Policy Considerations to Help Protect Patient Privacy

Kathryn Marchesini & Elisabeth Myers (ONC), Deven McGraw (Ciitizen)


Federal and state laws establish both permissions and restrictions around data sharing. Generally, under federal law, disclosures of data to public health are allowed without authorizations from individuals. It is important for regulators and public health authorities to be as detailed as possible when providing guidance around permitted disclosures and data element/information reporting requirements. The 21st Century Cures Act introduces a paradigm shift wherein data blocking is a restricted activity and where a broader baseline of data will be more readily available to be shared via standard mechanisms.

Key Takeaways

HIPAA Allows Disclosure of “Minimum Necessary” Data to Public Health Authorities for Public Health Purposes

Federal privacy requirements, such as those mandated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), are agnostic to the underlying technologies being used. The HIPAA Privacy Rule permits covered entities to disclose protected health information directly to public health authorities who are legally authorized to receive such information for the purpose of preventing or controlling disease, injury, or disability (including to an organization that has a contractual relationship or some other grant of public health authority, such as a health information exchange, with the public health authority) without an individual’s authorization. Under HIPAA, covered entities include healthcare providers, health plans, and clearinghouses, whereas business associates are persons or entities acting on behalf of covered entities (e.g., healthcare providers), such as a health information exchange or an EHR vendor. The HHS Office for Civil Rights has announced enforcement discretion allowing business associates to share information with public health authorities (or their contractors) notwithstanding terms in their contracts (business associate agreements) with covered entities for the duration of the COVID-19 national public health emergency.

When covered entities and business associates disclose protected health information for public health purposes, the HIPAA Privacy Rule includes a “minimum necessary” requirement, meaning that protected health information must not be used or disclosed when it is not necessary to satisfy a particular purpose or carry out a specific function. The Privacy Rule generally requires covered entities to take reasonable steps to limit the use or disclosure of, and requests for, protected health information to the minimum necessary to accomplish the intended purpose. Covered entities and business associates can rely on the public health authorities’ request for such information as the minimum amount of information that is needed, without the entity having to make its own determinations or decisions about the minimum amount of information that is needed. Such reliance must be reasonable under the particular circumstances of the request.

It is important for regulators and public health authorities to be as detailed as possible when providing guidance around permitted disclosures and (data elements/information) reporting requirements to public health. Covered entities are risk averse and may fear being out of compliance with the law. Public health authorities or their associations can help assuage this fear by making explicit determinations about the minimum data elements necessary and being clear about how the protected health information will be handled once received by public health.

The 21st Century Cures Act Introduces a Paradigm Shift Wherein Health Information Will Be More Readily Available to Support Multiple Needs

In general, under the 21st Century Cures Act, information blocking is a practice by a health IT developer of certified health IT, health information network, health information exchange, or healthcare provider that, except as required by law or specified by the Secretary of Health and Human Services (HHS) as a reasonable and necessary activity, is likely to interfere with access, exchange, or use of electronic health information (EHI).

In the ONC Cures Act final rule, ONC identified eight categories of such reasonable and necessary activities that do not constitute information blocking, provided certain conditions are met—these are referred to as “exceptions.” The exceptions support seamless and secure access, exchange, and use of EHI and offer actors certainty that practices that meet the conditions of an exception will not be considered information blocking. The exceptions are divided into two classes: exceptions that involve not fulfilling requests to access, exchange, or use EHI; and exceptions that involve procedures for fulfilling requests to access, exchange, or use EHI. An example of the first class of exception is the “Privacy Exception,” which states that an actor should not be required to use or disclose EHI in a way that is prohibited under state or federal privacy laws. One such exception in the latter class is the “Content and Manner” exception, which relates to the data classes and types that must be included as well as outlining a technical framework for the manner of the response.

In section 4003 of the Cures Act, Congress directed ONC to “develop or support a trusted exchange framework, including a common agreement among health information networks (HINs) nationally.” In developing a Trusted Exchange Framework (TEF) and a Common Agreement that meets the industry’s needs, ONC has focused on three high-level goals: provide a single “on-ramp” to nationwide connectivity, enable EHI to securely flow when and where it is needed, and support nationwide scalability. The TEF describes a common set of principles that facilitate trust between HINs for nationwide electronic health information exchange, and the Common Agreement will provide the governance necessary to scale a functioning system of connected HINs to meet multiple use cases, including public health.

The ONC Cures Act final rule also operationalizes the manner in which, under HIPAA, patients can invoke their right to access their own health information and share that information however and with whomever they choose by implementing requirements for certified health IT related to standardized application programming interfaces (APIs). Standardized APIs broaden the possibility for public health authorities to receive and share data directly with patients or consumer-facing technologies as directed by patients. These consumer-facing technologies are not covered by a comprehensive privacy law, however the commitments these technology vendors make about how they handle sensitive data are enforceable by the Federal Trade Commission.

Filters Can Be Applied at Multiple Points in the Data Flow to Ensure Only Necessary Data Are Shared

Technology offers opportunities to develop and apply filters to help ensure that only data that should be shared are shared. These filters could be applied at multiple points in the data flow to support both covered entities and public health authorities in sharing or disclosing only what is needed for the use case or purpose, and appropriately disposing of information that may not be minimally necessary. Data segmentation and filtering technologies that would not rely on manual support are largely still under development; however, there are efforts throughout the industry to address and develop new tools for high priority use cases. Examples of evolving standards that could facilitate the development of these filters include the provenance resource in FHIR; the development of National Library of Medicine value sets for specific purposes, patient sets, or reportable cases for use in querying via a FHIR-based API; and the continued evolution of security labelling standards like the HL7 Data Segmentation for Privacy standard.
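The filtering idea in this section, as an added illustration (this is not ONC or CDC code, nor an implementation of the HL7 DS4P standard): a minimum-necessary filter that keeps only the resource types and codes a public health request names, and drops resources whose FHIR `meta.security` label carries an HL7 v3 Confidentiality code of R or V unless the request covers them. The sample Bundle, the allow-list standing in for a value set, and the dropped-entry reasons are constructed assumptions; only `meta.security` and `code.coding` are FHIR's own structure.

```python
# HL7 v3 Confidentiality codes treated as restricted for this purpose
RESTRICTED_CONFIDENTIALITY = {"R", "V"}

# Constructed sample Bundle: a patient, a reportable lab result (LOINC 94500-6),
# an unrelated vital sign (LOINC 8310-5) and a condition carrying a restricted label
SAMPLE_BUNDLE = {
    "resourceType": "Bundle", "type": "collection",
    "entry": [
        {"resource": {"resourceType": "Patient", "id": "p1"}},
        {"resource": {"resourceType": "Observation", "id": "o1",
                      "code": {"coding": [{"system": "http://loinc.org", "code": "94500-6"}]}}},
        {"resource": {"resourceType": "Observation", "id": "o2",
                      "code": {"coding": [{"system": "http://loinc.org", "code": "8310-5"}]}}},
        {"resource": {"resourceType": "Condition", "id": "c1",
                      "meta": {"security": [{"system": "http://terminology.hl7.org/CodeSystem/v3-Confidentiality",
                                             "code": "R"}]},
                      "code": {"coding": [{"system": "http://snomed.info/sct", "code": "840539006"}]}}},
    ],
}

def _security_codes(resource):
    """Codes carried in meta.security (empty set when the resource has none)."""
    return {lbl.get("code") for lbl in resource.get("meta", {}).get("security", [])}

def _codes_of(resource):
    """coding.code values from the resource's top-level 'code' element."""
    return {c.get("code") for c in resource.get("code", {}).get("coding", [])}

def filter_bundle(bundle, allowed_types, allowed_codes, keep_restricted=False):
    """Return (filtered Bundle, list of (id, reason) for each dropped entry).
    allowed_types: resource types the public health request names.
    allowed_codes: the requested value set, applied to every coded resource.
    keep_restricted: pass R/V-labelled resources through (only when the request
    and applicable law cover them); the default drops them."""
    kept, dropped = [], []
    for entry in bundle.get("entry", []):
        res = entry["resource"]
        rtype, rid = res.get("resourceType"), res.get("id")
        if rtype not in allowed_types:
            dropped.append((rid, "type not requested")); continue
        if not keep_restricted and _security_codes(res) & RESTRICTED_CONFIDENTIALITY:
            dropped.append((rid, "restricted security label")); continue
        # Patient carries no 'code'; every other resource must match the value set
        if rtype != "Patient" and not (_codes_of(res) & allowed_codes):
            dropped.append((rid, "code outside requested value set")); continue
        kept.append(entry)
    out = {k: v for k, v in bundle.items() if k != "entry"}
    out["entry"] = kept
    return out, dropped
```

The returned `dropped` list is what the sending entity would log to show why each element was withheld, which is the record a public health authority or auditor would ask for when checking that the request was relied on reasonably.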