Public health data has become increasingly important as the country focuses on achieving the Triple Aim of improving care, reducing costs, and improving population health. As public health data has the potential to inform a wide range of policy and programmatic decisions, finding ways to maximize available data sources can help policymakers implement more effective population health interventions. For example, with public health data, policymakers and program managers can identify a region to target resources where they will make the most impact.
However, misconceptions about health information privacy protections can lead to underutilization of data that can be critical to improving population health. The following nine facts explain key aspects of the Health Insurance Portability and Accountability Act (HIPAA) and how health information can be shared and used under HIPAA.
1. HIPAA established safeguards to protect an individual’s health data. Adopted in 1996 and regularly updated, HIPAA’s Privacy Rule created the first national standards for protecting the privacy of certain individually identifiable health information, which is referred to as protected health information (PHI).
2. HIPAA recognizes public health officials need to have access to PHI to implement public health and safety related activities. HIPAA’s Privacy Rule allows for disclosure of PHI without individual authorization to public health authorities for specified public health purposes. These include activities intended to prevent or control disease, injury or disability as well as conducting public health surveillance, investigation and intervention.
3. Certain entities, called covered entities, may share PHI for specified public health activities and purposes. Health plans, healthcare clearinghouses, and most healthcare providers are considered to be covered entities under HIPAA. Some public health agencies and authorities are also considered covered entities, such as those that operate within a clinic that provides essential health services. This question and answer decision tool can help entities determine whether they are considered covered entities.
4. HIPAA requires covered entities to implement internal privacy policies and procedures. Employees handling PHI must be trained to understand these privacy policies and procedures. In addition, an individual must be designated to be responsible for implementing the privacy policies and procedures.
5. Once PHI has been sent to public health authorities, it is no longer considered as protected under HIPAA. While the data is no longer covered under HIPAA, there are public health policies, protocols, and state laws that ensure the privacy of the data is maintained.
6. Public health research allows for some exceptions to HIPAA. Covered entities are allowed under HIPAA to share PHI for the purposes of research with individual authorization. Under specified circumstances PHI can be used or disclosed for research purposes without individual authorization. Specifically, a covered entity must obtain approval from an Institutional Review Board or Privacy Board or meet other requirements outlined here.
7. De-identified data does not fall under HIPAA and does not require individual privacy protection. Data that have been stripped of individual identifiers or aggregate statistical data are considered de-identified data. Specifically removed from de-identified data are 18 pieces of information that could be used to identify an individual, such as names, account numbers and other identifiers.
8. Lawyers can establish legal agreements (data-use agreements and business agreements) to assist prospective partners with data sharing. Overcoming the real or perceived legal barriers under HIPAA can be critical to increasing the willingness of partners to share public health data. For example, business associates can assist covered entities in carrying out health care activities and functions, which may involve access to PHI. In these cases the covered entity is required to have a written contract or arrangement to define the role of the business associate and to maintain the security of PHI.
9. A data-use agreement establishes who may see or use limited data sets. Limited data sets contain health information that is not directly identifiable to specific individuals but, unlike de-identified data, they may contain some identifying information such as zip codes or birth and death dates. For a covered entity to disclose a limited data set, it must establish a data-use agreement with the data recipient, which specifies the ways that the limited data set information will be used and protected.
How are states using public health data to improve population health while maintaining compliance with HIPAA? Examples shared from states during a July State Refor(u)m webinar are listed below.
- In Louisiana, specific data-use agreements have been helpful, as well as efforts led by the state’s Office of Public Health to highlight how effectively using local-level data is essential to improving population health. In New Orleans, through the Best Babies Zone initiative, which works with communities to address poor birth outcomes, public health data is used to identify at the neighborhood block level where there are the most significant rates of low birth weight, prematurity and infant mortality. This type of “problem mapping” allows public officials to more effectively target resources in the most high-risk areas.
- Maryland has also found data-use agreements to be helpful, and their state’s data-use agreement template can be found here. In the western region of Maryland, hospital data about delivery system usage helped identify high utilizers of care. Hospitals partnered with local public health departments to use this information to target community health nurse home visits and other outreach efforts, and within a short period of time they experienced a decline in utilization rates among the identified population.
- Ohio is using data from vital statistics to help improve the timeliness of care. While maintaining federal protections concerning birth certificate information, data in the birth certificates was uniformly coded to identify high-risk cases due to either maternal or infant conditions. This information was shared with managed care organizations so that they can prioritize outreach efforts to these individuals.
Interested in learning about other state models for conducting public health research and sharing data? Read this report to learn about efforts in Kansas, South Carolina and Pennsylvania. Share your state’s successes and challenges related to using data to design public health interventions and target resources to areas of high need in a comment below.