HIPAA FAQ

We’re often asked how the data we collect can be used in accordance with HIPAA regulations. Below are the most common questions we hear; email Tiffany Janes or call her at 206.667.7902 if you need additional information.

What is the HIPAA Privacy Rule?

In 1996, the U.S. Congress passed a law called the Health Insurance Portability and Accountability Act, or HIPAA. Among other things, it requires uniform federal privacy protections for individually identifiable health information. The U.S. Department of Health and Human Services issued final regulations implementing the privacy provisions of HIPAA in Autumn 2002. These regulations are called the "Privacy Rule." Copies of the HIPAA Privacy Rule, as well as helpful explanatory materials, can be found at the HHS Office of Civil Rights website.

To whom does the HIPAA Privacy Rule apply?

The rule applies to covered entities involved in the healthcare of individuals and who may transmit information about those individuals to other organizations, in any form.

What is a 'Covered Entity' under HIPAA?

A 'Covered Entity' is a healthcare plan, clearinghouse or provider who transmits any health information for financial and administrative transactions. A 'healthcare provider' is "a provider of medical or health services, and any other person who furnishes, bills or is paid for healthcare in the normal course of business."

HIPAA states that covered entities must receive written patient authorization to release Protected Health Information (PHI). Doesn’t that make it illegal to fulfill the Washington State law that mandates reporting PHI on cancer cases to the CSS?

No. Reporting information about cases of cancer in accordance with the requirements of Washington statutes and regulations is permitted by HIPAA. PHI can be released without specific patient authorization under several conditions. HIPAA authorizes covered entities to disclose PHI where required by law, including laws that mandate reporting of PHI to Public Health Authorities. The CSS is a contractor for the Washington State Cancer Registry, and under HIPAA, is considered to be a Public Health Authority. Therefore, HIPAA does not conflict with the Washington State law.

HIPAA states that when disclosing PHI without authorization, covered entities should determine the ‘minimum necessary’ PHI that should be disclosed. Can my organization report data that does not represent cancer diagnoses (e.g., pathology diagnoses that are not cancer) as part of our legal responsibility to report cancer cases?

Yes. There are three aspects of the ‘minimum necessary’ standard that allow organizations to report all data we request for the purposes of complying with legally-mandated cancer reporting in our state. First, ‘minimum necessary’ means "the minimum necessary to accomplish the activity for which the PHI is being obtained". As part of the legal mandate to collect data on cancer patients, we conduct "case-finding" to identify all possible cancer diagnoses. To accomplish this task thoroughly, we need to screen the full complement of diagnostic and hospitalization data that covered entities create in order to be certain that no cancer patients are missed. Thus, release of PHI on non-cancer patients (e.g., ‘negative path’) meets the ‘minimum necessary’ standard. Second, under HIPAA [45 CFR 164.514(d)], when disclosures are made for the purposes of public health reporting, covered entities do not need to make a ‘minimum necessary’ determination. Instead, they are legally permitted to rely on the public health authority (in this instance, the CSS and WSCR) to determine what is the minimum necessary information to achieve cancer reporting in Washington State. Finally, HIPAA also states [45 CFR 164.502(b) and 45 CFR 164.512(a)] that the ‘minimum necessary’ standard does not apply to disclosures required by law, as is the case with cancer reporting in our state.

The answers to the preceding questions make me think that I don't have to change anything about the PHI that my institution reports to the CSS. Is this correct?

Yes. HIPAA does not require any change in the nature of the data that covered entities report to us in compliance with the Washington State law regarding cancer registration.

I have received a request from the CSS for updated or missing information, such as vital status, treatment or race, on a cancer patient I have cared for. Am I permitted to provide this information without patient authorization?

Yes. We periodically request additional PHI to fulfill the legally-mandated cancer reporting requirements in Washington State.

Who should I call if I have more questions about how HIPAA impacts reporting of cancer data in Washington State?

Contact Patti Migliore-Santiago, Cancer Prevention and Control Manager of the Washington State Cancer Registry, at 360.236.3645 or email.

You can also contact Stephen Schwartz, PhD, Principal Investigator of the Cancer Surveillance System, at 206.667.4660 or email.