April 12, 1993
Mr. James Hazelrigs, Director Medical Database Commission 3901 Barrett Drive, Suite 204 Raleigh, North Carolina 27609
Re: Advisory Opinion Regarding the Release of Patient- Specific Information by the North Carolina Medical Database Commission Pursuant to G.S. 131E-210
Dear Mr. Hazelrigs: You have raised a number of questions concerning the authority of the North Carolina Medical Database Commission . Those questions generally relate to the Commission’s desire to begin releasing reports which contain patient-specific data. You have asked this Office to review the Commission’s enabling legislation and respond to three questions. Those questions, along with our responses, are set out separately below.
Question 1: Can the Commission change its administrative Rules to allow the release of
patient level data as long as the general guidance of the legislature is followed, or is
specific legislative modification needed?
The Medical Database Commission is authorized by G.S. 131E-210 to disseminate aggregate data. Pursuant to G.S. 150B-2(8a), a rule can only "implement or interpret" a statute. Therefore, the Commission may not, by rule, change "aggregate" to mean "non-aggregate". It is our opinion that legislative action would be required to authorize the Commission to release patient level data.
Question 2: Who "owns" the data submitted to the Commission? Since the Commission
releases aggregated information by statute now without permission, how is this policy
changed if we release patient level information that has been encrypted so as to prevent
actual patient "John Doe" identification?
Neither the hospital nor the Medical Database Commission has exclusive ownership rights in the data. G.S. 131E-211 provides that the Medical Database Commission may require that data be submitted to it from all medical care providers. G.S. 131E-210(b) provides that the data compiled will be made available in aggregate form to interested persons. G.S. 131E-212(g) provides that the Commission may not use the data collected for a purpose other than one authorized by this Article. The Commission does not need a statutory amendment in order to continue to collect the data. So long as the data is collected and disseminated in a manner authorized by statute, the Commission does not violate any ownership rights that the hospitals may have in the data.
Although hospitals have been providing this data to the Commission since its inception, they raised no ownership issues so long as the Commission’s release of the data provided was consistent with the requirements of G.S. 131E-210. You correctly note that issues as to who owns the data are not affected by your plans to release the data in a new form. However, in our response to your first question, we concluded that legislation would be required before the Commission could release data other than in "aggregate" form.
Question 3: Are there any considerations concerning liability for the original providers of the information (the hospital) to the Commission, if for any reason a patient is inadvertently identified despite all attempts to mask the identification?
No. G.S. 131E-212(e) provides that any person who submits data to the Commission shall be immune from liability in any civil action. I hope you find this information useful.
Jo Ann Sanford Special Deputy Attorney General
Evelyn B. Terry Associate Attorney General