Frequently Asked Questions about HIPAA

These FAQs were prepared by the Louisiana Tumor Registry to help explain the effect of HIPAA on cancer registration.

What is the HIPAA Privacy Rule?
In 1996 the U.S. Congress passed a law requiring, among other things, uniform federal privacy protections for individually identifiable health information. This law is called the Health Insurance Portability and Accountability Act of 1996, or “HIPAA.” The U.S. Department of Health and Human Services recently issued a final “Privacy Rule” implementing the privacy provisions of HIPAA. Copies of the HIPAA Privacy Rule, as well as helpful explanatory materials, may be found at the HHS Office of Civil Rights website: http://www.hhs.gov/ocr/hipaa/.

What is the Louisiana Tumor Registry?
The Louisiana Tumor Registry (LTR) is a population-based registry that collects information on cancer cases in Louisiana. In 1983 the Louisiana Legislature passed a law (R.S. 40:1299.80 et seq.) mandating the collection of these data. Under the authorizing legislation, licensed healthcare providers, such as hospitals, freestanding radiation facilities, pathology laboratories, and physicians, are required to report diagnostic, treatment, and follow-up information on cancer cases that they diagnose or treat to the Louisiana Tumor Registry or its regional registries. The law stresses the confidential nature of data released to the LTR and protects healthcare providers who participate in the cancer registration program.

The HIPAA rules refer to “covered entities.” What are they?
A covered entity is any healthcare provider, including hospitals, physicians, pathology labs, radiation facilities, insurance companies, and data processors, that transmits any health information in electronic form for financial and administrative transactions.

HIPAA rules also mention “public health authorities.” What are they?
A public health authority is an agency of the government acting under government authority with a public health function as part of its official mandate. Such agencies are authorized by law to collect or receive information for the purpose of public health surveillance. Because of the state mandate to collect cancer information, the Louisiana Tumor Registry, including its regional registries, qualifies as a public health authority.

Does HIPAA allow a covered entity to report information about cases of cancer to the Louisiana Tumor Registry?
Yes. Reporting information about cases of cancer in accordance with the requirements of the Louisiana Tumor Registry’s statute and regulations is permitted by HIPAA. The LTR is considered a public health authority, and as such is authorized to obtain protected health information without patient consent. See 45 CFR sec. 164.512(a)(1).

Does HIPAA require covered entities to obtain written authorization from the individual before reporting protected health information to the Louisiana Tumor Registry?
No. The state registry law does not require patient consent, and HIPAA exempts public health surveillance activities from the patient consent provisions.

What legal documentation supports the requirement to release cancer patient information to an agency?
The state law and legislative rules document cancer-reporting requirements. The LTR and its regional registries can provide copies of these upon request.

Are covered entities required to sign “business associate agreements” with LTR regional registries that perform on-site abstracting and cancer data reporting?
No. HIPAA requires business associate agreements with groups or individuals who carry out healthcare functions on behalf of covered entities, but the regional registries are acting on behalf of the state-mandated public health program when they provide on-site abstracting and reporting services. Therefore, they are not business associates.

Are covered entities required to provide individuals upon request with an accounting of any protected health information that the entity has disclosed about them to the Louisiana Tumor Registry?
Yes. The Privacy Rule requires covered entities to provide an accounting of disclosures of protected health information. Covered entities must document the date of disclosure, the name of the recipient or reviewer, the description of data released, and the reason for disclosure. This information must be retained for six years.

Must healthcare providers obtain patient permission to share health information about a patient?
No. Diagnostic, treatment, and follow-up information may be exchanged by healthcare providers, providing they both have a medical relationship with the patient for this condition.

Doesn’t HIPAA nullify the state law?
No. HIPAA does not obstruct any state law that supports or mandates the reporting of diseases or injuries for public health purposes.

If a public health authority is located in a different state from the covered entity, is it still OK under HIPAA to provide data?
Yes. The Louisiana Tumor Registries has interstate data-sharing agreements, which also include strict limits on use and disclosure of reported information.