- Access to electronic health data can help public health agencies work toward improving patient care and addressing community health challenges, according to recent research. However, confusion over HIPAA data sharing policies and how electronic data can be used is a potential barrier.
The de Beaumont Foundation and Johns Hopkins Bloomberg School of Public Health released a report on how public health agencies can utilize electronic health data “to move the needle on critical public health challenges.”
In Using Electronic Health Data for Community Health, the organizations outlined six scenarios of how information can be used to make progress on childhood asthma. Furthermore, the report reviewed HIPAA regulations to explain permissible voluntary disclosures under federal law.
“Public health agencies obtain data from a wide variety of sources, including vital records, laboratories, inspections, public surveys, and reporting from clinicians,” the report stated. “Yet, important gaps in the understanding of the health of populations remain. These gaps relate to the fact that many existing data sources provide data, aggregated at a high level, infrequently and with a significant delay.”
It is critical that public health agencies are clear about their goals, specific in their requests for health data, and take steps to assure the confidentiality of key data, report authors stressed.
The first example explains how a county health department might go about reducing the burden of childhood asthma. Researchers suggested that the department would perhaps request “a weekly data file from each area hospital with information about county residents under age 21 diagnosed with asthma during an emergency department visit or hospital admission.”
Only certain data would be requested, including date, age in years, gender, and race/ethnicity. Social Security numbers, addresses, and other sensitive or identifying information would not be necessary.
For HIPAA regulations, this planned use of electronic health data would be permissible under the federal law and hospitals would be legally allowed to share the requested data for that purpose.
“In this use case, the health department has clearly articulated a need for information related to a public health activity—surveillance of pediatric asthma-related emergency department visits and hospitalizations by county residents,” the researchers explained. “This clear articulation gives the health department the legal authority to request and receive protected health information from local hospitals and healthcare providers under HIPAA.”
HIPAA has a “minimum necessary” requirement, the research team pointed out. HHS explains that the minimum necessary requires covered entities to “make reasonable efforts to use, disclose, and request only the minimum amount of protected health information needed to accomplish the intended purpose of the use, disclosure, or request.”
Another scenario involved a health department requesting certain information from area hospitals on county residents under age 21 diagnosed with asthma during an emergency department visit or hospital admission. In this example, the department is trying to identify specific areas where there may be environmental conditions leading to asthma triggers.
Individuals’ street addresses would also need to be requested, in addition to the other data from the previous example.
“In this use case, the health department has clearly articulated a need for health information, including geographic data, related to a public health activity—assessment of home hazards related to asthma and the provision of remedial services to address health risks,” the research team stated. “This clear articulation gives the health department the legal authority to request and receive protected health information from local hospitals and healthcare providers under HIPAA.”
The researchers also included a HIPAA “Frequently Asked Questions” section, and discussed how data can be shared under HIPAA regulations. Public health use of data from healthcare organizations was also reviewed, along with public records laws, disclosure by public health agencies, and how HIPAA distinguishes between public health practice and research.
The research team also suggested the following best practices for public health agencies with regard to using electronic health data:
- Define key public health issues and goals with broad community support
- Develop a data request with a clear explanation, plan for privacy protection, and plan for data use
- Obtain legal review to assure key participants of compliance with HIPAA and other applicable state and local laws
- Provide for public engagement on the purposes, use, and protection of data.
Sharing health data is allowed under HIPAA regulations, and the information could be used for improving overall public health. Organizations need to ensure that they educate themselves on all federal and state laws with regard to the data sharing process.