The Standards for Privacy of Individually Identifiable Health Information ("Privacy Rule") established, for the first time, a set of national standards for the protection of certain health information. The U.S. Department of Health and Human Services ("HHS") issued the Privacy Rule to implement the requirement of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). The Privacy Rule standards address the use and disclosure of individuals' health information ("protected health information" or "PHI") by organizations subject to the Privacy Rule ("covered entities").
California has long enforced patient privacy protections, primarily through the Confidentiality of Medical Information Act (Cal. Civil Code Section 56 et seq.). However, in those instances in which California law and federal law (HIPAA) differ, HIPAA requires that providers comply with the federal or state law that provides patients with greater protection.
All UCLA Health System workforce members (i.e., staff, physicians, volunteers, etc.) must undergo regular training in UCLA Health System HIPAA policies and procedures.
The UCLA Health System HIPAA and HIPAA-related policies can be found on the UCLA Health System Office of Compliance and Privacy website. The University of California policies are also available here.
A. Summary of UCLA Health System's HIPAA Policies
1. Protection of Health Information
UCLA Health System Workforce members may not disclose, share or otherwise use any individually identifiable health information except for treatment, payment, and health care operations (referred to as "TPO") unless expressly authorized by the patient or as otherwise permitted by law.
2. Classification of PHI Information
All information contained in patient medical and billing records is confidential regardless of format. These confidentiality protections extend not only to the patient's medical record, but also to information from the record. In addition, special laws govern the disclosure of mental health, substance abuse, and HIV test result information.
3. Notice of Privacy Practices
The Privacy Rule requires UCLA Health System to give each patient detailed information about UCLA Health System's privacy practices, in the form of the University's "Notice of Privacy Practices" (see "Other Forms and Documents"). All uses and disclosures of PHI by UCLA Health System and its workforce members must be consistent with the Notice of Privacy Practices.
4. Authorization to Use PHI
The Privacy Rule requires providers to obtain a written authorization from an individual before using or disclosing a patient's PHI for purposes other than for TPO, unless otherwise authorized by law.
5. Patient Access to PHI
The Privacy Rule gives an individual (or that person's personal representative) the right of access to inspect and obtain a copy of the individual's own PHI. Providers may deny an individual access to his or her information under certain circumstances only if specified procedures are followed.
All requests for information from medical records should be referred to or coordinated with the UCLA Health System Privacy Management Office.
6. UCLA Health System Workforce Responsibilities to Maintain Confidentiality of PHI
All members of the UCLA Health System workforce are responsible for maintaining the security and confidentiality of PHI on behalf of UCLA Health System patients.
- Minimum necessary: When using or disclosing PHI, a provider must make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended use, disclosure, or request.
- Employee access: All members of the UCLA Health System workforce should only read and use PHI as necessary for their job functions.
7. Release of PHI to Third Parties
In light of the specific accounting and disclosure requirements imposed by HIPAA, all copying of medical records for release to third parties or agencies must be completed by, or coordinated with, the UCLA Health System Privacy Management Office.
8. Privacy Requirements Relating to Research
Research is not considered to be a part of TPO under the Privacy Rule, except for certain studies related to health care operations, such as research that is also considered quality assurance and utilization management activities. Consequently, the use or disclosure of PHI for research purposes requires a written authorization from the individual whose information is collected. The IRB is responsible for reviewing and approving the authorization form that is used for research.
The Privacy Rule permits the use and disclosure of a limited data set of information for research purposes, without patient authorization, provided certain requirements are met, including entering into a Data Use Agreement with the recipient of the information.
9. Disclosures to Business Associates
The Privacy Rule requires UCLA Health System to enter into a confidentiality agreement with certain third parties when UCLA Health System shares PHI with the third party (e.g., non-health care providers) for TPO purposes. This is called a business associate agreement ("BAA"). A business associate relationship exists when an individual or entity, acting on behalf of UCLA Health System, assists in the performance of a function or activity involving the use or disclosure of UCLA Health System's PHI. The UCLA Purchasing Departments are responsible for completing the University's HIPAA-compliant business associate agreement with outside vendors that provide goods or services to UCLA Health System. The UCLA Health System's form BAA can be found on the UCLA Health System Office of Compliance and Privacy website.
10. Marketing and Fundraising
In general, PHI may not be disclosed for marketing purposes without the patient's authorization. PHI includes demographic information even when it is not accompanied by any diagnosis or treatment information. An authorization must be obtained from the patient even to use the patient's address or phone number for marketing.
In addition, all fundraising materials sent to an individual must describe how the individual can opt out of receiving further fundraising communications.
11. Media Inquiries
Both California law and the Privacy Rule restrict the amount of information that may be provided to the media without the patient's authorization. In general, UCLA Health System may release the condition and location of an inpatient, outpatient, or emergency patient, but only if the inquiry specifically contains the patient's name, and only if the patient has not requested that the information be withheld from disclosure. No information can be given if a request does not include the patient's name or if the patient has requested that information be withheld.
A patient's condition may only be described in general terms that do not communicate specific medical information about the individual. For example, the following general terms are acceptable: "undetermined," "good," "fair," "serious," "critical," or "deceased."
12. Safeguards to Protect PHI
Reasonable safeguards are to be used at all times to ensure that confidential information is not disclosed to individuals who are not authorized to receive the information and to minimize incidental disclosures of PHI. Additional examples of safeguards can be found on the UCLA Health System Office of Compliance and Privacy website, and in UCLA Health System policies, such as Policy HS 9401.
13. UCLA Health System Workforce Training and Education
The Privacy Rule requires that providers train their "workforce" on privacy policies and procedures at a level appropriate for the workforce members to carry out their roles and responsibilities. All members of the UCLA Health System workforce will be provided with essential instruction regarding Privacy Rule requirements and additional training specific to their job responsibilities.
14. Unauthorized Release and Disclosure
The unauthorized release of PHI is a violation of law, with potential civil and/or criminal penalties and fines.
B. Questions
Please direct any questions regarding HIPAA and/or UCLA Health System's privacy and security policies to the UCLA Health System Office of Compliance and Privacy.
All requests for UCLA Health System patient medical records should be sent to the appropriate UCLA Health System Custodian of Records or the UCLA Health System Privacy Management Office for review and handling in accordance with the applicable UCLA Health System privacy/medical records disclosure policy. These policies can be found on the UCLA Health System Office of Compliance and Privacy website.
