Improved data interoperability should be accompanied by a renewed focus on communicating both the public health benefits of sharing and the protections provided for individual health information.

Efforts to modernize public health data infrastructure in the wake of COVID-19 are rightly focusing on data standardization and enhanced sharing between clinical providers and public health authorities. However, such modernization must also address the federalist legal framework that governs health data collection: just as public health functions involve federal, state, and local governments, similar complexity exists in the laws that govern when individual data may be collected, used, or shared for public health purposes. As enhanced standardization enables greater data access and exchange, public health should not only enhance disclosure about the ways in which individual privacy rights will continue to be protected but also provide greater transparency about the goals of such data collection — going beyond purely legal disclosures to explain the community benefits.

Assurance of appropriate privacy protection for individual data is fundamental in both the clinical and public health contexts. Not all public health objectives require individually identifiable information — for example, response resources can be allocated based solely on aggregated case mapping and population health outcomes measured using records de-linked from patient identity. However, when individually identifiable health information is needed for public health purposes, a complex framework of federal and state laws applies. States exercising their police power to protect public health may compel access to this individual health information without patient consent, most conspicuously for monitoring for disease outbreaks. When patient data is needed for other public health data purposes, the federal HIPAA health information privacy law provides a baseline: health care providers can disclose individually identifiable health information without patient authorization, but they may provide only the minimum necessary information to accomplish the public health objective. States, however, may also impose more stringent requirements limiting when individual information can be shared without patient consent.

When public health authorities seek access to individually identifiable information held in health information exchanges rather than clinical provider records, an additional layer of regulation comes into play. Some states require health care providers to obtain patient consent before individual health information is transferred to either private or state-chartered exchanges, while others permit automatic transfer to exchanges so long as the patient is informed and can opt out. Although the totality of these requirements provides important protections for patient health data, including for the most sensitive information, the resulting federal and state patchwork can create potential disincentives to data sharing. Indeed, at the height of last winter’s COVID-19 surge, the U.S. Department of Health and Human Services (HHS) issued clarifying guidance on how providers and exchanges might still share data for public health consistent with HIPAA.

A similar variety of laws governs the collection of vaccination information for children and adults in state-chartered immunization information systems (IIS). A majority of states require providers to report both childhood and adult vaccinations to their state IIS and permit the sharing of individual vaccination status with health care providers, exchanges, and public health authorities. Some states afford no individual control over the collection and use of such information, while others impose significant limitations. Texas, for example, mandates reporting for children but requires consent for storing or sharing adult vaccination status for any health purpose. Because of this complexity, attempts to access IIS information during COVID-19 revealed regulatory uncertainty about when primary care providers could access IIS vaccination status, either via direct query or health information exchanges. 

It remains challenging for clinical providers — as the front line in disclosure — to communicate to patients the full range of potential public health uses of individual health information. Depending on state law requirements across their operational footprints, providers must not only adequately disclose their own internal data collection and sharing practices under HIPAA but must also provide additional disclosures and patient choices for sharing with health information exchanges. While some major health systems, like Geisinger, Kaiser, and CommonSpirit Health, address clinical use and health information exchange sharing in a single disclosure, others, like Cleveland Clinic and Trinity Health, layer on notices to separately address exchange sharing and patient choice (either opt-out or opt-in). For those providers that do furnish more specific information about the benefits of health information exchange, electronic disclosure may be the only viable option — leaving out patients who receive only paper-based disclosure.

For public health uses of patient data, provider notices currently provide high-level disclosures that patient data can be shared for public health as required or permitted by law; for disease control; for reporting population statistics and adverse drug events; and for safety. The aftermath of COVID-19 offers an opportunity to consider how patients could be provided less abstract descriptions of public health uses of their data, such as how the integration of patient health and vaccination records can allow for better prioritization of outreach efforts to those most at risk. As particular public health use cases are articulated, so too can the corresponding privacy protections for patient data. Depending on the public health data objective, patients could be more clearly apprised of applicable protections, such as data minimization, retention limits, or limits on the identifiability of patient records — and equally important, the relevant choice mechanism to limit such use.

It will be equally important to go beyond data practices disclosures to consider other ways to educate patients about the fundamental purposes and benefits of sharing for public health. The need for effective public education has already been demonstrated in populous states like Florida and New York that require patients’ consent to the sharing of their records with health information exchanges. Federal and state exchange FAQs currently explain the individual patient benefits in clinical care, such as improved emergency care and avoidance of drug interactions. But greater education will be needed about the public benefits of such sharing, whether at a local, regional, or national level. Such messaging could emphasize improved community health protection from specific threats, such as COVID-19 or future infectious epidemics, or broader equitable objectives, such as addressing disparities in treating chronic disease. Drawing on appropriate research on public attitudes and expectations, enhanced education messaging could be provided in clinical or other health care settings, as well as through regionally or locally-focused public health campaigns. Such outreach could be appropriately tailored to reflect differing levels of health literacy and linguistic diversity. In the aftermath of COVID-19, public health has an opportunity to better educate and persuade patients about how improved data access and use will make tangible differences in the health of their communities.

Chuck Curran is a data policy consultant currently participating in the U.S. Health Law Certificate program at Georgetown University Law Center.