HIPAA FAQ

We’re often asked how the data we collect can be used in accordance with HIPAA regulations. Below are the most common questions we hear; email Tiffany Janes at tjanes@fredhutch.org or call her at 206.667.7902 if you need additional information.

In 1996, the U.S. Congress passed a law called the Health Insurance Portability and Accountability Act, or HIPAA. Among other things, it requires uniform federal privacy protections for individually identifiable health information. The U.S. Department of Health and Human Services issued final regulations implementing the privacy provisions of HIPAA in autumn 2002. These regulations are called the "Privacy Rule." Copies of the HIPAA Privacy Rule, as well as helpful explanatory materials, can be found at the HHS Office for Civil Rights website.

The rule applies to covered entities that are involved in the healthcare of individuals and that may transmit information about those individuals to other organizations, in any form.

A 'Covered Entity' is a healthcare plan, clearinghouse or provider who transmits any health information for financial and administrative transactions. A 'healthcare provider' is "a provider of medical or health services, and any other person who furnishes, bills or is paid for healthcare in the normal course of business."

No. Reporting information about cases of cancer in accordance with the requirements of Washington statutes and regulations is permitted by HIPAA. PHI can be released without specific patient authorization under several conditions. HIPAA authorizes covered entities to disclose PHI where required by law, including laws that mandate reporting of PHI to Public Health Authorities. The CSS is a contractor for the Washington State Cancer Registry, and under HIPAA, is considered to be a Public Health Authority. Therefore, HIPAA does not conflict with the Washington State law.

Yes. There are three aspects of the ‘minimum necessary’ standard that allow organizations to report all data we request for the purposes of complying with legally-mandated cancer reporting in our state. First, ‘minimum necessary’ means "the minimum necessary to accomplish the activity for which the PHI is being obtained". As part of the legal mandate to collect data on cancer patients, we conduct "case-finding" to identify all possible cancer diagnoses. To accomplish this task thoroughly, we need to screen the full complement of diagnostic and hospitalization data that covered entities create in order to be certain that no cancer patients are missed. Thus, release of PHI on non-cancer patients (e.g., ‘negative path’) meets the ‘minimum necessary’ standard. Second, under HIPAA [45 CFR 164.514(d)], when disclosures are made for the purposes of public health reporting, covered entities do not need to make a ‘minimum necessary’ determination. Instead, they are legally permitted to rely on the public health authority (in this instance, the CSS and WSCR) to determine what is the minimum necessary information to achieve cancer reporting in Washington State. Finally, HIPAA also states [45 CFR 164.502(b) and 45 CFR 164.512(a)] that the ‘minimum necessary’ standard does not apply to disclosures required by law, as is the case with cancer reporting in our state.

Yes. HIPAA does not require any change in the nature of the data that covered entities report to us in compliance with the Washington State law regarding cancer registration.

Yes. We periodically request additional PHI to fulfill the legally-mandated cancer reporting requirements in Washington State.

For the Washington State Cancer Registry, contact:

You can also contact Stephen Schwartz, PhD, Principal Investigator of the Cancer Surveillance System, at 206.667.4660 or email sschwart@fredhutch.org.