When an infectious disease breaks out, access to data in a timely manner is often critical.
To start, it’s important to know with whom an infected individual was in contact or sitting close to on a flight or a train. It is important to know who lives in the same dwelling, and it may be important to examine credit card transactions and mobile phone traces to know where the person traveled within a city to track the potential spread of the disease. In fact, public health surveillance, monitoring the spread of disease and contact tracing are data-intensive exercises that raise individual privacy concerns.
All of this comes into sharp focus today as Ebola spreads in West Africa and cases start popping up around the world.
Do privacy laws or practices impede access to the required data or facilitate it? Clearly, the confusion caused by this issue was evidenced this week when the Department of Health and Human Services released a bulletin detailing how HIPAA applies in emergency situations.
In most jurisdictions, public health professionals are permitted to have access to identifiable individual data. The reality is that our data privacy laws are quite permissive with the disclosure of personal information to public health authorities. But even though the laws and regulations allow the disclosure of personal information for public health purposes, healthcare providers and other data custodians do not always play ball.
A good example of this reluctance was found in a study of family doctors we conducted during the H1N1 pandemic in 2009. During peak pandemic week, a series of focus groups with family doctors revealed that they were hesitant to share information about influenza-like illness with public health officials.
Plus, in addition to general privacy concerns, providers may not want to share their data because they do not understand what their obligations are under the law and it consumes scarce resources with no obvious short-term benefit to their practices.
If doctors are not enthusiastic about sharing their data, what about airlines, cell-phone service providers, credit card companies, car rental companies and supermarkets? Will the mobile phone companies share cell-tower data so that the movement of individuals can be tracked and any individuals in close proximity to a case be detected and identified?
The practical way to address this problem is to anonymize the data before sharing it for surveillance purposes.
Public health professionals can perform their analysis and identify a small subset of individuals that they need to contact. Only data for that small subset of at-risk individuals would need to be re-identified for public health to contact them. This strategy would address data custodians’ concerns about invading the privacy of large swaths of the population when only a small fraction actually needs to be identified and contacted.
Anonymization methods for health data have been used in practice for at least a decade. While the narrative around anonymization in the popular press emphasizes attacks, all of the published examples have dealt with data sets that were not properly anonymized. When generally accepted statistical and computational techniques have been applied to anonymize health data, subsequent re-identification attempts have failed to produce meaningful results.
Being able to introduce anonymization methods into practice to ensure data custodians are willing to share data for public health purposes is important in the age of such epidemics as Ebola. The efficiency with which we track and investigate outbreaks is directly related to the spread of the disease. There is an urgency to get access to data. And it is not always health data that is important.
Ongoing public health surveillance systems would allow rapid detection of and reaction to outbreaks. But this can only happen if privacy concerns that currently act as a barrier are addressed. Privacy does not have to be an obstacle, but it is an issue that needs be dealt with upfront when these surveillance systems are put into place. We cannot take for granted that data custodians are willing to share their data, even when there is an outbreak, as we saw during H1N1.
Expecting providers to share personal information en masse is just wishful thinking.
The privacy protocols used must also be transparent and known. The public needs to trust the systems and mechanisms in place are legally and ethically defensible and that adequate governance mechanisms are in place to protect their data.
This is work that needs to be done now, before the next outbreak. If such mechanisms are not put into place, we may see governments compel the release of this data.