# Legal & data sharing frameworks Summary: * Establish legal data sharing frameworks within state jurisdictions, e.g. local/municipality to city (major metro), and direct to state. * Consider formulating policies and orders at the local jurisdiction level that refer to specific data sharing regulations that permit reporting; i.e. healthcare providers having the ability to share data with **specific entities** related to contact tracing efforts and what data will be released for broad public consumption vs. restricted public health use. * Designate certain collaborative entities with limited public health authority related to COVID-19 e.g. Health Information Networks, and Health Information Exchanges typically can’t easily share data bi-directionally with public health; state-based entities (e.g. New Jersey Health Information Network, Indiana HIE, SHINY) will be able to move faster on sharing clinical information with public health to scope contact tracing efforts * Define data sharing use cases that fall under the following: * Public Health Practice * De-identified Data (per HIPAA); aggregate and line-level * Consumer Data (non-HIPAA; regulated by FTC * Anonymous Data * Open Data (public consumption) * Patient and Consumer Consents * Data destruction policies ### State & Local Jurisdiction Data Sharing If there is a local NEDSS system in place, provide local jurisdictions with the ability to enter case reports. Establish a process to capture case investigations that relate to emerging contract tracing emergence of symptoms but confirmatory testing may not be in place yet (typically a quarantine section of the system to help prioritize confirmed case reports). ### Data Sharing Use Cases * Symptom checker information into a NEDSS * Symptom checker information connected with contact traced social network (identifiable, and aggregate level) * Contact-traced individuals to healthcare records/testing (consent) * Surveillance of negatives for a certain period of time with symptom checker & monitoring tools **Public Health Practice** Covers the following: * Healthcare provider to public health * Clinical data provider (Labs, EHRs, Payors & their vendors) to public health * Behavioral and mental health data provider to public health * Public health to public health; state and local jurisdictions * Local state agencies (e.g. Departments of Human Services, Prison & Correctional Facilities) to public health * Local public health to federal public health Permissible data linkages: * Identifiable data (PHI or PII) to consumer-consented data * Limited data to identifiable data * De-identified data to identifiable data (re-identification under public health practice) * De-identified data to de-identified data **De-identified Data** Covers the following: * Healthcare providers to public health **Consumer Data** **Open Data**