The Standards for Privacy of Individually Identifiable Health Information ("Privacy Rule") established, for the first time, a set of national standards for the protection of certain health information. The U.S. Department of Health and Human Services ("HHS") issued the Privacy Rule to implement the requirement of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). The Privacy Rule standards address the use and disclosure of individuals' health information ("protected health information" or "PHI") by organizations subject to the Privacy Rule ("covered entities").
California has long enforced patient privacy protections, primarily through the Confidentiality of Medical Information Act (Cal. Civil Code Section 56 et seq.). However, in those instances in which California law and federal law (HIPAA) differ, HIPAA requires that providers comply with the federal or state law that provides patients with greater protection.
All UCLA Health workforce members (i.e., staff, physicians, volunteers, etc.) must undergo regular training in UCLA Health HIPAA policies and procedures.
1. Protection of Health Information
UCLA Health Workforce members may not disclose, share or otherwise use any individually identifiable health information except for treatment, payment, and health care operations (referred to as "TPO") unless expressly authorized by the patient or as otherwise permitted by law. Patients also have the right to request that UCLA restrict how their PHI is used or disclosed.
6. Classification of PHI
All information contained in patient medical and billing records is confidential regardless of format. These confidentiality protections extend not only to the patient's medical record, but also to information from the record. In addition, special laws govern the disclosure of mental health, substance abuse, and HIV test result information.
3. Notice of Privacy Practices
The Privacy Rule requires UCLA Health to give each patient detailed information about UCLA Health's privacy practices, in the form of the University's "Notice of Privacy Practices" (see "Other Forms and Documents"). All uses and disclosures of PHI by UCLA Health and its workforce members must be consistent with the Notice of Privacy Practices.
4. Authorization to Use PHI
The Privacy Rule requires providers to obtain a written authorization from an individual before using or disclosing a patient's PHI for purposes other than for TPO, unless otherwise authorized by law.
5. Patient Access to PHI
The Privacy Rule gives an individual (or that person's personal representative) the right of access to inspect and obtain a copy of the individual's own PHI. Providers may deny an individual access to his or her information under certain circumstances only if specified procedures are followed.
All requests for information from medical records should be referred to or coordinated with UCLA Health Information Management Services.
6. UCLA Health Employee (Workforce) Responsibilities to Maintain Confidentiality of PHI
All members of the UCLA Health workforce are responsible for maintaining the security and confidentiality of PHI on behalf of UCLA Health patients.
7. Release of PHI to Third Parties
In light of the specific accounting and disclosure requirements imposed by HIPAA, all copying of medical records for release to third parties or agencies must be completed by, or coordinated with, UCLA Health Information Management Services.
8. Privacy Requirements Relating to Research
Research is not considered to be a part of TPO under the Privacy Rule, except for certain studies related to health care operations, such as research that is also considered quality assurance and utilization management activities. Consequently, the use or disclosure of PHI for research purposes generally requires either: (1) a written authorization from the individual whose information is collected or (2) a waiver of authorization from UCLA's IRB. The IRB is responsible for reviewing and approving the authorization form that is used for research.
The Privacy Rule permits the use and disclosure of a limited data set of information for research purposes, without patient authorization, provided certain requirements are met, including entering into a Data Use Agreement with the recipient of the information.
Health Information that does not identify an individual ("de-identified information") is generally not considered PHI and may be disclosed without the patient's authorization. In order to de-identify PHI, UCLA Health must remove all 18 of the HIPAA identifiers specified in the HIPAA Privacy Rule.
9. Disclosures to Business Associates
The Privacy Rule requires UCLA Health to enter into a confidentiality agreement with certain third parties when UCLA Health shares PHI with the third party (e.g., non-health care providers) for TPO purposes. This is called a business associate agreement ("BAA"). A business associate relationship exists when an individual or entity, acting on behalf of UCLA Health, assists in the performance of a function or activity involving the use or disclosure of UCLA Health's PHI. The UCLA Purchasing Departments are responsible for completing the University's HIPAA-compliant business associate agreement with outside vendors that provide goods or services to UCLA Health. UCLA Health's form BAA can be found on the UCLA Health Office of Compliance Services website.
10. Marketing and Fundraising
In general, PHI may not be disclosed for marketing purposes without the patient's authorization. PHI includes demographic information even when it is not accompanied by any diagnosis or treatment information. An authorization must therefore be obtained from the patient even to use the patient's address or phone number for marketing.
In addition, all fundraising materials sent to an individual must describe how the individual can opt out of receiving further fundraising communications.
11. Media Inquiries
Both California law and the Privacy Rule restrict the amount of information that may be provided to the media without the patient's authorization. In general, UCLA Health may release the condition and location of an inpatient, outpatient, or emergency patient, but only if the inquiry specifically contains the patient's name, and only if the patient has not requested that the information be withheld from disclosure. No information can be given if a request does not include the patient's name or if the patient has requested that the information be withheld.
A patient's condition may only be described in general terms that do not communicate specific medical information about the individual. For example, the following general terms are acceptable: "undetermined," "good," "fair," "serious," "critical," or "deceased."
12. Safeguards to Protect PHI
Reasonable safeguards (physical, electronic and administrative) are to be used at all times to ensure that confidential information is not disclosed to individuals who are not authorized to receive the information and to minimize incidental disclosures of PHI. Examples of safeguards (such as locking medical and billing records at the end of the day, not sharing passwords, etc.) can be found on the UCLA Health Office of Compliance Services website, and in UCLA Health policies, such as Policy HS 9401.
13. UCLA Health Workforce Training and Education
The Privacy Rule requires that providers train their "workforce" on privacy policies and procedures at a level appropriate for the workforce members to carry out their roles and responsibilities. All members of the UCLA Health workforce will be provided with essential instruction regarding Privacy Rule requirements and additional training specific to their job responsibilities.
14. Unauthorized Release and Disclosure
The unauthorized release of PHI is a violation of law, with potential civil and/or criminal penalties and fines. In addition, workforce members who are found to have violated the law and/or UCLA Health policies may be subject to disciplinary action, up to and including termination. Workforce members should immediately report any unauthorized release or disclosure of PHI to the Privacy and Information Security Offices and their supervisor.
Please direct any questions regarding HIPAA and/or UCLA Health's privacy and security policies to the UCLA Health Office of Compliance Services.
All requests for UCLA Health patient medical records should be sent to the appropriate UCLA Health Custodian of Records or the UCLA Health Health Information Management Services for review and handling in accordance with the applicable UCLA Health privacy/medical records disclosure policy. These policies can be found on the UCLA Health Office of Compliance Services website.