What is HIPAA?
The Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, was enacted on August 21, 1996. Sections 261 through 264 of HIPAA require the Secretary of the U.S. Department of Health and Human Services (HHS) to publicize standards for the electronic exchange, privacy, and security of health information. HHS issued final regulations implementing the privacy provisions of HIPAA. These regulations are called the “Privacy Rule.”
Copies of the HIPAA Privacy Rule, as well as helpful explanatory materials, may be found on the website of the HHS Office for Civil Rights.
Is it a violation of HIPAA for a covered entity to report information about cases of cancer to CCR?
No. Reporting information about cases of cancer in accordance with the requirements of CCR's authorizing statute and regulations is permitted by HIPAA. The Privacy Rule contains a specific provision authorizing covered entities to disclose protected health information as required by law. See 45 CFR sec. 164.512(a)(1). In fact, penalties for failure to comply with state reporting requirements are specified in state law and often consist of significant fines (California Health and Safety Code, Section 103885(f)). (Note: Covered entities include health plans, health care clearinghouses, and health care providers who conduct certain financial and administrative transactions electronically. These electronic transactions are those for which standards have been adopted by the Secretary under HIPAA, such as electronic billing and fund transfers. More information on covered entities can be found on the HHS website.)
Does HIPAA require covered entities to obtain written authorization from the individual before reporting protected health information to CCR?
No. The provision of the Privacy Rule authorizing disclosure of protected health information as required by law is an exception to the requirement for written authorization.
Are covered entities required to determine whether the information about cases of cancer reported to CCR is the “minimum necessary” information required to be disclosed?
No. The Privacy Rule does include a general requirement that covered entities make reasonable efforts to limit the disclosure of protected health information to the minimum necessary to accomplish the intended purpose of the disclosure. See 45 CFR sec. 164.502(b)(1). However, there is a specific exception to this requirement for disclosures that are required by law, such as the reporting of information about cases of cancer to CCR pursuant to California law and regulations. See 45 CFR sec. 164.502(b)(2)(v).
What information is required for a covered entity to meet the Privacy Rule’s verification requirements with respect to reporting information about cases of cancer to CCR?
The Privacy Rule requires covered entities to verify a requester’s identity before disclosing protected health information. See 45 CFR sec. 164.514(h)(1)(i). In the case of disclosure to a person acting on behalf of a public official, a covered entity that reasonably relies on a written statement on appropriate government letterhead that the requester is acting under the government’s authority will fulfill this requirement. See 45 CFR sec. 164.514(h)(2)(ii)(C). The Privacy Rule also requires covered entities to verify the requester’s authority. See 45 CFR sec. 164.514(h)(1)(i). A covered entity that reasonably relies on a written statement of the legal authority under which the information is requested will fulfill this requirement. See 45 CFR sec. 164.514(h)(2)(iii)(A). To assist covered entities in meeting the verification requirements, the California Department of Public Health has provided a written statement to cancer-reporting facilities with the aforementioned information.
Are covered entities required to sign “Business Associate Agreements” with regional registries that perform on-site abstracting and cancer data reporting?
No. One way that the California Department of Public Health makes sure it obtains complete information about cancer cases is to give cancer-reporting facilities that want to minimize their reporting burden the ability to contract with the regional registries for on-site abstracting and reporting. See 17 Cal. Code of Regulations, sec. 2593(b)(17). HIPAA requires business associate agreements with entities that carry out health care functions on behalf of covered entities. When the regional registries provide on-site abstracting and reporting services, however, they are acting on behalf of the California Department of Public Health, not the covered entity. Therefore, they are not business associates.
Does HIPAA apply to the use or disclosure of information about cancer cases after it has been reported to CCR?
No. The Privacy Rule applies to the disclosure of protected health information by covered entities as required by law. It does not apply to subsequent use or disclosure by the recipient. However, CCR's authorizing legislation includes strict limits on the use and disclosure of reported information. Those requirements include obtaining approval from a federally designated Institutional Review Board and entering into contractual agreements to maintain the confidentiality and privacy of the data and not to disclose confidential information beyond the confines of the specific research project. See California Health and Safety Code sec. 103885(g). When a researcher contacts a patient, the researcher is required to inform the patient of how they obtained the patient's name, that the patient is under no obligation to participate in the study, that their participation or non-participation will not be reported to anyone, and that they may request that no one contact them again. Occasionally a patient will object to having their name released without prior consent, and CCR has methods to restrict those names from future contacts. But many patients are happy to participate in special studies so that we all may learn more about cancer and make progress against this deadly disease. CCR was created to serve as a resource for research into the causes and cures of cancer, and it has a productive record of using CCR data for research. Furthermore, in more than 50 years of CCR's operation, we are not aware of any unwarranted release of confidential information from CCR or from researchers.
Are covered entities required to provide individuals upon request with an accounting of any protected health information that the entity has disclosed about them to CCR?
Yes. The Privacy Rule requires covered entities to provide an accounting of disclosures of protected health information. See 45 CFR sec. 164.528.