Exchange of Blood Lead Data to Facilitate Responsive Action Under the Lead Safe Housing Rule
June 4, 2019
Data are the lifeblood of public health practice and research. The Network was asked what pathways exist under the HIPAA Privacy Rule to enable data exchange between a local health department and a HUD-supported housing program?
Background: Data Sharing Requirements under the Lead Safe Housing Rule
Sharing data—especially data regarding children’s elevated blood lead levels—is key to coordinating lead poisoning prevention efforts between health departments, housing agencies, and community partners. Recognizing the importance of data exchange, recent amendments to the U.S. Department of Housing and Urban Development’s (HUD) Lead Safe Housing Rule (LSHR) encourage and in some cases require exchange of information between public housing agencies and public health departments.1
In general, the LSHR requires that if the entity responsible for a HUD-supported housing unit is notified that an occupant under age 6 has an elevated blood lead level2 (EBLL), the entity must complete an environmental investigation of the child’s dwelling unit and common areas serving that unit. If lead-based paint hazards are identified, the entity must undertake appropriate hazard reduction, control, or abatement actions as specified in the LSHR; must notify affected occupants of the actions taken; and must conduct lead risk assessments (and appropriate follow-up) for all other federally assisted units within the property in which a child under age 6 resides or is expected to reside.3
To facilitate these activities, the rule requires HUD-supported housing entities4 to share certain information with public health agencies, including the following:
- If the housing entity is notified of a child’s EBLL by a person who is not a medical health care provider, the housing entity must immediately verify this information with the public health department or another health care provider. [If the information is verified, the verification is treated as notification for purposes of triggering an environmental investigation, which must occur within 15 days of notification.]
- Within 5 business days of being notified by a medical professional that a child has an EBLL, the owner must report the child’s name and address to the public health department.
- Within 5 business days of being notified of a child’s EBLL (by either a health care professional or a public health department), the owner must report the case to the HUD field office and HUD Office of Lead Hazard Control and Healthy Homes (OLHCHH) (and must subsequently report completion of required activities within 10 business days of the deadline).5
The LSHR requires additional data collection, record keeping, and reporting by housing entities or subrecipients (or their designees) responsible for administering tenant-based rental assistance programs (e.g., Section 8). These requirements are as follows:
- At least quarterly, the housing entity or designee must “attempt to obtain” from their local public health department the names and/or addresses of children under 6 years old who have been identified as having an EBLL. If the housing entity receives EBLL data from the health department, it must match the data with names and addresses of families receiving tenant-based rental assistance (unless the health department performs this matching function instead).
- On a quarterly basis, the housing entity or designee must report to the public health department “an updated list of the addresses of units receiving assistance under a tenant-based rental assistance program” (unless the health department states that it does not want the report).6
Thus, the LSHR requires HUD-supported housing entities to proactively report data to public health agencies, and it encourages mutual exchange of data to facilitate reduction and remediation of lead hazards. However, because state laws generally require health care providers and laboratories to report EBLL data to state or local health departments—but not to housing agencies—it is important to facilitate mutual data exchange rather than just the one-way transfer of data from housing agencies to public health departments as required by the LSHR.
We discuss below potential pathways for mutual data exchange between a local health department and a HUD-supported housing program under the HIPAA Privacy Rule. The Network for Public Health Law provides information about public health laws. We do not provide legal representation or advice on taking a particular course of action. For legal advice, we urge you to consult with your attorney.
Navigating the HIPAA Privacy Rule to enable mutual data exchange between a local health department and a HUD-supported housing program
The Alliance for Healthy Homes has developed a guide for state and local childhood lead poisoning prevention programs titled Overcoming Barriers to Data-Sharing Related to the HIPAA Privacy Rule. The guide outlines several pathways for local health departments and public housing agencies to share data without violating the Health Insurance Portability and Accountability Act (HIPAA) Standards for Privacy of Individually Identifiable Health Information (referred to as the “Privacy Rule”).7 Though the guide was published in 2004 (shortly after HIPAA took effect), the pathways and guidance appear to remain viable today. The most salient points are summarized here, but readers may wish to also consult the guide’s in-depth explanations for additional information.
First, when defining a HIPAA-compliant pathway for sharing data between housing and public health agencies, two key questions that should begin the inquiry are whether the HIPAA Privacy Rule applies: (1) to the entity that holds the relevant data, and (2) to the relevant data. If the answer to either of these questions is no, the HIPAA Privacy Rule does not apply and the data may be shared in accordance with other applicable laws. Part c below discusses potential pathways for sharing data if the HIPAA Privacy Rule applies to both the entity and the relevant data.
a. Is the entity that is holding relevant data a “covered entity” under the HIPAA Privacy Rule?
The HIPAA Privacy Rule applies only to data shared by “covered entities,” defined to include health plans, health care clearinghouses, and most health care providers.8 Generally, housing agencies are not covered entities and therefore are not subject to the Privacy Rule. In contrast, the Privacy Rule is more likely to apply to a public health department because many health departments provide health care services. If the health department provides health care services, it may be fully covered by HIPAA or it may be a hybrid entity, meaning that certain components are covered by the Privacy Rule while other components are not.9 If the health department is not a covered entity, or if it is a hybrid entity but the program that holds the relevant data is not part of the designated health care component, the HIPAA Privacy Rule does not apply.
b. Is the relevant data considered “protected health information” under the HIPAA Privacy Rule?
With regard to which data is covered, the Privacy Rule safeguards use and disclosure of “protected health information” (PHI), which is defined as individually identifiable health information that is transmitted or maintained in electronic media or in other forms.10 Health information is defined fairly broadly:
Health information means any information, including genetic information, whether oral or recorded in any form or medium, that:
(1) Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and
(2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.11
Thus, individual blood lead level data would be considered PHI. A health department’s housing-related data alone (e.g., lead ordinance violation records) is less likely to contain PHI. c. Pathways for public health departments that are covered entities to share PHI with housing agencies or community partners to investigate and remediate lead hazards. If a health department is a covered entity, or it is a hybrid entity and the program that holds EBLL data is part of the designated health care component, the Privacy Rule applies to the agency’s use and disclosure of EBLL data. In general, disclosure of PHI is prohibited unless for purposes specified in the rule (e.g., treatment, payment, or health care operations) or in accordance with a valid authorization.12 While obtaining individual consent is one potential method for enabling exchange of information between public housing and public health agencies, this is not always a viable method, particularly where private health care providers have reported EBLLs to the health department and the health department has not had direct contact with the affected children or their families. Nevertheless, health departments that are covered by the HIPAA Privacy Rule may be allowed to share individual EBLL data with a public housing agency without obtaining individual authorization under the Privacy Rule’s public health exception.13 Among other public health uses and disclosures, this exception allows covered entities to use or disclose PHI to a public health authority that is authorized by law to collect the data for purposes of preventing or controlling disease, injury, or disability, including by conducting public health surveillance, investigations, and interventions. 45 C.F.R. § 164.512(b)(1)(i). For a covered entity that is also a public health authority (e.g., a local health department that provides health care services), 45 C.F.R. § 164.512(b)(2) allows the entity to use PHI “in all cases in which it is permitted to disclose such information for public health activities.” The public health exception provides at least two potential pathways to allow a local health department to share data with a housing agency or community partner. First, the local health department could designate the housing agency or community partner as its agent for purposes of using the data to conduct an authorized public health activity, such as investigations and interventions related to lead exposure. This arrangement would align with 45 C.F.R. § 164.512(b)(2) because the local health department would be using the data, through its agent, to accomplish authorized public health activities. The CDC has provided sample language that may be used to accomplish a grant of public health authority.14 A local health department would likely also develop an agreement or memorandum of understanding with the housing agency or community partner to further define the scope of the grant of public health authority, including limits on the partner’s use and redisclosure of the data. A second possible pathway involves the public health department recognizing a housing agency as a public health authority in its own right, based on the agency’s specific responsibilities under the Lead Safe Housing Rule to evaluate and control lead hazards. The Privacy Rule defines a public health authority as follows:
- Public health authority means an agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, or a person or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or persons or entities to whom it has granted authority, that is responsible for public health matters as part of its official mandate.15
Encouraging use of this pathway, HUD in its response to public comments about the LSHR explained that grantees of the HUD Office of Lead Hazard Control and Healthy Homes are considered public health authorities under HIPAA and thus may receive protected health information necessary to accomplish their public health responsibilities. HUD’s question and answer published in the Federal Register are included here for reference: c. Coordination With HIPAA and Local Data Privacy Laws Comment: Several commenters (8) requested clarification of the protocols for reporting, including the interaction with other federal laws such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Pub. L. 104–191), and state and local privacy laws. HUD Response: For the purpose of preventing or controlling childhood lead poisoning, in regard to lead hazard evaluation and control activities, the OLHCHH and its lead hazard control grantees acting on its behalf, are considered public health authorities under HIPAA; thus, they may receive related private health information that is minimally necessary to accomplish the intended purpose of the disclosure, including the addresses of housing units and vital information about the children and their families, and must protect that information.16 Likewise, the CDC and HUD have together recognized in a letter that this specific interpretation of “public health authority” is consistent with the OLHCHH’s legal mandate.17 Their interpretation is also consistent with the following explanation from the U.S. Department of Health and Human Services Office for Civil Rights in response to a question about whether the National Institutes of Health is considered a public health authority under the HIPAA Privacy Rule:
- The definition of a “public health authority” requires that an agency’s official mandate include the responsibility for public health matters. The mandate can be responsibility for public health matters, generally, or it can be for specific public health programs. Furthermore, an agency’s official mandate does not have to be exclusively or primarily for public health. Therefore, to the extent a government agency has public health matters as part of its official mandate, it qualifies as a public health authority.18
Upon recognizing a housing agency as a public health authority, the public health department is then permitted to disclose PHI to the agency pursuant to 45 C.F.R. § 164.512(b)(1)(i).
Note that in addition to presenting pathways for data exchange between public health and housing agencies, the public health exception may be used to involve community organizations that are authorized to act as agents of either entity. In all contexts, agencies will need to be cognizant of the Privacy Rule’s other requirements relating to use and disclosure of health information, such as the requirement to use and disclose only the minimum necessary information.19 In addition, agencies will need to consider and comply with other applicable federal, state, and/or local laws.
1 The LSHR defines “public health department” as “a State, tribal, county or municipal public health department or the Indian Health Service.” 24 C.F.R. § 35.110.
2 EBLL is defined at 24 C.F.R. § 35.110 to align with the most recent guidance from the U.S. Department of Health and Human Services. Currently, CDC guidance recommends intervention at 5 µg/dL (5 micrograms of lead per deciliter of blood). See Requirements for Notification, Evaluation and Reduction of Lead-Based Paint Hazards in Federally Owned Residential Property and Housing Receiving Federal Assistance; Response to Elevated Blood Lead Levels, 82 Fed. Reg. 4151, 4152 (Jan. 13, 2017), available at https://www.federalregister.gov/documents/2017/01/13/2017-00261/requirements-for-notification-evaluation-and-reduction-of-lead-based-paint-hazards-in-federally.
3 24 C.F.R. §§ 35.730, 35.830, 35.1130, 35.1225. See also 24 C.F.R. § 35.325 (establishing more general requirements for providers of project-based assistance provided by federal agencies other than HUD).
4 These requirements apply to entities providing project-based assistance under a HUD program (24 C.F.R. § 35.730), HUD-owned multifamily property (or a multifamily residential property for which HUD is the mortgagee-in-possession) (24 C.F.R. § 35.830), HUD public housing programs (24 C.F.R. § 35.1130), and tenant-based rental assistance (24 C.F.R. § 35.1225).
5 24 C.F.R. §§ 35.730, 35.830, 35.1130, 35.1225.
6 24 C.F.R. § 35.1225(g).
7 45 C.F.R. Parts 160 and 164, subparts A and E.
8 45 C.F.R. § 160.103.
9 45 C.F.R. § 164.105.
10 45 C.F.R. § 160.103.
11 45 C.F.R. § 160.103.
12 45 C.F.R. § 164.502(a)(1), 164.508.
13 45 C.F.R. § 164.512(b).
14 Centers for Disease Control and Prevention, HIPAA Privacy Rule and Public Health: Guidance from CDC and the U.S. Department of Health and Human Services, 52(S-1) Morbidity and Mortality Weekly Report 19-20 (2003), at Appendix B, available at https://www.cdc.gov/mmwr/preview/mmwrhtml/su5201a3.htm.
15 45 C.F.R. § 164.501.
16 Requirements for Notification, Evaluation and Reduction of Lead-Based Paint Hazards in Federally Owned Residential Property and Housing Receiving Federal Assistance; Response to Elevated Blood Lead Levels, 82 Fed. Reg. 4151, 4156 (Jan. 13, 2017), available at https://www.federalregister.gov/documents/2017/01/13/2017-00261/requirements-for-notification-evaluation-and-reduction-of-lead-based-paint-hazards-in-federally.
17 Letter from the U.S. Department of Housing and Urban Development and the Centers for Disease Control and Prevention (CDC), Subject: Confidentiality of Childhood Lead Poisoning Data, (undated), at http://www.cdc.gov/nceh/lead/partnership/HUD_letter.pdf.
18 Department of Health and Human Services Office for Civil Rights, Does the HIPAA Privacy Rule’s public health provision permit covered entities to disclose protected health information to authorities such as the National Institutes of Health (NIH)? (created Dec. 20, 2002, last reviewed July 26, 2013), https://www.hhs.gov/hipaa/for-professionals/faq/297/does-the-hipaa-public-health-provision-permit-covered-entities-to-disclose-information-to-authorities/index.html (last visited May 17, 2019).
19 See 45 C.F.R. § 164.514.
Network attorneys are available to answer questions on this and other public health topics at no cost to you, and can assist you in using law to advance your public health initiatives. Contact a Network Attorney in your area for more information. The legal information and assistance provided in this document does not constitute legal advice or legal representation. For legal advice, readers should consult a lawyer in their state.