Collection of EHR-based information by public health is in its infancy compared to traditional procedures for disease surveillance. Legal and policy clarification authorizing EHR data collection and use must be analyzed in terms of acceptability and appropriateness from the perspectives of policy makers, health care providers, and the general public.

This section helps you explore the legal and policy support for your proposed surveillance program. It will help you clarify whether existing law or regulation covers your proposed collection of or access to EHR-based clinical data and where you have “grey areas” that may require more exploration with your agency’s legal counsel and/or legislative liaisons.

Questions addressed in this section:

• Do you have the legal and/or regulatory authority to establish the surveillance program and to collect data at the level of granularity you believe necessary?
• How applicable are existing laws and policies to the proposed surveillance system?
• Will the proposed surveillance activity require new data use agreements or Business Associate Agreements, or can existing agreements be used?
• What are the security and privacy requirements and how will they be addressed?

Likely stakeholders and participants:

• Senior and programmatic public health leadership
• Representatives from the agency’s offices for legal and legislative affairs
• Attorneys from data exchange partner organizations
• Privacy advocates