Data Security Guidelines for Cancer Registries

NPCR programs are subject to guidelines from policies and procedures for data security established by leading organizations in the central cancer registry and health care fields. These standards are outlined in the sections below and referenced in the November 2008 NPCR funding opportunity announcement.

Factors that have brought data security issues to the forefront include—

• Growing global concerns over privacy.



• Recent high-profile thefts of National Institutes of Health (NIH) and U.S. Department of Veterans Affairs (VA) laptops containing databases of patient identifiers.



• Improved technology that allows for real-time encryption (encryption on the fly).

NAACCR Data Security Standards for Cancer Registries

The North American Association for Central Cancer Registries (NAACCR) provides central registry structural requirements, process standards, and outcome measures for data access and completeness in Standards for Cancer Registries Vol. III: Standards for Completeness, Quality, Analysis, and Management of Data.* This document discusses reporting, data quality, data analysis and reporting, and data management.

NAACCR prepared its Standards for Cancer Registries volumes to develop and promote uniform data standards for all NAACCR members. These publications compile consensus standards among the North American cancer registry community as represented by NAACCR membership. The purpose of these standards is to increase the quality, comparability, and utility of cancer incidence data in North America.

NAACCR holds its member registries responsible for guarding data from unauthorized access and release. Each central cancer registry's director has the ultimate responsibility for data security at the registry. These responsibilities are described in Standards for Cancer Registries Vol. III, chapter 6, "Security and Confidentiality." Topics include—

• Structural requirements
• Registry policies and procedures
• Data use and release
• Information technology policies and procedures
• Disaster recovery

HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) Administration Simplification provision provides standards for the protection and privacy of customer health data. The standards are meant to improve the efficiency and effectiveness of the nation's health care system by encouraging the widespread use of electronic data interchange.

HHS

The U.S. Department of Health and Human Services (HHS) issued guidance on technologies and methods to protect personal electronic health care data in an effort to expand the use of electronic health records (EHRs). The guidance document (PDF-64KB), released April 17, 2009, describes encryption and destruction as the means to protect personal health data by making the data "unusable, unreadable or indecipherable" to unauthorized individuals. The guidelines were developed through a joint effort by the HHS Office for Civil Rights, Office of the National Coordinator for Health Information Technology, and the Centers for Medicare and Medicaid Services.

Please note: Some of these publications are available for download only as *.pdf files. These files require Adobe Acrobat Reader in order to be viewed. Please review the information on downloading and using Acrobat Reader software.

*Links to non-Federal organizations found at this site are provided solely as a service to our users. These links do not constitute an endorsement of these organizations or their programs by CDC or the Federal Government, and none should be inferred. CDC is not responsible for the content of the individual organization Web pages found at these links.