FEATURE

By Melanie Padgett Powers , writer

Adam Greene , JD

Public health laboratories have been collecting and distributing data for decades , focused on the best practice of accessing the minimum patient data necessary to do the job required . As technology has become more and more sophisticated , federal and state governments and the public health system have worked to improve cybersecurity and data privacy protocols . But there are gaps between what the Health Insurance Portability and Accountability Act ( HIPAA ) protects versus state privacy laws and even how state health departments interpret various privacy laws .

When the COVID-19 pandemic arrived in the US in 2020 , it both underscored the gaps and exacerbated the challenges as public health laboratories began amassing data in unprecedented quantities . And , for the first time , the federal government required public health data be sent to it . In addition , more people began to question where people ’ s health information was being stored and who could see it , particularly COVID-19 test results and vaccination records .

“ COVID-19 has shone a spotlight on the importance of information flow and maintaining privacy ,” says Adam Greene , JD , partner at Davis Wright Tremaine LLP and outside counsel for APHL . “ It has highlighted , for some , the limits of HIPAA and the fact that it doesn ’ t reach throughout the health care system . It ’ s brought new attention to a longstanding issue .”

When it comes to medical privacy , public health laboratories may be bound by HIPAA ’ s privacy protections , depending on whether they electronically conduct any administrative transactions with health plans , Greene explains . However , a HIPAA public health exception allows HIPAA-covered entities , including HIPAAcovered laboratories , to disclose patient health information to public health authorities without patient authorization in the interest of public health , such as preventing and controlling disease like in the case of COVID-19 . Public health laboratories generally are covered under state privacy laws , which vary widely across the country .

“ Each of the public health labs have to also worry about whatever their state data privacy laws require ,” says APHL General Counsel Troy Willitt , JD , MPA . “ HIPAA sets the floor , and states can certainly build on top of that , and a number of states have done just that . How those data need to be handled once they ’ re at the public health lab will depend on a variety of things , not the least of which is what the law requires .”

This patchwork of laws can be confusing , but public health laboratories cannot always rely solely on the HIPAA public health exemption . “ It ’ s more nuanced than that ,” Willitt says . For instance , in some public health departments different divisions are responsible for HIPAA versus non-HIPAA compliant components . In those cases , “ it depends on the division that gets the data in order to figure out how they have to treat it .”

Public health laboratories should consider data privacy as a part of layers of data security that work together , says Michelle Meigs , MBA , APHL director of informatics . “ You need the systems in place to help