The first case of COVID-19 in North Carolina was announced on March 3. By April 9, the state was reporting over 3500 cases and 65 deaths from the disease.
Rapid spread of a new communicable disease is a historic and newsworthy event. It is understandable that the public and the media will have many questions. Public health officials must provide information that is necessary to protect the public health, and they also have an important role in keeping the public informed about communicable diseases affecting their communities. At the same time, public health officials are obliged to protect the confidentiality of information that identifies individuals, or that could be used to identify individuals.
When a local health department receives a request for county-specific data, may it disclose it? This post describes the relevant parts of two laws that may affect the answer.
A North Carolina law limits the disclosure of information about reportable communicable diseases such as COVID-19 (G.S. 130A-143). When the information is maintained by a local health department, it may be protected by the federal HIPAA Privacy Rule as well (45 C.F.R. Parts 160 and 164).
North Carolina Communicable Disease Confidentiality Law (G.S. 130A-143)
Under North Carolina law, information that identifies an individual who has or may have a reportable communicable disease or condition is strictly confidential, is not a public record, and may be disclosed only as allowed by G.S. 130A-143. There are presently nearly 80 communicable diseases and conditions that are reportable and covered under this law, including novel coronavirus infections and deaths, as well as tuberculosis, most of the vaccine-preventable illnesses, hepatitis, HIV, and other diseases and conditions of public health significance.
The state law protects “all information and records, whether publicly or privately maintained,” that contain such information. It does not define what is meant by information that identifies a person. HIPAA-covered entities should refer to HIPAA’s definition of individually identifiable health information. For entities that are not covered by HIPAA, I believe it is reasonable to use HIPAA’s concept of “individually identifiable” and assume that information that could be used to identify an individual is protected by G.S. 130A-143, even if it doesn’t include names or other unique identifiers.
The law allows release of medical or epidemiological information for statistical purposes, provided that no person can be identified from the information released. It does not specify methods that can be used for assuring that information has been sufficiently de-identified.
HIPAA Privacy Rule (45 C.F.R. Parts 160 and 164)
The HIPAA Privacy Rule governs the use and disclosure of protected health information (PHI), which is defined as individually identifiable information that relates to any of the following:
- An individual’s health status or condition,
- Provision of health care to an individual, or
- Payment for the provision of health care to an individual.
Information is considered identifiable even if it doesn’t contain the person’s name or other unique identifiers, if there is a reasonable basis to believe the information can be used to identify the individual. 45 C.F.R. 160.103. For example, an address that is associated with an individual with a particular health status or condition constitutes PHI when the information is created, received or maintained by a covered entity.
HIPAA does not apply to every person or entity that happens to have health information. It applies only to covered entities and their business associates.
The term “covered entity” is defined to include most health care providers, as well as health insurers and certain others. 45 C.F.R. 160.103. Local health departments are covered under HIPAA if they provide clinical health care services. In North Carolina, most health departments are county departments, so the county is actually the covered entity, and the health department is one of its HIPAA-covered components. Some health departments, such as multi-county district health departments, are separate legal entities and are covered entities in their own right.
In either case, a local health department may be what HIPAA calls a hybrid entity, which means that some of their activities and functions aren’t covered by HIPAA and don’t have to comply with the HIPAA Privacy Rule when they use or disclose health information. However, any department that claims this designation must have documentation (often called the “hybrid entity designation”) that clearly specifies which of its divisions, programs, activities, or functions make up its “health care component” that is covered by HIPAA. 45 C.F.R. 164.105(a). A full discussion of how a county or a department determines and documents its hybrid entity status and its covered components is beyond the scope of this post—for more information, see this post by my colleague Aimee Wall.
If a health department cannot answer the question of whether it is a hybrid entity or produce its written documentation describing which health department activities are covered, I feel obliged to operate under the assumption that the entire department is covered and that the individually identifiable health information it creates, receives or maintains is protected health information (PHI) under HIPAA.
A covered entity may use or disclose PHI only as allowed by the HIPAA Privacy Rule. As a general rule, this means that information may not be disclosed without the written authorization of the individual who is the subject of the PHI. There are several exceptions to this general rule, which I will not detail in this post, but you can read about them here.
The HIPAA Privacy Rule also allows information to be disclosed if it is de-identified in accordance with strict procedures that are laid out in the rule. These procedures are described in detail later in this post.
Effect of the Laws on Disclosure of County-Specific Data
Careful readers will have noticed that both HIPAA and the state communicable disease confidentiality law protect information when it is individually identifiable, and both make provisions for disclosing information that does not identify individuals. How does this affect the disclosure of county-specific data? Isn’t that just numbers?
Confidentiality laws must be taken into account when disclosing communicable disease data so that information is disclosed in a manner that prevents the individuals who are the subjects of the information from being identified. Even when information is just numbers, in some cases individuals could be identifiable, especially if the numbers are small or the data released is too granular.
Because of the risk that individuals’ privacy may be compromised by the disclosure of data, both HIPAA and the state confidentiality law address the use of de-identified data.
HIPAA De-Identification Standard [45 C.F.R. 164.514(a)]
A HIPAA-covered entity may disclose PHI that has been de-identified in accordance with specific procedures set out in HIPAA’s de-identification standard. 45 C.F.R. 164.514(a); see also U.S. DHHS, Office for Civil Rights, Guidance Regarding Methods for De-Identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. If PHI can be de-identified, it is no longer considered PHI and may be disclosed freely.
When data are derived from information created, received or maintained by a HIPAA-covered component of a health department, it must be de-identified before it is disclosed. The HIPAA regulations provide two methods for de-identifying PHI: the safe harbor method, and the expert determination method.
Safe harbor. The safe harbor method requires a covered entity to remove 18 specific identifiers from the PHI. The identifiers that must be removed include (but are not limited to) names, birth dates, addresses, telephone numbers, email addresses and similar unique identifiers, and all geographic subdivisions smaller than a state, including the name of the county. I emphasize the last item because that is the element that makes it difficult for many local health departments to de-identify PHI in order to disclose information about communicable disease within the health department’s jurisdiction. Because the safe harbor method requires the removal of the county name, the safe harbor method is not viable for NC local health departments that want to de-identify PHI so that it can be disclosed publicly as county-specific information.
Expert determination. The expert determination method provides an alternative way for a covered entity to de-identify PHI. This method requires the use of a person who has knowledge and experience in generally accepted statistical and scientific principles and methods for rendering information not individually identifiable—in other words, an expert. The expert must apply the statistical and scientific principles and methods to determine whether PHI has been de-identified to a degree that “the risk is very small that the information could be used, alone or in conjunction with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information.” 45 C.F.R. 164.514(a)(1)(i) (emphasis added). The expert must document the methods the expert used and the results of the analysis that justify the expert’s determination. In other words, they can’t just eyeball it.
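To make concrete why the safe harbor method cannot produce county-specific data, and why the “small numbers” concern raised earlier in this post matters for the expert determination route, here is an added example (not code from the original post, and not an implementation of either law). It applies the safe harbor removals the post lists (names, birth dates, addresses, telephone numbers, email addresses, and every geographic subdivision smaller than a state, including the county) to constructed case records, plus two further safe harbor elements the post does not enumerate but the rule contains: dates are reduced to the year, and ages of 90 or older are aggregated. It then shows a separate small-cell suppression step of the kind an expert might consider for aggregate county counts. The field names, the sample records and the suppression threshold of 5 are all constructed for this example; neither law states a threshold.

```python
"""Illustrative safe harbor stripping and small-cell suppression (added example)."""
from collections import Counter
from typing import Any, Optional

# Direct identifiers named in the post's summary of the safe harbor list.
# Birth dates are dropped outright here as a conservative choice.
DIRECT_IDENTIFIERS = {"name", "birth_date", "phone", "email", "address"}

# Safe harbor removes all geographic subdivisions smaller than a state,
# so the county field (the item the post emphasizes) cannot survive.
SUB_STATE_GEOGRAPHY = {"county", "city", "zip_code", "street"}

# Dates directly related to the individual keep only their year.
DATE_FIELDS = {"report_date", "onset_date"}


def _make_record(i: int, county: str, age: int, report_date: str) -> dict[str, Any]:
    """Build one constructed case record; every value is made up for the example."""
    return {
        "name": f"Person {i}",
        "birth_date": f"19{50 + i}-02-14",
        "age": age,
        "phone": f"555-01{i:02d}",
        "email": f"p{i}@example.org",
        "address": f"{i} Main St",
        "county": county,
        "state": "NC",
        "report_date": report_date,
        "condition": "COVID-19",
    }


# Constructed sample: six cases in one county, two in another.
SAMPLE_RECORDS = (
    [_make_record(i, "Alpha County", 40 + i, "2020-03-20") for i in range(6)]
    + [_make_record(6 + i, "Beta County", 92, "2020-04-01") for i in range(2)]
)


def safe_harbor(record: dict[str, Any]) -> dict[str, Any]:
    """Return a copy of the record with safe harbor identifiers removed or generalized."""
    out: dict[str, Any] = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or key in SUB_STATE_GEOGRAPHY:
            continue  # removed entirely
        if key in DATE_FIELDS:
            out[key] = value[:4]  # ISO date -> year only
            continue
        if key == "age" and isinstance(value, int) and value >= 90:
            out[key] = "90+"  # ages 90 and over are aggregated
            continue
        out[key] = value
    return out


def state_counts(deidentified: list[dict[str, Any]]) -> dict[str, int]:
    """After safe harbor, the finest geography left is the state."""
    return dict(Counter(r["state"] for r in deidentified))


def county_counts(records: list[dict[str, Any]], minimum_cell: int = 5) -> dict[str, Optional[int]]:
    """Aggregate identifiable records to county counts, suppressing small cells.

    The threshold of 5 is a constructed placeholder, not a figure from HIPAA or
    G.S. 130A-143; a real release would rest on an expert's documented analysis.
    Suppressed cells are reported as None rather than as a small number.
    """
    counts = Counter(r["county"] for r in records)
    return {county: (n if n >= minimum_cell else None) for county, n in counts.items()}


if __name__ == "__main__":
    stripped = [safe_harbor(r) for r in SAMPLE_RECORDS]
    print("after safe harbor, one record:", stripped[0])
    print("geography available after safe harbor:", state_counts(stripped))
    print("county counts with suppression:", county_counts(SAMPLE_RECORDS))
```

Running it shows the two points side by side: once safe harbor has been applied, the records can only be aggregated to the state, so county-specific disclosure from the covered component's own PHI is off the table; and in the un-stripped aggregate, the county with two cases is suppressed because a count that small, combined with other reasonably available information, is the kind of number that can point to individuals.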
De-identified Information and State Law
The state communicable disease confidentiality law allows release of medical or epidemiological information for statistical purposes, provided that no person can be identified from the information released. Unlike HIPAA, the state law does not specify methods that can be used for rendering information de-identified.
For a health department that is a covered entity, the HIPAA de-identification rules would apply, with the caveat that if the expert determination method is used, the state law would appear to require a determination that no person can be identified. In contrast, HIPAA requires a determination that there is a low risk of an individual being identified.
What about an agency that is not a HIPAA-covered entity? In short, the agency still must not disclose data that identifies an individual, but it is not required to adhere to HIPAA’s standard when evaluating whether the information has been de-identified. A good example of such an agency is the state agency that releases data about communicable disease to the public during outbreaks: the North Carolina Department of Health and Human Services (NC DHHS). NC DHHS has adopted a hybrid entity designation that clearly excludes from HIPAA coverage its sections and branches that receive and disclose data about communicable diseases. Because these parts of the agency are not covered by HIPAA, they are constrained only by state law in disclosing data. The state has its own protocols for assuring data are not individually identifiable, and they are able to release county-specific data when the criteria of those protocols are satisfied.
Providing Data to Counties in Light of These Laws
At this point, you may be wondering how a county can ever get any data about communicable disease, given these laws?
It is likely that most of the time, county-specific data about communicable disease comes from NC DHHS. As explained in the previous section of this post, NC DHHS follows internal protocols for assuring that data are sufficiently de-identified for purposes of the state communicable disease confidentiality law. Because the state law also forbids disclosure of information that could allow a person to be identified, the state does not always provide county-specific data or highly granular data, especially when numbers are small. But when it does provide the data, local health departments may re-disclose the data they receive from the state. They don’t have to worry about de-identifying it in that case, because it isn’t derived from their own PHI.
It is also possible that a local health department has a sophisticated hybrid entity designation that allows it to disclose information from a non-HIPAA covered component. A department must consult its own hybrid entity designation to determine whether this is the case. A department that does not have a hybrid entity designation must comply with HIPAA with respect to all the individually identifiable health information it creates, receives, or maintains.
Finally, a local health department that is covered by HIPAA may be able to de-identify its data using one of the methods the Privacy Rule prescribes. However, the requirement to remove the county name from the data will likely inhibit the use of the safe harbor method by most local health departments in North Carolina.