Modernizing Public Health Data and Protecting Privacy

November 27, 2024

Introduction

To improve population health outcomes, public health agencies must regularly receive and analyze timely and accurate data. In alignment with federal initiatives like the Trusted Exchange Framework and Common Agreement (TEFCA), which establishes a set of guiding principles and standards for interoperability governance and policies across a national health data exchange network, state policymakers continue taking steps to modernize the way public health partners collect and share data. Legislatures are considering measures to enhance consumer health privacy data, bolster health information exchanges, and improve vital records access through digital platforms.

Legislative Trends

Enhancing Consumer Health Data Privacy and Supporting Public Health Data Access

In 2018, California became the first state to enact a consumer privacy act, creating legal protections for collecting and selling sensitive data including health data generated outside of a provider-patient relationship (e.g., health data generated by wearable fitness trackers). Since then, there has been a rapid adoption of similar laws nationwide. As of July 2024, at least 18 state legislatures passed a consumer privacy act to protect sensitive health data. Under these laws public health entities continue to have access to authorized data, ensuring their ability to meet their responsibility to improve population health outcomes.

At least 14 states considered bills establishing or refining a statewide consumer privacy act to place privacy protection on consumer health data during the 2024 legislative sessions. Kentucky (HB 15), Maryland (SB 541), Minnesota (HF 4757), Nebraska (LB 1074), New Jersey (SB 332), and Rhode Island (H 7787) passed consumer privacy legislation to protect sensitive data, including health data, while still facilitating data sharing to support public health activities. Additionally, Colorado refined its consumer privacy law by amending its definition of “sensitive data” to include biological data (e.g., genetic information or physiological measurements) by enacting HB 24-1058.

Vermont’s legislature passed H 121 in June 2024, allowing consumers to prevent the sale of their personal data, including health and genetic data, and require companies to limit their data collection to what is reasonably necessary and proportionate to meet the needs of the particular product or service. Shortly after the legislature passed H 121, Vermont’s governor vetoed the bill citing its creation of an individual consumer’s right to sue for privacy violations.

Health Information Exchanges

Originally developed to allow streamlined health data connections between different health providers, health information exchanges (HIEs) have become vital health data collection and aggregation partners to public health agencies. Currently there are more than 165 HIEs operating nationwide.

During the 2024 legislative sessions at least four states enacted laws reshaping how—and by whom—data from an HIE can be entered, shared, or used. Oklahoma, which created its state-operated HIE in 2021, enacted HB 3556, making provider participation voluntary. Maine enacted LD 227, prohibiting HIEs and providers from disclosing healthcare information for marketing or sales purposes as well as limiting the ability to share information about reproductive healthcare or gender-affirming healthcare services without the patient’s written consent or a court order. Utah enacted HB 319, authorizing emergency medical services providers to share clinical data through a qualified HIE network within the bounds of HIPAA. Maryland enacted HB 1143, authorizing a new commission to use HIE data when identifying factors leading to increased emergency department wait times.

Vital Records

State and territorial public health agencies are often responsible for maintaining vital records—certified records reporting birth, death, or marriage—with many jurisdictions working to digitize and modernize their vital records systems. In 2024, at least six states passed laws related to modernizing or maintaining vital records. Rhode Island enacted HB 7663, requiring that all local registrars have electronic copies of records before transferring records to the state archives. New Hampshire enacted HB 1220-FN, removing the collection of race and education data on marital applications.

Wisconsin enacted SB 174, requiring physicians to sign death certificates using the state registrar's electronic system of vital records rather than faxing an attestation to the department. A new Tennessee law (SB 2398) increased the time physicians or medical examiners have to determine a cause of death and sign death certificates from 48 hours to two business days. Utah enacted HB 212, requiring birthing facilities and birthing centers to submit birth registrations via its electronic system within 10 days of birth rather than submitting a paper certificate. Illinois enacted a law (SB 3182) requiring hospitals to notify a gestational parent of their right to receive a birth certificate and fetal death certificate for miscarriages and still-births.

Looking Ahead

ASTHO anticipates states and territories will continue to grapple with the complexities of expanding public health access to health data while safeguarding individual privacy. This ongoing effort is likely to manifest in the following legislative trends:

• Strengthen protections for consumer health data, such as information collected by wearable devices and genetic testing.
• Allow public health agencies to access a wider range of health data through secure platforms like HIEs and nationwide data exchange networks (e.g. through TEFCA), while establishing clear legal and ethical guidelines for data use.
• Develop standards for using Artificial Intelligence in public health, ensuring fairness and avoiding discrimination while exploring its potential for early disease detection.