCounty• Joe Gibson, Health & Hospital Corporationof Marion County• Gary Hlady, California Department ofHealth Services• Elizabeth Rea, Toronto Public Health11:00–11:15 Break11:15–12:15 Issues in sharing health-related data for syndromicsurveillance; presentations by• Chris Cassa, Harvard/MIT Division ofHealth Sciences and Technology• Mark Smith, Department of EmergencyMedicine, Georgetown University School ofMedicine & Washington Hospital Center• Joe Lombardo, Johns Hopkins AppliedPhysics Laboratory• Henry Rolka, CDC12:15–1:00 Lunch provided in meeting room1:00–2:00 Discussion of practice issues• What data are needed for effective syndromicsurveillance? How does this vary bytarget condition, stage of the surveillanceprocess (eg, outbreak detection, investigation,case tracking, situational awarenessetc.), and other factors?• What concerns prevent or discourage hospitalsand other data owners from providingsyndromic surveillance data to public health?Patient privacy concerns? Proprietary concerns?HIPAA regulations? Personnel or othercosts for sharing data? Other concerns?• What are effective strategies for dealing withthe concerns of data owners about sharing informationsyndromic surveillance data withpublic health? Can technical approaches to deidentificationassuage concerns yet still provideuseful surveillance data? What level of aggregationbest balances utility and privacy protection?Can data be shared in aggregate form butwith “drill-down” capability when necessary?2:00–3:00 Legal perspective; presentations by• Jim Dempsey, Center for Democracy andTechnology• Wendy Mariner, Boston University3:00–3:15 Break3:15–5:00 Discussion of legal authorities and ethicalresponsibilities• What are the legal authorities that enablesyndromic surveillance at the local, state,and federal level? Is more specific authorityneeded?• What does the HIPAA Privacy Rule actuallyimply for syndromic surveillance? In whatcircumstances does the public health practiceclause allow syndromic surveillance? Isspecific legal authority necessary? Are datause agreements (DUA) necessary? Is personalhealth information (PHI) that is “deidentified”according to HIPAA standardsuseful for syndromic surveillance?• How do other federal, state and local lawsand regulations enable, restrict, and otherwiseinfluence the ability to share data forpublic health surveillance purposes?• How does the application of the HIPAAprivacy rule and other laws and regulationsdepend on whether data are being used forresearch as opposed to public health practice?In this context, how are distinctionsmade between research, practice, and evaluationof public health practice? Is some newform of ethical review called for?• If syndromic surveillance data are sharedwith law enforcement and intelligence agencies,or used for other nonpublic health purposes(or perceived by the public as beingused for these purposes), how with that affectthe public’s confidence in public health andpublic health’s ability to function?Agenda for Friday, October 5, 20079:00–10:30 Discussion of issues from previous day10:30–10:45 Break10:45–12:00 Identification of areas of consensus andwhere further research is needed12:00–12:30 Dissemination plansAdvances in Disease Surveillance 2009;7:2