Privacy officers and other essential but non-traditional public health practitioners may, from time to time, be asked to articulate how their work advances health equity or anti-racist systems. The connection between privacy officers, health equity and dismantling racist systems may be more obvious than one might imagine.  

The Role of the Public Health Privacy Officer 

The role of a public health privacy officer is multifaceted, and it varies from one agency to another. The HIPAA Privacy Rule requires covered entities to designate a privacy official who is responsible for developing and implementing HIPAA policies and procedures that are designed to comply with the HIPAA Privacy Rule. On any given day, a privacy officer may:  

• answer questions on privacy-related policies and procedures,  

• investigate a potential breach,  

• draft or update policies,  

• provide guidance on non-routine requests for health information,  

• determine the validity of an authorization to release protected health information,  

• evaluate sufficiency of documentation of authority to receive data,  

• provide guidance on possible data flows for a new project,  

• provide privacy training to new hires,  

• participate on a data-governance committee, and/or  

• respond to a letter from an enforcement agency. 

Exercising Discretion to Protect Individuals, Promote Health Equity, and Reduce Risk of Harm to Marginalized Populations 

The privacy officer exercises influence and discretion that can impact whether, and the degree to which, data is used or disclosed. Although they are often perceived as defaulting to answering “no,” they are in fact routinely called on to say “yes” to proposed uses or disclosures of individually identifiable health information to improve population health. Privacy officers are often faced with interpreting different legal requirements that are sometimes in conflict with each other. These requirements may be specific at times, but at other times very general; sometimes clear and at other times vague, ambiguous or open to interpretation. Such provisions require careful consideration, assessment of risks, balancing of interests, and sometimes the selection of the best option from a number of equally reasonable possibilities.  

A privacy officer may be faced with subjective statutory or regulatory provisions requiring a judgment call, such as that data may be shared “as necessary for the purposes of… illness investigation,” or that data shall not be shared “except as necessary… for the protection of the health of others,” or that, within a certain dataset, a state or local health department may not share “any group of facts that tends to lead to the identity of any facility or person,” or that a state health department may disclose “what it considers to be appropriate and necessary… when… [it] will contribute to the protection of the public health.”  

But what is “necessary”? Which data elements “tend to lead to” identification? What is “appropriate”? When will a potential use or disclosure of data “contribute to the protection of public health”? Privacy officers often find themselves in the position of answering these questions. To do so, they bring awareness of systemic racism and a history of data being used to harm marginalized communities. They use knowledge, experience and good judgment, with a focus on improving public health, advancing health equity, reducing health disparities, and promoting the health of marginalized communities.  

Building Trust Between Marginalized Communities and the Health System 

The privacy officer helps repair trust between the community and the health system. The many tasks of the privacy officer put them in the position of ensuring the health department’s compliance with privacy rules, promoting effective governance and appropriate use and disclosure of data, while protecting the individual’s privacy interest throughout. As such, the privacy officer builds confidence between the individual and the health care system.  

It is little surprise that trust and confidence in the health system have historically been lower among individuals that have experienced discrimination “based on race, ethnicity, gender or other identities.” Medical mistrust leads to poor health outcomes, delayed diagnosis, and even believing in social-media-driven medical misinformation, to the detriment of public health. In the role of privacy-policy enforcer, privacy officers help rebuild trust by ensuring compliance with policies that are carefully designed to promote and respect individual privacy-related rights. 

Privacy Officer as Gatekeeper 

Privacy officers are often the gatekeepers of individually identifiable health information. They may make decisions, or inform the decisions of others, on whether to grant or deny requests for health data. They may be faced, for example, with requests for data for judicial and administrative proceedings, law enforcement or immigration purposes. In such instances, the privacy officer may be called on to determine whether the request is permitted and required under applicable rules and whether all necessary documentation has been provided.  

In other situations, the privacy officer may be called on to apply not just a compliance lens but also an important public health ethics lens. In such instances, the privacy officer may shift the conversation past “may we disclose the data?” or “must we disclose the data?” to “should we disclose the data? Is it a good idea to disclose the data, even where it is permitted by law?” or “could this data be used to directly or indirectly exacerbate disparities in health?” These questions might be asked, for example, in the context of a request for data for research, which might satisfy Institutional Review Board (IRB), HIPAA, and state law requirements, but is still granted only at the discretion of the health department. 

Privacy Officer as Steward of Essential Public Health Disparities Data 

Finally, privacy officers are often protectors of essential public health data, which itself is key to identifying disparities in health. The link between data and advancing health equity is well-documented. Public health data tells us clearly that health, as measured by such things as life expectancy, has a lot to do with which zip code you live in, your race, ethnicity, economic stability and other factors. Public health data shines a light on health disparities. Privacy officers play a key role in the protection and availability of this data through implementation of policies, procedures and practices, and other components of strong data governance.  

Did Someone Say Hero? 

Whether as data-use facilitator, gatekeeper, trust builder, or steward, the privacy officer plays a key role in effective data governance that safeguards the privacy of community members, while promoting the effective use of public health data to reduce disparities and dismantle racist systems. 

The Network’s Privacy Officer Peer Group (POPG) provides support, resources, and learning opportunities related to current and emerging data privacy and sharing issues faced by public health agencies. You can learn more and join the POPG here. 

This post was written by Stephen Murphy, J.D., Director, Network for Public Health Law—Mid-State Region, and former privacy officer. 

The Network promotes public health and health equity through non-partisan educational resources and technical assistance. These materials provided are provided solely for educational purposes and do not constitute legal advice. The Network’s provision of these materials does not create an attorney-client relationship with you or any other person and is subject to the Network’s Disclaimer.  Support for the Network is provided by the Robert Wood Johnson Foundation (RWJF). The views expressed in this post do not represent the views of (and should not be attributed to) RWJF.