The HIPAA Privacy Rule and Bioterrorism Planning, Prevention, and Response

James G. Hodge, Jr.; Erin Fuse Brown; Jessica P. O'Connell


Biosecur Bioterror. 2004;2(2) 

In This Article

Abstract and Introduction

Effective bioterrorism planning, prevention, and response require information sharing between various entities, ranging from public health authorities and health-care workers to national security and law enforcement officials. While the source of much information exchanged may be nonidentifiable, many entities legitimately need access to personally identifiable health information (or "protected health information" [PHI]) in planning for and responding to a bioterrorism event. The HIPAA Privacy Rule allows for essential exchanges of health data during a public health emergency while protecting against unnecessary disclosures of PHI. In the event of a bioterrorist attack, the Privacy Rule allows covered entities to disclose PHI without individual authorization in the following instances: (1) for treatment by health-care providers, (2) to avert a serious threat to health or safety, (3) to public health authorities for public health purposes, (4) to protect national security, (5) to law enforcement under certain conditions, and (6) for judicial or administrative proceedings. Despite these favorable disclosure provisions, some privacy challenges remain. The flow of PHI may be slowed by misunderstandings of the Privacy Rule's accounting requirement. In addition, in a bioterrorism scenario, nontraditional entities may find themselves acting as health-care providers, triggering Privacy Rule provisions. Finally, the potential for de facto disclosures of individuals' disease or exposure status increases where conspicuous treatment methods, isolation, or quarantine are implemented without additional measures to protect privacy. Understanding the Privacy Rule's impact on bioterrorism planning and response ensures that various entities can conduct their activities with needed information while still protecting individual privacy.

Planning for, preventing, and responding to a potential or actual bioterrorism event requires coordination and information sharing among multiple people and entities. These include public health and environ-mental authorities, law enforcement and national security officials, private sector health-care workers and hospitals, medical suppliers, pharmacists, politicians, and media representatives. They and others must be able to communicate effectively and to exchange an array of vital information about potential or existing threats or agents of bioterrorism, the manifestation of a bioagent among human populations, and the likely spread of a bioagent through communicable or other means. A large subset of this information is health data, including data about the specific health status of identifiable individuals or known groups, such as families, assemblies, employees, or people within defined geographic boundaries.

In many cases, these data may be shared as generalized, aggregated information without disclosing the identities of individuals. Public health authorities may share health-oriented data, for example, that merely state the number of people exposed to an infectious condition within a population. Law enforcement officers may need to know that these people are all related, centrally located, or visited a specific location where their exposure to a bioagent may have occurred. Media may report, for example, that dozens of people in a county in Mississippi have shown symptoms of a condition that is caused by a known bioterrorism agent without identifying any of these people individually. In these and many other examples, there is little need to disclose the identities of affected people, their families, or their contacts, especially considering the significant interests of these people in protecting the privacy of their health data.

Detection of a bioterrorism attack, however, may predictably begin with the diagnosis of patient medical symptoms by health-care or public health authorities. It is inevitable that individually identifiable health information will be shared with many people. Health-care work-ers, such as physicians, nurses, lab technicians, and pharmacists, need identifiable data to provide therapeutic or pharmaceutical care as well as to avoid potential bio-agent exposures when universal protections may be inadequate. People who may have been exposed to a communicable disease have a legitimate right to know their source of exposure, which may directly or indirectly include a person's identity through contact tracing efforts. Health authorities need identifiable data to protect the public's health through epidemiologic or environmental investigations, surveillance, laboratory testing, and other tools. Law enforcement officials or national security authorities may need identifiable health data to effectively investigate criminal aspects of a bioterrorism event.

In public health emergencies, including bioterrorism events, access to personal health data is justifiably compelling. Options for exchanging nonidentifiable data may be limited, or there may be little time to strip the identity from the data. The use of nonidentifiable health data may also lead to information inaccuracy or duplication that may thwart prevention or response efforts. Amidst strong justifications and practical realities favoring the exchange of identifiable health data, the question is whether the acquisition, use, or disclosure of such data is limited by individual health information privacy protections.

Individual exposure to or infection with a bioterrorism agent is highly sensitive and personal information. People who have been infected with or exposed to a bioterrorism agent are entitled to significant health information privacy protections of their relevant health data, like all health information, under national and state privacy laws. Pursuant to the Health Insurance Portability and Accountability Act (HIPAA) of 1996,[1] the Department of Health and Human Services (DHHS) developed the first national standard for health information privacy protections.[2] Known as the Privacy Rule, these regulations provide comprehensive privacy protections of identifiable health data for most individuals seeking health care or health insurance in the United States. DHHS's intent in drafting the Privacy Rule was to balance communal and individual interests in the sharing of identifiable health data. Thus, as is explained below, although the Rule limits access and disclosures of health data, it also allows disclosures without individual authorization for limited purposes like public health, law enforcement, and national security. Collectively, these provisions of the Rule allow for many exchanges of identifiable health data to prevent or respond to a bioterrorism event without infringing on individual privacy.

Individual privacy interests should not trump societal needs for health data sharing during a bioterrorism event, but they cannot simply be dismissed. Protecting individual privacy and communal health and safety are synergistic. Maintaining some standard of privacy of identifiable health data even during a bioterrorism event may be essential to accomplishing public health and law enforcement objectives. People will not tolerate objectionable privacy abuses by the government or the private sector. Failing to respect the confidentiality of a person's health information leads individuals to avoid, or limit their participation in, public health programs, criminal investigations, research, and even their own clinical care.[3] Large-scale avoidance of these services or activities during a bioterrorism event would be disastrous.

Conversely, everyone benefits from governmental and societal efforts to control the spread of disease or other conditions resulting from a bioterrorism event. Individuals alone cannot ensure their own safety. They need to cooperate with public health and other authorities to protect their own and others' health and welfare. People must be willing to confidentially share their health data for public health or law enforcement purposes during a bioterrorism event.

The Privacy Rule allows needed exchanges of health data during public health emergencies, but some privacy challenges remain. Misinterpretations, misunderstandings, and misstatements concerning the Rule contribute to concerns among health-care, public health, and law enforcement communities about how the Rule's provisions may slow or interfere with bioterrorism prevention and response efforts. In the following sections, we seek to resolve some of the existing confusion. We begin with a brief legal overview of the Privacy Rule. Our analysis continues with a discussion of the sorts of anticipated acquisitions, uses, and disclosures of identifiable health data are needed to prevent or respond to a bioterrorism event. We review relevant privacy interests concerning these data exchanges, offering an assessment of how these interests are addressed in the Privacy Rule. Of principal concern are the limits of health data disclosures without individual authorization during a bioterrorism event. Accordingly, we thoroughly explain how the Privacy Rule permits a range of disclosures without individual authorization for public health, law enforcement, and national security purposes.


Comments on Medscape are moderated and should be professional in tone and on topic. You must declare any conflicts of interest related to your comments and responses. Please see our Commenting Guide for further information. We reserve the right to remove posts at our sole discretion.