Legal & data sharing frameworks


  • Establish legal data sharing frameworks within state jurisdictions, e.g. local/municipality to city (major metro), and direct to state.

  • Consider formulating policies and orders at the local jurisdiction level that refer to specific data sharing regulations that permit reporting; i.e. healthcare providers having the ability to share data with specific entities related to contact tracing efforts and what data will be released for broad public consumption vs. restricted public health use.

  • Designate certain collaborative entities with limited public health authority related to COVID-19 e.g. Health Information Networks, and Health Information Exchanges typically can’t easily share data bi-directionally with public health; state-based entities (e.g. New Jersey Health Information Network, Indiana HIE, SHINY) will be able to move faster on sharing clinical information with public health to scope contact tracing efforts

  • Define data sharing use cases that fall under the following:

    • Public Health Practice

    • De-identified Data (per HIPAA); aggregate and line-level

    • Consumer Data (non-HIPAA; regulated by FTC

    • Anonymous Data

    • Open Data (public consumption)

  • Patient and Consumer Consents

  • Data destruction policies

State & Local Jurisdiction Data Sharing

If there is a local NEDSS system in place, provide local jurisdictions with the ability to enter case reports. Establish a process to capture case investigations that relate to emerging contract tracing emergence of symptoms but confirmatory testing may not be in place yet (typically a quarantine section of the system to help prioritize confirmed case reports).

Data Sharing Use Cases

  • Symptom checker information into a NEDSS

  • Symptom checker information connected with contact traced social network (identifiable, and aggregate level)

  • Contact-traced individuals to healthcare records/testing (consent)

  • Surveillance of negatives for a certain period of time with symptom checker & monitoring tools

Public Health Practice

Covers the following:

  • Healthcare provider to public health

  • Clinical data provider (Labs, EHRs, Payors & their vendors) to public health

  • Behavioral and mental health data provider to public health

  • Public health to public health; state and local jurisdictions

  • Local state agencies (e.g. Departments of Human Services, Prison & Correctional Facilities) to public health

  • Local public health to federal public health

Permissible data linkages:

  • Identifiable data (PHI or PII) to consumer-consented data

  • Limited data to identifiable data

  • De-identified data to identifiable data (re-identification under public health practice)

  • De-identified data to de-identified data

De-identified Data

Covers the following:

  • Healthcare providers to public health

Consumer Data

Open Data

Last updated