Fever. Nausea. Vomiting. Diarrhea. \n\nAt first, bioterrorism\u2014whether it's inhalation anthrax, smallpox, pneumonic plague or something else entirely\u2014will probably feel like the flu. You'll be miserable, but you probably won't be alarmed. You'll go to your local drugstore, clinic, maybe an emergency room. Doctors in one place or another might notice a small uptick in patients with flulike symptoms. But no one will see the pattern. Until people start dying.\n\nThat is, unless a sophisticated computer network could transmit and integrate patient information in real-time so\n\nthat health officials could see what was happening across hundreds, if not thousands, of facilities. And that's just what legions of technologists and clinicians in public health departments, hospitals, laboratories and pharmacies are trying to develop right now.\n\n"The systems are being defined and created as we speak," says Rosemary Nelson, chairman of National Preparedness and Response, a new bioterrorism task force created by the Healthcare Information Management and Systems Society (HIMSS). If such a network existed, health officials could sound the alarm in that precariously short window of time when the spread of the disease could be stopped.\n\nThe system could be information technology's finest hour, saving lives as well as money. Even without a bioterrorism attack, a surveillance system would be useful in detecting the early stages of any disease, such as the recent outbreak of the mysterious ailment called SARS, or severe acute respiratory syndrome. Such a system could also help lay the groundwork for a long-desired standardization of electronic medical records, which would significantly reduce errors in patient care and save substantial amounts of time and money.\n\nBut if the pieces don't come together\u2014or if they do but in the process erode the concept of patient confidentiality\u2014then that could be IT's greatest failure.\n\n"[Technology] has so much potential use in bioterrorism and health care, but the word is potential," says Dr. Eduardo Ortiz, a senior fellow with the Agency for Health Care Research and Quality at the U.S. Department of Health and Human Services, which in August 2002 released a 354-page report about how IT could be used for bioterrorism preparedness and response. "We're not there yet; we're not even close," he says.\n\nSince the anthrax attacks in Connecticut, Florida, New York and Washington, D.C., definite progress has been made in creating an effective early warning system for bioterrorism. But wildly disparate computer systems, disconnected and often overlapping projects, and a lack of industry standards still stand in the way of creating the kind of network that can save lives.\n\nIn late January, HHS Secretary Tommy Thompson unveiled a $3.5 million command center in Washington, D.C. Seeking to reassure a public nervous about biological and chemical attacks, Thompson explained that this new command post would let him coordinate the response to a bioterrorist attack and bring together everyone from the CIA to the Centers for Disease Control and Prevention (CDC), which is part of HHS. As CNN cameras filmed a wall of video screens 24 feet wide and 7 feet tall, correspondent Wolf Blitzer told viewers that they were witnessing "how your life could be saved."\n\nIt was all window dressing. In many parts of the country, the primary mechanism for detecting bioterrorismor any epidemicis still the cards that doctors are required to fill out with the patient's name, address and diagnosis, and submit to local health departments when they come across a disease that poses a significant health risk. The diseases that must by law be reported vary state to state: West Nile in New York; the hantavirus in New Mexico; most sexually transmitted diseases, everywhere. The root philosophy is that doctor-patient confidentiality must sometimes be secondary to preserving public health. (The notable exception to that rule is when a patient has AIDS or is HIV-positive.)\n\nOn a local level, health officials use those reports to track treatment, notify others who may have been infected or quarantine an individual if necessary. On a broader level, epidemiologists look for disease patterns across the city, county, state or nation, and alert health-care practitioners and the CDC to anything unusual.\n\nSome local health departments have started allowing clinicians to submit this information electronically, but not many do. Many health departments still worry about upgrading their dial-up Internet connections to broadband.\n\nFor doctors, the reporting process is so labor intensive that observers put the compliance rate at less than 20 percent. That means that four times out of five, doctors never even bother to fill out a report. Fortunately, the laboratories where they send their tests tend to be more automated and therefore more likely to file that information electronically with the public health department. But no one believes that public health departments have anywhere near a complete view of what's going on\u2014regardless of the bank of video screens that adorn Thompson's command center.\n\n"In retail America, they long ago made the entire supply chain of data electronic from cradle to grave," says CDC CIO James D. Seligman. "The chairman of Wal-Mart can find out how many widgets got sold an hour and a half ago anywhere in America. That's where we're trying to get with health datato enable that electronic passage of information from the point of encounter, when a patient sees a health-care professional, and then pass all that data on electronically to the appropriate jurisdictions."\n\nThe health-care system is a long way away from that, says Jim Klein, a vice president and research director for Gartner. Even in areas where local health departments do accept information electronically, Klein estimates that only about 5 percent of hospitals have fully automated medical records. That lack of automation and standardization means that the disease-reporting process is not only spotty but also slow. A doctor's office might wait until the end of the month to mail its stack of forms to the local health department. From there, the forms could take another month to be processed, analyzed and sent on.\n\nNeedless to say, that's just not fast enough for bioterrorist incidents, which doctors say they must respond to in hours, not weeks. Anthrax victims, for instance, should be treated in the first couple of days after exposure. By day six, when a person is sick enough to go to the emergency room, she might be too sick to be saved.\n\n"Epidemiology is good and gets you to disease recognition, but unfortunately [the recognition comes] a month or two after the information is worth anything," says Dr. Michael Allswede, an emergency room physician and clinical associate professor at the University of Pittsburgh School of Medicine, who was also a U.S. Army medical company commander in Desert Storm.\n\nIt gets worse. Even if all the information available about disease diagnoses were collected and analyzed in real-time, that still wouldn't be enough to short-circuit a biological attack. That's because the information we possess under current law and practice is insufficient. Doctors have no reason or obligation to report many of the early warning signs of bioterrorism\u2014the flulike symptoms that could be public health officials' first hint that something has gone wrong. In fact, the Health Insurance Portability and Accountability Act (HIPAA) prevents doctors from sharing any kind of personally identifiable patient information with a third party, except in cases when the public health departments need to know about a legally reportable disease. In other words, a doctor is legally obligated to notify public health that a certain patient has anthrax but legally forbidden from notifying public health that a specific patient has the symptoms of anthrax.\n\nNevertheless, a few local health departments are starting to gather symptom information that could give early warnings about the outbreak of a disease. But this "syndromic surveillance," as it's known, is being held back not just by technological challenges but by political ones, as health-care providers grapple with the line between trend information\u2014perhaps including a patient's age, gender and ZIP code along with his symptoms\u2014and the personally identifiable information protected by the HIPAA legislation.\n\nTracking Symptoms in New York\n\nNew York City has stopped waiting for doctors to fill out those little cards. Instead, the city is working on what it hopes will one day be a model of how to identify the outbreak of a disease in its earliest stages. More than two years ago, the New York City Department of Health and Mental Hygiene started gathering 911 call data for cases involving sickness and respiratory distress. Then, shortly after Sept. 11, the department also began collecting from emergency rooms what's known as the "chief complaint" of incoming patients, such as fever, nausea or a persistent cough. This is the most likely health information to be entered into a computer because even if patient case files are not automated, insurance and admittance systems usually are. That information also includes a patient's age, gender and ZIP code, but not his name, ethnicity or other personal data.\n\nThe information comes in to the NYC Health Department via secure FTP once or twice a day, sometimes just in ASCII format, with about 40 of the city's 90 hospitals participating so far. "We said, 'Give us whatever you have, and we'll put it in a common form for analysis,'" says Ed Carubis, CIO of the NYC Health Department. "We didn't force them to use a certain data standard or make them jump through hoops because what we really wanted was participation."\n\nUsing that information, public health officials can now identify the start of flu season two weeks before the trend shows up in laboratory results, allowing them to get a jump on awareness campaigns. The department has also started gathering information about certain kinds of prescription and over-the-counter drug sales (from at least one major pharmacy chain) and absentee rates (from a few major employers in the city).\n\nWill the city start tracking sales of orange juice and Kleenex next? Carubis can't be sure because the NYC Health Department is still trying to figure out how, exactly, to extract meaning from pharmacy sales and absentee rates. (What red flag goes up when there's a run on Maalox?) He also won't say which pharmacies or employers are sharing numbers with the city. That probably has something to do with the fact that this kind of system, frankly, gives some people the creeps. Privacy advocates wonder how useful this kind of information can really be and what further invasions of privacy it might lead to.\n\nWho's Doing What?\n\nFor one researcher, New York's fledgling surveillance project is just line 47 on a spreadsheet of projects. John McLamb has been trying to pull together a comprehensive list of all the national, state and local bioterrorism initiatives that health departments, universities, professional associations and even the Department of Defense are currently attempting. McLamb, who is director of informatics for emergency medicine at the University of North Carolina at Chapel Hill, is doing the work for HIMSS's group on bioterrorism and not at the behest of any federal agency.\n\nEvery line on his spreadsheet has a story. In Kansas City, for instance, health-care vendor Cerner is working with local hospitals to automatically send certain computerized lab reports to health departments in Kansas and Missouri. Only health departments have the key to unencrypt identifying information, but physicians at any of the 23 participating hospitals can view the region's trend data for research purposes. "Before, we were living in our own little pockets of data," says John Wade, vice president and CIO of Saint Luke's Health System, one of the participating organizations.\n\nIn the Minneapolis area, after much wrangling over HIPAA, the nonprofit health-care organization HealthPartners started sending information about flulike illnesses to researchers at the Harvard Medical School, as part of a $1.2 million early warning system funded by the CDC. Other participants include the HMO Kaiser Permanente and Optum, which operates a national 24-hour health hotline. "I've spent as much time working on the privacy concerns as everything else combined," says Dr. James Nordin, a clinical research investigator at HealthPartners. "What we have done is to be very limited about the information that goes out to the Minnesota Department of Health and even more limited about the information that we send to the data center at Boston."\n\nAnd in New Mexico, researchers at Sandia National Labs have developed a system called the Rapid Syndromic Validation Projectthe only one of the bunch that, instead of fishing information out of existing data streams, requires health-care providers to actually log on to a secure website and type in information about a patient's symptoms in exchange for trend and treatment information. "We tell the doctor that we only want sick people, and we give the doctor something back that's relevant to the patient they're treatingnot in 10 days but in 10 seconds," says Alan Zelicoff, the senior scientist who developed the system and hopes it will eventually be used across the country.\n\nIn those programs and dozens of similar ones in the works, there's more than a little braggadocio involved. "This one's the best," Zelicoff says, by way of greeting this reporter when I called for an interview.\n\nAnd there's more than a little overlap too. "I see a lot of efforts out there that are redundant," McLamb says. "If people who are doing the same thing would get together, they wouldn't have to reinvent the wheel."Pocketbook PersuasionWith so many projects being developed by so many entities, the ultimate success of any national bioterrorism surveillance system will depend on one thing: whether those systems can ever talk to each other. And if there's one thing that everyone involved agrees on, it's the need for standards.\n\nThe federal government has taken one big step in that regard. In March, the U.S. Department of Health and Human Services along with the departments of Defense and Veterans Affairs jointly released the first set of uniform health information standards for exchanging clinical data electronically across the federal government. When developing new systems, all federal agencies are now obligated, among other things, to use the Health Level 7 messaging format\u2014a set of drug-ordering guidelines already adopted under HIPAA\u2014and a group of codes for laboratory results.\n\nUltimately, though, public health is a very local activity. It's you, your doctor, your exam room, your lab test results. When it comes to reaching the state and local health departments that interact with all the players, the federal government has a lot less control than one might expect. "Typically, if there's an outbreak of a disease at the local or state level, they will handle it locally or invite the CDC in on an as-needed basis," the CDC's Seligman says. "We offer our assistance, but ultimately it's their call."\n\nThe one way that the federal government does have power to persuade is with its pocketbook. And that's where the CDC's National Electronic Disease Surveillance System (NEDSS) comes in. This system lays out a sort of meta-standard for both health-care information and IT standards. All state health-department systems must be NEDSS- compatibleat least they do if they want a piece of the $918 million in bioterrorism grants that the CDC is handing out this year.\n\nThis pocketbook persuasion could pave the way for electronic medical records in the health-care industry. "These standards that make national disease surveillance work are the same standards that we'll need if we're going to move forward to a day when you can ask a doctor to send your medical records electronically to a new doctor," Gartner's Klein says. But the work also highlights just how difficult the journey will be.\n\nPennsylvania is one of the few states that has already adopted the system. There, the state Department of Health built a NEDSS-compliant application that allows doctors to go to a secure website to report a disease. As soon as a doctor hits "save," the information is available to public health investigators.\n\nDevelopment was no small task, says Mary Benner, CIO and IT director for the Pennsylvania Health Department. The state had to consolidate some 6,000 data fields from 100 forms to 600 actual data elements in the database, and also work out problems with providers on antiquated operating systems trying to use the digital certificates that enable secure, encrypted communications.\n\nNow, the biggest challenge is getting doctors to register. Since July 1, when the system went live, the department has received 57,000 cases of reportable diseases electronically. It also gets several hundred reports a week in paper form. "Some [doctors] are very enthusiastic, and others don't have a computer in their office and don't want one," Benner says.\n\nWith that kind of reluctance and the ongoing challenge of getting the industry to adopt a set of standards, a national bioterrorism surveillance system seems far off, indeed. Right now, truly effective public health surveillance must await the resolution of a national debate on how homeland security will play out in a country that has always prided itself on its freedoms. And that debate will increasingly depend on how well technology balances the public's need to know with the individual's right to privacy.\n\n"We have to decide as a nation how much security and privacy we need when those two things are in a trading relationship," says Pittsburgh School of Medicine's Allswede. "What we're doing in terms of information technology\u2014and where it has to progress\u2014is a microcosm of that larger sociological change."