by Dave Pasquarelli
Monday, Nov. 26, 2001 at 9:42 PM
DaveACTUP@aol.com (415) 864-6686 1884 Market Street, SF, CA 94102
The US government is waging war on Americans! The Emergency Health Powers ACT will give the feds legal power to quarantine and remove civil libirties for US citizens! It is imperative that all activists spread the word and speak out against this maddness.
The following is a letter by the Washington D.C.-based Health Privacy Project of Georgetown University strongly condemning aspects of the Model State Emergency Health Powers Act -- pending legislation pushed in all 50 states by the U.S. Centers for Disease Control and John Hopkins University. Passage of this act will give federal health officials sweeping powers to investigate and publicize citizens' medical files, quarantine individuals without a court order, confiscate and destroy personal property, and mandate medical treatment against one's will.
While ostensibly initiated to combat possible acts of bioterrorism, the Act makes no distinction about what can trigger the legislation's extreme provisions. As a result of its vague language, people with HIV and hepatitis diagnoses are in serious jeopardy of losing their civil liberties.
Fight back! Challenge the dangerous Model State Emergency Health Powers Act!
ACT UP San Francisco
The following letter is available at:
The Model State Emergency Health Powers Act is available at: http://www.publichealthlaw.net
November 7, 2001
Lawrence O. Gostin, J.D., LL.D (Hon.)
Professor and Director, Center for Law & the Public's Health
Georgetown University Law Center
600 New Jersey Avenue, NW
Washington, DC 20001
Dear Professor Gostin:
Thank you for the opportunity to review the recently released draft Model State Emergency Health Powers Act. We appreciate your efforts at bolstering existing public health law; however, we write to raise important questions concerning the breadth of the draft model law, as well as its approach to protecting the privacy of medical information. As you know, the Health Privacy Project is dedicated to the position that protecting the privacy of medical information is an essential component of promoting and preserving public health. Unfortunately, despite the draft's statement that liberty, bodily integrity, and privacy must be respected to the fullest extent possible, we believe that too little attention has been paid to even rudimentary aspects of privacy.
This draft act comes on the heels of the September 11 terrorist attacks and the subsequent bioterrorism scares and its release appears targeted to address these events, yet the actual draft addresses a much broader range of concerns about gaps in existing public health law and authority. Given the current political climate and the intense desire of policymakers and the public to be fully prepared for similar attacks and acts of bioterrorism, we believe it is critical for proponents of any proposed model legislation to be especially vigilant in protecting civil liberties and privacy rights. Accordingly, as we explain below, we urge that changes be incorporated into this draft act (1) to narrow the definition of public health emergency; (2) to clarify that state public health authorities have the power to exercise less restrictive means than quarantine, isolation, and forced treatment and should invoke such powers only as a last resort when justified; and (3) to more consistently and comprehensively incorporate information privacy principles.
Definition of "Public Health Emergency"
As an initial matter, we are extremely concerned with the breathtakingly expansive scope of the definition of "public health emergency" -- a definition that is central to the invocation of the extraordinary powers granted to state authorities. Most alarming is the inclusion of "epidemic" and "pandemic" in this definition (terms which themselves are not defined).
We approached this model with the understanding that it was intended to combat new, emerging threats, specifically the outbreak of disease caused by bioterrorism, but the model act, as drafted, appears to allow the existence of any epidemic, whatever the cause, to trigger the emergency powers vested in state authorities -- powers that include the ability to quarantine individuals and compel treatment. In earlier published work, you have referred to the HIV and hepatitis "epidemics" in this country. (See Gostin, et al., The Law and the Public's Health: A Study of Infectious Disease Law in the United States, 99 Colum. L. Rev. 59, 64 (1999).) Is it your intention to permit state authorities to declare public health emergencies and quarantine people with HIV or hepatitis? Even if a state governor did not use the power vested in him or her to declare a public health emergency and quarantine people with HIV or hepatitis, this act puts in place mandatory names-based reporting for epidemics, presumably including at least HIV and hepatitis, a controversial proposition indeed.
Quarantine and Isolation
We do not argue that quarantine, isolation, or forced treatment -- with the obvious attendant loss of liberty and autonomy -- are never an appropriate exercise of government power. There may be circumstances where such action is the only and last resort. We do question, however, the breadth of situations in which state authorities would have these powers under the model act, and we urge you to more precisely define and limit the circumstances under which such extraordinary powers could be invoked. Moreover, while the draft includes in section 503(a)(2) the important qualification that isolation or quarantine be accomplished "by the least restrictive means necessary to protect the public health," we note the absence of a clear standard that governs when public health authorities are permitted to resort to quarantine, isolation, or forced treatment in the first place, given less restrictive alternatives. We also urge you to share the draft model widely with civil liberties experts, who are in the best position to assess whether the important due process protections included in the draft are indeed sufficient.1
We have several concerns about the draft's approach to protecting the privacy of medical information. As you advocate in your 1999 article on public health (p. 125), It is unrealistic to try to craft a public health information system that ensures ready access and absolute privacy protections. What government can do is create fair, comprehensive rules to ensure that data are acquired, used, and disseminated according to unambiguous criteria and procedures, under mandated security arrangements, with strict penalties for breaches of privacy.
Your article (p. 125) also urges the existence of rules that specify "how long the data will be stored, the circumstances under which the data will be expunged, and the extent to which third parties (e.g., regulators, researchers, and government officials) may obtain access thereto." Your article continues (p. 126):
The subjects of health data should have protected rights to access and to correct their records, and be assured that personal information will be properly held and used. . . . Subjects should be able to obtain copies of their records without undue effort or expense and to correct information that is inaccurate. Personal data should be expunged when no longer needed for the public health purposes. . . .
Legally binding assurances of privacy and security should attach to all personally identifiable public health information. The collector of the data should bear a legal duty to maintain their confidentiality, to store the data in a secure system, and to use the data only for the purposes for which they were collected. Significant penalties should be imposed for breach of these assurances. . . .
Disclosure of public health data should be made only for purposes that are consistent with the original collection. It follows that public health data should only be disclosed where necessary to avert a significant health risk, for the subject's therapeutic benefit, for public health research, or for surveillance purposes. . . .
A methodical and systematic review of information privacy and security measures is essential to ensure a fair and effective public health information infrastructure. Government should establish an independent data protection commission at the national or state level to carefully evaluate information privacy and security protocols and practices, justifications for collection and disclosure, informed consent procedures, information given to subjects, fair information practices, and secondary uses.
When viewed through this lens, it becomes clear that changes in the draft are needed.
The draft does not consistently restrict access to protected health information (PHI) to those within the public health authority (or the public safety authority) with a need to know, or put explicit limits on disclosure of such PHI by state authorities. Several sections, notably section 201(which creates a mandatory reporting system), section 202 (which requires public health authorities to identify, interview, and counsel exposed individuals and track other potentially exposed individuals), and section 203 (which requires public health and public safety authorities to share information about reportable illnesses) will result in the accumulation of PHI by public health and safety authorities. We believe it is essential for this model law to state explicitly that all PHI collected or received by state public health or public safety authorities will be available only to those within the authorities with a need to know. (Section 203(c)'s reference to exchanges between "authorized personnel" is a start.) It also is essential for this model law to prohibit disclosures of PHI by state authorities, with stated exceptions that are limited to the reasons why the information was collected in the first place.
Section 506, which is the section in the draft that explicitly addresses access to PHI and disclosure of PHI, does not respond fully to these concerns. The protections in section 506 apply only to PHI of people who are isolated, quarantined, or under the care of the public health authority. Although "under the care of" is not defined, surely the sections cited above, which govern public health and public safety authorities at all times, not just during a declared public health emergency, will result in the collection of PHI in other circumstances.
It is certainly possible that some existing state laws governing state public health and public safety authorities already contain explicit limitations on who within the authority may access PHI and how PHI may be disclosed, but we gather from your 1999 article that such privacy protections are the exception, not the norm. Since many, if not most, state laws do not contain sufficient privacy protections, we urge you to include them in this model, with a comment noting that states considering the model may instead simply refer explicitly to existing privacy protections in state public health and safety statutes.
We also have specific concerns about section 506:
1. By its placement in the draft, section 506 appears to apply only during a declared public health emergency. Yet public health and safety authorities will surely collect, retain, and use PHI when there is no declared emergency in effect. Research, including the epidemiological research contemplated by section 506, is likely to be undertaken by the public health authority when no such emergency is in effect. Accordingly, we suggest that internal use and disclosure protections be included that clearly apply whenever PHI is collected or received by state authorities.
2. We assume that the limits on "access" in section 506(a) apply to persons employed by the state authority because "disclosures" to outside people are handled in section 506 (b). Nonetheless, this should be clarified since the draft's use of the word "acquire" in addition to the verb "use" could be taken to mean that people outside the authority would have access to PHI under section 506(a).
3. While the draft limits access to those persons with a need to know, it does not limit access to the amount or type of information necessary to accomplish specific purposes. For example, while people involved in treatment of affected individuals may need access to a person's entire nmedical file, researchers investigating an particular issue might need access to considerably less PHI. The minimum necessary concept in the new HIPAA medical privacy regulation is a good model. The idea is to limit access to those people who need it and to limit the type of information they use to what is necessary to accomplish the intended purpose. (The same principle should apply to disclosures of PHI -- only the minimum amount necessary to accomplish the purpose of the disclosure should be disclosed, regardless of recipient.)
4. It is not clear whether section 506 applies only to use of PHI in the possession of public health or public safety authorities 2 or whether this section is intended to authorize public health authorities to access PHI about individuals from outside sources. We assume only the former. If so, this should be clarified. Also, it should be clear that these use and disclosure provisions apply to information held by public health or public safety authorities.
5. Section 506(b) requires "individual specific informed consent" for disclosures of PHI (with stated exceptions). We encourage you to specify that such consent must be in writing. With respect to disclosures that are permitted without consent, the inclusion of "to appropriate federal agencies or authorities" is too vague. As your article states, "public health data should only be disclosed where necessary to avert a significant health risk, for the subject's therapeutic benefit, for public health research, or for surveillance purposes."
6. Finally, consistent with the recommendations in your 1999 article, we urge you to include strict penalties for breaches of privacy protections, provisions to ensure access to an individual's own PHI (and to amend it), security requirements, and provisions requiring expungement when PHI is no longer needed.
By its very name, this draft act is intended to be a model. We hope you will agree that, to be a model, strong privacy protections must be woven in.
We believe the most effective way to resolve the issues we have raised here is to work together to address critical public health gaps while fully protecting civil liberties and privacy rights. These ends are not mutually exclusive; rather, they are integrally linked.
We look forward to hearing from you.
Director, Health Privacy Project
Joanne L. Hustead
Senior Counsel, Health Privacy Project
M. Gregg Bloche, Professor of Law, GULC
Chai R. Feldblum, Professor of Law, GULC
John Podesta, Professor of Law, GULC
James G. Hodge, Adjunct Professor of Law, GULC
1 We also have questions about what constitutes a "public safety authority." Do you intend for law enforcement agencies to fall within the definition of public safety authority? Do you intend for public health authorities and law enforcement agencies to share protected health information?
2 Section 506(b), pertaining to disclosures, refers to "information held by the public health authority," but section 506(a) does not.
ACT UP San Francisco
1884 Market Street * San Francisco, California 94102
Phone: (415) 864-6686 * Fax: (415) 864-6687 * www.actupsf.com
Original: Stop The Emergency Health Powers Act