Cancer Surveillance System
What is the HIPAA Privacy Rule?
In 1996 the U.S. Congress passed a law requiring, among other things, uniform federal privacy protections for individually identifiable health information. This law is called the Health Insurance Portability and Accountability Act of 1996, or "HIPAA." The U.S. Department of Health and Human Services issued final regulations implementing the privacy provisions of HIPAA in Autumn 2002. These regulations are called the "Privacy Rule." Copies of the HIPAA Privacy Rule, as well as helpful explanatory materials, may be found at the HHS Office of Civil Rights website: www.hhs.gov/ocr/hipaa/.
To whom does the HIPAA Privacy Rule apply?
The Privacy Rule applies to organizations ("Covered Entities") that are involved in the health care of individuals and who transmit to other organizations information about individuals in any form.
What is a 'Covered Entity' under HIPAA?
A 'Covered Entity' is a health care plan, a healthcare clearinghouse, or a health care provider who transmits any health information in electronic form for financial and administrative transactions. A 'health care provider' is "a provider of medical or health services, and any other person who furnishes, bills or is paid for health care in the normal course of business."
HIPAA states that covered entities must receive written patient authorization to release Protected Health Information (PHI). Isn't it therefore illegal under HIPAA to fulfill Washington State law that mandates reporting PHI on cancer cases to the CSS?
No. Reporting information about cases of cancer in accordance with the requirements of Washington statutes and regulations is permitted by HIPAA. PHI can be released without patient authorization under several conditions. HIPAA specifically authorizes covered entities to disclose PHI where required by law, including laws that mandate reporting of PHI to Public Health Authorities. The CSS is a contractor for the Washington State Cancer Registry, and under HIPAA, is considered to be a Public Health Authority. Therefore, HIPAA does not conflict with Washington State law that mandates reporting of cancer cases.
HIPAA states that, when disclosing PHI without authorization, covered entities should determine the "minimum necessary" PHI that should be disclosed. Can my organization continue to give the CSS data that do not represent cancer diagnoses (e.g., such as pathology diagnoses that are not cancer) as part of our legal responsibility to report cancer cases?
Yes. There are three aspects of the "minimum necessary" standard that allow your organization to continue to provide to the CSS all data it requests for the purposes of complying with legally-mandated cancer reporting in our state. First, "minimum necessary" means "minimum necessary to accomplish the activity for which the PHI are being obtained". As part of the legal mandate to collect data on cancer patients, the CSS conducts "casefinding" to identify all possible cancer diagnoses. To accomplish this task thoroughly, the CSS needs to screen the full complement of diagnostic and hospitalization data that covered entities create in order to be certain that no cancer patients are missed. Thus, release of PHI on non-cancer patients (e.g., "negative path") meets the "minimum necessary" standard and is permitted under HIPAA. Second, under HIPAA [45 CFR 164.514(d)], when disclosures are made for the purposes of public health reporting such as is the case with cancer registration, covered entities do not need to make a "minimum necessary" determination. Instead, they are legally permitted to rely on the public health authority (in this instance, the CSS and WSCR) to determine what is the minimum necessary information to achieve cancer reporting in Washington State. Finally, HIPAA also states [45 CFR 164.502(b) and 45 164.512(a)] that the "minimum necessary" standard does not apply to disclosures required by law, as is the case with cancer reporting in our state.
The answers to the preceding questions make me think that I don't have to change anything about the PHI that my institution reports to the CSS. Is this correct?
Yes. HIPAA does not require any change in the nature of the data that covered entities need to report to the CSS in order to comply with the Washington State law regarding cancer registration.
I have received a request from the CSS for updated or missing information, such as vital status, treatment, or race, on a cancer patient I have cared for. Am I permitted to continue to provide such information to the CSS without patient authorization?
Yes. These and other PHI requested periodically by the CSS are necessary to fulfill the legally-mandated cancer reporting requirements in Washington State.
Who should I call if I have more questions about how HIPAA impacts reporting of cancer data in Washington State.
Contact David Harrelson, Program Manager, Washington State Cancer Registry. His phone number is (360) 236-3685. His e-mail address is email@example.com. Alternatively, you may contact Stephen Schwartz, PhD, Principal Investigator, Cancer Surveillance System, at (206) 667-4660 or firstname.lastname@example.org.