Why Law and Policy Are Essential to Public Health Data Modernization
April 28, 2026
Part one of a series of articles exploring how law and policy are a cornerstone of public health data modernization.
Public health data modernization holds the power to transform public health, facilitating real-time or near-real-time disease detection, data-driven decision-making, and greater health equity. The initiative's forward momentum endures with a continued focus on Fast Healthcare Interoperability Resources (FHIR); health data intermediaries, such as qualified health information networks (QHINs) and, increasingly, health data utilities (HDUs); implementation of electronic case reporting (eCR); and other strategies. At the same time, health departments continue to explore emerging uses of artificial intelligence (AI). Although the discussion around data modernization often centers on systems, technical infrastructure, and data standards, there are many reasons why law and policy are indispensable components of the movement to modernize public health data.
Navigating An Ever-Shifting Public Health Data Legal Landscape
States continue to evolve their laws around health data. In addition to funding data modernization through appropriations, these legislative changes include bolstering data governance, as well as privacy, security, and access. For example, Washington’s My Health, My Data Act, a first-of-its-kind comprehensive consumer health privacy law, took effect in 2024. Nevada quickly followed suit with its own consumer health privacy law. Changes to Connecticut’s Data Privacy Act that add protections for health data go into effect in July of this year. Illinois passed the Access to Public Health Data Act, granting local public health agencies in the state better access to datasets such as the adverse pregnancy outcomes reporting system (APORS) and the prescription monitoring program (PMP). Meanwhile, the emerging application of AI in public health will undoubtedly add to the regulatory landscape. Last year, all 50 states, Puerto Rico, the Virgin Islands, and Washington, D.C., introduced legislation on the topic of AI, and 38 states adopted AI measures. Finally, 20 states now have comprehensive general consumer privacy protection laws, some of which, such as California’s Consumer Privacy Act, may impact health data.
Understanding an Ever-Evolving Body of Legal Frameworks and Agreements
Contemporary legal frameworks for public health data exchange are built on trust and an increasing number of complex, and often multilateral, agreements. Examples include:
- TEFCA’s Common Agreement for Nationwide Health Information Interoperability,
- eHealth Exchange’s Data Use and Reciprocal Support Agreement (DURSA),
- Centers for Disease Control and Prevention’s (CDC’s) Core Data Use Agreement (DUA), and
- Immunization (IZ) Gateway’s Multi-jurisdictional Vaccine Provider Organization and Jurisdiction Data Exchange Agreement.
These and other agreements create a complex web of compliance requirements, underscoring the need for legal alignment among initiatives and their respective frameworks.
Interpreting Disparate Public-Health-Data-Specific Confidentiality Protections
Many public health data protections, primarily found in state law, are data-specific. Illinois, for example, has a communicable disease code, sexually transmissible infections code, HIV code, and immunization registry code, all containing different protections for different public health data. Each jurisdiction across the country has similar but not identical protections. However, interoperability of data systems, nationwide uptake of TEFCA, DURSA, and other frameworks, and exchange of large amounts of data through intermediaries all require legal alignment and ongoing legal analysis by attorneys steeped in public health law. Such alignment can be a challenge in a legal landscape characterized in large part by jurisdiction-, disease-, and condition-specific laws.
Keeping Up with Enforcement, Rulemaking and Other Legal Developments
The success of data modernization requires ongoing analysis of continuously shifting legal requirements, policy priorities, and enforcement activity. For example, the Information Blocking Rule, created as a result of the 21st Century Cures Act, prohibits certain practices by health care providers, health information exchanges (HIEs), and others that impede access to electronic health information. This rule creates a new challenge for health care providers, HIEs, and other actors, shifting the conversation from “am I permitted to share this data?” to “am I permitted to not share this data?” The rule has implications for health departments that provide health care, for data intermediaries, and for the availability of real-time data through electronic health records (EHRs) and electronic case reporting (eCR).
The rule currently includes several exceptions relevant to public health data modernization, including an exception specifically for practices relating to participation in TEFCA. The Department of Health and Human Services (HHS) announced in September 2025 it will “take an active enforcement stance” against actors that violate the rule, suggesting actors subject to the rule should engage legal support to assess their compliance.
Meanwhile, the Office of the National Coordinator (ONC) published a proposed rule, HTI-5, on December 22, 2025, which, the agency says, “focuses on deregulatory actions identified in HHS regulations regarding health information.” The proposed rule included, but was not limited to, changes to the Information Blocking Rule, such as repealing the exception for TEFCA participation. Public health data stakeholders are already strategizing for an anticipated HTI-6. These ever-shifting priorities require close attention by public health attorneys engaged in the support of data modernization initiatives.
As we begin to see siloed data systems in the rearview mirror, and interoperability in the foreground, the need for clarity of legal requirements and legal frameworks is ever more important. Data modernization will require legal alignment across jurisdictions, frameworks and data types, necessitating the consistent inclusion of legal and policy support.
This post was written by Stephen Murphy, J.D., Director, Network for Public Health Law—Mid-State Region.
The Network promotes public health and health equity through non-partisan educational resources and technical assistance. These materials are provided solely for educational purposes and do not constitute legal advice. The Network’s provision of these materials does not create an attorney-client relationship with you or any other person and is subject to the Network’s Disclaimer. Support for the Network is provided by the Robert Wood Johnson Foundation (RWJF). The views expressed in this post do not represent the views of (and should not be attributed to) RWJF.