2: The Legal Basis for Public Health Surveillance



Gail Horlick¹ and Jean O’Connor²


¹ Centers for Disease Control and Prevention, Atlanta, GA, USA


² Georgia Department of Public Health and Rollins School of Public Health, Atlanta, GA, USA


Introduction


Surveillance for diseases and conditions is one of the main means by which public health practitioners assess the health of the population. Public health surveillance is the “ongoing systematic collection, analysis, and interpretation of outcome-specific data for use in the planning, implementation, and evaluation of public health practice” [1]. Surveillance data are used for a variety of purposes including detecting emerging diseases and conditions; drawing conclusions about the causes of cases of diseases or illnesses; determining when to implement control measures; assessing the effectiveness of public health interventions and programs; and understanding the underlying causes of morbidity and mortality [2–4].


There are many approaches to and types of public health surveillance including passive, active, sentinel, special systems (e.g., syndromic surveillance), and statistical (e.g., sampling the population to infer the burden of a certain disease across a larger population) [5]. In each type of surveillance, data are collected or analyzed by different means. For example, passive surveillance involves direct reporting to a state or local health department of cases of diseases, most often infectious diseases such as HIV. However, generally speaking, public health surveillance involves the collection of information about individual cases of diseases or illnesses. These data are frequently collected along with identifying demographic information, such as name, age, sex, and county of residence. Because health authorities collect and use individually identifiable data, ethics and trust play a very important role in the relationship between health authorities and the public.


The unwarranted disclosure of personally identifiable healthcare information may adversely affect an individual’s ability to obtain or maintain insurance, employment, or housing [6]. There may be financial harm as well, such as the inability to obtain a loan based on a diagnosis of cancer or another illness or condition. A person may also experience mental distress, social stigmatization, and discrimination [7]. In situations involving intimate partner violence, the disclosure of an address can be harmful to a person and their family. Individuals concerned about their immigration status may also avoid health care if they fear disclosure of their address. If a person avoids care or treatment because of these concerns, their health may deteriorate; in some cases, a person with a communicable disease may become a threat to the public’s health.


De-identified health information neither identifies nor provides a reasonable basis to identify an individual [8]. The disclosure of de-identified information also may be harmful. Although de-identified data do not include names, de-identification does not usually remove information about race, ethnicity, gender, or religion [9]. Thus, all members of a group (e.g., an ethnic group) with an increased risk for developing a particularly stigmatizing condition (e.g., mental illness) could potentially suffer based on association with the group, even if an individual’s health records are not identified [9].


In the United States, law plays a very important role in public health surveillance and in protecting the privacy, confidentiality, and security of health information (Table 2.1). All surveillance, regardless of the type, is conducted based on a mandate from a legislative body. The legal mandate is either a general one granting health officials the broad authority to carry out the activities necessary to control disease or is specific to a certain disease. In some cases, the law also limits the information that can be collected by health authorities or limits disclosure of that information. The laws and the diseases and conditions covered by the laws vary significantly across jurisdictions in the United States [10]. Federal law also plays an important role in protecting individuals’ privacy and the confidentiality of public health data.


Table 2.1  Role of law in public health surveillance.

Privacy: An individual’s claim to limit access by others to some aspect of her personal life

Health informational privacy: An individual’s claim to control the circumstances in which personal health information is collected, used, stored, and transmitted

Confidentiality: A form of health information privacy that focuses on maintaining trust between two individuals engaged in an intimate relationship, characteristically a physician–patient relationship

Security: The technological, organizational, and administrative safety practices designed to protect a data system against unwarranted disclosure, modification, or destruction and to safeguard the system itself

Source: Gostin, LO. Public Health Law: Power, Duty, Restraint. California/Milbank Books on Health and the Public (2000). Reproduced with permission of University of California Press.

This chapter elaborates on this legal basis for public health surveillance; examines the balance between individual rights and the common good; and explores the relationships among law, surveillance, and technology using examples from the past decade.


The Roles of State and Federal Laws in Infectious Disease Surveillance


To understand the role of law in disease surveillance, particularly infectious disease surveillance, it is helpful to have a basic understanding of the legal framework that defines public health practice in the United States. The U.S. Constitution divides power between the federal government and the states [11]. It limits the authority of the federal government to specific enumerated powers (e.g., the regulation of interstate commerce), some of which are closely connected to public health and disease surveillance, but it reserves to the states the primary authority to regulate the public’s health.


These state powers are primarily in areas known as police powers, which include the power to take steps to protect and promote the public’s health. States exercise police powers through the adoption of statutes, which are written laws that specifically and generally authorize public health and other government officials to take steps to carry out the core functions of public health, including assessing the health of the population through disease surveillance. These and other public health–related statutes are carried out by state agencies—usually the public health agency—through programs, licensure, and regulations that implement laws.


States also adopt laws that control the ways in which disease surveillance can be conducted. All states have some sort of broad statutory language that requires some reporting of diseases of public health significance. The specific diseases and conditions that must be reported are not uniform throughout the United States [10,12]. For example, some state statutes and regulations allow public health officials to collect only certain types of information regarding individual cases of diseases, such as HIV or tuberculosis; or they limit the use of the information collected [13]. Some states do not have complete reporting laws. A Centers for Disease Control and Prevention (CDC) study published in 2002 showed that many states have deficiencies in immediate reporting requirements for category A agents (e.g., anthrax, botulism, plague, smallpox, and tularemia) [14]. A 2011 survey of states found that at least three nationally notifiable infectious conditions were not explicitly reportable across all states [12].


Federal laws also play an important role in the conduct of surveillance. Although the federal government does not possess police powers, the exercise of very broad specific powers of the federal government can impact how states carry out infectious disease surveillance and use the resulting data. The sections that follow describe examples of federal laws that protect the confidentiality of health information.


Privacy Act of 1974


The Privacy Act of 1974, as amended in 2009, governs the collection, use, and dissemination of personally identifiable information about living individuals that is maintained by a federal agency in a system of records [15]. A system of records is a group of records under the control of the agency from which information is retrieved by the name of the individual or by some identifier that uniquely identifies the individual such as a Social Security number [16]. The Privacy Act requires that agencies notify the public about their systems of records by publishing a notice in the Federal Register whenever a system of records is developed or revised [17]. The notice must include the name and the location of the system of records, the categories of individuals on whom records are maintained, the routine uses of records contained in the system, and individuals’ rights with regard to their records (e.g., the right to seek access to and request amendments to their records). The Privacy Act prohibits the disclosure of information from a system of records without the written consent of the individual, unless the disclosure is pursuant to one of 12 statutory exceptions. For example, the Privacy Act permits the disclosure of identifiable information pursuant to a court order or pursuant to a showing of compelling circumstances affecting the health or safety of an individual [18].


HIPAA Privacy Rule


The U.S. Department of Health and Human Services issued the HIPAA Privacy Rule [19] to implement the Health Insurance Portability and Accountability Act of 1996 (HIPAA) [20]. The Privacy Rule became fully effective in 2004; and it established, for the first time, a set of national standards for the protection of individually identifiable health information called protected health information (PHI). The Privacy Rule regulates the use and disclosure of PHI in any form (e.g., paper, electronic) by entities subject to the rule. These so-called “covered entities” include health plans, healthcare clearinghouses, and providers (and their business associates) who conduct certain healthcare transactions electronically [21].


The Privacy Rule generally prohibits the use or disclosure of PHI without the written authorization of the individual. There are several exceptions to this requirement including an exception for public health. The Privacy Rule expressly permits covered entities to disclose PHI, without the authorization of the individual, to a public health authority that is authorized to collect or receive it for specified public health purposes, including prevention or control of disease, public health surveillance, public health investigations, and public health interventions [22]. The definition of a public health authority includes an entity working under a grant of authority from or a contract with public health [23]. In addition, the Privacy Rule permits covered entities to use and disclose PHI without individual authorization as required by law [24]. Thus, the Privacy Rule permits covered entities to report communicable diseases and other conditions to the state or local health department if a state law or regulation requires the reporting of the disease or condition.


Posted Jun 18, 2016 in INFECTIOUS DISEASE
