1.Should you give the data out?
The answer is no. Disclosure of Protected Health Information (PHI) to the third party even in a good research project could violate Ethical informatics standards and also, has potentially risk for misused and violate the law as HIPAA violation.
2.How do you not violate any of the general principles of informatics ethics
In this scenario, as a health informatics professional, I would keep in mind, respect and follow the fundamental and general ethical principle of informatics, especially in respect for subjects, privacy and doing no harm. We have to know and abide by the applicable government regulation and local policies. We are expected to be familiar and follow with a related law and be mindful that we have responsibilities to all the works and action.
3.If you want to provide the data to them, what and how will you do it?
As review project proposal, we can provide the aggregate data in sub-district level or other specific data set relevant or perform parallel methodology as multicenter study. The data must be deidentified and encoded and has time-limit use. Research ethical committee or IRB must be approved to research methodology and shared data agreement. And for the public health surveillance, if there are intension to use the data set contain PHI, the disclosure of PHI requires HIPAA security rule compliance.