Protecting SOGI Data: What You Need to Know

September 5, 2024 · Becky Kolinski

Health care organizations are collecting sexual orientation and gender identity (SOGI) data to provide better care for all patients—and LGBTQ+ patients, in particular—but how can they ensure data are used for the intended purpose and that patients’ privacy is protected?

In a recent episode of the Quality Matters podcast, NCQA’s Andy Reynolds interviewed LGBTQ+ advocates Kellan Baker, Executive Director of the Whitman-Walker Institute, and Dr. Carl Streed, Associate Professor at the Boston University Chobanian and Avedisian School of Medicine and Research Lead for the GenderCare Center at Boston Medical Center. They explained the benefits and risks of collecting SOGI data, and the importance of building trust with LGBTQ+ patients.

As part of Health Equity Accreditation and our work to ensure inclusive, high-quality care, NCQA strongly advocates for collection of clear, accurate SOGI data. That’s why we partnered with the Whitman-Walker Institute on an issue brief, Empowering Health Care Organizations to Improve Care for LGBTQ+ Populations, to help health care organizations navigate questions regarding the collection and appropriate management of SOGI data.

Why Collect SOGI Data?

SOGI data doesn’t focus solely on the LGBTQ+ population—every person has a sexual orientation and a gender identity. But collecting these data is essential to ensuring that LGBTQ+ individuals have access to the comprehensive, high-quality health care they deserve, delivered by providers they trust.

Collecting SOGI data:

  • Lets patients share information relevant to their health care—to make sure they are getting the right care.
  • Helps providers understand the type of care a person needs. For example, a transgender man who was assigned female at birth may need to be screened for cervical cancer.
  • Enables health care organizations to evaluate the effectiveness of their programs and invest in interventions that meet the needs of LGBTQ+ patients/members.

It is a common misperception that people won’t share SOGI information because they feel it’s too private, but in reality, most people will provide this information if health care organizations are transparent about how it will be used for their benefit.

In 2022, NCQA’s Health Equity Accreditation started requiring collection and use of SOGI data to help identify disparities in health outcomes and access to care. CMS introduced SOGI questions on HealthCare.gov applications starting with Plan Year 2024, and state Medicaid and Children’s Health Insurance Programs (CHIP) have the option to include these questions during enrollment.

Federal Protections for SOGI Data

As more health care organizations collect and use SOGI data, they may need to consider how the political environment and laws in their state affect their ability to protect this information. Some states have adopted discriminatory laws that deprive transgender people of access to essential health care, putting SOGI data at risk for misuse. Law enforcement entities seeking to investigate provision of health care to LGBTQ+ people have requested data from health care organizations as part of their investigation.

Health care organizations can rely on federal guidance to help them navigate the complexities and be responsible stewards of all protected health information (PHI) and personally identifiable information (PII), including SOGI data. In April 2024, HHS issued two final rules related to protection of SOGI data.

The final rule to support reproductive health care privacy under HIPAA added heightened protections regarding the use or disclosure of PHI when sought to investigate or impose liability on individuals, health care providers or other entities that seek, obtain, provide or facilitate lawful reproductive health care. This rule can also apply to SOGI data and gender-affirming care.

The final rule for Section 1557 of the primary nondiscrimination provision of the Affordable Care Act, restored and strengthened protections for LGBTQ+ people that had been rolled back in 2020. Section 1557 prohibits health care providers, insurers, grantees and other entities that receive federal funds from discriminating based on race, color, national origin, age, disability or sex—and the final rule codified that protections for sex include LGBTQ+ patients/members.

The new rules provide clarity for health care organizations on their obligations, and empower them to protect SOGI data.

How Health Care Organizations Can Act

Health care organizations that want to be responsible stewards of SOGI data can:

  1. Develop policies and procedures to help staff understand the protections offered to SOGI data (including from law enforcement) under Section 1557 and HIPAA.
  2. Actively communicate to members/patients how they will (and will not) use SOGI data, and how data will be protected from disclosure.
  3. Adopt a culturally competent, appropriate and respectful process for collecting SOGI data from patients/members.
  4. Identify key clinical needs for SOGI data, and opportunities to use the data to improve health care for LGBTQ+ members/patients.

Read the SOGI Data Issue Brief for insight and clarity on collecting and protecting SOGI data, and for information about accessing additional resources.

Listen to the Quality Matters podcast, “Gender, Lawyers and the Law,” here.

  • Save

    Save your favorite pages and receive notifications whenever they’re updated.

    You will be prompted to log in to your NCQA account.

  • Email

    Share this page with a friend or colleague by Email.

    We do not share your information with third parties.

  • Print

    Print this page.

Section background
Section graphic
Section element
Section element
Stay Informed

Get updates, announcements and trending topics

Join 53k+ health care professionals