Health Affairs

Health Care Law Services include, but are not limited to:

  • Providing legal advice, counsel, and training to University faculty and staff.
  • Assisting in the development of University policy and procedures.
  • Reviewing contracts and other legal documents.
  • Providing legal advice regarding patient care, compliance, and medical staff matters.
  • Providing advice on proposed collaborations with external entities.
  • Helping to resolve disputes, claims, and litigation.
  • Securing and coordinating the services of outside legal counsel when necessary.

Request Legal Assistance

  • Request for Legal Assistance

Key Topics

  • Conflict of Interest and Vendor/Industry Guidelines
    A. Conflict of Interest and the California Political Reform Act

    As a California public agency, the University of California is subject to the conflict of interest requirements contained in the California Political Reform Act (the "Act").  The Act is based on the premise that public employees should perform their duties in an impartial manner, free from bias caused by their own financial interests.

    The University of California's Conflict of Interest Code, developed in response to the Act, requires that all University employees and officers disqualify themselves from making, participating in making, or attempting to influence any decision of the University where the individual has more than a nominal personal financial interest in the decision.

    Employees must be aware of:

    • What is meant by making or participating in making a University decision
    • What constitutes a conflict of interest
    • How to disqualify oneself
    • What could happen if one does not disqualify oneself

    The Act further requires certain state and local government officials to publicly disclose their private economic interests on an official Statement of Economic Interests form (Form 700).

    Please direct any questions you may have to the Chief Compliance Office.


    B. Vendor/Industry Relations

    The University has adopted several policies and guidelines regarding vendor/industry relations, which can be found here

    These vendor/industry-related policies address such issues as:

    • Gifts and compensation provided by industry
    • Access to clinical and non-clinical areas by sales and marketing representatives
    • Industry support for educational and other professional activities
    • Student and other trainee interactions with industry
    • Faculty, staff, and trainee disclosure of relationships with industry


    1. The University of California Health Care Vendor Relations Policy

    On March 12, 2008, the University of California adopted The University of California Policy on Health Care Vendor Relations

    Guidance is provided in the following areas:

    • Vendor preceptorships
    • Publicity of industry support
    • The applicability of the Anti-Kickback Statute
    • Confidentiality (HIPAA) assurances
    • The responsibility of committees that oversee purchasing decisions
  • Contracting Authority
    A. Legal Authority to Bind the University

    The legal authority to bind the UCR Health, including its specific operating divisions, resides exclusively with the Board of Regents and the Officers of The Regents of the University of California in accordance with the University's Bylaws and Standing Order 100.  Specific responsibility may be delegated in writing by the administrators in accordance with University policy. 

    Only those individuals who have been delegated the legal authority to negotiate and execute agreements by The Regents may sign contracts on behalf of the University. 

    UCR managers and administrative officers should ensure that they have the appropriate delegated authority before signing or approving any contracts on behalf of the University, and before committing any University resources.  See a list of the UCR delegations of authority.


    B. Name of the Contracting Entity for the UCR Health

     "The Regents of the University of California" is the legal entity for contracts with the University, UCR, and the UCR Health.  The Regents of the University of California is a corporation established under the Constitution of the State of California and is charged with the duty under Section 9 of Article IX of the Constitution of the State of California to administer the University as a public trust. The legal name of the corporation is "The Regents of the University of California."

    Neither the UCR School of Medicine nor any of the other UCR Health licensed healthcare facilities or clinics are separate legal entities.  They are all owned and operated by The Regents of the University of California.  Accordingly, the name of the contracting party in all UCR Health contracts is The Regents of the University of California followed by the specific operating division, as set forth in the following examples:

    • The Regents of the University of California, a California constitutional corporation, on behalf of The University of California, Riverside
    • The Regents of the University of California, a California constitutional corporation, on behalf of the School of Medicine at UCR 
  • Faculty Consulting Activities/ Agreements

    Consulting agreements between UCR faculty or employees and outside entities are considered to be personal agreements to which the University is not a party.  Thus, it is the responsibility of a University faculty member or employee to ensure that the terms of a consulting agreement do not conflict with the faculty member/employee's University duties, such as research and teaching obligations, and that the terms are consistent with University policies regarding disclosure and assignment of inventions to the University.  Ideally, the faculty member/employee should talk with a personal attorney before executing an agreement with a non-UCR entity, to ensure that his or her personal interests are protected and that the terms of the agreement do not conflict with his or her employment obligations to the University.  The Office of Legal Affairs is available to review a consulting agreement for compliance with University and UCR policies. Please contact us if you have questions about the scope of such review or additional questions about outside consulting.

  • Fraud and Abuse Laws and Regulations

    Numerous federal laws regulate the referral of patients by healthcare providers.  These laws are intended to prevent conflicts of interest between provider financial incentives and best patient care practices.  Federal "fraud and abuse" law is actually a compilation of several laws, including the Federal Anti-Kickback Statute, the Stark Law, and the False Claims Act.   


    A. The Federal Anti-Kickback Statute

    The Federal Anti-Kickback Statute (42 U.S.C. § 1320a-7(b)) prohibits providers of services or goods covered by a federal healthcare program ("Federal Healthcare Program") from knowingly and willingly soliciting or receiving or providing any remuneration, directly or indirectly, in cash or in kind, to induce either the referral of an individual, or furnishing or arranging for a good or service for which payment may be made under a Federal Healthcare Program.   The Federal Anti-Kickback Statute is an intent-based statute.  For purposes of the Federal Anti-Kickback Statute, a "Federal Healthcare Program" is defined as "any plan or program that provides health benefits, whether directly through insurance, or otherwise, which is funded directly, in whole or in part, by the United States Government; or any State health care program . . ." (42 U.S.C. § 1320a-7(b)(f)).  The Medicare, Medicaid, and TRICARE Programs are all Federal Healthcare Programs.  

    Certain transactions and arrangements are statutorily exempt from the Federal Anti-Kickback Statute (e.g., compensation paid pursuant to a bona fide employment relationship).  In addition, transactions and arrangements that comply fully with established Safe Harbor regulations will not be prosecuted under the Federal Anti-Kickback Statute.  Significantly, however, a transaction or arrangement that does not meet all the requirements of a Safe Harbor regulation is not per se illegal.

    The Federal Anti-Kickback Statute is a criminal statute and the penalties for violations of the law can be severe.  They include fines of up to $25,000 per violation, felony conviction punishable by imprisonment up to five years, or both, as well as possible exclusion from participation in Federal Healthcare Programs.


    B. The Stark Law

    The Stark Law, 42 U.S.C. § 1395nn (also known as the "Physician Self-Referral Statute"), generally prohibits the referral of Medicare and Medicaid beneficiaries by a physician to an entity for the provision of "designated health services" if the physician, or the physician's immediate family member, has a financial relationship with the entity, unless a statutory exception applies to that financial relationship.  For purposes of the Stark Law, a "financial relationship" can include an ownership interest, an investment interest, and/or a compensation arrangement.  Unlike the Anti-Kickback Statute, the Stark Law is a strict liability statute and thus, no proof of bad intent is required to violate the Stark law.  As a result, any arrangement that does not satisfy all of the criteria of a statutorily-defined Stark Law exception is illegal. 

    The Stark law provides for significant civil sanctions for violations including, but not limited to: the denial of payment of a claim; refunds of amounts collected in violation of the statute; and civil monetary penalties up to $15,000 for each claim submitted in violation of the statute.


    C. The False Claims Act

    The False Claims Act, 31 U.S.C. § 3729, imposes liability upon any person who knowingly submits or causes the submission of false or fraudulent claims for payment or approval.  Under the False Claims Act's qui tam provisions, a person with evidence of fraud against the government (known as a "relator" or a "whistle-blower") is authorized to file a case in federal court and sue on behalf of the government. 

    In the healthcare context, examples of conduct that can arguably lead to charges of violations of the statute include, but are not limited to: billing for medical services not rendered; misrepresenting the level of services rendered; falsely certifying compliance with federal laws; and submitting a claim for payment that is contrary to Medicare or Medicaid payment requirements.

    The False Claims Act provides that a person who violates the statute is subject to civil penalties of not less than $5,000 or more than $10,000, plus potential treble damages, for each false claim filed. 

    These fraud and abuse laws can be implicated in a variety of health care contracts and arrangements such as clinical services agreements, joint venture arrangements, and certain educational grants. 

    Please direct any questions regarding UCR Health's compliance with fraud and abuse laws to the Office of Legal Affairs.


    The Standards for Privacy of Individually Identifiable Health Information ("Privacy Rule") established, for the first time, a set of national standards for the protection of certain health information.  The U.S. Department of Health and Human Services ("HHS") issued the Privacy Rule to implement the requirement of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA").  The Privacy Rule standards address the use and disclosure of individuals' health information ("protected health information" or "PHI") by organizations subject to the Privacy Rule ("covered entities"). 

    California has long enforced patient privacy protections, primarily through the Confidentiality of Medical Information Act (Cal. Civil Code Section 56 et seq.).   However, in those instances in which California law and federal law (HIPAA) differ, HIPAA requires that providers comply with the federal or state law that provides patients with greater protection.

    All UCR Health workforce members (i.e., staff, physicians, volunteers, etc.) must undergo regular training in UCR Health HIPAA policies and procedures.

    The UCR Health HIPAA and HIPAA-related policies can be found on the UCR Health Office of Compliance Services website.  The University of California policies are also available here. 


    A. Summary of UCR Health's HIPAA Policies

    1. Protection of Health Information

    UCR Health Workforce members may not disclose, share or otherwise use any individually identifiable health information except for treatment, payment, and health care operations (referred to as "TPO") unless expressly authorized by the patient or as otherwise permitted by law.  Patients also have the right to request that UCR restrict how their PHI is used or disclosed.

    2. Classification of PHI Information

    All information contained in patient medical and billing records is confidential regardless of format.  These confidentiality protections extend not only to the patient's medical record, but also to information from the record.  In addition, special laws govern the disclosure of mental health, substance abuse, and HIV test result information. 

    3. Notice of Privacy Practices

    The Privacy Rule requires UCR Health to give each patient detailed information about UCR Health's privacy practices, in the form of the University's "Notice of Privacy Practices.” All uses and disclosures of PHI by UCR Health and its workforce members must be consistent with the Notice of Privacy Practices.

    4. Authorization to Use PHI

    The Privacy Rule requires providers to obtain a written authorization from an individual before using or disclosing a patient's PHI for purposes other than for TPO, unless otherwise authorized by law.

    5. Patient Access to PHI

    The Privacy Rule gives an individual (or that person's personal representative) the right of access to inspect and obtain a copy of the individual's own PHI. Providers may deny an individual access to his or her information under certain circumstances only if specified procedures are followed.

    6. UCR Health Employee (Workforce) Responsibilities to Maintain Confidentiality of PHI

    All members of the UCR Health workforce are responsible for maintaining the security and confidentiality of PHI on behalf of UCR Health patients. 

    Minimum necessary: When using or disclosing PHI, a provider must make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended use, disclosure, or request.

    Employee access: All members of the UCR Health workforce should only read and use PHI as necessary for their job functions.

    7. Release of PHI to Third Parties

    In light of the specific accounting and disclosure requirements imposed by HIPAA, all copying of medical records for release to third parties or agencies must be completed by, or coordinated with, UCR Health Compliance Office.

    8. Privacy Requirements Relating to Research

    Research is not considered to be a part of TPO under the Privacy Rule, except for certain studies related to health care operations, such as research that is also considered quality assurance and utilization management activities.  Consequently, the use or disclosure of PHI for research purposes generally requires either: (1) a written authorization from the individual whose information is collected or (2) a waiver of authorization from UCR's IRB. The IRB is responsible for reviewing and approving the authorization form that is used for research.

    The Privacy Rule permits the use and disclosure of a limited data set of information for research purposes, without patient authorization, provided certain requirements are met, including entering into a Data Use Agreement with the recipient of the information.

    Health Information that does not identify an individual ("de-identified information") is generally not considered PHI and may be disclosed without the patient's authorization.  In order to de-identify PHI, UCR Health must remove all 18 of the HIPAA identifiers specified in the HIPAA Privacy Rule.

    9. Disclosures to Business Associates

    The Privacy Rule requires UCR Health to enter into a confidentiality agreement with certain third parties when UCR Health shares PHI with the third party (e.g., non-health care providers) for TPO purposes.  This is called a business associate agreement ("BAA"). A business associate relationship exists when an individual or entity, acting on behalf of UCR Health, assists in the performance of a function or activity involving the use or disclosure of UCR Health's PHI. 

    10. Marketing and Fundraising

    In general, PHI may not be disclosed for marketing purposes without the patient's authorization. PHI includes demographic information, without any accompanying diagnosis or treatment information.  An authorization must be obtained from the patient even to use the patient's address or phone number for marketing.

    In addition, all fundraising materials sent to an individual must describe how the individual can opt out of receiving further fundraising communications.

    11. Media Inquiries

    Both California law and the Privacy Rule restrict the amount of information that may be provided to the media without the patient's authorization.  No information can be given if a request does not include the patient's name or if the patient has requested that information be withheld.

    A patient's condition may only be described in general terms that does not communicate specific medical information about the individual.  For example, the following general terms are acceptable: "undetermined," "good," "fair," "serious," "critical," or "deceased."

    12. Safeguards to Protect PHI

    Reasonable safeguards (physical, electronic and administrative) are to be used at all times to ensure that confidential information is not disclosed to individuals who are not authorized to receive the information and to minimize incidental disclosures of PHI. 

    13. UCR Health Workforce Training and Education

    The Privacy Rule requires that providers train their "workforce" on privacy policies and procedures at a level appropriate for the workforce members to carry out their roles and responsibilities.  All members of the UCR Health workforce will be provided with essential instruction regarding Privacy Rule requirements and additional training specific to their job responsibilities.

    14. Unauthorized Release and Disclosure

    The unauthorized release of PHI is a violation of law, with potential civil and/or criminal penalties and fines.  In addition, workforce members who are found to have violated the law and/or UCR Health policies may be subject to disciplinary action, up to and including termination.  Workforce members should immediately report any unauthorized release or disclosure of PHI to the Privacy and Information Security Offices and their supervisor.


    B. Questions

    Please direct any questions regarding HIPAA and/or UCR Health's privacy and security policies to the UCR Health Office of Compliance Services

  • Use of the 'UCR' Name

    The name the "University of California," and variations on the name such as UCR, are the property of the State of California.  Permission of The Regents of the University of California is required to use the University's name (including campus names) for commercial or non-commercial purposes.  According to Section 92000 of the California Education Code:

    "(a) The name of the 'University of California' is the property of the state. No person shall, without the permission of the Regents of the University of California, use this name or any abbreviation of it or any name of which these words are a part, in any of the following ways:

    (1) To designate any business, social, political, religious, or other organization, including but not limited to, corporation, firm, partnership, associate, group, activity, or enterprise.

    (2) To imply, indicate or otherwise suggest that any such organization, or any product or service of such organization is connected or affiliated with, or is endorsed, favored, or supported by the University of California..."

    In light of this restriction, advertising that displays or lists the University as a user of a product or service or as the source of information on which a commercial product, program, or publication is based is prohibited.  This prohibition extends to advertising using any UCR name, picture, landmark, building, or other indication. 

    Similarly, employees may not use the University's names or campus names, or their affiliation with the University in a manner which suggests or implies University support or endorsement of any activity or program. Employees may, however, use the University and campus names in making a true and accurate statement regarding their relationship with, or employment by, the University of California in the course of application for other employment or stating the employee's experience or qualifications.