Can the North Carolina Medical Database Commission, by changing its own administrative rules, start releasing patient-level health data instead of only aggregate statistics, even if the patient identities are encrypted? Who legally 'owns' the data submitted by hospitals, and are hospitals exposed to liability if a patient is inadvertently identified despite encryption?
Plain-English summary
The Director of the North Carolina Medical Database Commission asked the AG three connected questions about the Commission's authority to do something it had not done before: release patient-level (rather than aggregate) data, even if patient identities were masked through encryption. The questions were practical, but the answers turned on a clean statutory line.
The Commission's enabling statute, G.S. 131E-210, authorizes release of aggregate data only. Subsection (b) makes the compiled data available "in aggregate form" to interested persons. The Commission collects data from hospitals (G.S. 131E-211) and uses it within statutorily authorized purposes (G.S. 131E-212(g)).
Question 1: rule change vs. legislative change. Can the Commission redefine "aggregate" to mean "non-aggregate" through rulemaking?
The 1993 AG said no. G.S. 150B-2(8a) restricts a rule to one that "implement[s] or interpret[s]" a statute. Redefining the word "aggregate" to mean its opposite is not implementation or interpretation; it is amendment. A rule cannot amend a statute. The Legislature can change the substantive scope of permitted disclosure, but the Commission cannot.
Question 2: ownership of the data. Who owns the submitted data? The 1993 AG concluded that neither the hospital nor the Commission has exclusive ownership rights in the data. The Commission may require submission (G.S. 131E-211). It may release in the statutorily prescribed manner (aggregate form under G.S. 131E-210(b)). And it may use the data only for statutorily authorized purposes (G.S. 131E-212(g)).
The practical effect: hospitals have not litigated over ownership because the existing disclosure practice (aggregate only) fits within statutory authority. If the Commission moved to a different disclosure form without legislative authorization, the ownership question might surface, but the antecedent question (statutory authorization to release in that form) is the binding one. As the answer to Question 1 establishes, that authorization is lacking: the Commission cannot release patient-level data under its current authority, so the ownership question does not become operative.
Question 3: hospital liability for inadvertent identification. If a patient is inadvertently identified despite encryption, can the submitting hospital be sued? The 1993 AG said no. G.S. 131E-212(e) immunizes any person who submits data to the Commission from liability in civil actions. The immunity is statutory, broad, and unconditional within its scope.
The Commission's broader takeaway: if it wants to release patient-level data, even with encryption, it must go to the Legislature. The existing statute permits release in aggregate form only.
Currency note
This opinion was issued in 1993. Subsequent statutory amendments, court decisions, or later AG opinions may have changed the analysis. Treat this page as historical context, not current legal advice. Verify current law before relying on any specific rule, deadline, or remedy mentioned here. The Medical Database Commission has been restructured multiple times since 1993. North Carolina's health-data infrastructure now operates partly through the Department of Health and Human Services and partly through public-private arrangements. Federal HIPAA (1996) and the HITECH Act (2009) overlay a privacy and disclosure regime that did not exist in 1993. Anyone considering health-data release today should consult current state and federal law and current Commission (or successor body) rules.
Historical context: what the AG concluded
The opinion sits in the early-1990s movement toward more granular health-data analytics. Researchers, payers, and policymakers wanted patient-level data to study outcomes, costs, and utilization patterns. The Medical Database Commission was the natural collector for this data. The pressure to release it in more useful (less aggregated) form was real.
The Commission's question was whether it could meet that demand through a rule change. The AG's answer was a clean statutory boundary. A rule can interpret or implement; it cannot rewrite. The Legislature made an aggregate-disclosure choice in G.S. 131E-210, and that choice belonged to the Legislature to revisit.
The encryption argument was sophisticated but did not change the result. The Commission's pitch was that encrypted patient-level data is functionally aggregate (no one can identify any individual). The AG implicitly rejected the argument by treating "aggregate" as the statutory term that controls. Encryption may reduce identification risk but does not transform patient-level data into aggregate data for the statute's purposes.
The hospital-immunity holding is short but important. Hospitals submitting required data should not bear the risk of downstream re-identification or other unforeseen disclosure events. G.S. 131E-212(e) is the legislative bargain: submit the data, and the State takes the liability risk for what happens after submission.
For health-data administrators in 1993 the takeaway was simple: aggregate-only release until the Legislature says otherwise. If you want patient-level disclosure (encrypted or not), draft a bill.
Common questions
What is "aggregate" data?
Statistical data that does not identify individual patients. Examples: total admissions for a diagnosis in a county; average length of stay; case-mix indexes by hospital. The Commission's statute authorizes release in this form.
Why doesn't encryption fix the patient-level disclosure problem?
The 1993 AG read "aggregate" as the statutory term that controls. Encrypted patient-level data is still patient-level data in form; it just makes identification harder. Whether encryption sufficiently de-identifies the data for legal or policy purposes is a separate question, but it does not turn patient-level into aggregate under the statute.
Who owns hospital-submitted data after submission?
Neither the hospital nor the Commission has exclusive ownership. The hospital has not been deprived of its underlying records; the Commission has the use-rights granted by statute. The framework works through use restrictions, not ownership transfers.
Are hospitals at risk if a patient is identified despite encryption?
G.S. 131E-212(e) gives broad statutory immunity from civil liability to submitters. The 1993 AG's reading was that this immunity protects hospitals even in inadvertent-identification scenarios.
Has the Commission ever obtained authority for patient-level release?
The 1993 opinion did not anticipate later legislative changes. Anyone interested in current authority should consult current Chapter 131E and current Commission (or successor) rules.
Did this opinion address research uses or other special-purpose uses?
No. The opinion addressed the threshold question of whether the Commission can release patient-level data at all under existing law. Specific use cases (research, payment, public-health surveillance) are addressed by separate provisions and were not in the question presented.
Background and statutory framework
The Commission's enabling statute.
- G.S. 131E-210 (Commission may disseminate aggregate data)
- G.S. 131E-210(b) (aggregate form to interested persons)
- G.S. 131E-211 (mandatory submission by providers)
- G.S. 131E-212(e) (statutory immunity for submitters)
- G.S. 131E-212(g) (Commission may use data only for authorized purposes)
The rulemaking limit. G.S. 150B-2(8a) (definition of "rule" — implement or interpret a statute).
Citations
- G.S. 131E-210, G.S. 131E-210(b)
- G.S. 131E-211
- G.S. 131E-212(e), G.S. 131E-212(g)
- G.S. 150B-2(8a)
Source
- Landing page: https://ncdoj.gov/opinions/release-of-patient-specific-information-by-the-north-carolina-medical-database-commission/
Original opinion text
April 12, 1993
Mr. James Hazelrigs, Director
Medical Database Commission
3901 Barrett Drive, Suite 204
Raleigh, North Carolina 27609
Re: Advisory Opinion Regarding the Release of Patient-Specific Information by the North Carolina Medical Database Commission Pursuant to G.S. 131E-210
Dear Mr. Hazelrigs:
You have raised a number of questions concerning the authority of the North Carolina Medical Database Commission. Those questions generally relate to the Commission's desire to begin releasing reports which contain patient-specific data. You have asked this Office to review the Commission's enabling legislation and respond to three questions. Those questions, along with our responses, are set out separately below.
Question 1: Can the Commission change its administrative Rules to allow the release of patient level data as long as the general guidance of the legislature is followed, or is specific legislative modification needed?
The Medical Database Commission is authorized by G.S. 131E-210 to disseminate aggregate data. Pursuant to G.S. 150B-2(8a), a rule can only "implement or interpret" a statute. Therefore, the Commission may not, by rule, change "aggregate" to mean "non-aggregate". It is our opinion that legislative action would be required to authorize the Commission to release patient level data.
Question 2: Who "owns" the data submitted to the Commission? Since the Commission releases aggregated information by statute now without permission, how is this policy changed if we release patient level information that has been encrypted so as to prevent actual patient "John Doe" identification?
Neither the hospital nor the Medical Database Commission has exclusive ownership rights in the data. G.S. 131E-211 provides that the Medical Database Commission may require that data be submitted to it from all medical care providers. G.S. 131E-210(b) provides that the data compiled will be made available in aggregate form to interested persons. G.S. 131E-212(g) provides that the Commission may not use the data collected for a purpose other than one authorized by this Article. The Commission does not need a statutory amendment in order to continue to collect the data. So long as the data is collected and disseminated in a manner authorized by statute, the Commission does not violate any ownership rights that the hospitals may have in the data.
Although hospitals have been providing this data to the Commission since its inception, they raised no ownership issues so long as the Commission's release of the data provided was consistent with the requirements of G.S. 131E-210. You correctly note that issues as to who owns the data are not affected by your plans to release the data in a new form. However, in our response to your first question, we concluded that legislation would be required before the Commission could release data other than in "aggregate" form.
Question 3: Are there any considerations concerning liability for the original providers of the information (the hospital) to the Commission, if for any reason a patient is inadvertently identified despite all attempts to mask the identification?
No. G.S. 131E-212(e) provides that any person who submits data to the Commission shall be immune from liability in any civil action.
I hope you find this information useful.
Jo Ann Sanford, Special Deputy Attorney General
Evelyn B. Terry, Associate Attorney General