The Standards for Privacy of Individually Identifiable Health Information ("Privacy Rule") established, for the first time, a set of national standards for the protection of certain health information. The U.S. Department of Health and Human Services ("HHS") issued the Privacy Rule to implement the requirement of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). The Privacy Rule standards address the use and disclosure of individuals' health information ("protected health information" or "PHI") by organizations subject to the Privacy Rule ("covered entities").
California has long enforced patient privacy protections, primarily through the Confidentiality of Medical Information Act (Cal. Civil Code Section 56 et seq.). However, in those instances in which California law and federal law (HIPAA) differ, HIPAA requires that providers comply with the federal or state law that provides patients with greater protection.
All UCR Health workforce members (i.e., staff, physicians, volunteers, etc.) must undergo regular training in UCR Health HIPAA policies and procedures.
The UCR Health HIPAA and HIPAA-related policies can be found on the UCR Health Office of Compliance Services website. The University of California policies are also available here.
A. Summary of UCR Health's HIPAA Policies
1. Protection of Health Information
UCR Health Workforce members may not disclose, share or otherwise use any individually identifiable health information except for treatment, payment, and health care operations (referred to as "TPO") unless expressly authorized by the patient or as otherwise permitted by law. Patients also have the right to request that UCR restrict how their PHI is used or disclosed.
2. Classification of PHI Information
All information contained in patient medical and billing records is confidential regardless of format. These confidentiality protections extend not only to the patient's medical record, but also to information from the record. In addition, special laws govern the disclosure of mental health, substance abuse, and HIV test result information.
3. Notice of Privacy Practices
The Privacy Rule requires UCR Health to give each patient detailed information about UCR Health's privacy practices, in the form of the University's "Notice of Privacy Practices." All uses and disclosures of PHI by UCR Health and its workforce members must be consistent with the Notice of Privacy Practices.
4. Authorization to Use PHI
The Privacy Rule requires providers to obtain a written authorization from an individual before using or disclosing a patient's PHI for purposes other than for TPO, unless otherwise authorized by law.
5. Patient Access to PHI
The Privacy Rule gives an individual (or that person's personal representative) the right of access to inspect and obtain a copy of the individual's own PHI. Providers may deny an individual access to his or her information under certain circumstances only if specified procedures are followed.
6. UCR Health Employee (Workforce) Responsibilities to Maintain Confidentiality of PHI
All members of the UCR Health workforce are responsible for maintaining the security and confidentiality of PHI on behalf of UCR Health patients.
Minimum necessary: When using or disclosing PHI, a provider must make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended use, disclosure, or request.
Employee access: All members of the UCR Health workforce should only read and use PHI as necessary for their job functions.
7. Release of PHI to Third Parties
In light of the specific accounting and disclosure requirements imposed by HIPAA, all copying of medical records for release to third parties or agencies must be completed by, or coordinated with, the UCR Health Compliance Office.
8. Privacy Requirements Relating to Research
Research is not considered to be a part of TPO under the Privacy Rule, except for certain studies related to health care operations, such as research that is also considered quality assurance and utilization management activities. Consequently, the use or disclosure of PHI for research purposes generally requires either: (1) a written authorization from the individual whose information is collected or (2) a waiver of authorization from UCR's IRB. The IRB is responsible for reviewing and approving the authorization form that is used for research.
The Privacy Rule permits the use and disclosure of a limited data set of information for research purposes, without patient authorization, provided certain requirements are met, including entering into a Data Use Agreement with the recipient of the information.
Health Information that does not identify an individual ("de-identified information") is generally not considered PHI and may be disclosed without the patient's authorization. In order to de-identify PHI, UCR Health must remove all 18 of the HIPAA identifiers specified in the HIPAA Privacy Rule.
9. Disclosures to Business Associates
The Privacy Rule requires UCR Health to enter into a confidentiality agreement with certain third parties when UCR Health shares PHI with the third party (e.g., non-health care providers) for TPO purposes. This is called a business associate agreement ("BAA"). A business associate relationship exists when an individual or entity, acting on behalf of UCR Health, assists in the performance of a function or activity involving the use or disclosure of UCR Health's PHI.
10. Marketing and Fundraising
In general, PHI may not be disclosed for marketing purposes without the patient's authorization. PHI includes demographic information even without any accompanying diagnosis or treatment information. An authorization must be obtained from the patient even to use the patient's address or phone number for marketing.
In addition, all fundraising materials sent to an individual must describe how the individual can opt out of receiving further fundraising communications.
11. Media Inquiries
Both California law and the Privacy Rule restrict the amount of information that may be provided to the media without the patient's authorization. No information can be given if a request does not include the patient's name or if the patient has requested that information be withheld.
A patient's condition may only be described in general terms that do not communicate specific medical information about the individual. For example, the following general terms are acceptable: "undetermined," "good," "fair," "serious," "critical," or "deceased."
12. Safeguards to Protect PHI
Reasonable safeguards (physical, electronic and administrative) are to be used at all times to ensure that confidential information is not disclosed to individuals who are not authorized to receive the information and to minimize incidental disclosures of PHI.
13. UCR Health Workforce Training and Education
The Privacy Rule requires that providers train their "workforce" on privacy policies and procedures at a level appropriate for the workforce members to carry out their roles and responsibilities. All members of the UCR Health workforce will be provided with essential instruction regarding Privacy Rule requirements and additional training specific to their job responsibilities.
14. Unauthorized Release and Disclosure
The unauthorized release of PHI is a violation of law, with potential civil and/or criminal penalties and fines. In addition, workforce members who are found to have violated the law and/or UCR Health policies may be subject to disciplinary action, up to and including termination. Workforce members should immediately report any unauthorized release or disclosure of PHI to the Privacy and Information Security Offices and their supervisor.
Please direct any questions regarding HIPAA and/or UCR Health's privacy and security policies to the UCR Health Office of Compliance Services.