HIPAA

No. The provision of the Privacy Rule authorizing disclosure of protected health information as required by law is an exception to the requirement for written authorization.

No. The Privacy Rule does include a general requirement that covered entities make reasonable efforts to limit the disclosure of protected health information to the minimum necessary to accomplish the intended purpose of the disclosure. See 45 CFR sec. 164.502(b)(1). However, there is a specific exception to this requirement for disclosures that are required by law, such as the reporting of information about cases of cancer to CCR pursuant to California law and regulations. See 45 CFR sec. 164.502(b)(2)(v).

The Privacy Rule requires covered entities to verify a requester’s identity before disclosing protected health information. See 45 CFR sec. 164.514(h)(1)(i). In the case of disclosure to a person acting on behalf of a public official, a covered entity that reasonably relies on a written statement on appropriate government letterhead that the requester is acting under the government’s authority will fulfill this requirement. See 45 CFR sec. 164.514(h)(2)(ii)(C). The Privacy Rule also requires covered entities to verify the requester’s authority. See 45 CFR sec. 164.514(h)(1)(i). A covered entity that reasonably relies on a written statement of the legal authority under which the information is requested will fulfill this requirement. See 45 CFR sec. 164.514(h)(2)(iii)(A). To assist covered entities in meeting the verification requirements, the California Department of Public Health has provided a written statement to cancer-reporting facilities with the aforementioned information.

No. One way that the California Department of Public Health makes sure it obtains complete information about cancer cases is to give cancer-reporting facilities that want to minimize their reporting burden the ability to contract with the regional registries for onsite abstracting and reporting. See 17 Cal. Code of Regulations, sec. 2593(b)(17). HIPAA requires business associate agreements with entities that carry out health care functions on behalf of covered entities, but the regional registries are acting on behalf of the California Department of Public Health when they provide on-site abstracting and reporting services, not the covered entity. Therefore, they are not business associates.

No. The Privacy Rule applies to disclosure of protected health information by covered entities as required by law. It does not apply to subsequent use or disclosure by the recipient. However, CCR authorizing legislation includes strict limits on use and disclosure of reported information. Those requirements include obtaining a federally designated Institutional Review Board approval and contractual agreements to maintain confidentiality and privacy of the data and to not disclose confidential information beyond the confines of the specific research project. See Ca. Health and Safety Code sec. 103885(g). When a researcher contacts a patient, they are required to inform the patient of how they obtained the patient’s name, that the patient is under no obligation to participate in the study, that their participation or non-participation will not be reported to anyone, and that they may request that no one contact them again. Occasionally a patient will object to having their name released without prior consent, and CCR has methods to restrict those names from future contacts. But many patients are happy to participate in special studies in order that we all may learn more about cancer in order to make progress against this deadly disease. CCR was created to serve as a resource for research into the causes and cures of cancer, and it has a productive record of using CCR data for research. Furthermore, in more than 50 years of CCR’s operation, we are not aware of any unwarranted release of confidential information from CCR or researchers.

Yes. The Privacy Rule requires covered entities to provide an accounting of disclosures of protected health information. See 45 CFR sec. 164.528.