The CDC’s model emergency health powers act expanded surveillance authority, not just during pandemics, but every day of the year. Through the power and expanded electronic health data systems, public health departments have increased electronic surveillance on individuals. Many states have passed the surveillance sections of the health powers bills into law.
How did government surveillance expand and how did privacy infringements begin?
First, although there had been state laws allowing specific intrusions (i.e., state cancer registries), the 1996 Health Insurance Portability and Accountability Act (HIPAA), supported and fashioned by NCVHS (National Committee on Vital Health Statistics) and WEDI (Workgroup for Electronic Data Interchange), eliminated patient consent and dissent rights over access to private medical records, enabled the building of electronic medical records and tracking systems, and provided government officials with broad access rights under “public health
The 1996 law provides federal, state and other government agencies access to private medical records without patient consent for ‘public health purposes.’ The term ‘public health purposes’ is not defined. Even the Federal Aviation Administration (FAA) is considered a “public health” entity and allowed to access private medical data without consent.
Second, the 2009 economic stimulus bill provided $19 Billion to create a national electronic medical records and health surveillance system, the National Health Information Network (NHIN). As stated above, the so-called federal HIPAA privacy Rule does not protect patient privacy and laid the foundation for the NHIN.
Third, the 2004 introduction of BioSense by the Centers for Disease Control and Prevention (CDC) has created a national government health surveillance system through regular data sharing on patients seen in hospitals, particularly the Emergency Room. As noted below, planners hope the BioSense system will be connected to the NHIN in the future.
Fourth, federal tax dollars distributed to state health departments under the auspices of bioterrorism and pandemic preparedness have also facilitated the build-up of government surveillance capabilities.
Relevant News – Swine Flu/H1N1
Next step in H1N1 scare: Microchip implants
Company developing under-the-skin devices to detect ‘bio-threats’ US Patent 7,125,382; “Embedded Bio-Sensor System”
BioSense – National 24/7 Surveillance
Centers for Disease Control and Prevention: BioSense
- “BioSense is a national program that provides real-time biosurveillance and health situational awareness for public health…”
- “The BioSense System…serves as a national automated surveillance system [and] currently receives data from >590 civilian hospital capturing about 11% of all U.S. emergency department (ED) visits.” Median times from patient visit to receipt of ED data at CDC are 8 hours for chief complaints and 5 days for diagnosis codes (Automated Monitoring of Asthma Using the…):
- Analyzed microbiology laboratory data from >599,000 patients during January 2007 and August 2008 from 50 hospital laboratories. (BioSense System, CDC, December 4, 2008 at International Society for Disease Surveillance Conference)
- “The BioSense Program goal is to support a national surveillance network through which healthcare organizations, public health, Health Information Exchanges (HIEs), and other national health data sources are able to contribute to the picture of the health of the nation.”
- “BioSense is a national program intended to improve the nation’s capabilites for disease detection, monitoring, and real-time situational awareness through access to existing data from health care organizations across the country.” (BioSense Soup to Nuts Progress Report, August 2008, p 13)
- BioSense has several “unique capabilities”
- Current Approach: “Intensive data gathering from medical facilities, state & locals into a giant CDC owned data warehouse“
- BioSense Individual Identifier: “Allows for combining data on an individual over time to create a complete clinical picture.”
- Provides National monitoring in CDC BioIntelligence Center (established in 2004)
Real-Time Biosurveillance: Strategy and Approach (look ABOVE Red arrow)
The overall BioSense Surveillance Strategy
Combining State Surveillance Data with BioSense Hospital Clinical Data. Diagram
False Claims of Privacy – BioSense
“While information about the health of individuals in a community is necessary for national preparedness, preserving the privacy of U.S. citizens is equally important to the BioSense program. NCPHI works with organizations that provide data (like hospitals) to guarantee the confidentiality of data. Individual names or other personal identifiers are not used within the BioSense application. BioSense collects only necessary information-such as the type of illness, the patient’s gender and age, and zip code of residence.” (Biosense: Benefits of BioSense Today and in the Future, p. 2)
Exchange of Health Information Between Public Health and Clinical Care: The vision, challenges, and benefits – Dr. Leslie Lenart, Director, National Center for Public Health Informatics
- “NEDSS (National Electronic Disease Surveillance System) is an Internet-based infrastructure for public health surveillance data exchange that uses specific Data Standards for notifiable disease reporting….The richness of data from the BioSense feed includes laboratory test results, which may be required for notifiable reporting in a health jurisdiction.”
No Privacy
The collection of the data through BioSense is a violation of individual privacy, and despite the CDC’s privacy claim, these collected data (illness, gender, age, zipcode) are not unidentifiable data. These data plus other data collected, including hospital, doctor, hospital admission and discharge dates, are data that can re-identify individuals through matching databases and other technology.
The 2002 preamble of a proposed change to the 2003 HIPAA Privacy Rule – the development of a “Limited Data Set” to promote research and government surveillance without patient consent – noted that the remaining data, after 16 identifiers have been removed, is still identifiable:
- Limited Data Sets (LDS) contain beneficiary level health information but exclude specified direct identifiers as outlined in the Privacy Rule. LDS are considered identifiable even without the specified direct identifiers. Because the information is considered identifiable, it remains subject to the Privacy Act of 1974 as well. These data are identifiable because of the potential for identifying a beneficiary due to technology, particularly in linking and re-identifying data files.” (Centers for Medicare & Medicaid Services)
- “… [Private health information] in limited data set form is not completely de-identified…”(Guidance Specifying the Technologies and Methodologies That Render Protected Health Informaiton Unusable, Unreadable, or Indecipherable to Unauthorized Individuals for Purposes of Breach Notification…” Federal Register, Vol 74, No. 79, Aprilf 27, 2009, p 19009)
- Data expert Latanya Sweeney writes: “{date of birth, gender, 5-digit ZIP} combine to uniquely identify about 87% (216 of 248 million) of the population in the United States. About half of the U.S. population (132 million of 248 million or 53%) is likely to be uniquely identified by only {place, gender, date of birth}” (Comments of Latanya Sweeney, Ph.D., Director, Laboratory for International Data Privacy…To the Department of Health and Human Services On “Standards of Privacy of Individually Identifiable Health Information.” April 26, 2002)
CDC regarding the “Limited Data Set” (HIPAA Privacy Rule and Public Health,” MMWR, April 11, 2003/52; 1-12):
NIH regarding the “Limited Data Set”:
Turning Point – Collaborating for a
New Century in Public Health
(RWJF Project)
“Government Surveillance of Populations 24/7/365 Proposed”
This Robert Wood Johnson Foundation funded project proposes that state public health departments:
- “Monitor health status to identify and solve community health problems” (Essential Public Health Services and Functions, p. 19)
- “Identify, assess, prevent, and ameliorate conditions of public health importance through surveillance; epidemiological tracking, program evaluation, and monitoring; testing and screening programs; treatment; abatement of public health nuisances; administrative inspections; or other techniques” (Public Health Powers – in General, p. 19)
- “The agency may request information from or inspect health care records maintained by health care providers that identify patients or characteristics of patients with reportable diseases or other conditions of public health importance.” (Sec. 5-102. Surveillance Activities – Sources of Information, p. 28)
- “A health care provider, coroner, or medical examiner shall report to the state or local public health agency all cases of individuals who harbor any condition of public health importance that may be potential causes or indicators of a public health emergency.” (Sec. 5-103 – …Reporting to Detect and Track a Public Health Emergency, p. 29)
NOTE: The Robert Wood Johnson Foundation, the nation’s largest health care grantmaker has long provided various and ongoing funding to state health departments to advance single-payer health care, managed care and government health powers.
April is “Truth About HIPAA” Month!