HIPAA Privacy Rule

SUBJECT: Disclosure of Protected Health Information to Cancer Registries under Federal Health Information Privacy Protections Pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

This memorandum is intended to site the regulations under which the reporting of protected health information, specifically cancer data to the Tennessee Cancer Registry (TCR), is permitted under both Tennessee law and the HIPAA Privacy Rule. 

We hope this information is helpful to allay concerns regarding disclosure of confidential information to TCR in compliance with the law. If you have any questions, please feel free to contact Ricky Tyler​, HIPAA Privacy Officer, Office of Cancer Surveillance, at (800) 547-3558 or (615) 741-5548. 

Reporting of Cancer Data to TCR: 

As required by Tennessee law and as a public health authority, disclosure of confidential patient information to TCR is permitted. The specific provisions establishing this fact are specified below:

Under legislation, T.C.A. 68-1-1001, “Tennessee Cancer Reporting System Act of 1983”: 
All hospitals, laboratories, facilities, and health care practitioners shall report to the department, within six (6) months after the date of diagnosis of cancer in a patient, information contained in the medical records of patients who have cancer…. 

According to the HIPAA Privacy Rule, 45 C.F.R, Section 164.512(a): 
Uses and disclosures required by law. (1) A covered entity may use or disclose protected health information to the extent that such use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law.

According to the HIPAA Privacy Rule, 45 C.F.R, Section 164.512(b):

A covered entity may disclose protected health information for public health activities…to a public health authority that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including but not limited to, the reporting of disease, injury, vital events, such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions…. 
Disclosure without authorization of the individual:

According to HIPAA Privacy Rule, 45 C.F.R., Section 164.512: 
A covered entity may use or disclose protected health information without the written authorization of the individual or the opportunity for the individual to agree or object as described in the requirements of this section…(b) to a public health authority that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability,…and the conduct of public health surveillance, public health investigations, and public heath interventions…. 
Liability for release of information – Compliance not violation of confidentiality:

Under legislation, T.C.A. 68-1-1007, “Tennessee Cancer Reporting System Act of 1983”: 
A hospital, laboratory, facility, or health care practitioner that reports information to the department or allows the commissioner or the commissioner’s authorized representative access to the medical records of cancer patients, as required by this part, shall not be held liable to any person for the release of such information to the department, nor shall the release of such information to the department be construed as a violation of any requirement of law or professional obligation to maintain the confidentiality of patient information. 
Casefinding and Reabstracting Studies: 

To assure completeness and accuracy of cancer reporting, casefinding and reabstracting studies must be performed. In order to complete these functions, confidential records of patients who have been diagnosed with cancer and those who have not been diagnosed with cancer must be reviewed (i.e.: disease index, master patient listing, pathology reports, etc.) Provisions covering these incidences are specified below:

According to Policies and Procedures 1200-7-2-. 05 (6a) (by authority of T.C.A. 68-1-1001): 
“Staff members of the TCR or their agents shall perform periodic quality assurance studies at all reporting facilities. These studies shall include casefinding and reabstracting.”

The HIPAA Privacy Rule, under 45 C.F.R., Section 164.512 and 164.514 (d)(3)(iii), provides no barrier to a covered entity relying on a public official’s determination of what information that official requires to accomplish its function. 
Thus, when performing casefinding and reabstracting studies, TCR may request access to documents containing information about patients who do not have cancer as a means to assure completeness and accuracy of reporting.