HIPAA Compliance for Oncology Practices and Cancer Centers (2026)
Oncology handles some of the most sensitive protected health information in all of medicine. A single cancer patient’s record can combine a diagnosis, genomic sequencing results, clinical trial enrollment, mental health notes, and reporting to a state cancer registry — each governed by HIPAA, and several governed by additional rules on top of it. For oncology practices and cancer centers, HIPAA compliance is not a checkbox exercise; it is the operating discipline that lets you share the right data with the right people while keeping everything else locked down. This guide covers what makes oncology distinct under HIPAA in 2026 and how to build a defensible program around it.
Why oncology PHI carries elevated risk
The Privacy Rule treats all protected health information the same on paper, but in practice oncology data attracts more parties, more movement, and more scrutiny. Cancer care is rarely delivered by one entity: a patient may see a community oncologist, an infusion center, an NCI-designated academic center, a genomic testing lab, an imaging provider, and a clinical trial sponsor — all touching the same record. Every external party that creates, receives, maintains, or transmits PHI on your behalf is a business associate and needs a signed business associate agreement before any data moves.
Genetic and genomic information adds another layer. The 2013 HIPAA Omnibus Rule explicitly classified genetic information as protected health information and prohibited its use or disclosure for underwriting purposes. Tumor sequencing, hereditary cancer panels, and germline testing therefore sit squarely inside HIPAA’s scope — and because that data can implicate a patient’s blood relatives, the consequences of a mishandled disclosure extend beyond the individual.
Cancer registry reporting is a permitted disclosure — but it is not a free pass
Every state requires reportable cancers to be submitted to a central cancer registry, and most feed the CDC’s National Program of Cancer Registries or the NCI’s SEER program. HIPAA permits these disclosures without patient authorization under the public health activities provision at 45 CFR §164.512(b), which allows covered entities to report to public health authorities legally authorized to collect the data. That permission is real, but it is narrow: it covers the registry report itself, performed under the minimum necessary standard, not a broader release of the chart. Oncology programs should document which staff are authorized to make registry submissions, what data elements each submission includes, and the legal authority being relied on, so a permitted disclosure never blurs into an unpermitted one.
Clinical trials and research: authorization, waivers, and limited data sets
Research is where oncology compliance most often goes sideways, because the permitted pathways are specific and easy to confuse. HIPAA gives you three main routes to use PHI for research:
- Patient authorization under 45 CFR §164.508 — a signed, research-specific authorization that is distinct from the general consent to treat.
- An IRB or Privacy Board waiver of authorization under 45 CFR §164.512(i), used when obtaining individual authorization is impracticable and the privacy risk is minimal.
- A limited data set with a data use agreement under 45 CFR §164.514(e), which strips direct identifiers and binds the recipient to defined uses.
Cancer centers running multiple sponsored trials need a clear map of which pathway governs which dataset, and a process that prevents trial coordinators from pulling identifiable records outside the route the protocol approved. A HIPAA risk assessment that explicitly models your research data flows — not just clinical ones — is the most reliable way to catch a coordinator emailing an unencrypted patient list to a sponsor before it becomes a reportable breach.
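The two disclosure pathways described above, the minimum-necessary registry submission and the limited data set, come down to field-level release filters with a record of who sent what under which authority. The following is an added example written for this page, not Medcurity's code or any registry's specification. The registry allowlist, the field names and every sample value are constructed assumptions (a real allowlist comes from the state registry's reporting requirements); the direct-identifier categories removed for the limited data set follow the list in 45 CFR §164.514(e)(2).

```python
"""Added example (not Medcurity's code): field-level release filters for an
oncology record. Shows (a) a minimum-necessary allowlist for a cancer-registry
submission and (b) a limited data set that strips direct identifiers, plus a
disclosure log entry recording user, pathway, legal authority and fields sent.
Field names, the registry allowlist and sample values are constructed."""
from datetime import datetime, timezone

# Assumed allowlist of documented registry data elements. The real list comes
# from the state registry's reporting requirements and varies by state.
REGISTRY_DATA_ELEMENTS = frozenset({
    "medical_record_number", "date_of_birth", "sex", "city", "state", "zip",
    "primary_site", "histology", "stage", "date_of_diagnosis",
})

# Direct identifiers a limited data set must exclude, one key per category in
# 45 CFR 164.514(e)(2). Dates, city, state and zip code may remain.
DIRECT_IDENTIFIERS = frozenset({
    "name", "street_address", "phone", "fax", "email", "ssn",
    "medical_record_number", "health_plan_id", "account_number",
    "license_number", "vehicle_id", "device_serial", "url", "ip_address",
    "biometric_id", "face_photo",
})

# Constructed sample record; every value is fictitious.
SAMPLE_RECORD = {
    "name": "Jane Doe", "street_address": "12 Elm St",
    "city": "Springfield", "state": "IL", "zip": "62701",
    "phone": "555-0100", "email": "jane@example.invalid",
    "ssn": "000-00-0000", "medical_record_number": "MRN-TEST-0001",
    "date_of_birth": "1960-04-02", "sex": "F",
    "primary_site": "C50.4", "histology": "8500/3", "stage": "IIA",
    "date_of_diagnosis": "2026-01-15",
    "germline_panel": "BRCA1 pathogenic variant",
    "psych_notes": "adjustment disorder, see counselling note",
    "trial_enrollment": "TRIAL-ID-PLACEHOLDER",
}


def registry_submission(record, allowed=REGISTRY_DATA_ELEMENTS):
    """Minimum-necessary filter: only documented data elements leave.
    Returns (submission, withheld_field_names)."""
    submission = {k: v for k, v in record.items() if k in allowed}
    withheld = sorted(set(record) - allowed)
    return submission, withheld


def limited_data_set(record, remove=DIRECT_IDENTIFIERS):
    """Strip the direct identifiers; keep dates and city/state/zip."""
    return {k: v for k, v in record.items() if k not in remove}


def direct_identifiers_present(record, identifiers=DIRECT_IDENTIFIERS):
    """Pre-release check: which direct-identifier fields does a payload carry?"""
    return sorted(k for k in record if k in identifiers)


def release(record, pathway, user, dua_or_protocol=None):
    """Apply the filter for a documented pathway; return (payload, log_entry).
    Raises ValueError for an undocumented pathway or a missing DUA, so a
    coordinator cannot push a full chart through the research route."""
    if pathway == "registry":
        payload, _ = registry_submission(record)
        authority = "45 CFR 164.512(b) public health disclosure"
    elif pathway == "limited_data_set":
        if not dua_or_protocol:
            raise ValueError("a limited data set requires a data use agreement")
        payload = limited_data_set(record)
        leaked = direct_identifiers_present(payload)
        if leaked:  # defence in depth: never trust the denylist alone
            raise ValueError(f"direct identifiers remain: {leaked}")
        authority = f"45 CFR 164.514(e) limited data set under {dua_or_protocol}"
    else:
        raise ValueError(f"undocumented disclosure pathway: {pathway}")
    log_entry = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "user": user, "pathway": pathway, "authority": authority,
        "fields_sent": sorted(payload),
    }
    return payload, log_entry


if __name__ == "__main__":
    _, entry = release(SAMPLE_RECORD, "registry", "registrar01")
    print(entry)
    _, entry = release(SAMPLE_RECORD, "limited_data_set", "coord07",
                       "DUA-PLACEHOLDER")
    print(entry)
```

Note that the limited data set still contains the genomic result and the mental health note: a limited data set is still PHI, which is why the data use agreement and the minimum necessary standard continue to apply to it. The log entry is what lets the program show, per disclosure, the authorized user, the data elements sent and the legal authority relied on.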
The Security Rule obligations every oncology program shares
Underneath the oncology-specific wrinkles, the HIPAA Security Rule baseline still applies in full. Every practice and cancer center must conduct an accurate and thorough risk analysis of all electronic PHI, implement administrative, physical, and technical safeguards, and document the whole program. The pieces that matter most for oncology’s data-heavy, vendor-heavy environment are:
- A current security risk analysis that inventories every system holding PHI, including genomics platforms, imaging archives, and trial management systems.
- A complete business associate agreement inventory covering every lab, CRO, sponsor, and cloud vendor that touches patient data.
- Access controls and audit logging tight enough to enforce minimum necessary across a large, multi-disciplinary care team.
- Encryption of PHI in transit and at rest, and a breach response plan that meets the 500-individual reporting threshold at 45 CFR §164.408.
Looking ahead, the proposed 2026 update to the Security Rule would tighten several of these expectations — mandating encryption, multifactor authentication, and more frequent risk analysis among other changes. As of mid-2026 that rule remains proposed, not final: OCR is still reviewing public comments, more than 100 hospital systems and provider associations have asked the Department to withdraw it, and no final rule has been published. Oncology programs should treat the proposal as a strong signal of direction rather than a current legal obligation, and prepare for its mandates as though they will eventually take effect.
Building a defensible oncology compliance program
The practical path for an oncology practice or cancer center looks like this: start with a documented risk analysis that includes research and registry data flows, close the gaps it surfaces with a remediation plan, get every business associate under agreement, train staff on the difference between permitted and unpermitted disclosures, and keep evidence of all of it. Larger programs that resemble a small hospital in scale can borrow the same governance approach used by small and community hospitals, and any program expecting growth or an OCR data request should keep an audit preparation checklist current year-round rather than scrambling after a letter arrives.
Oncology’s compliance burden is heavier than most specialties because its data is more sensitive, more shared, and more regulated. The upside is that a well-run risk analysis and a tight vendor program address the large majority of that burden at once — and they are entirely achievable with the right structure.
Frequently asked questions
Does HIPAA allow oncology practices to report cancer cases to a state registry without patient authorization?
Yes. Reporting reportable cancers to a state cancer registry is a permitted public health disclosure under 45 CFR §164.512(b), which allows covered entities to disclose PHI to public health authorities legally authorized to collect it. The disclosure should follow the minimum necessary standard and be limited to what the registry requires.
Is genomic and genetic testing data covered by HIPAA?
Yes. The 2013 HIPAA Omnibus Rule classified genetic information as protected health information and prohibited its use or disclosure for underwriting. Tumor sequencing, hereditary cancer panels, and germline testing results are PHI and must be safeguarded like any other patient data.
How can a cancer center use patient data for clinical trials under HIPAA?
There are three main pathways: a research-specific patient authorization under 45 CFR §164.508, an IRB or Privacy Board waiver of authorization under §164.512(i), or a limited data set with a data use agreement under §164.514(e). Each protocol’s approved pathway should govern how identifiable data moves to sponsors or research partners.
What is the most important first step for HIPAA compliance in an oncology practice?
A current, accurate HIPAA risk analysis that maps every system and data flow holding PHI — including genomics platforms, imaging, registry reporting, and clinical trial systems. The risk analysis is both a Security Rule requirement and the foundation OCR looks for first in any investigation.
Ready to assess where your oncology program stands? Explore Medcurity’s HIPAA solutions to see how a structured risk analysis and BAA program fit your practice or cancer center.