Frequently Asked Questions about HIPAA
These FAQs were prepared by the Louisiana Tumor Registry to help explain the effect of HIPAA on cancer registration.
What is the HIPAA Privacy Rule?
In 1996 the U.S. Congress passed a law requiring, among other things, uniform federal
privacy protections for individually identifiable health information. This law is
called the Health Insurance Portability and Accountability Act of 1996, or “HIPAA.”
The U.S. Department of Health and Human Services recently issued a final “Privacy
Rule” implementing the privacy provisions of HIPAA. Copies of the HIPAA Privacy Rule,
as well as helpful explanatory materials, may be found at the HHS Office of Civil
Rights website: http://www.hhs.gov/ocr/hipaa/.
What is the Louisiana Tumor Registry?
The Louisiana Tumor Registry (LTR) is a population-based registry that collects information
on cancer cases in Louisiana. In 1983 the Louisiana Legislature passed a law (R.S.
40:1299.80 et seq.) mandating the collection of these data. Under the authorizing
legislation, licensed healthcare providers, such as hospitals, freestanding radiation
facilities, pathology laboratories, and physicians, are required to report diagnostic,
treatment, and follow-up information on cancer cases that they diagnose or treat to
the Louisiana Tumor Registry or its regional registries. The law stresses the confidential
nature of data released to the LTR and protects healthcare providers who participate
in the cancer registration program.
The HIPAA rules refer to “covered entities.” What are they?
A covered entity is any healthcare provider, including hospitals, physicians, pathology
labs, radiation facilities, insurance companies, and data processors, that transmits
any health information in electronic form for financial and administrative transactions.
HIPAA rules also mention “public health authorities.” What are they?
A public health authority is an agency of the government acting under government authority
with a public health function as part of its official mandate. Such agencies are authorized
by law to collect or receive information for the purpose of public health surveillance.
Because of the state mandate to collect cancer information, the Louisiana Tumor Registry,
including its regional registries, qualifies as a public health authority.
Does HIPAA allow a covered entity to report information about cases of cancer to the
Louisiana Tumor Registry?
Yes. Reporting information about cases of cancer in accordance with the requirements
of the Louisiana Tumor Registry’s statute and regulations is permitted by HIPAA. The
LTR is considered a public health authority, and as such is authorized to obtain protected
health information without patient consent. See 45 CFR sec. 164.512(a)(1).
Does HIPAA require covered entities to obtain written authorization from the individual
before reporting protected health information to the Louisiana Tumor Registry?
No. The state registry law does not require patient consent, and HIPAA exempts public
health surveillance activities from the patient consent provisions.
What legal documentation supports the requirement to release cancer patient information
to an agency?
The state law and legislative rules document cancer-reporting requirements. The LTR
and its regional registries can provide copies of these upon request.
Are covered entities required to sign “business associate agreements” with LTR regional
registries that perform on-site abstracting and cancer data reporting?
No. HIPAA requires business associate agreements with groups or individuals who carry
out healthcare functions on behalf of covered entities, but the regional registries
are acting on behalf of the state-mandated public health program when they provide
on-site abstracting and reporting services. Therefore, they are not business associates.
Are covered entities required to provide individuals upon request with an accounting
of any protected health information that the entity has disclosed about them to the
Louisiana Tumor Registry?
Yes. The Privacy Rule requires covered entities to provide an accounting of disclosures
of protected health information. Covered entities must document the date of disclosure,
the name of the recipient or reviewer, the description of data released, and the reason
for disclosure. This information must be retained for six years.
Must healthcare providers obtain patient permission to share health information about
a patient?
No. Diagnostic, treatment, and follow-up information may be exchanged by healthcare
providers, provided they both have a medical relationship with the patient for this
condition.
Doesn’t HIPAA nullify the state law?
No. HIPAA does not obstruct any state law that supports or mandates the reporting
of diseases or injuries for public health purposes.
If a public health authority is located in a different state from the covered entity,
is it still OK under HIPAA to provide data?
Yes. The Louisiana Tumor Registry has interstate data-sharing agreements, which
also include strict limits on use and disclosure of reported information.