Getting information collected on Covid outbreaks and responses from state and local health authorities to the federal government could pose a challenge to the Biden administration’s push to share data across agencies.
The data-sharing initiative is outlined in an executive order President Joe Biden issued Jan. 21. The order directs the Secretary of Health and Human Services to review the interoperability of public health data systems nationwide.
Communication between records systems used by doctors or hospitals is often an issue in health care, since information may be maintained differently in different jurisdictions.
“We don’t have a national health records system among health care providers, let alone public health authorities,” said Elizabeth Litten, partner and chief privacy and HIPAA compliance officer at Fox Rothschild LLP. “So it’s very spotty and piecemeal.”
The White House didn’t respond to a request for comment on what it envisions for the Covid data pipeline. The administration’s Covid-19 task force held its first briefing Wednesday.
For Covid testing data, the Centers for Disease Control and Prevention has access to information submitted by state health departments as well as other sources, including commercial, public health, and in-house hospital laboratories. Other Covid data resources such as the Covid Tracking Project rely on manual collection of state-level information, while some trackers use county-level records instead.
Sharing Covid data across the government would help direct vaccines and other resources to communities with the greatest need. It’s also meant to further public understanding of the pandemic and limit the spread of misinformation or disinformation, according to the executive order.
Further guidance is coming from the White House on how to de-identify Covid-related data, which would be necessary to comply with the Health Insurance Portability and Accountability Act. HIPAA is a federal privacy law that outlines rules for sharing personal health information.
The order directs the head of the White House Office of Management and Budget to work with other federal officials to review the government’s current data approach and issue guidance on how to de-identify Covid information and make it open to the public as quickly as possible.
De-identification under HIPAA typically involves stripping information such as names, Social Security numbers, and other data that could be used to pinpoint individuals. The executive order doesn’t specify what kind of Covid data it covers, though it could include information on test results, treatments, and vaccines, as well as demographic data used to measure the impact of the pandemic on different populations.
“There’s an inherent tension between the privacy needs of an individual and the public health needs of society,” said Jo-Ellyn Sakowitz Klein, senior counsel at Akin Gump Strauss Hauer & Feld LLP focusing on privacy and data protection. “Here the stakes are really high.”
Litten said even data that’s de-identified can be traced back to individuals in some cases. Individuals identified in news reports, for example, could be matched back to anonymized records from hospitals.
In taking steps to protect privacy, the government could audit the data to make sure it’s not re-identifiable, she said.
Without interoperability, it could be difficult to understand the scope of the pandemic or identify areas of the U.S. that are struggling or having more success in their response to Covid, according to Jon Knight, a privacy and security-focused senior associate at Alston & Bird LLP.
“Making sure those systems are able to talk with each other” will be important, Knight said.
HHS issued new interoperability rules last year meant to give individual patients more control over their health data and how it’s shared. Applying the same concept on a larger scale during a pandemic could be more challenging, said Dianne Bourque, a health care attorney at Mintz, Levin, Cohn, Ferris, Glovsky and Popeo P.C.
“There’s been a lot of time and effort and expertise expended over the years to facilitate interoperability in the normal care system,” Bourque said. “If it’s a challenge in regular health care, it’s a much bigger challenge as a larger public health effort.”
Any interoperability or privacy issues that could arise from broader scale data sharing by public health agencies may be less of a concern because of how aggregated the records are, according to Kirk Nahra, a privacy-focused partner at Wilmer Cutler Pickering Hale and Dorr LLP.
“Sending numbers is a question of sending a spreadsheet. It’s easy,” Nahra said. “Sending medical records is hard.”