Legal

AISP_Legal_Icon copy

Legal frameworks: the rules, regulations, and authority that determine why, when, what, how, and with whom data can be shared

When governments and their partners bring data together safely and responsibly, policymakers and practitioners are better equipped to understand the complex needs of individuals and families. Data sharing and integration is also not without risks, and clear legal frameworks are essential to mitigate those risks, protect privacy, and guide responsible data use. Designing the appropriate legal framework for the context can be a complex task. It is important to engage legal counsel early and often to ensure your data sharing effort has clear legal authority, and to design a framework to facilitate data sharing, spelling out the why, what, who, and how. We recommend a tiered framework for these agreements and a templated approach, whenever possible. 

Legal is one of five components of quality for integrated data systems and the foundation for IDS success. For more on other components of quality, check out AISP’s Quality Framework for IDS.

Featured Resources

AISP offers a range of guidance, case studies, consulting supports, and peer exchange opportunities related to legal frameworks for data sharing. Check out the resources below to learn more.

Report: Finding a Way Forward: How to Create a Strong Legal Framework for Data Integration

Brief: Yes, No, Maybe?: Legal & Ethical Considerations for Informed Consent in Data Sharing and Integration

Journal Article: Strong Legal Frameworks for Data Integration: Four Questions for Moving Forward

Journal Article: A governance and legal framework for getting to “yes” with enterprise-level data integration (NCDHHS)

Survey Brief: Legal

The second in AISP’s network survey series, this brief describes how 37 diverse network members are developing legal frameworks for cross-sector data governance.

Explore the brief here.

Call and Webinar Recordings

  1. Legal Frameworks for Data Integration (1.8.24)
  2. Yes, No, Maybe? Legal & Ethical Considerations on Informed Consent in Data Sharing and Integration (4.24.25) – co-hosted with DISC
  3. De-Identification & Preventing Re-Identification (2.20.25) – co-hosted with DISC
  4. Navigating the Data Frontier: The Role of Lawyers in Data Sharing and Integration (2.26.24) – co-hosted with DISC  

Additional resources

Cross-sector data sharing and integration has become more routine and commonplace, as cross-sector data provide valuable insights to inform resource allocation and evaluate policies. Importantly, as health data is frequently shared and integrated, practitioners must decipher the Health Insurance Portability and Accountability Act (HIPAA) legal safeguards for sharing and integrating health data. The following matrix was designed to help practitioners begin to understand legal safeguards under HIPAA.

Access the Matrix

Cross-sector data sharing and integration has become more routine and commonplace, and for good reason. When governments and their partners bring together data safely and responsibly, policymakers and practitioners are better equipped to understand student needs and improve schools. Importantly, as education data is frequently shared and integrated, practitioners must decipher the Family Educational Rights & Privacy Act’s (FERPA) legal safeguards for sharing and integrating education data. The following matrix was designed to help practitioners begin to understand legal safeguards under FERPA.

Access the Matrix

Sharing and integrating substance use disorder (SUD) records safely and responsibly can help governments and their partners facilitate early identification and intervention, allocate resources effectively and implement targeted prevention programs. However, sharing SUD data is not without risks and this data is subject to a set of stringent regulations in 42 CFR Part 2 (commonly referred to as “Part 2”). Many local and state governments find Part 2 intimidating, often mistakenly believing that it completely prohibits the sharing of substance use disorder patient records.

This brief aims to demystify Part 2, a critical regulation governing the confidentiality of these records, by providing a broad overview of its core components. This brief is not intended to be exhaustive and does not cover every instance in which Part 2 data can be shared. This brief only covers federal law and does not address more restrictive state law.

Access the Brief

DISC and AISP: Legal Professionals Workshop Series
Council of State and Territorial Epidemiologists: Tribal Epidemiology Toolkit – Data Sharing
Network for Public Health Law: Pathways to Yes: A legal framework for achieving data sharing for health, well-being, and equity
State of Connecticut: Legal Issues in Interagency Data Sharing
HHS Office for Civil Rights: National Forum on Youth Violence Prevention: HIPAA Privacy Rule Considerations 

AISP Legal Support

In 2023, with funding from the Washington state legislature to establish a centralized data repository for population and policy research (“WashPop”), a team from the University of Washington engaged AISP to provide technical assistance. AISP conducted a comprehensive legal scan of relevant statutes, provided hands-on support in developing foundational legal documents, and facilitated meetings to generate momentum with partners during an in-person site visit. We’re proud to support UW’s pioneering work and welcome the opportunity to assist other jurisdictions pursuing similar data integration efforts.

Need help navigating the legal landscape for data sharing? Contact Deja Kemp to learn more about our legal services.

“AISP is more than just a technical advisor—they are a wise and strategic ally, helping us navigate the complexities of establishing strong governance.”
Jennie Romich
Director, WashPop
This site is registered on Toolset.com as a development site.