HIPAA’s Impact on the CTR Professional

Vol. 12 • Issue 4 • Page 20

The primary intent of the Health Insurance Portability and Accountability Act (HIPAA) of 1996 is to protect health insurance coverage for workers who change or lose their jobs. The Administrative Simplification provisions of HIPAA, found in Title II, Subtitle F, aim to improve the efficiency and effectiveness of the health care system by standardizing the electronic transmission of certain administrative and financial transactions, and protect the security and privacy of transmitted information. So what does it all mean to the certified tumor registrar (CTR)?

Compliance Dates

The regulations were approved by President Bush on April 12, 2001. The official effective date of the regulations is April 14, 2001. Covered entities, including hospitals and physicians, have two years to comply (by April 14, 2003), except for small health plans which have until April 14, 2004, to comply.

HIPAA’s Public Health Authority

Under HIPAA, a “Public Health Authority” refers to “an agency or authority of the United States, a State or territory, a political subdivision of a State or territory, or an Indian tribe, or a person or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or persons or entities to whom it has granted authority, that is responsible for public health matters as part of its official mandate” (C.F.R. 164.501).

“…Such agencies are authorized by law to collect or receive such information for the purposes of preventing or controlling disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations and public health interventions” (www.naaccr.org FAQ).

Central cancer registries and hospital cancer registries–if required to report cancer cases–are considered public health authorities because their duties are mandated by state laws.

What Does This Mean to Me?

HIPAA mandates the adoption of new security standards (in Subtitle F) for protected health information (PHI), while permitting the appropriate access and use of that information by providers, clearinghouses and health plans. In addition, the HIPAA privacy regulations govern the way a patient’s health information is treated.

For the CTR, it is important to understand the flow of PHI within the organization (i.e., case identification, abstracting, follow-up, preparing reports, etc.). In addition, hospitals should determine and document the uses of registry information (other than reporting to the public health entities/central statewide cancer registries), and whether a general notice and consent form is enough to cover the PHI used in health care operations.

For uses other than reporting to the state, which is excluded under HIPAA, the cancer registry’s organization needs to make the distinction between research and health care operations. HIPAA’s minimum disclosure rule, which requires health professionals to release only the health data necessary, does not apply to treatment-related information used for research.

In cases where the facility has a cancer registry that may use data for various purposes, it should be determined whether or not the patient needs to give written consent acknowledging that he or she understands you maintain a registry of information on certain illnesses. There is no right or wrong in these scenarios; they are decisions with many implications that need to be made by each organization.

It’s all considered private information. It’s a matter of what you release, to whom and why you’re releasing it. But most importantly, from the CTR’s standpoint, it’s a matter of knowing where to turn for answers when handling PHI comes into question.

Implementing Registry Policies

There is an existing need in organizations to document current policies for the release of PHI within the organization, as well as to external requestors. Furthermore, all employees need to go through in-service education and training on these policies and procedures. For example, would your employees know what to do if the marketing department called and asked for a list of everyone with breast cancer for the next fundraiser? Unless the patient has given authorization, this PHI should not be turned over to the marketing department. The same logic would be used for any kind of marketing-related fundraisers.

The cancer registry is a source of information that may be overlooked by some hospitals as they are writing their privacy policies and procedures. The best protection for HIPAA compliance is to have policies and procedures in place. Here are some things you can do as a registrar to gear up:

• Organize a coordinated approach for your cancer registry.

• Join a HIPAA compliance steering committee or work group.

• Perform a gap analysis.

• Define “health care operations” vs. “research” within the cancer registry.

• Educate your cancer registry team–this involves allocating budget and time.

• Assess existing policies, forms, contracts and procedures for releasing data.

• Look at information technology (IT) system compliance, including source data systems, and consider upgrades, if necessary.

• Review all vendor and outsourcing contracts to assure that there are provisions to address information security and confidentiality.

The bottom line is simple. Know what your position is on handling, storing and releasing data, and if you don’t have one, at least ensure that the registry personnel are involved in some HIPAA task force.

Does HIPAA Nullify State Law for Reporting Cases?

No. Public health reporting under the authority of state law is specifically exempted from HIPAA rules. The reporting of data (who, when, etc.) to the central registry by the cancer registry or hospital should be maintained by the cancer registry.

What HIPAA Doesn’t Mean to Me

Hospital administration might not be thinking about the cancer registry information flow and privacy implications, but the CTR should be prepared. It’s really a great opportunity to gain an awareness of how their work can be impacted, as well as where the regulations don’t apply. There may be nothing reported to anyone except the state/central registry in your organization, but you do want to know that it has been thoroughly examined.

State-mandated cancer reporting typically does not require patient informed consent, nor can individuals elect to be removed from reporting. In a state that allows the collection of follow-up cancer data for public health purposes, it can be collected regardless of consent from a patient.

The Hospital CTR: A Part of the Whole Entity

Nonetheless, all of the information in the hospital is considered part of that covered entity, and the commitment to protect that information is the responsibility of everyone in the organization. Keep in mind that most hospitals will be planning baseline HIPAA privacy, security and confidentiality training for all employees. Those less informed may begin to dispute or question what information can be released, but again, it’s important to define the information in terms of the rules. With the proper policies and procedures in place, the organization is well prepared to do the best job they can.

There is a HIPAA task force or committee in most organizations that is functioning in an advisory capacity. The registrar’s role is to keep the HIPAA task force informed of any privacy and security concerns.

To summarize, HIPAA has very little impact on the actual cancer reporting to central cancer registries. Specifically, HIPAA provides for the continuation of reporting identifiable data for reportable diseases to public health entities for the purpose of public health surveillance. HIPAA does not obstruct any state law that supports or mandates the reporting of disease or injury for public health purposes.

Written informed consent from each cancer patient reported to public health entities is not required under HIPAA; rather hospitals must document that reporting has occurred. This can be done simply for all cancer cases because reporting is mandatory for all cases. This is a tremendous opportunity for registrars to step up to the plate and demonstrate their skills and expertise in cancer-related health information management and be enthusiastic about achieving HIPAA compliance for the cancer registry.



Cassidy, Bonnie. “HIPAA On the Job: Understanding the Requirements.” Journal of AHIMA, April 2000.

Bonnie Cassidy is a principal with The North Highland Company in Atlanta.

The Business of the Cancer Registry And HIPAA

If you’re in the cancer registry business, you should probably know a thing or two about the Health Insurance Portability and Accountability Act (HIPAA), even if your knowledge consists of the various reasons why the legislation doesn’t apply to you.

“I think there’s a potential impact on this industry,” contemplated Beth A. Kost, vice president of professional services for Precyse Solutions in King of Prussia, PA. “But the impact won’t be on the day-to-day work of the registrar so much. In general, I think there will be a heightened awareness of the need to protect information.”

If registrars will have a heightened sense of privacy and security, it may follow that registry software vendors should know a thing or two about the regulations. But as Thomas Faris, chief privacy officer and lead for HIPAA implementation and compliance efforts at IMPAC Medical Systems in Mountain View, CA, pointed out, technically, they’re not legally required to comply with HIPAA.

“Registry software vendors are not covered within the scope of the HIPAA regulations,” said Faris. But, he added, “The ‘covered entity’ health care facilities are required to ensure that their use and application of the software complies with the requirements.”

In Faris’s opinion, software vendors must still be held accountable for product and operational improvements required for the covered entity’s HIPAA compliance. “Vendors who do not [comply] will be selling products that the customers cannot use,” he said. “Further, covered entities should enter into contractual agreements with their software vendors to adequately assure themselves that the vendor will meet the requirements.”

Toni Hare, RHIT, CTR, executive director of oncology data services for CHAMPS Management Services in Cleveland, OH, shares this perspective. “We just went through a whole gap analysis,” said Hare. According to her, the biggest efforts her business has made in preparing for HIPAA have been getting down in writing the policies and procedures already practiced and drafting HIPAA contractual language for the agreements they enter into with clients.

Both Hare and Precyse’s Kost suggest a visit to the North American Association of Central Cancer Registries’ (NAACCR) Web site, located at www.naaccr.org/training/index/html. It provides registrars with, among other things, a letter assuring members that “HIPAA has very little impact on cancer reporting to central cancer registries.”

Faris concluded, “HIPAA seeks nothing more [than] to facilitate the greatest potential use of modern technology, while providing common sense protections for the patient’s private information reflected in the data.” For years, registrars have already been operating within the spirit of this legislation, as he sees it. “Registrars have been responsible for electronically compiling the most personal data of patients and performing mandatory state reporting functions to enable comparative studies for advancement of the effectiveness and treatment of cancer.” In this sense, for many, keeping up with HIPAA is just business as usual.

–By Linda Gross