A policy framework for public health uses of electronic health data


D. McGraw, Center for Democracy & Technology (CDT), 1634 I Street, NW, #1100, Washington, DC 20006, USA. E-mail: deven@cdt.org


Successful implementation of a program of active safety surveillance of drugs and medical products depends on public trust. This article summarizes how the initial pilot phase of the FDA's Sentinel Initiative, Mini-Sentinel, is being conducted in compliance with applicable federal and state laws. The article also sets forth the attributes of Mini-Sentinel that enhance privacy and public trust, including the use of a distributed data system (where identifiable information remains at the data partners) and the adoption by participants of additional mandatory policies and procedures implementing fair information practices. The authors conclude by discussing the implications of this model for other types of secondary health data uses. Copyright © 2012 John Wiley & Sons, Ltd.


The US Food and Drug Administration (FDA) officially launched the Sentinel Initiative in May 2008, beginning a long-term effort to implement a national electronic system, the Sentinel System, for actively monitoring the safety of drugs and other medical products already on the market. Congress authorized the program in the Food and Drug Administration Amendments Act (FDAAA) of 2007 and set targets for the FDA to have the ability to access health care data from 25 million people by July 2010 and 100 million by July 2012. The FDA has met the initial goal and is on track to reach the second milestone.

There is tremendous public benefit to active surveillance of approved drugs and other medical products to gain early knowledge about potential drug and device safety issues. However, because active surveillance requires access to health information, the success of Sentinel depends on whether it is designed and implemented in a way that merits public trust.

Public trust has at least two key components. First, the Sentinel System must be created in a manner that complies with existing privacy and security laws covering health information.i Second, because compliance with law establishes only the minimum requirements for the use of health information, additional protections must be put in place in order to build public trust. These include implementation of a robust set of information practices and policies, ideally built on commonly accepted fair information practices and using privacy-protective data architectures.

Legal experts have analyzed in detail the legal issues that may arise with respect to access to health information by the FDA and its contracting partners, and have mapped out a path to compliance with applicable federal law.ii This article will explain the Sentinel data model, briefly summarize key legal issues and how they have been addressed, and then focus on the additional policies and practices that have been adopted to build public trust in the initial pilot phase of Sentinel, referred to as Mini-Sentinel.iii


Mini-Sentinel is a pilot project of the Sentinel Initiative intended to provide the foundational work necessary to inform and facilitate the development of a fully operational active surveillance system for monitoring the safety of FDA-regulated medical products (the Sentinel System). The Mini-Sentinel pilot is being conducted as a collaborative effort by a consortium that includes a variety of hospital systems, health plans, universities, and research institutes.

The design of Mini-Sentinel—the building blocks of which were laid by Congress in FDAAA—implements sound privacy and security principles and practices right from the start. Congress directed the FDA to establish Sentinel using disparate data sources and linking and analyzing health care data from multiple sources.iv Such data sources include, but are not limited to, federal health programs such as Medicare and the Veterans Administration, and also private sector sources such as health plans, existing research centers, and major academic medical centers.v

The FDA is creating a distributed data network for Mini-Sentinel that leaves identifiable health data at the source. No directly identifiable data will flow to the FDA or the Mini-Sentinel Operations Center (operated under an FDA contract with Harvard Pilgrim Health Care). Data sources (called “data partners” in Mini-Sentinel) will maintain physical and operational control over the data. They will execute analysis programs distributed by the Operations Center and will provide the output of these programs to the Operations Center. Whenever possible, the output that the data partners share will contain only summary or aggregate information, such as counts of health plan members categorized by the following: (i) the presence or absence of a particular health condition; (ii) exposure to a particular medication; (iii) the presence or absence of a particular health outcome; and (iv) age group. When person-level information is provided, it will be stripped of all directly identifiable data. For example, in order to confirm an adverse drug reaction, data partners may provide clinical data about a particular individual, but this data will exclude any direct identifiers such as name and contact information.

This distributed data model allows data partners to remain in control of their data while ensuring timely availability of the data for critical safety analysis. Essentially, the medical product safety questions are brought to the data, in contrast to a model that requires copies of data to be fed into one or more centralized databases for further analysis. This distributed data model enhances privacy by decreasing the risk of inappropriate exposure.vi
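The query-to-the-data flow described above, as an added illustration that is not code from Mini-Sentinel, the Operations Center or any data partner: two hypothetical partners each run the same safety query over constructed records they keep locally, return only counts stratified by condition, exposure, outcome and age group, and, for signal confirmation, release person-level clinical fields only after direct identifiers are removed. Function names, the identifier field list, the reference year and the age bins are assumptions of this example, not the Mini-Sentinel Common Data Model.

```python
from collections import Counter

# Constructed sample records for two hypothetical data partners (not real
# patient data and not the Mini-Sentinel Common Data Model). Each partner
# keeps its own records; nothing below copies them to a central store.
PARTNER_A_RECORDS = [
    {"name": "Alice Example", "phone": "555-0100", "member_id": "A-1",
     "birth_year": 1950, "conditions": {"diabetes"}, "exposures": {"drugX"}, "outcomes": {"MI"}},
    {"name": "Bob Example", "phone": "555-0101", "member_id": "A-2",
     "birth_year": 1940, "conditions": {"diabetes", "hypertension"}, "exposures": {"drugX"}, "outcomes": set()},
    {"name": "Carol Example", "phone": "555-0102", "member_id": "A-3",
     "birth_year": 1985, "conditions": set(), "exposures": {"drugY"}, "outcomes": {"MI"}},
    {"name": "Dan Example", "phone": "555-0103", "member_id": "A-4",
     "birth_year": 2000, "conditions": {"asthma"}, "exposures": set(), "outcomes": set()},
    {"name": "Eve Example", "phone": "555-0104", "member_id": "A-5",
     "birth_year": 1945, "conditions": {"diabetes"}, "exposures": {"drugX"}, "outcomes": {"MI"}},
]
PARTNER_B_RECORDS = [
    {"name": "Frank Example", "phone": "555-0200", "member_id": "B-1",
     "birth_year": 1955, "conditions": {"diabetes"}, "exposures": {"drugX"}, "outcomes": {"MI"}},
    {"name": "Grace Example", "phone": "555-0201", "member_id": "B-2",
     "birth_year": 1990, "conditions": set(), "exposures": set(), "outcomes": set()},
]

# Fields treated as direct identifiers (assumed list for this example; the
# article names "name and contact information" as the kind of data excluded).
DIRECT_IDENTIFIERS = {"name", "phone", "email", "address", "member_id"}
REFERENCE_YEAR = 2012  # assumed reference year for age-group binning


def age_group(birth_year, ref_year=REFERENCE_YEAR):
    """Bin age into coarse groups; the bins are an assumption of this example."""
    age = ref_year - birth_year
    if age < 18:
        return "<18"
    if age < 65:
        return "18-64"
    return "65+"


def run_safety_query(records, condition, drug, outcome):
    """Partner-side execution of a distributed query.

    Returns only counts keyed by (has_condition, exposed, has_outcome,
    age_group), the four categories the article lists. No record leaves
    the partner; only this summary does.
    """
    counts = Counter()
    for r in records:
        key = (condition in r["conditions"],
               drug in r["exposures"],
               outcome in r["outcomes"],
               age_group(r["birth_year"]))
        counts[key] += 1
    return dict(counts)


def strip_direct_identifiers(record):
    """Return a copy of a record with every direct identifier field removed."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def confirmation_extract(records, drug, outcome):
    """Person-level clinical data for confirming a signal, identifiers removed."""
    return [strip_direct_identifiers(r)
            for r in records if drug in r["exposures"] and outcome in r["outcomes"]]


def contains_direct_identifiers(rows):
    """Release check: True if any row still carries a direct identifier field."""
    return any(k in DIRECT_IDENTIFIERS for row in rows for k in row)


def operations_center_aggregate(partner_outputs):
    """Combine per-partner counts into the summary passed on to the FDA."""
    total = Counter()
    for out in partner_outputs:
        total.update(out)
    return dict(total)


if __name__ == "__main__":
    outputs = [run_safety_query(p, "diabetes", "drugX", "MI")
               for p in (PARTNER_A_RECORDS, PARTNER_B_RECORDS)]
    for key, n in sorted(operations_center_aggregate(outputs).items()):
        print(key, n)
```

The point of the split between run_safety_query and confirmation_extract is that the two release paths have different shapes: the routine path never leaves the aggregate level, and the exceptional person-level path is gated by contains_direct_identifiers before anything is sent.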


A variety of federal health privacy and research laws potentially apply to Sentinel. This section briefly summarizes those laws.

First, the Health and Human Services (HHS) Office for Human Research Protections has determined that the Common Rule (the federal regulations that govern the conduct of human subject research) does not apply to the use of data for Sentinel, because Sentinel constitutes public health practice, not research.3 Consequently, data partners participating in Mini-Sentinel do not need to obtain review by their Institutional Review Boards to participate in Mini-Sentinel or to use or provide data for Mini-Sentinel purposes.

Second, the regulations under the Health Insurance Portability and Accountability Act (HIPAA) apply to most data partners participating in Mini-Sentinel. Because the access to and use and disclosure of protected health information (PHI) for purposes of Mini-Sentinel is a public health activity conducted by the FDA and its contracting partners, individual authorization is not required to utilize PHI for Mini-Sentinel.vii Moreover, data partners are entitled to rely on the FDA and any of its contractors working on Mini-Sentinel regarding what constitutes the minimum amount of information necessary to perform and respond to a Mini-Sentinel safety analysis.viii

Third, federal regulations governing substance abuse treatment information (called “Part 2 regulations”) may apply to data partners participating in Mini-Sentinel, if those data partners are “federally assisted” substance abuse treatment “programs.”ix However, the Part 2 regulations only protect information that identifies a patient as an alcohol or drug abuser or someone who has applied for or received that type of treatment. Because the information disclosed in Mini-Sentinel is aggregate data stripped of identifiers, it is unlikely that any covered information will be disclosed in Mini-Sentinel.x

Finally, the data partners also must comply with any state health information confidentiality laws that require consent before use or disclosure of certain types of health information, such as HIV or genetic testing.xi Mini-Sentinel data partners are expected to carefully analyze and comply with state laws that impose any additional restrictions, which will depend on the type of information sought in a particular Mini-Sentinel query and the applicable state laws.


In describing the privacy-enhancing and security-enhancing policies and practices of Mini-Sentinel, we have grouped them into commonly accepted categories of “fair information practices.” Other data exchange models, such as the Markle Foundation in its Connecting for Health Common Framework for electronic health information exchange,xii similarly employ these fair information practices.

Data integrity and quality

As noted earlier, data partners utilize their own data—health information that they collect and maintain in the ordinary course of business—to answer safety queries formulated by the FDA. The underlying information is put into the Mini-Sentinel Common Data Model (MSCDM) before it is analyzed for a particular safety query.xiii The MSCDM is a data structure that standardizes administrative and clinical information across data partners and makes it possible to consistently execute standardized data analysis programs.xiv To ensure safety analyses can be confirmed, Mini-Sentinel Policies require data partners to keep the information that has been transformed into the MSCDM and used to respond to Mini-Sentinel queries for 3 years.xv

Collection and use limitations

In general, data partners use their own health information to answer Mini-Sentinel queries. There is accordingly no need to collect or aggregate the data partners' health information in a new, separate database in order to answer safety queries. Once a query has been answered, the underlying health information in the data partners' records continues to be held by the data partners in accordance with applicable law and the data partners' applicable policies.xvi

However, in some instances there may be a need to confirm a safety signal with additional information not in the possession of the data partner. For example, there may be a need to collect additional clinical information from a treating health care provider in order to confirm or further investigate a suspected signal suggested by health plan claims data, such as when a particular drug was administered to a patient or whether there are other underlying health problems that might explain an adverse outcome. In such a case, the data partner is expressly limited to collecting additional data solely for the purpose of confirming the signal—the data must be destroyed within 3 years according to national standards for data destruction.xvii

Purpose specification and minimization

Mini-Sentinel is designed to minimize who has access to identifiable data and to limit the use of that data for Mini-Sentinel purposes only. Data partners run the safety queries and send summary responses to the Mini-Sentinel Operations Center, which then aggregates the results and transmits them to the FDA.xviii In most instances, the summary or aggregate data shared with the Operations Center and the FDA will qualify as “de-identified” under the HIPAA Privacy Rule.xix Even where de-identification may be technically difficult to achieve because of small sample size, all data shared outside of the data partners is only in summary or aggregate form and with any direct identifiers masked.xx No directly identifiable data will be released to the FDA by the Operations Center or the data partners.xxi Finally, as noted before, any additional information collected by a data partner to confirm a safety signal may only be used for Mini-Sentinel purposes.

Openness and transparency

The FDA has launched the Sentinel Initiative—and the Mini-Sentinel Pilot—with a high degree of transparency to stakeholders, including academia, data partners (potential and actual), vendors, consumers, patient representatives, Federal partners, and industry.xxii In March through September of 2008, the FDA's Sentinel team hosted a series of stakeholder meetings before issuing a report outlining the Sentinel program and its goals.xxiii In December 2008, the Sentinel Team and the eHealth Initiative cosponsored a public workshop, Sentinel Initiative: Structure, Function and Scope, in cooperation with The Brookings Institution. The FDA also awarded a cooperative agreement to The Brookings Institution to convene several meetings on Sentinel-related topics, and the third public workshop was held in January 2011. Required policies for Mini-Sentinel and papers developed in support of Sentinel are available to the public on the FDA's website.xxiv The FDA also is committed to communicating to the public relevant and timely safety information obtained through Sentinel evaluations.xxv

Meetings on the Sentinel Initiative and the Mini-Sentinel Pilot have been open to the public, but the degree to which members of the general public are aware of this work is unclear. The Mini-Sentinel data partners subject to HIPAA regulations are required to issue a Notice of Privacy Practices that tells patients that their health information may be used for public health activities.xxvi Because the HIPAA notice does not have to list specific public health activities and because individuals rarely read or understand HIPAA notices,xxvii we recommend FDA engage stakeholders to explore more effective ways to promote public transparency regarding Mini-Sentinel and its participating data partners, as well as important safety outcomes revealed through the Sentinel System.

Individual Participation

Participation in Mini-Sentinel is voluntary by data partners. While patients are not asked to consent to the use of their information for this purpose, public health uses of data have a long and established history in the USA and are generally seen as unproblematic by policymakers and ethicists.xxviii In public health contexts, ethical protection of patients arises from the general ethical and legal duties of the implementing public health authority and its accountability to the public.xxix Consequently, public health uses and disclosures do not require advance patient authorization under the HIPAA Privacy Rule,xxx although state law may require consent for use of certain types of sensitive health data for Mini-Sentinel.xxxi Congress, by passing FDAAA, determined that active postmarket surveillance activities are an appropriate use of patient data.

Security safeguards and controls

Data partners covered by HIPAA are required to adopt reasonable administrative, physical, and technical safeguards in compliance with the HIPAA Security Rule.xxxii In addition, the Mini-Sentinel Coordinating Center and the FDA are required to manage Mini-Sentinel data in accordance with the Federal Information Security Management Act of 2002.xxxiii

Accountability and oversight

The Mini-Sentinel policies are enforced by contractual agreements executed by all of the data partners with the Mini-Sentinel Coordinating Center, which is acting on behalf of the FDA. The Mini-Sentinel Coordinating Center must also abide by FDAAA and applicable policies under contract with the FDA. In addition, Mini-Sentinel data partners that are HIPAA covered entities are subject to oversight and enforcement by the HHS Office for Civil Rights.xxxiv


The Sentinel Initiative demonstrates that it is possible to construct effective systems for health data analysis leveraging existing sources of data and using a distributed data model. The architecture of Sentinel, and the careful design of its policies and procedures, is intended to lay the foundation for public trust in this important program.

There is significant potential for benefit in borrowing from the Sentinel System model in building networks for health research, such as for comparative effectiveness research purposes. Indeed, the basic building blocks of Sentinel—the distributed system, policies built on an application of fair information practice principles, and contractual accountability—could be the initial building blocks of a trust framework that supports the use of electronic health information for other purposes in a way that is endorsed by the public.xxxv


The authors are participants in a Privacy Panel for the Mini-Sentinel Pilot phase of the FDA's Sentinel Initiative. Ms. McGraw and Ms. Rosati received compensation from the Mini-Sentinel Coordinating Center, Harvard Pilgrim Health Care, for their work on the panel; Ms. Evans' work on this project was conducted under a sponsored research agreement between Harvard Pilgrim Health Care and the University of Houston. Ms. Evans also receives funding from the Greenwall Foundation and the University of Houston Law Foundation.


  • Successful implementation of the Sentinel Initiative depends on public trust.
  • The Mini-Sentinel pilot is in compliance with applicable federal laws.
  • Mini-Sentinel achieves additional privacy protection by using a distributed network, leaving identifiable data under the control and stewardship of the original data partners.
  • Mini-Sentinel also established binding policies and procedures that set expectations above and beyond current law.
  • Mini-Sentinel establishes building blocks of a model for secondary data use that has potential applicability beyond the Sentinel Initiative.


Mini-Sentinel is funded by the Food and Drug Administration (FDA) through Department of Health and Human Services (HHS) Contract Number HHSF223200910006I.

  • i

    FDAAA required Sentinel to be conducted in compliance with the regulations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and in a manner that does not disclose individually identifiable health information. 21 U.S.C.A. Section 355(k)(3)(C)(i)(I).

  • ii

    See Rosati, K, An Analysis of Legal Issues Related to Structuring FDA Sentinel Initiative Activities. eHealth Initiative Foundation; March 2009 (funded by FDA Purchase Order #HHSF223200811188P), http://www.regulations.gov/#!documentDetail;D=FDA-2009-N-0192-0003.2 (accessed 18 January 2011) (hereinafter Rosati 2009); McGraw, D and Rosati, K. Protecting Patient Privacy in Medical Product Safety Surveillance. FDA Sentinel Initiative Meeting Series Issue Brief 2010. http://www.brookings.edu/~/media/Files/events/2010/0308_FDA_legal_issues/Panel%202%20Issue%20Brief.pdf (accessed 17 January 2011).

  • iii

    For a brief description of Mini-Sentinel, see Sentinel Report at 5–6.

  • iv

    21 U.S.C.A. Section 355(k)(3)(B)(i).

  • v

    21 U.S.C.A. Section 355(k)(3)(C)(i)(III).

  • vi

    For a discussion of the advantages of distributed models for population health, see Diamond, CC, Mostashari, F, and Shirky, C. Collecting and sharing data for population health: a new paradigm. Health Affairs 2009; 28; 2: 454–466.

  • vii

    Id. at 5. See also Evans, BJ. Congress' new infrastructural model of medical privacy. Notre Dame Law Review 2009; 84: 585, 615–618 (hereinafter Evans 2009).

  • viii

    Id. at 8.

  • ix

    See 42 Code of Federal Regulations (CFR) Part 2.

  • x

    Rosati 2009 at 5.

  • xi

    Id. at 65.

  • xii

    For more information, see http://www.connectingforhealth.org/commonframework/index.html (accessed 18 January 2011).

  • xiii

    Mini-Sentinel Principles and Policies Nov. 2010 at 3.1.2. http://mini-sentinel.org/about_us/principles_and_policies.aspx (accessed on 18 January 2011).

  • xiv

    Id. at 3.1.2.

  • xv

    Id. at 3.4.1. Because this is information held in the data partners' core records, it is likely that other applicable laws and policies dictate longer record retention times.

  • xvi

    Id. at 3.3.1.

  • xvii

    Id. at 3.2.2, 3.3.2, 3.4.1 (referencing data destruction standards set by the National Institute of Standards and Technology (NIST)).

  • xviii

    Id. at 3.1.1.

  • xix

    Mini-Sentinel White Paper at 3–5.

  • xx


  • xxi

    Mini-Sentinel White Paper at 8.

  • xxii

    See Sentinel Report Attachment 1—Sentinel Initiative Milestones.

  • xxiii


  • xxiv

    http://mini-sentinel.org/about_us/principles_and_policies.aspx (accessed 18 January 2011).

  • xxv

    Sentinel Report at 8.

  • xxvi

    See 45 CFR Section 164.520. Most data partners are obligated by HIPAA to disclose only the minimum necessary amount of information in responding to a Mini-Sentinel query. Under current law, data partners are permitted to rely on the FDA and its contractors (such as the Operations Center) to determine which data constitute the minimum amount necessary to fulfill a particular query.

  • xxvii

    See Hochhauser, M. Readability of HIPAA Privacy Notices 2003; 5–6. http://benefitslink.com/articles/hipaareadability.pdf (accessed 18 January 2011); Hochhauser, M. Why Patients Won't Understand Their HIPAA Privacy Notices 2003. Privacy Rights Clearinghouse. http://www.privacyrights.org/ar/HIPAA-Readability.htm (accessed 18 January 2011); Pollio, M. The Inadequacy of HIPAA's Privacy Rule: The Plain Language Notice of Privacy Practices and Patient Understanding. N.Y.U. Ann. Surv. Am. Law 2005; 60: 579.

  • xxviii

    See generally, Gostin, LO. Public Health Law: Power, Duty, Restraint. University of California Press, 2008 (discussing the history of, and rationales for, public health activities in the U.S.).

  • xxix


  • xxx

    45 CFR Section 164.512(b).

  • xxxi

    Rosati 2009 at 65.

  • xxxii

    Mini-Sentinel Principles and Policies at 4.5.

  • xxxiii


  • xxxiv

    See 45 CFR Part 160, Subpart D.

  • xxxv

    Evans 2009 at 622.