Key Legal Considerations When Using EHR Data for Public Health

When public health practitioners and their community partners have access to timely, frequent, and local data, it can have a transformative impact on their ability to develop effective interventions. Data from electronic health records (EHRs) holds significant potential for public health surveillance, but the Health Insurance Portability and Accountability Act (HIPAA) is often considered a major impediment to obtaining data from hospitals and health care systems.

To answer frequently asked legal questions about sharing data between health care and public health sectors, All In: Data for Community Health held a two-part webinar series featuring experts who contributed to the recent de Beaumont Foundation report, Using Electronic Health Data for Community Health. Denise Chrysler, JD, of the Network for Public Health Law and Joshua Sharfstein, MD, of the Johns Hopkins Bloomberg School of Public Health tackled common misconceptions about perceived legal barriers to using EHR data for public health and provided illustrative examples of typical scenarios.

In this two-part discussion, presenters highlighted the following questions public health departments and their partners should consider when determining how they can legally obtain and use EHR data for community health interventions.

1. Will the data be used for a legitimate public health purpose?

HIPAA has a provision that allows fully identifiable data from medical records to be disclosed to public health authorities if the information helps them act on behalf of the public to prevent illness. This provision applies only to public health services provided by health departments and not to clinical services. Health departments should clearly define their purpose, with input from the community, and develop a data request with a reasonable explanation of how the data will be used to achieve a specific public health goal, like preventing cardiovascular disease.

The health department can also allow “authorized agents” like community-based organizations to use the data to act on their behalf to carry out a public health mission. For example, the health department could enter into a data sharing agreement with a nonprofit agency employing community health workers to offer home visits to patients frequently admitted to the hospital for asthma.

Presenters emphasized that even if it is legal to share information in a particular situation, laws should always be implemented transparently, in accordance with ethics and evidence, and with engagement from the community.

2. Who is providing the data?

The HIPAA Privacy Rule applies to most health care entities, including hospitals, clinics, health plans and emergency departments. If a health care entity is contracting with a business associate like a university that aggregates, analyzes, or de-identifies data for them, that entity is also covered by HIPAA.

If a health department obtains EHR data to be used for public health purposes, they become responsible for its use, disclosure, and protection. The health department must have a business associates agreement to engage other organizations in merging or analyzing data. Community-based organizations should always consult a health department before requesting access to EHR/health system data. Sharfstein explained:

“The health department can act as the ‘captain’ of the data integration team because they have the core legal authority. They are responsible for developing a strategy with partners to determine the appropriate level of data release and how the data can be used and shared.”

3. Is the data protected health information?

Protected health information (PHI) is any information in a medical record that can be used to identify an individual (names, addresses, social security numbers, etc.), but HIPAA also applies to indirect identifiers that carry a risk of re-identification (e.g. demographic information, dates of service, birth dates, etc.). This list of resources and tools from the Network for Public Health Law provides guidance on laws and practices related to de-identification of health data.

If a health department needs PHI, it’s important to make the case for why those particular data elements are necessary to prevent disease. For example, addresses may be needed to protect residents from lead hazards in homes, or dates of asthma-related hospitalizations may be needed to warn the public about poor air quality during certain weather conditions.

4. Will the data be used for research or practice?

If you plan to publish any of the data, be clear at the outset about what you are studying and how you plan to use the results. If your intent is to protect the health of a specific community, the study is considered “public health practice” rather than “research” because the purpose is quality improvement, program evaluation, or assessment.

If your intent is to contribute to generalizable knowledge beyond your specific community, then the study would be considered “research.” Research is held to a different set of standards and would need approval from an institutional review board (IRB). The webinar resource list includes tools for distinguishing between research and practice.

5. Are you asking for only the minimum necessary data?

After you determine a public health goal with support from the community, consider the minimum data that is necessary to achieve that goal. For example, you may determine that street addresses can be used to track the geography of asthma while names and other PHI can easily be omitted from the dataset. If you plan to integrate multiple data sets, you may need fully identifiable information for matching purposes.

Chrysler noted that making a formal, written request explaining why the data is needed for a public health purpose can help ease privacy and security concerns. She explained:

“Years ago, when I was a privacy officer at a health department and a hospital was reluctant to share data, one thing that helped was preparing a memorandum explaining the health department’s legal authority and how this represented the minimum necessary data. That would often calm hesitancy because it showed they had done their due diligence and had a written statement.”

6. How will you make a compelling value case?

Disclosure of PHI by health care providers is voluntary, so health departments still need to make a strong case for why the data is needed to address a community health need. In addition to potential legal barriers, hospitals may have other concerns about the time and investment required, technical challenges, or cultural barriers. Building relationships with health care staff can allow you to work through those issues, explain the benefits of sharing data, and determine how it can further their mission.

Also, consider who will make the data request. In some cases, a coalition member may be a better messenger than the epidemiologist handling the data if they can tell the story of how a health concern like opioids affects the community and how the health care entity can be part of the solution. A recent BUILD report provides insights on making the value case to hospital leaders, and a DASH bright spot shares lessons learned about engaging managed care organizations in data sharing.

7. Are there other laws besides HIPAA that need to be considered?

The above considerations apply to HIPAA, but of course HIPAA is not the only law governing how data can be shared. Public health practitioners may want to consider hiring a lawyer who can conduct a legal review of all the federal and state laws that may apply, especially if health data is being integrated with data from other sectors.

The Network for Public Health Law provides free technical assistance and maintains a directory of public health lawyers with expertise in various areas to help public health officials, practitioners, and advocates make full use of the law to improve health outcomes.

Continue the Conversation

Do you have a success story to share about using EHR data for public health, or a question for the webinar presenters? Join the EHRs in Public Health User Group on the All In online community to add your thoughts to the discussion.

Learn more

The slides, recording, a summary of the Q&A and other materials from this two-part webinar series can be found in the webinar resource bundle. To learn more about projects that share data across sectors to improve health, sign up for the All In newsletter.