Improving Access to EHRs

Address Patient Privacy, Authority, and Security Concerns

The privacy and security of electronic health information are a shared responsibility of public health and healthcare facilities in outbreak investigations, including those involving HAIs. Early conversations between public health officials and healthcare facility staff should address concerns about public health authority, patient privacy, and the secure transfer and storage of patient information, so that the information is appropriately protected from the outset.

Patient Privacy

The Federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule establishes protections for health information while also allowing certain uses for public health purposes. Healthcare facilities may share protected health information with a public health authority without the patient’s authorization if the information is needed to prevent or control disease. Public health officials consistently reported perceived HIPAA barriers as a reason healthcare facilities were hesitant to give health departments access to patient information. Understanding HIPAA’s public health exemption, and making healthcare facilities aware of it, helps overcome barriers to access during outbreaks.


“We are exercising our statutory authority to review the medical record.”

– Health Department Staff

Best Practices for Health Departments

  • Institute policies and practices necessary to ensure health information is kept confidential and secure
  • Address who will have access to the data and how public health will use it
  • Engage the right health department officials
  • Communicate the need for the data clearly, and develop documents to prepare for an outbreak investigation

This toolkit is not intended to serve as legal advice. We recommend seeking the advice of an attorney or other qualified professional with questions regarding the application of law to a specific circumstance.

State Examples

Privacy and Security

  • New York uses governance documents as well as privacy and security policies and procedures to ensure the privacy and security of patient health information
  • Michigan and Minnesota use letters and reminders about HIPAA and the disclosure of protected health information for prevention and control under the public health code
  • Kansas regulations require staff “engaged in the collection, handling, and dissemination of healthcare data” in the health department’s database to be informed of data protection responsibilities, accountability, and consequences for breaches, such as termination of employment (Kan. Admin. Regs. § 28-67-8). Additionally, Kansas has provisions on system security (Kan. Admin. Regs. § 28-67-9).
  • Virginia prohibits disclosure or redisclosure of patient health information unless permitted by state law or HIPAA provisions relating to the privacy of electronic transmission of data (Va. Code Ann. § 32.1-127.1:03).
  • New Hampshire public health officials discuss the delicate balancing act they confronted in seeking patient health information without specific patient consent during a hepatitis C outbreak.


Data Use Agreements

  • Michigan and Virginia have Data Use and Confidentiality Agreements in place with hospitals. Michigan also has an addendum that addresses use of information for data validation.
  • New York City uses a Department of Health Data Use and Reciprocal Support Agreement (DURSA) to establish data use agreements about EHR use with healthcare facilities in its jurisdiction
  • Virginia uses Business Associate Agreements (BAAs) to establish data agreements about EHR use with healthcare facilities in the state


Information for this toolkit was collected through interviews with state health agencies and feedback from national-level stakeholders. See the methodology for more details.