Privacy Officers and Data Sharing: A Q&A with Network Attorney Sallie Milam
April 11, 2019
Building healthy communities requires access to relevant data from multiple sectors, including public health, health care, schools, human services, housing and law enforcement. Data collection, use, and sharing are governed by federal and state laws that depend on who is sharing data, the type of data to be shared, and the purpose for which data are being shared. Agencies and organizations have designated privacy officers to stay on top of these laws and regulations and identify privacy requirements as well as manage changes in policy and operations.
As privacy officers are responsible for developing policy to ensure compliance with information privacy laws, such as HIPAA, they can play a key role in promoting data sharing in their organizations.
The Network’s newest attorney and Deputy Director of our Mid-States Region Office, Sallie Milam, spent 16 years as Chief Privacy Officer for the State of West Virginia. In this Q&A, Sallie discusses how privacy officers can help their agencies navigate law to make data more accessible.
Can you highlight some data sharing initiatives you were involved in as a privacy officer in West Virginia?
As the Chief Privacy Officer, I sometimes saw agencies struggle sharing data with one another. Each agency is regulated by different laws, with different policies and different data use agreements. When presented with a request to share data, a project could get bogged down in simply trying to negotiate the differing data use agreements. Analyzing the various and conflicting terms in competing agreements was resource- and time-intensive.
At a Privacy Management Team (PMT) meeting one month, a department privacy officer requested that we pull a working group together to create a data use agreement for all agencies to utilize when sharing data with one another. Privacy officers, attorneys and epidemiologists from across the West Virginia Executive Branch rolled up their sleeves and brought their own data use agreements to the table. We had a real cross section of agencies within the working group, with some members focused on sharing health data, to others involved in sharing driver’s license data, and everything in between.
Within just a few meetings, we successfully developed a model data use agreement and made it available on our website. We received feedback that it was helpful to have a common template agreement to use in the sharing of data between agencies.
The West Virginia Health Insurance Portability and Accountability Act of 1996 (HIPAA) Preemption Analysis is another important data initiative. Since 2003, the State Privacy Office has annually prepared an overview of West Virginia health privacy related law and an analysis of the preemption issues arising under HIPAA. To assist healthcare providers within and outside state government and other entities in the complicated task of determining whether West Virginia state law is preempted by HIPAA, this legal advisory chart provides an analysis of those state law provisions which appear to implicate HIPAA. The HIPAA Preemption Analysis also identifies which West Virginia laws are more stringent than HIPAA. Additionally, the chart is a general reference guide to many of the health related laws in West Virginia.
After the annual legislative session, the State Privacy Office updates the West Virginia HIPAA Preemption Analysis, presents it to the PMT and then makes it available to all members of the West Virginia bar. Keeping this resource current supports data sharing.
Where are public health privacy officers located within state government?
There is no single best place for a privacy officer to be located within an organization. It is important for the privacy officer to have direct access to the organization’s leader, such as the health officer or commissioner, and be routinely included as part of the organization’s business strategy decision-making.
In an informal discussion within the Network’s Public Health Privacy Officers Listserv (which includes a state level privacy officer for each state and the District of Columbia who works with public health data-related issues) we learned that the majority of privacy officers are located in Legal Departments, followed by Information Technology Services Departments, the Cabinet Secretary/Commissioner/Director’s Office, Attorney General’s Office, Compliance, Health/Fiscal/Operations, Informatics, Clinical Services, and Human Resources Departments, and the Inspector General’s Office. Established in 2011, this Listserv provides a forum for privacy officers to obtain peer assistance on data-related issues and share resources. Anyone interested in joining the Network’s Public Health Privacy Officers Listserv can email me with their contact information.
How does a privacy officer promote data sharing?
The best thing that a privacy officer can do is to get trained on privacy law and identify resources that help navigate law. A great place to get started with any data sharing scenario is to complete the Network for Public Health Law’s Checklist of Information Needed to Address Proposed Data Collection, Access and Sharing. This checklist will assist public health practitioners in providing relevant factual information to resolve questions about proposed data collection, access and sharing.
How can the Network help health agencies, organizations and collaboratives navigate law and regulations to effectively use data?
The Network has a variety of toolkits and resources on legal issues that arise from the collection, use, storage and disclosure of data by public health agencies. Providing support to public health departments on issues of law and policy is at the core of what the Network does. In addition to myself, there are other attorneys at the Network with expertise in data law who are available to answer questions and provide research and consultation on legal issues related to data sharing at no charge.
Those working with data might also want to consider attending the Network’s Public Health Law Summit on data sharing this October in Michigan. The summit will provide attorneys, privacy officers, health officials, public health and community practitioners, and others with practical, in-depth information and tools to navigate what can be a complex legal landscape.
There are other resources as well. In an effort to support local collaboratives in their efforts to share data across sectors, the Network and Data Across Sectors for Health recently launched an online legal bibliography that includes more than a hundred papers, toolkits and other materials focused on privacy, consent and policy documentation for lawyers and community data practitioners..
Another resource is All In, an online community of individuals dedicated to improving community health through multi-sector data sharing and collaboration. At All In, those working with data can connect with other professionals tackling common challenges where they can share resources and news, and learn about new ideas and best practices.
The Network provides information and technical assistance on issues related to public health. The legal information and assistance provided in this document does not constitute legal advice or legal representation. For legal advice, readers should consult a lawyer in their state.
Support for the Network is provided by the Robert Wood Johnson Foundation (RWJF). The views expressed in this post do not necessarily represent the views of, and should not be attributed to, RWJF. Sallie Milam is the Deputy Director of The Network for Public Health Law Mid-States Region Office. She can be reached at firstname.lastname@example.org.