The purpose of this policy is to ensure the protection of personal health information (PHI) in compliance with the Health Insurance Portability and Accountability Act (HIPAA) while providing accurate, de-identified health data to the public. This policy establishes the data dissemination approval process along with guidelines for the suppression of data at various geographic levels and ensures that all public data dissemination aligns with privacy and legal standards.
This policy applies to all employees, contractors, and other personnel working within or on behalf of NKY Health who manage, handle, or disseminate health data. It pertains to all health data collection, reporting, analysis, and public distributions.
Data Suppression Guidelines
Publicly available health data will be filtered and reported at the county level or higher to minimize the risk of re-identification of individuals. NKY Health may release data at a more granular level (e.g., ZIP code, Census geographies) if the release can be made with proper safeguards to protect individuals' privacy. Such releases will be assessed on a case-by-case basis by the HIPAA compliance officer and the agency Data Director or designee and will still comply with HIPAA regulations. All releases should be approved by the overseeing program manager or division director prior to being submitted for review.
For internal use within NKY Health, data may be analyzed and reported at the ZIP code or address level. However, this local-level data will be restricted to authorized staff who require access for epidemiological purposes or public health interventions. Data at this level must still conform to internal privacy and security protocols to ensure that individuals cannot be identified.
All health data collected, analyzed, or disseminated by NKY Health must comply with the requirements of HIPAA and related Kentucky state privacy laws. PHI, including names, addresses, birthdates, or any other information that could be used to identify individuals, will not be included in any public dataset. NKY Health will use appropriate de-identification methods to ensure compliance with HIPAA, such as data aggregation, data masking, or data redaction, especially in small population areas.
All health data intended for public dissemination must undergo a formal review process to ensure that it meets privacy and suppression standards.
Data will be reviewed by Program Managers and Division Directors to ensure that no personally identifiable information or potentially re-identifiable data is included. Suppression will be applied to any categories or groups with small numbers of cases (i.e., smaller geographical groupings). Program Managers or Division Directors should also review data to ensure it is accurate and appropriate for the intended audience and messaging.
Data Sharing and Reporting
Requests for health data at a level more granular than the county level (e.g., ZIP code level) will be denied unless the requester has a legitimate, pre-approved public health or research purpose. In such cases, data will still be subject to stringent suppression and de-identification standards. These requests will be reviewed by the [new data manager position] prior to fulfillment.
During public health emergencies, NKY Health may release data at a more granular level (e.g., ZIP code) to authorized public health partners or entities, but only with proper safeguards in place to protect individuals' privacy. Such releases will be assessed on a case-by-case basis and will still comply with HIPAA regulations.
Failure to adhere to this policy or to ensure HIPAA compliance when handling or releasing health data may result in disciplinary action, up to and including termination of employment.