Good morning. I am Dr. James J. Gibson, State Epidemiologist and Director of Disease Control of the South Carolina Department of Health and Environmental Control (DHEC). As State Epidemiologist I served on my health department’s HIPAA working group, to assess our confidentiality vulnerabilities and plan our policy changes and staff training. I am also representing the Council of State and Territorial Epidemiologists (CSTE), the national organization representing state and local practicing public health epidemiologists. We are grateful for the opportunity to present our experience on these challenging issues. I will focus my report on influences of the HIPAA Privacy Rule on disease surveillance, that is, the reporting, investigation and response to acute communicable diseases in general, and also on surveillance of bioterrorist agents, including the syndromic surveillance systems being piloted for early detection of such agents.
The HIPAA legislation has had a wide range of influences on acute disease surveillance and control, and our consensus experience is that it has clearly strengthened the security and confidentiality of state and local public health data, although there appears to be little evidence that this had been dangerously threatened in recent years. But two aspects of the HIPAA Privacy Rule have raised concern about their potential to reduce the effectiveness of disease surveillance: a) uncertainty among Covered Entities about the interpretation of the Rule’s exclusion of disclosures to public health agencies, and b) the requirement that Covered Entities account for (or “track”) disclosures, including to public health. For that reason, my bureau and CSTE staff recently conducted two emailed surveys of all state and territorial public health epidemiologists, and also of all CDC Bioterrorism state grantees responsible for the disease surveillance and response Focus Area. One survey asked for their experience with the impact of providers’ concerns about confidentiality and privacy on their acute disease surveillance systems; the other asked for more detail on the influence on bioterrorism syndromic surveillance. I will describe briefly the response to those surveys.
The survey on syndromic surveillance systems was done first, included nine questions encouraging open-ended answers, and yielded responses from 35 jurisdictions including over half the states and cities with such systems. Eleven of 31 with significant experience (35%) stated that reporting organizations’ concerns with HIPAA Privacy had caused major obstruction or delay in disease reporting. They reported needing to take special new regulatory or legislative actions, repeatedly provide detailed letters of explanation, or reduce the level of reporting detail they requested. Two states’ quotes exemplify the problems: “Even our routine investigations of outbreaks have encountered roadblocks. Many people in the trenches don’t know enough about HIPAA, and therefore err on the side of not releasing information that we used to obtain routinely. Moreover they are less likely to give us information beyond the absolute minimum.” And the second: “Almost every hospital we have approached has raised the issue of their compliance with HIPAA regulations when providing syndromic data. And the first issue always addressed is the public health exemption under the legislation.”
We asked about the effect of the requirement for Covered Entities to account for disclosures to public health. Twenty five percent of the respondents said this was a significant problem for their disease reporters. Statements included: “These could be issues of feasibility or cost of tracking disclosures to public health, or of how such tracking could be accomplished.” “There are issues arising from this misconception questioning the do-ability (of disclosure tracking) or the limit to aggregated data only. Unfortunately it is not clear who has the authority to correct this misinterpretation. Providers are cautious and it is not clear what we could provide to reassure them that a general accounting rather than transaction-specific accounting would work.” The excellent Centers for Disease Control and Prevention guidance on HIPAA does suggest that documentation of individual disclosures is not necessary, but just what method is acceptable is not clear.
Our other survey, on confidentiality concerns for general surveillance, yielded an additional eight responses from states. Seven said it was a severe or somewhat severe problem. Comments included this from a state epidemiologist: “We have almost weekly examples of people refusing to give us routine (or outbreak-related) surveillance data, citing HIPAA concerns as their reason for refusal. So far we have been able to argue our way through them, but it has consumed several hours a month of my time, or that of my staff. The most recent two examples were yesterday” (they were data on a varicella outbreak, and on a group of hepatitis C cases). Several respondents said they were routinely or often asked to provide a signed release from the patient before the covered entity would disclose the information. (Obviously impossible) In my state, two different health district epidemiologists said independently that 20 to 30% of investigations of reported disease are obstructed by HIPAA concerns. For example, physicians have said to us “this is my license at risk” in refusing. Usually a detailed explanation or a written statement from the department’s counsel will solve the problem but sometimes data is not obtainable. Note that incomplete reporting of surveillance data requires the staff to make a second request of the provider. That takes time, which is in short supply during a communicable disease investigation.
I would draw five conclusions. First, no respondent questioned the impact of the Privacy Rule on causing public health agencies to examine and strengthen their confidentiality protections, although several questioned the need. Second, it appears that misunderstanding or ignorance of the true requirements of the Privacy Rule is widely present among Covered providers, and that their reaction is to reduce required disclosures to public health. Third, while explanations, educational brochures or letters are helping reduce these refusals to disclose disease information, the burden on public health staff may be substantial. And most of this impact is on disease data we ask providers for. We could find no information on the extent to which providers may have simply stopped sending acute disease reports, which we might therefore never know about. And finally, it is not clear how to find an authoritative source to state, for example, clearly and publicly the details of a process that would satisfy the disclosure accounting requirement without specific documentation of each disclosure by covered providers.
Our recommendation is that an authoritative source, i.e. the Office for Civil Rights, prepare and proactively disseminate to health care providers a clear statement of policy in the areas of greatest uncertainty, e.g. on the simplest process acceptable for a covered entity to account for routine disclosures for public health disease surveillance and investigation.
In conclusion, state and local public health is where the rubber meets the road for acute disease control. Our ability to rapidly collect essential data, mandated by state law, cannot be compromised.
Thank you for this opportunity to comment. I will be happy to answer questions.