Frequently Asked Questions (FAQs)
About HIPAA And Cancer Reporting in Washington State
- What is the HIPAA Privacy Rule?
In 1996 the U.S. Congress passed a law requiring, among other things,
uniform federal privacy protections for individually identifiable health
information. This law is called the Health Insurance Portability and Accountability
Act of 1996, or "HIPAA." The U.S. Department of Health and Human Services issued
final regulations implementing the privacy provisions of HIPAA in Autumn 2002.
These regulations are called the "Privacy Rule." Copies of the HIPAA Privacy Rule,
as well as helpful explanatory materials, may be found at the HHS Office of Civil
Rights website: www.hhs.gov/ocr/hipaa/.
- To whom does the HIPAA Privacy Rule apply?
The Privacy Rule applies to organizations ("Covered Entities") that are
involved in the health care of individuals and who transmit to other organizations
information about individuals in any form.
- What is a 'Covered Entity' under HIPAA?
A 'Covered Entity' is a health care plan, a healthcare clearinghouse,
or a health care provider who transmits any health information in electronic
form for financial and administrative transactions. A 'health care provider'
is "a provider of medical or health services, and any other person who furnishes,
bills or is paid for health care in the normal course of business."
- HIPAA states that covered
entities must receive written patient
authorization to release Protected Health Information (PHI). Isn't it therefore
illegal under HIPAA to fulfill Washington State law that mandates reporting PHI
on cancer cases to the CSS?
No. Reporting information about cases of cancer in accordance with the
requirements of Washington statutes and regulations is permitted by HIPAA.
PHI can be released without patient authorization under several conditions.
HIPAA specifically authorizes covered entities to disclose PHI where required by law,
including laws that mandate reporting of PHI to Public Health Authorities. The CSS
is a contractor for the Washington State Cancer Registry, and under HIPAA, is considered
to be a Public Health Authority. Therefore, HIPAA does not conflict with Washington
State law that mandates reporting of cancer cases.
- HIPAA states that, when disclosing PHI
without authorization, covered entities should determine the "minimum necessary"
PHI that should be disclosed. Can my organization continue to give the
CSS data that do not represent cancer diagnoses (e.g., such as pathology
diagnoses that are not cancer) as part of our legal
responsibility to report cancer cases?
Yes. There are three aspects of the "minimum necessary" standard that allow
your organization to continue to provide to the CSS all data it requests for the
purposes of complying with legally-mandated cancer reporting in our state. First,
"minimum necessary" means "minimum necessary to accomplish the activity for which the
PHI are being obtained". As part of the legal mandate to collect data on cancer patients,
the CSS conducts "casefinding" to identify all possible cancer diagnoses. To accomplish
this task thoroughly, the CSS needs to screen the full complement of diagnostic and
hospitalization data that covered entities create in order to be certain that no cancer
patients are missed. Thus, release of PHI on non-cancer patients (e.g., "negative path")
meets the "minimum necessary" standard and is permitted under HIPAA. Second, under
HIPAA [45 CFR 164.514(d)], when disclosures are made for the purposes of public health
reporting such as is the case with cancer registration, covered entities do not need to
make a "minimum necessary" determination. Instead, they are legally permitted to rely
on the public health authority (in this instance, the CSS and WSCR) to determine what
is the minimum necessary information to achieve cancer reporting in Washington State.
Finally, HIPAA also states [45 CFR 164.502(b) and 45 164.512(a)] that the "minimum
necessary" standard does not apply to disclosures required by law, as is the case with
cancer reporting in our state.
- The answers to the preceding questions make me
think that I don't have to change anything about the PHI that my institution
reports to the CSS. Is this correct?
Yes. HIPAA does not require any change in the nature of the data that covered
entities need to report to the CSS in order to comply with the Washington State law
regarding cancer registration.
- I have received a request from the CSS for updated or
missing information, such as vital status, treatment, or race, on a cancer patient
I have cared for. Am I permitted to continue to provide such information to the
CSS without patient authorization?
Yes. These and other PHI requested periodically by the CSS are necessary to fulfill
the legally-mandated cancer reporting requirements in Washington State.
- Who should I call if I have more questions about how
HIPAA impacts reporting of cancer data in Washington State.
Contact Katie Golub, Program Manager, Washington State Cancer Registry.
Her phone number is (360) 236-3624. Her e-mail address is
kathryn.golub@doh.wa.gov.
Alternatively, you may contact Stephen Schwartz,
PhD, Principal Investigator, Cancer Surveillance System, at (206) 667-4660
or sschwart@fhcrc.org.
Fred Hutchinson Cancer Research Center
1100 Fairview Ave. N. PO Box 19024 Seattle, WA 98109
©2008 Fred Hutchinson Cancer Research Center, a nonprofit organization.
Terms of Use & Privacy
Policy.
