Welcome to the California Cancer Registry


HIPAA Legislation Information


 

WHAT IS THE HIPAA PRIVACY RULE?

In 1996 the U.S. Congress passed a law requiring, among other things, uniform federal privacy protections for individually identifiable health information.  This law is called the Health Insurance Portability and Accountability Act of 1996, or “HIPAA.”  The U.S. Department of Health and Human Services issued final regulations implementing the privacy provisions of HIPAA.  These regulations are called the “Privacy Rule.”  Copies of the HIPAA Privacy Rule, as well as helpful explanatory materials, may be found at the HHS Office of Civil Rights website: http://www.hhs.gov/ocr/hipaa.

 


IS IT A VIOLATION OF HIPAA FOR A COVERED ENTITY TO REPORT INFORMATION ABOUT CASES OF CANCER TO THE CALIFORNIA CANCER REGISTRY?

No.  Reporting information about cases of cancer in accordance with the requirements of the California Cancer Registry authorizing statute and regulations is permitted by HIPAA.  The Privacy Rule contains a specific provision authorizing covered entities to disclose protected health information as required by law.  See 45 CFR sec. 164.512(a)(1).  In fact, penalties for failure to comply with state reporting are specified in state law and often consist of significant fines (California Health and Safety Code, Section 103885(f)).
(Note: Covered entities include health plans, health care clearinghouses and health care providers who conduct certain financial and administrative transactions electronically. These electronic transactions are those for which standards have been adopted by the Secretary under HIPAA, such as electronic billing and fund transfers.  More information on covered entities can be found at the HHS website: http://www.hhs.gov/ocr/privacy/hipaa/faq/covered_entities/)


DOES HIPAA REQUIRE COVERED ENTITIES TO OBTAIN WRITTEN AUTHORIZATION FROM THE INDIVIDUAL BEFORE REPORTING PROTECTED HEALTH INFORMATION TO THE CALIFORNIA CANCER REGISTRY?

No. The provision of the Privacy Rule authorizing disclosure of protected health information as required by law is an exception to the requirement for written authorization. See 45 CFR sec. 164.512(a)(1).


ARE COVERED ENTITIES REQUIRED TO DETERMINE WHETHER THE INFORMATION ABOUT CASES OF CANCER REPORTED TO THE CALIFORNIA CANCER REGISTRY IS THE "MINIMUM NECESSARY" INFORMATION REQUIRED TO BE DISCLOSED?

No. The Privacy Rule does include a general requirement that covered entities make reasonable efforts to limit the disclosure of protected health information to the minimum necessary to accomplish the intended purpose of the disclosure. See 45 CFR sec. 164.502(b)(1). However, there is a specific exception to this requirement for disclosures that are required by law, such as the reporting of information about cases of cancer to the California Cancer Registry pursuant to California law and regulations. See 45 CFR sec. 164.502(b)(2)(v).


WHAT INFORMATION IS REQUIRED FOR A COVERED ENTITY TO MEET THE PRIVACY RULE'S VERIFICATION REQUIREMENTS WITH RESPECT TO REPORTING INFORMATION ABOUT CASES OF CANCER TO THE CALIFORNIA CANCER REGISTRY?

The Privacy Rule requires covered entities to verify a requester's identity before disclosing protected health information. See 45 CFR sec. 164.514(h)(1)(i). In the case of disclosure to a person acting on behalf of a public official, a covered entity that reasonably relies on a written statement on appropriate government letterhead that the requester is acting under the government's authority will fulfill this requirement. See 45 CFR sec. 164.514(h)(2)(ii)(C). The Privacy Rule also requires covered entities to verify the requester's authority. See 45 CFR sec. 164.514(h)(1)(i). A covered entity that reasonably relies on a written statement of the legal authority under which the information is requested will fulfill this requirement. See 45 CFR sec. 164.514(h)(2)(iii)(A). To assist covered entities in meeting the verification requirements, the California Department of Public Health has provided a written statement to cancer reporting facilities with the aforementioned information.


ARE COVERED ENTITIES REQUIRED TO SIGN "BUSINESS ASSOCIATE AGREEMENTS" WITH REGIONAL REGISTRIES THAT PERFORM ON-SITE ABSTRACTING AND CANCER DATA REPORTING?

No. One way that the California Department of Public Health makes sure it obtains complete information about cancer cases is to give cancer reporting facilities that want to minimize their reporting burden the ability to contract with the regional registries for onsite abstracting and reporting. See 17 Cal. Code of Regulations, sec. 2593(b)(17).  HIPAA requires business associate agreements with entities that carry out health care functions on behalf of covered entities, but the regional registries are acting on behalf of the California Department of Public Health when they provide on-site abstracting and reporting services, not the covered entity. Therefore, they are not business associates.


DOES HIPAA APPLY TO THE USE OR DISCLOSURE OF INFORMATION ABOUT CANCER CASES AFTER IT HAS BEEN REPORTED TO THE CALIFORNIA CANCER REGISTRY?

No. The Privacy Rule applies to disclosure of protected health information by covered entities as required by law. It does not apply to subsequent use or disclosure by the recipient. However, the California Cancer Registry authorizing legislation includes strict limits on use and disclosure of reported information. Those requirements include obtaining a federally designated Institutional Review Board approval, and contractual agreements to maintain confidentiality and privacy of the data and to not disclose confidential information beyond the confines of the specific research project. See Ca. Health & Safety Code sec. 103885(g).

When a researcher contacts a patient, the researcher is required to inform the patient of how the patient's name was obtained, that the patient is under no obligation to participate in the study, that the patient's participation or non-participation will not be reported to anyone, and that the patient may request that no one contact them again. Occasionally a patient will object to having their name released without prior consent, and CCR has methods to restrict those names from future contacts. But many patients are happy to participate in special studies so that we all may learn more about cancer and make progress against this deadly disease.

CCR was created to serve as a resource for research into the causes and cures of cancer, and it has a productive record of using CCR data for research. Furthermore, in over 50 years of CCR's operation, we are not aware of any unwarranted release of confidential information from CCR or researchers.


ARE COVERED ENTITIES REQUIRED TO PROVIDE INDIVIDUALS UPON REQUEST WITH AN ACCOUNTING OF ANY PROTECTED HEALTH INFORMATION THAT THE ENTITY HAS DISCLOSED ABOUT THEM TO THE CALIFORNIA CANCER REGISTRY?

Yes. The Privacy Rule requires covered entities to provide an accounting of disclosures of protected health information. See 45 CFR sec. 164.528.

HIPAA Resources