The HIPAA Privacy Rule and Bioterrorism Planning, Prevention, and Response

James G. Hodge, Jr.; Erin Fuse Brown; Jessica P. O'Connell


Biosecur Bioterror. 2004;2(2) 


The Privacy Rule and Bioterrorism

The Privacy Rule contains several provisions that allow disclosures of PHI relevant to a bioterrorism scenario. Specifically, covered entities may disclose PHI without written individual authorization to law enforcement officials, for judicial and administrative proceedings, to public health authorities for public health purposes, to avert a serious threat to health or safety, and to protect national security.[29] Government authorities conducting public health, law enforcement, and national security or intelligence functions are not themselves covered entities. Although other state and federal privacy laws may apply to these actors, the Privacy Rule largely does not interfere with the exchange of information among them. Rather, the Rule governs the flow of PHI from covered entities (or those performing covered functions) to these authorities.

In preparing for a possible bioterrorist event, and for public health emergencies more generally, state and local public health authorities routinely collect PHI from health-care providers through surveillance and reporting practices. Syndromic surveillance, for example, uses pre-diagnostic health data to identify potential disease outbreaks that would require public health responses.[30] Through this type of surveillance, authorities can use acquired data to help detect a potential or actual bioterrorist attack or a natural disease epidemic by monitoring symptoms that suggest exposure of community members to dangerous biological or chemical agents. Multiple actors are involved in conducting syndromic surveillance, including health-care providers, pharmacists, workers in clinics and hospitals, lab workers, and others who engage in frontline encounters with patients and acquire their health data for treatment purposes.[31] These people transmit health information to local and state public health authorities for analysis and tracking of sentinel occurrences. The data are examined for signals or clusters of symptoms or health complaints, such as a spike in respiratory illness in a particular geographic location. Syndromic surveillance may require disclosure of identifiable health data even if the initial transfers that make up the majority of the data exchanged involve only nonidentifiable data.[32] State or local public health authorities need to be able to follow up with specific individuals who may be affected by an unusual cluster of symptoms.

Although the Privacy Rule permits the disclosure of identifiable health information to public health authorities for public health purposes, such as syndromic surveillance, other provisions of the Privacy Rule can limit the free flow of health data for bioterrorism prevention. Covered entities are allowed, but not required by the Privacy Rule, to make PHI available to public health authorities. This aspect of the Rule has led to misinterpretations, made in the guise of protecting privacy, that ultimately hinder public health activities. For example, some health-care providers have been very protective of releasing any personal information associated with victims of the recent flu outbreak to public health authorities, fearing potential violations under the Privacy Rule.[33] In addition, health-care providers and other covered entities cite the accounting requirement under the Privacy Rule as a reason for delays or unwillingness to provide PHI for public health purposes.[34] They resist providing PHI for public health reporting requirements because of the increased administrative burden of keeping records of the frequent and numerous data disclosures requested by public health authorities.[34] Although the Office for Civil Rights, as discussed above, has clarified that routine, repeated disclosures of PHI to public health authorities need only be accounted for generally,[21] some covered entities have delayed or denied data to public health authorities for fear of failing to meet accounting requirements. As well, covered entities may provide incomplete data or ask public health authorities to assist them with their accounting responsibilities. These barriers can thwart public health authorities in their efforts to identify potential bioterrorist activity in a timely and efficient way.[34]

Once a bioterrorist event has occurred, the focus shifts from prevention to response. So shift the anticipated actors, health data uses, and health information privacy concerns. As before, health-care providers and public health authorities are a likely source of detection of a bioterrorist attack. Unlike other disease outbreaks or epidemics, a bioterrorist attack is by definition a criminal act or an act of war.[35] Law enforcement and national security officials will necessarily become involved to investigate the event. Information will likely need to flow among covered entities, public health authorities, law enforcement officers, and national security officials as epidemiologic and criminal investigations proceed simultaneously.

Criminal and public health authorities will require identifiable health data to reach people who are at risk of becoming ill, to identify the sources of pathogens and the mechanisms of exposure, and to estimate the magnitude of the event. These data may be essential to deciding whether to (1) implement quarantine or isolation measures; (2) require mass vaccination, testing, or screening of the population; (3) impose travel restrictions; or (4) seek criminal sanctions against aggressors. In addition to these public actors, private sector employers, employees, health-care workers, insurers, and others may seek identifiable health data to assist in the control and investigation of an attack. For example, in 2001 following the anthrax exposures, the U.S. Postal Service needed to know which of its employees had become ill to help identify the timing and location of the exposures, notify additional employees or customers who may have been exposed, clean facilities and equipment, and provide workers' compensation benefits to affected employees.[36] Other private sector actors may not have as compelling a need for identifiable health information in response to a bioterrorist event. These include medical suppliers, affected industries, and the media. The roles of these and other actors in supplying needed medicines or remedies, controlling vectors of disease, or keeping the public informed may be fulfilled without access to identifiable health data.

Finally, traditional mechanisms to safeguard sensitive health data and maintain patient confidentiality may be inadequate in a bioterrorism event or similarly acute disease outbreak. As Janlori Goldman of Georgetown University's Health Privacy Project notes, the conspicuous nature of the treatment and response to a bioterrorism event, such as quarantine or isolation, may result in a de facto disclosure of a person's health status even if the health record itself is held confidential. Because such a disclosure involves no transmission of PHI governed by the Privacy Rule, additional safeguards may be needed to avoid inadvertent, damaging disclosures.[37]

As we have stated, the Privacy Rule prohibits the use or disclosure of PHI without individual written authorization, subject to a series of exceptions. These exceptions, found in the Rule's disclosure provisions, are critical to assessing the effect of privacy protections in a bioterrorism scenario. These provisions govern how and under what circumstances covered entities can divulge PHI, to public authorities or others, without written authorization. Requiring public health or law enforcement authorities to secure individual authorization for releases of PHI during a bioterrorism event would be catastrophic to prevention and response efforts. As examined below, many disclosures of PHI without individual authorization in response to a potential or actual bioterrorism event are permitted by the Rule.

Treatment by a health-care provider. Individual medical care during a large-scale public health emergency, such as a bioterrorist attack, will predictably be scattered, fragmented, and chaotic. In some cases, the provision of health care may resemble triage settings. Health-care workers have prepared for this potential scenario through technical, administrative, and medical training. Must they also be wary of health information privacy concerns related to their exchange with each other of PHI about their patients? In most cases, no. The Rule permits the flow of this information among health-care providers when necessary for appropriate treatment. Covered entities may thus exchange PHI without individual authorization for treatment or payment activities in preparation for and during public health emergencies.[38]

Averting a serious threat to health and safety. The Privacy Rule allows covered entities to use or disclose PHI without individual authorization to avert a serious threat to the health or safety of a person or the public.[39] In such a situation, PHI may be disclosed to a person who is reasonably able to abate the threat. The Rule imposes a good faith requirement on covered entities acting under this exception: a covered entity is presumed to act in good faith where it believes the disclosure of PHI is necessary to avert an imminent threat.[40] This exception could apply when a health-care provider or other covered entity identifies an unexplained disease outbreak suspected to be the result of a bioterrorist attack. By providing public officials with information about infected individuals, health-care providers could assist in controlling an outbreak and preventing further infection. Public health authorities or law enforcement officials may use this information to locate and quarantine or isolate infected individuals, in addition to tracking the infection and locating its source.

Public health. Once a potential bioterrorist attack has been identified, public health authorities are responsible for containing threats and minimizing exposures. The Privacy Rule allows covered entities to disclose PHI in multiple ways in the interests of protecting the public's health. This includes:

  • disclosures to public health or other authorities when required by law (e.g., statutory reporting requirements);[41]

  • permissive disclosures to public health authorities when requested;[42] and

  • disclosures to notify individuals who may have been exposed to a communicable disease or who might be at risk of contracting or spreading a disease (e.g., partner notification provision), when authorized by law for public health purposes.[43]

Through these disclosures, covered entities play an important role in identifying and notifying individuals at risk of infection, thus allowing public health authorities to provide treatment and implement interventions expeditiously.

National security. An additional exception allowed by the Privacy Rule involves uses and disclosures for specialized government functions. Specifically, a covered entity is allowed to disclose PHI to federal officials to assist with intelligence and other national security activities authorized by the National Security Act.[44] In most cases, bioterrorism poses a substantial threat to the nation's security. Federal national security agencies routinely investigate the possibility of such an attack. The Privacy Rule allows covered entities to provide these authorities with information necessary to their investigation. Additionally, the Rule permits the transfer of PHI to federal officials to assist in protecting the President or foreign heads of state.[45]

Law enforcement. Law enforcement officials responding to a bioterrorist event may need to investigate and prosecute those responsible for the attack and to warn the public of the potential for infection. The Privacy Rule allows a covered entity to disclose PHI to law enforcement officials under certain conditions. A covered health-care provider responding to a medical emergency may provide a law enforcement official with PHI to report the commission of a crime and its characteristics.[46] Such disclosures may alert officials to a suspected bioterrorist attack evidenced by a suspicious medical emergency. During a bioterrorism investigation, a court order, subpoena, or other administrative request could also be used by law enforcement officials to obtain PHI from a covered entity, provided that the information requested is relevant to the investigation.[47] Furthermore, covered entities may provide limited health information to law enforcement officials to aid in identifying or locating a suspect, fugitive, or witness involved in a bioterrorist event. Under the Rule, this information is limited to individual characteristics such as name, blood type, injury type, and distinguishing physical features,[48] all of which could be helpful in locating criminal suspects. Additional disclosures allowed by the Privacy Rule for law enforcement purposes include PHI of suspected crime victims or decedents whose death may have resulted from criminal conduct, or PHI that could be evidence of criminal conduct on the covered entity's premises.

Judicial or administrative proceeding. Covered entities are also permitted to disclose PHI without individual authorization in response to a court or administrative order, or to a subpoena or discovery request. If PHI is provided in response to a subpoena or discovery request that is not accompanied by a court order, the covered entity must first receive satisfactory assurance that reasonable efforts have been made to notify the individuals whose information is being released.[49] This exception would be helpful in providing information regarding a bioterrorism event's impact on the public's health and safety to officials responsible for its investigation and any criminal prosecution.

