Public Health for the 21st Century: Data Modernization and Privacy Protections
December 12, 2022
Since the beginning of the COVID-19 pandemic, state and territorial health departments have identified and worked through ways to improve their complex public health data systems. Health equity efforts related to COVID-19 repeatedly revealed the need for accurate and complete racial and ethnic identity data for infectious disease reporting and immunizations. While health departments continued their work to improve data collection during the COVID pandemic, a second pandemic emerged. The global spread of human monkeypox virus (mpox) highlighted the additional need for accurate and complete demographic data on sexual orientation and gender identity. This information was crucial to guiding equitable public health interventions to detect and prevent further spread of mpox.
During the 2022 legislative sessions, states enacted laws supporting better data sharing between healthcare providers and public health authorities and sought to strengthen data privacy protections. These laws focused on health information exchanges (HIEs) and on expanding reporting data fields like sexual orientation and gender identity. New laws also focused on ensuring public health data remains protected and confidential.
Health Information Exchanges
HIEs primarily allow healthcare providers to share patient medical information with other treatment providers across different healthcare and electronic health record systems. Maryland and Oklahoma enacted laws in 2022 aimed at improving their HIEs.
Maryland passed two bills crucial to supporting data exchange between the state health department and CRISP, the state-designated HIE. The first bill established that the HIE’s privacy and security regulations may not prohibit sharing health data (1) required under federal law, (2) for purposes important to public health, or (3) for payment purposes. The second bill establishes the state-designated HIE as a health data utility, formalizing the role of healthcare data for the public good. Maryland follows Nebraska, Rhode Island, and Vermont, who have begun shifting to the health data utility model, which formalizes the HIE. Maryland’s laws now require the HIE to provide real-time data to the health department and for the health department to report data back to the HIE.
Oklahoma followed steps taken by several states in the 2021 legislative session to establish an official state-designated HIE. This law also established the Office of the State Coordinator for Health Information Exchange within Oklahoma Health Care Authority, Oklahoma’s Medicaid agency. The state coordinator is responsible for establishing the state-designated HIE entity. In addition, this bill now requires all licensed healthcare entities in Oklahoma to connect with and report to the state-designated HIE.
Sexual Orientation and Gender Identity Data
Just as COVID-19 highlighted the need for public health authorities to collect data on race and ethnicity for individuals with COVID-19, the rapid spread of mpox—particularly among populations of gay, bisexual, and other men who have sex with men—highlighted the need to collect demographic information on sexual orientation and gender identity for individuals with this disease. CDC has highlighted how important it is for healthcare providers to document this information in patient medical records to support high-quality, patient-centered care. Health departments also need access to this information to be able to quickly identify emerging disease trends and tailor public health response efforts.
In the 2022 legislative session, Colorado passed a law that permits the health department to collect data on race, ethnicity, disability, sexual orientation, and gender identity. The law also allows the state’s Office of Health Equity to use these data for strategic planning on minority health improvement.
One of the primary areas of legislative focus for health data privacy in 2022 was reproductive health data. Health departments collect reproductive health data on contraceptive use, unintended pregnancy rates, prenatal services use, birth rates, and pregnancy mortalities to better understand health disparities across populations. Reproductive health data are sensitive in nature, and several states strengthened their privacy protections related to data collection and usage.
California passed three laws establishing additional privacy protections for reproductive health data and data related to gender affirming care. These laws specifically limit the amount of information that the health department can share with law enforcement agencies outside the state. Connecticut enacted a law that expressly requires a patient’s or patient guardian’s written consent before any information about that patient’s reproductive healthcare can be shared. The law exempts sharing for public health purposes or as required by a court order. Finally, Colorado’s new law requires medical providers to collect race, ethnicity, sexual orientation, and gender identity information from all patients who have given birth, and directs providers to report this data to the health department without identifiers.
ASTHO expects states and territories to continue considering legislation that expands public health access to health data. New legislation may:
- Increase the amount of demographic data collected from patients and populations.
- Strengthen protections for identifiable health data.
- Increase public health authorities’ ability to access data more directly through systems like health information exchanges.