Data Security Guidelines for Cancer Registries
NPCR programs are subject to data security policies and procedures established by leading organizations in the central cancer registry and health care fields. These standards are outlined in the sections below and referenced in the November 2010 NPCR funding opportunity announcement.
Factors that have brought data security issues to the forefront include—
- Growing global concerns over privacy.
- High-profile thefts of National Institutes of Health (NIH) and U.S. Department of Veterans Affairs (VA) laptops containing databases of patient identifiers.
- Improved technology that allows for real-time encryption (encryption on the fly).
NAACCR Data Security Standards for Cancer Registries
The North American Association for Central Cancer Registries (NAACCR) provides central registry structural requirements, process standards, and outcome measures for access to source data and completeness of reporting, data quality, data analysis and reporting, and data management. NAACCR's Standards for Completeness, Quality, Analysis, Management, Security, and Confidentiality of Data (August 2008) discusses reporting, data quality, data analysis and reporting, and data management.
NAACCR prepared its Standards for Cancer Registries volumes to develop and promote uniform data standards for all NAACCR members. These publications compile consensus standards among the North American cancer registry community as represented by NAACCR membership. The purpose of these standards is to increase the quality, comparability, and utility of cancer incidence data in North America.
NAACCR holds its member registries responsible for guarding data from unauthorized access and release. Each central cancer registry's director has the ultimate responsibility for data security at the registry. These responsibilities are described in Standards for Cancer Registries Vol. III, chapter 6, "Security and Confidentiality." Topics include—
- Structural requirements.
- Registry policies and procedures.
- Data use and release.
- Information technology policies and procedures.
- Disaster recovery.
The Health Insurance Portability and Accountability Act (HIPAA) Administrative Simplification provision provides standards for the protection and privacy of customer health data. The standards are meant to improve the efficiency and effectiveness of the nation's health care system by encouraging the widespread use of electronic data interchange.
The U.S. Department of Health and Human Services (HHS) issued guidance on technologies and methods to protect personal electronic health care data in an effort to expand the use of electronic health records (EHRs). The guidance document, released April 17, 2009, describes encryption and destruction as the means to protect personal health data by making the data "unusable, unreadable or indecipherable" to unauthorized individuals. The guidelines were developed through a joint effort by the HHS Office for Civil Rights, Office of the National Coordinator for Health Information Technology, and the Centers for Medicare and Medicaid Services.