Beyond the EHR: Why Public Health IT (PHIT) Systems Play by Different Rules
Somewhere in your community, there is a database you have probably never heard of. It may already have your name in it. It knows which vaccines you received, whether a lab result was ever filed under your address, and possibly whether you were ever near an outbreak that didn’t become one. You didn’t opt into it the way you opt into an app. It exists because your government decided that protecting the public requires knowing something about everyone, and that someone has to be responsible for that data.
Every country handles that responsibility differently. Some systems are national. Some are regional. Some are robust and well-funded; others are held together by underpaid staff and aging software. But nearly every government in the world operates at least one of them.
That system has a name. It is called a public health IT system, or PHIT, and most people will go their entire lives without knowing it exists.
So what exactly is a PHIT? A public health IT (PHIT) system is any digital repository used to collect, manage, analyze, and store data that supports population health services. Immunization information systems are the most common example, but some of the most consequential PHIT systems are the ones used to track outbreak responses and case management for reportable conditions. Lesser-known PHIT systems include systems that document food inspection results and syndromic surveillance systems (used in various countries to collect de-identified emergency room data for early outbreak signals).
What would public health look like without them?
PHIT systems are the backbone of community protection. Imagine trying to stop a wildfire without being able to see where it started, how fast it is moving, or how many fires are burning at once. That is essentially what public health would look like without information technology. The work would still happen, but it would be slower, narrower, and far more deadly.
Built Differently, On Purpose
Public health IT (PHIT) systems are fundamentally different from other types of health technology in several ways. Most health technology is built around a single patient seeking care. Public health IT systems are built around everyone, whether they are seeking care or not. That distinction shapes everything about how these systems are designed, governed, and operated.
Who owns the data (and who's responsible for it)?
PHIT systems are typically owned by public entities (e.g., city, county, state, province, township, federal government, or international assembly) and funded with public taxpayer dollars.
One state, one set of rules. Why no two systems are the same.
PHIT systems are required to operate within the boundaries set by the jurisdiction responsible for managing the public health data.
Local public health laws dictate: what data MUST be collected (compulsory/required reporting), what data points CAN be collected (discretionary reporting), what data points CANNOT be collected (mandatory data exclusions), where the data goes, and what happens to it when it gets there.
For example, the Texas Immunization Registry (ImmTrac2) is an opt-in system that requires consent to store the immunization data that is sent to it. Since providers have no systematic way of knowing who has consented and who hasn't, data flows into the system and is only stored for the people who have an active consent on file. This structure is in place because the Texas Legislature mandates that citizen immunization data cannot be stored in the state system without the individual's consent.
Contrast that with the District of Columbia Immunization Information System (DOCIIS), which is structured as an opt-out system, with records being stored in the system unless a parent or adult specifically opts out.
Texas and Washington, D.C., are just two examples of how differently this can look within a single country. Multiply that variation across provinces, nations, and continents, and the idea of a universal standard for public health IT becomes nearly impossible to imagine.
For this reason, there is no such thing as a standard PHIT across jurisdictions. State, county, and city governments legislate and delegate the authority to operationalize data collection to specific entities (usually the health department overseeing that jurisdiction). This means that the only organizations approved to receive that data are public health agencies and the organizations they contract with to carry out specific services.
There is a major emphasis on individual privacy, public safety, and emergency response, three priorities that do not always point in the same direction, and PHIT systems have to navigate all three simultaneously.
Built for everyone, not just patients (population focus)
PHIT systems, like most public health programs, cover the entire population, not just the people who are specifically seeking care. In that sense, many private citizens have no idea what is in these systems and how the data is used to protect their community.
When 'Mike' and 'Michael' might be the same person (or might not).
PHIT systems are often set up to support the flow of data from external entities that are required by local law to send data on reportable conditions and other data points that are critical for effective population health services. External reporting agencies include labs, pharmacies, hospitals, medical providers, and even individual citizens.
This means PHIT systems have to collect data from a lot of different external sources and are forced to reconcile multiple records for the same individual or event. PHIT systems need strong entity analytics and entity resolution capabilities to make sure that records that may seem duplicate at first glance are truly covering the same person and not someone with similar information.
For example, if a lab submits a test result for 'Michael Moore' and a hospital submits a case report for 'Mike Moore' at the same address with the same date of birth, the system needs to determine whether they are the same person (or twins) before acting on either record. Getting that wrong in either direction has real consequences.
Data comes from everywhere. Someone has to make sense of it.
A single outbreak investigation might draw on data from a local hospital, a regional lab, a national disease registry, and a customs database tracking international travel. None of those systems were designed to talk to each other. And in most countries, public health isn’t managed from a single central point. Data collected at the national or state level still has to flow down to local health offices, where the actual follow-up happens: the phone calls, the contact tracing, the services that reach people. Someone has to sit at the center of all of that, reconcile what is coming in, and make sure it reaches the right hands in time to matter. In most cases, that someone is a public health agency operating a PHIT system that was never quite built for the scale it is being asked to handle.
Most people will never log into a public health IT system. They will never see their name in one, never know a record was matched, and never realize an outbreak was caught early because the data got there in time. That invisibility is not a flaw; it is the point. The best public health infrastructure is the kind that works so quietly, so reliably, that the people it protects never have to think about it.
The next time you hear about an outbreak that was contained, a recall that reached the right people in time, or a disease that didn’t become an epidemic, there was a system behind that. Probably several. Built by governments, governed by law, and operated by people most of the public will never meet. That is public health IT (PHIT). Unremarkable until it isn’t.