When responding to a public health threat, public health officials must understand both their authority and their responsibilities. An important responsibility of public health officials is to protect the privacy of individuals. This responsibility must be balanced against the responsibility to protect the public.
While federal and state laws protect personal and individually identifiable health information, these laws often recognize situations where protecting the public trumps individual privacy. For example, the HIPAA Privacy Rule allows public health agencies to share identifiable information among themselves for public health purposes. It also permits disclosure of identifiable information outside public health agencies when necessary to avert a serious threat to health or safety.
The Association of State and Territorial Health Officials (ASTHO) identified privacy as a barrier to effective response to the 2009 H1N1 outbreak based on its survey of state public health agencies:
States noted challenges in balancing the need to release information to the public with the need to maintain privacy and protect resources from becoming overwhelmed. States had to weigh the level of detail to publicly provide when reporting confirmed H1N1 cases against individuals’ privacy considerations.[i]
In particular, states identified privacy questions and concerns in situations such as:[ii]
Even without personal identifiers, the more information the health agency discloses, the greater the risk to personal privacy. Information is like e-mail: once sent, it travels to unintended places and is used for unintended purposes. Information disclosed by public health staff might be used by the press as leads or combined with other information to identify an individual.
Andrew Speaker, who got worldwide attention in 2007 after flying overseas while knowing he had tuberculosis, sued the Centers for Disease Control in Federal District Court for violating the federal Privacy Act by disclosing his identity and confidential medical information relating to the treatment of his tuberculosis.[iii] Speaker claimed that CDC had directly disclosed his identity. Alternatively, he claimed that even if CDC had not identified him directly, it did so indirectly by providing sufficient details about him that the media was able to use – along with its other sources – to publicly identify him. These CDC disclosures included details of his medical history and his alleged medical condition (including a detailed timeline of his medical treatment), details of his profession and residence, details of the purpose of his trip (to Greece to get married) and details of his flights.
On November 23, 2009 the District Court dismissed Speaker’s lawsuit for failure to state a cause of action. In this regard, the court found that Speaker alleged no specific facts establishing that a CDC employee or agent revealed Speaker’s identity. If a news agency identified Speaker, it was because it discovered Speaker’s identity using other information sources. For example, Speaker’s identity could have been revealed by state or local public health agencies, law enforcement, health care providers, or others who knew it.
The District Court also rejected Speaker’s claim that CDC violated the Privacy Act by releasing detailed information about him. The court held that information provided by CDC had a public health purpose, that it was not identifying and that CDC did not violate its responsibility to protect privacy just because the press was able to use information that it obtained from multiple sources to publish Speaker’s identity. The court observed: “If releases at issue here were to constitute a Privacy Act violation as Speaker alleges, it would severely inhibit the reasonable and appropriate conduct of public health officials responding to possible public health emergencies.”
The District Court’s decision against Speaker provided reassurance to state and local public health officials who must make difficult judgments about the level of detail to reveal during an emergency, even though the decision might not directly apply to them. However, any reassurance was short-lived.
Speaker appealed, and the United States Court of Appeals, Eleventh Circuit, reversed on October 22, 2010. The Court of Appeals ruled that Speaker sufficiently alleged in his amended complaint that CDC itself made the disclosure of his identity. Thus, Speaker was entitled to discovery and an opportunity to try to prove his claim. Whether Speaker succeeds to prove that CDC directly revealed his identity remains to be seen. The court did not reach the legal issues “of whether the CDC disclosed enough, or the requisite type of, identifying particulars to constitute a Privacy Act violation, which in turn caused the press to identify him.” There had been no discovery and the court concluded that those issues are better addressed once the parties have had a chance to develop the record.
As illustrated by the Speaker case, public health officials and their staff walk a tightrope when disclosing information about individuals. They need to be careful and use common sense. They should also be able to clearly articulate a public health purpose for the disclosure and disclose only the amount of information necessary to protect the individual or others. Yet, often disclosure decisions must be made quickly with limited information as the event unfolds. Public health and safety must not be jeopardized by “what ifs” or second guessing. Decisions should be judged by good faith and reasonableness that takes the circumstances into account, not from a position of hindsight after the event in question.
The ASTHO report includes the following recommendations suggested by states on Disclosure and Privacy Issues:[iv]
What do you think?
Share your thoughts and ideas by commenting on the blog post. To ask questions or make comments directly to Network staff, e-mail the Public Health Law Network –Mid-States Region.
 Not all public health agencies or functions are covered by the HIPAA Privacy Rule; it is cited here as an example of a law that is intended to balance individual privacy and protecting the public.
[i] Assessing Policy Barriers to Effective Public Health Response in the H1N1 Pandemic, Project Report to the Centers of Disease Control and Prevention (June 2010) page 149.
[ii] Page 59 of the Assessing Policy Barriers Report
[iii] Speaker v U.S. Department of Health and Human Services, Centers for Disease Control and Prevention, 680 F.Supp.2d 1359, 1369-70 (N.D.Ga.2009)
[iv] Assessing Policy Barriers report, page 61