HIPAA, an acronym for the Health Insurance Portability and Accountability Act, was established in 1996 to safeguard patients from the unpermitted disclosure of their confidential medical data. HIPAA regulations and policies on safeguarding patient information apply not only to registrars or medical personnel who work in a medical facility or hospital, but to remote workers as well. “One of the most important responsibilities of cancer registry professionals is to protect the confidentiality of cancer patient information.” As remote cancer registrars, it is our responsibility to ensure that our patients’ medical records and abstracts are protected from prying eyes and are not used or discussed for anything unrelated to an abstract. While providing industry-leading cancer registry services, we can never let our guard down when it comes to protecting our patients’ information just because we are sitting in the comfort of our homes.
The first step a remote cancer registrar can take to safeguard a patient’s information comes when setting up a home office. It is important that the office be set up in a safe and secure area within the home and away from others. The layout and design of the office should focus on the location and setup of the desk as well as the location of the monitors. The monitors should be turned away from any window and face a direction where they cannot be seen by others. Computer desktops must also remain locked when not in use and must never be used by other members of the household or for personal use for any reason. With the technology and software available today, there is rarely if ever a need for paper copies of a patient’s personal information. If such material is used and/or printed, the documents must be destroyed or locked up when not in use. Additional safeguards to consider are the use of strong passwords to access the computer’s desktop, VPNs, routers, and much more. Public Wi-Fi must also never be used when abstracting or accessing a patient’s information.
While abstracting a patient’s case, it is also important to protect the patient’s identity. The patient demographics section of the abstract comprises a collection of information elements that describe personal details of an individual patient. When analyzed collectively, this data can facilitate research on the variations in cancer rates based on geographical location and the identification of groups more prone to specific cancer types. However, given the confidential nature of much of the information contained in this section, caution must be exercised to ensure patient confidentiality when reporting cases. Information that falls within the “HIPAA Identifiers and HIPAA Privacy Rule”, and that must be omitted from any field within an abstract that is not intended to identify the patient, includes patient names, phone numbers and addresses, Social Security numbers, health insurance numbers, and much more. No personal information may be included in the notepad or text sections of the abstract outside of the patient demographics section.
Hospitals and healthcare facilities report their complete abstracts monthly to their state cancer registries through a secure website. These central registries in turn consolidate the patient information from multiple facilities into one abstract. Annually, the majority of state central cancer registries transmit data to the CDC’s National Program of Cancer Registries (NPCR). The transmitted information does not contain any identifiable data, such as the patient’s name, residential address, or Social Security number. The NPCR cross-references and combines this information with the data from the National Cancer Institute’s Surveillance, Epidemiology, and End Results (SEER) Program and the CDC’s National Center for Health Statistics National Vital Statistics System. This information is updated every year and published as the United States Cancer Statistics (USCS).
Patient information must remain confidential at each level, from the moment a patient provides their information to a healthcare worker until the information reaches the central registry. This gives patients confidence that their information is not being used for anything outside of the medical and research purposes they have authorized. Any breach of a patient’s information could lead to a monetary fine for the healthcare facility, medical personnel, and/or abstractor.