Why HIPAA shouldn't be an impediment to public health data sharing

A new report from de Beaumont Foundation and Johns Hopkins aims to clear the air with regard to what the privacy law does and doesn't do.
By Mike Miliard

Despite the fact that the law has been on the books for more than two decades, there are still a lot of misconceptions about HIPAA and the ways it applies to information sharing. We've even heard horror stories about hospitals refusing to furnish patients with their own data, saying that doing so would be a HIPAA violation.

A new report from de Beaumont Foundation and Johns Hopkins Bloomberg School of Public Health aims to demystify some of the lingering questions about HIPAA protections, and in so doing help break down some of the potential barriers to more widespread electronic health data exchange for public health.

The study, "Using Electronic Health Data for Community Health," is meant as a roadmap of sorts for overcoming those perceived legal impediments.

Thanks to the now-widespread adoption of electronic health records, easy access to digital patient data "offers an opportunity for a leap forward in data access to address community health challenges," according to the report. For example, "a recent survey of 45 senior public health officials found particular interest in using electronic health data to both guide action and geographic 'hot spotting' of both communicable and chronic diseases not included in statutory reporting requirements."

But too often, HIPAA has been seen as an impediment to information sharing between health systems and public health departments, the authors say. In the report, they highlight the legal underpinnings for data sharing and offer a series of constructive uses where an exchange of patient data improves population health.

"HIPAA, and its implementing regulations recognize the legitimate need for public health agencies to gain access to private health information to carry out public health activities," the report authors write. "To do so responsibly and successfully under the law, public health agencies must be clear about their goals, specific in their requests, and take steps to assure the confidentiality of key data."

By presenting a series of use cases – focused on disease surveillance, direct messages to providers, quality improvement initiatives and more – the report spotlights permissible voluntary disclosures under HIPAA, explaining what health systems can share with public health agencies under the law. 

It also offers a lengthy FAQ section, with questions ranging from the basic (What is HIPAA? What is the HIPAA Privacy Rule? What is Protected Health Information?) to the advanced (What should covered entities do to comply with the minimum necessary standard? What is best practice for releasing data that includes geocodes?).

In addition, the report offers a series of recommendations for public health departments for more HIPAA-compliant access to electronic health data:

1. Define key public health issues and goals with broad community support. "Public health agencies can start by defining critical issues and building consensus around the need to address them," according to the report. "A discussion on data sharing can then be set in the context of public interest in addressing childhood asthma, the opioid epidemic, or other important challenges. (It is rarely persuasive to ask anyone to share data for the sake of sharing data.)"

2. Develop a data request with a clear explanation, plan for privacy protection, and plan for data use. "As the use cases demonstrate, the specificity of a request makes it possible for others to consider the value and cost of participation. It may be helpful to engage with key sources of data as the request is developed to be sure that what is requested is feasible."

3. Obtain legal review to assure key participants of compliance with HIPAA and other applicable state and local laws. "A legal review can provide assurance that plans are compatible with key standards in HIPAA and other applicable state laws. It is hoped that this paper can serve as a starting point for this review."

4. Provide for public engagement for the purposes, use, and protection of data. "Public engagement provides an important measure of transparency about plans for data sharing and public health action. Public health agencies can create and implement an engagement strategy that strengthens support for actions to improve health outcomes."
