A Legal Primer on Using Electronic Health Data for Public Health Purposes

March 14, 2018
A new report from the de Beaumont Foundation and Johns Hopkins University provides public health departments with a framework to allow them to request more real-time data from hospitals.

Despite all the electronic data flowing through health systems these days, public health agencies still largely get data in aggregated form and with significant delays. A recent survey of 45 public health officials, however, found strong interest in using electronic health data “to both guide action and geographic ‘hot spotting’ of both communicable and chronic diseases not included in statutory reporting requirements,” according to a new report jointly released by the de Beaumont Foundation and Johns Hopkins University.

So how can public health agencies get access to more real-time data and what are some of the legal and regulatory issues around sharing that data with public health?

The report, Using Electronic Health Data for Community Health: Example Cases and Legal Analysis, provides public health departments with a framework to allow them to request data from hospitals and health systems in order to move the needle on critical public health challenges.

In a March 13 webinar about the report, Joshua Sharfstein, M.D., associate dean for public health practice and training at the Johns Hopkins Bloomberg School of Public Health spoke with attorney Denise Chrysler, director of the Mid-States Region of the Network for Public Health Law at the University of Michigan School of Public Health. (The webinar was put on by the organization, All In, Data for Community Health.)

Sharfstein led Chrysler through several use cases involving a public health agency requesting data from a hospital, and asked for a legal analysis about whether HIPAA allowed it or not.

The first use case involves a public health department seeking information on childhood asthma. In this scenario, the health department requests a weekly data file from each area hospital with information about county residents under age 21 diagnosed with asthma during an emergency department visit or hospital admission. For each emergency department visit or hospital admission for asthma, the data file would include the following fields: date, age in years, gender, and race/ethnicity, but would not include name, social security number, address, or other sensitive or identifying information.

Chrysler responded that this data is considered protected health information, but that HIPAA does have provisions that allow hospitals and other providers to share fully identifiable information with public health authorities to use and act on and use in behalf of the public. She added that hospitals are allowed to share this additional data, but are not required to.

Sharfstein asked if the public health agency would be allowed to ask for particular dates of service. “We would want to look at weather and air quality and see if asthma trends to pertain to air quality. We wouldn’t know that without the dates,” he said. Chrysler agreed that this met the guidelines for a request for minimally necessary data to meet the stated need of the public health agency.

Then he asked if the health department could get street addresses of patients from the hospital to plot on a map to figure out if additional services are needed, such as housing inspections to focus on housing conditions. Again, Chrysler said that as long as it was for a legitimate public health purpose, to protect citizens from the effects of asthma, then that usage also meets HIPAA requirements for sharing data.

What if the county public health agency wanted to share the information with a community organization it partners with? Sharfstein gave the example of telling a community nonprofit that a particular neighborhood would be a good place to focus its efforts of offering mattress covers to reduce asthma. Chrysler said sharing information about areas that are of concern, and making recommendations about general outreach, services or education poses no problem at all.

Here is another use case: The public health agency wants to check the hospital’s ADT feeds against its registry of children with asthma, so the hospital can know when it has a match, which it could help them figure out what care that patient needs.

“In this case, the hospital already shares ADTs with a health information exchange,” Sharfstein explained. “We could share our lists with the HIE and that organization can see whether there is a match and if so, tell the hospital.”

Chrysler said using the HIE as an intermediary in this use case satisfies any regulatory or legal requirements.

The final use case Sharfstein asked her about involved research. If the public health agency wants to know whether its interventions involving community health workers is working well, can it do research and publish the results. She said that would fall under the definition of quality improvement in public health practice and would be acceptable.

All In will hold a second webinar on the topic May 8 devoted to questions submitted on legal issues about data sharing.

Sponsored Recommendations

A Cyber Shield for Healthcare: Exploring HHS's $1.3 Billion Security Initiative

Unlock the Future of Healthcare Cybersecurity with Erik Decker, Co-Chair of the HHS 405(d) workgroup! Don't miss this opportunity to gain invaluable knowledge from a seasoned ...

Enhancing Remote Radiology: How Zero Trust Access Revolutionizes Healthcare Connectivity

This content details how a cloud-enabled zero trust architecture ensures high performance, compliance, and scalability, overcoming the limitations of traditional VPN solutions...

Spotlight on Artificial Intelligence

Unlock the potential of AI in our latest series. Discover how AI is revolutionizing clinical decision support, improving workflow efficiency, and transforming medical documentation...

Beyond the VPN: Zero Trust Access for a Healthcare Hybrid Work Environment

This whitepaper explores how a cloud-enabled zero trust architecture ensures secure, least privileged access to applications, meeting regulatory requirements and enhancing user...