CRGC and HIPAA Compliance: Frequently Asked Questions

The Health Insurance Portability and Accountability Act (HIPAA) governs how protected health information may be used, by whom, and for what purposes. The law and its regulations relate to the operation of cancer registries and registry-supported cancer research in many ways. This Frequently Asked Questions document presents information specifically relevant to the Cancer Registry of Greater California (CRGC), a program of the Public Health Institute.

How do HIPAA regulations accommodate cancer reporting?

HIPAA regulations include a section pertaining to uses and disclosures for public health activities. Under this section, a covered entity may use or disclose protected health information for various public health activities and purposes to “a public health authority that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions; or, at the direction of a public health authority, to an official of a foreign government agency that is acting in collaboration with a public health authority” (45 CFR 165.512).


Is the CRGC a covered entity?

No. A covered entity is defined as “(1) A health plan. (2) A health care clearinghouse. (3) A health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter” (45 CFR 160.103 Definitions).

The CRGC is not an entity of any of these types.

Under what authority may the CRGC access medical information?

CRGC, as a program of the Public Health Institute, is a designated agent (authorized representative) of the State of California for the purposes of cancer reporting pursuant to California Health and Safety Code 103885. The current designation for these purposes is provided through Grant Agreement 17-10098 which includes specific terms, conditions, goals, and objectives as required by the California Department of Public Health.

Is the CRGC a business associate of each reporting facility and physician office that reports cancer data?

No.  The reporting of cancer data to the CRGC does not engage the CRGC as a business associate of the reporting entity.

Neither HIPAA regulations nor the state statute require agreements between the CRGC and reporting entities for the above purposes.

Furthermore, if a facility should fail to meet its mandatory reporting requirements, the CRGC will (as the authorized agent for cancer data collection of the state of California) access the information from the hospital or the facility and report it in the appropriate format. In these cases, the hospital or other health facility shall reimburse the authorized representative for its cost to access and report the information. If a pathologist fails to report electronically and with an approved format, the CRGC will, as the authorized agent, access the information and report it in the appropriate format. The pathologist shall then reimburse the CRGC accordingly.


Does the CRGC become a business associate when it conducts an audit at a covered entity?

No. The CRGC conducts audits of cancer cases at facilities and physician offices in order to confirm the accuracy, completeness, and timeliness of cancer reporting, and thereby substantiate the cancer data that the CRGC collects as a complete, population-based census of reportable cancers.

This activity is not conducted by or on behalf of a covered entity but rather in accordance with the duties of the CRGC contained in Grant Agreement 17-10098 which includes quality assurance and control objectives as required by the California Department of Public Health.

Performance of an audit does not involve a relationship between a covered entity and a business associate of that entity.  With respect to access to medical information, the statute provides that “All physicians and surgeons, hospitals, outpatient clinics, nursing homes and all other facilities, individuals or agencies providing diagnostic or treatment services to patients with cancer shall grant to the department or the authorized representative access to all records that would identify cases of cancer or would establish characteristics of the cancer, treatment of the cancer, or medical status of any identified cancer patient.” Because this provision affords the CRGC comprehensive access to records that would contain reportable cancer information, it supports quality assurance and control efforts, enables identification of missing and/or unreported cancer data, and affords the CRGC authority to reject pre-selection of content by a reporting facility or physician office for audit purposes.

The California Code of Regulations provides further detail at: 17 CCR 2593 (8) Quality Control System. The criteria of accuracy, completeness, and timeliness are defined in Volume I of the California Cancer Reporting System Standards.

Is the CRGC a business associate of a reporting facility that contracts to CRGC the activities of cancer reporting?

Yes.  The CRGC performs cancer reporting on a fee-for-service basis to facilities that are unable to meet reporting requirements.  Fee-for-service contracts can be used for both temporary purposes (such as to avoid a backlog of reportable cancer cases during staffing transitions) and to satisfy ongoing reporting responsibilities at facilities that opt to use this service in lieu of hiring internal staff or securing the services of one or more qualified, independent contractors. Only certified tumor registrars are qualified to perform cancer reporting in California.

When the CRGC performs cancer reporting on a fee-for-service basis, it “provides data transmission services with respect to protected health information to a covered entity.” These services routinely require access to protected health information. This activity constitutes a business associate relationship between the CRGC and the covered entity (45 CFR 160.103 Definitions).

Since the CRGC is not a covered entity, how is the confidentiality of cancer registry data secured?

Because cancer data are “(1) … created or received by a health care provider, health plan, public health authority, … or health care clearinghouse,” and (2) relate “to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual,” cancer registry data are inclusive of health information, as defined in HIPAA regulations (45 CFR 160.103 Definitions).

Cancer data also are defined as confidential in the Ken Maddy California Cancer Registry Act at California Health and Safety Code Section 103885(g). As such, these data are only released in accordance with strict statutory requirements.  The data also benefit from protection against subpoena. Section 103885(g)(8) specifically provides, “Notwithstanding any other law, no part of the confidential information shall be available for subpoena, nor shall it be disclosed, discoverable, or compelled to be produced in any civil, criminal, administrative, or other proceeding, nor shall this information be deemed admissible as evidence in any civil, criminal, administrative, or other tribunal or court for any reason.”

Why do CRGC researchers present documentation of a waiver of HIPAA authorization to conduct medical records review for research purposes?

HIPAA regulations distinguish between 1) uses and disclosures of protected health information that are coupled with a requirement of a patient’s approval and 2) uses and disclosures for which no such opportunity is required. The regulations state the patient approval requirements associated with individual medical care, facility purposes, emergency care, and disaster relief, and specify, for example, how family members may be designated for information and communications purposes.

Uses for which patient approval is not required range from public health oversight and programs to reporting instances of abuse, child neglect, and domestic violence, to coroner and medical examiner needs, law enforcement needs, judicial proceedings, tissue donation, research, serious threats to health and safety, and further extend to national security and military intelligence.

In the research context, the regulations further include Institutional Review Board (IRB) and Privacy Board approvals that may include full and/or partial waivers of HIPAA authorizations in accordance with specific criteria. See generally 45 CFR 164.512 (i) Standard: Uses and disclosures for research purposes.

In addition to data collection conducted in support of state and federal cancer registration programs, the CRGC is involved in various research endeavors.  For these research purposes, CRGC investigators submit their research projects for IRB review to confirm the adequacy of human subjects protections and to receive, where appropriate, waivers of HIPAA authorization that may enable, for example, medical records review and abstraction.

CRGC investigators will supply documentation of IRB approvals and HIPAA authorization waivers at facilities where they request medical information.

CRGC researchers often combine registry data with additional medical information in their studies. State law supports this activity. “Persons with a valid scientific interest who are engaged in demographic, epidemiological, or other similar studies related to health who meet qualifications as determined by the department, and who agree, in writing, to maintain confidentiality, may be authorized access to confidential information.” (California Health and Safety Code Section 103885 (g) (3).)

When a facility relies on a waiver of HIPAA authorization to facilitate access to medical information, is the facility engaged in human subjects research for which a local IRB approval is required?

No. Guidance regarding the engagement in human subjects research from the Office of Human Research Protections (OHRP) includes an example of activities that do not constitute engagement in human subjects research as follows: “Institutions whose employees or agents release to investigators at another institution identifiable private information or identifiable biological specimens pertaining to the subjects of the research” (, at B.6).

If, however, such a research activity also involves an investigator from the data-providing facility, or if the facility is involved in the investigative activities, then the data-providing facility may also be engaged in the research (and may require IRB oversight accordingly).