A Privacy And Information Security Guide For UCLA Workforce

HIPAA and California Privacy Laws

Table of Contents

1. General Background
2. Minimum Necessary Standard (MNS)
3. Patient Privacy Rights
4. Authorizations
5. Media
6. Unauthorized Disclosures
7. Accessing Your Own (or a Family Member's or Friend's) Electronic and/or Paper Medical Information
8. Subpoenas and Court Orders
9. Teaching
10. Research
11. Fundraising and Marketing
12. Facility Directory and Requests for Patient Information
13. Safeguards for Protecting Personal Health Information
14. Federal Penalties and Discipline
15. Complaints
16. Questions
17. UCLA Health System Policies
18. Resources and HIPAA Web Links
19. Common Forms
20. Important Provisions of HIPAA Including Rights, Standards and Disclosure

1. General Background

The purpose of this guide is to help you understand: what information is protected under federal and state privacy laws; patient privacy rights; your role as a workforce member in maintaining privacy of protected health information for patient care, teaching, research, fundraising, marketing and media; and the consequences for non-compliance.

The HIPAA Privacy regulations pertain to information in any form: electronic, written, verbal and other media.

As a UCLA Workforce Member you are required to comply with the following:
- Complete the HIPAA training required of all staff
- Read this booklet
- Read the UCLA Health System Notice of Privacy Practices
- Read the UCLA Health System Notice of Privacy Practices – Mental Health, for those who work in the Resnick Neuropsychiatric Hospital and Semel Institute
- Know where to find additional help or advice for HIPAA Compliance

This guide contains a brief description of the HIPAA Policies of UCLA Health System (UCLAHS). Full versions of the policies can be accessed on the UCLA Health System Mednet home page: http://www.mednet.ucla.edu/Policies.asp

HIPAA Privacy Rule – The Health Insurance Portability and Accountability Act's (HIPAA) Privacy Rule is a Federal rule that governs the use and disclosure of individually identifiable health information by an institution or individual provider (covered entities). Among the many provisions are standards for releasing medical information about patients. The State of California Privacy Regulations (California Medical Information Act) is more stringent than the Federal Privacy Rule in most instances, and therefore may supersede or "pre-empt" HIPAA. HIPAA mandates that all covered entities and providers implement privacy safeguards to protect health information. The HIPAA Privacy Rule gives specific rights to patients.

Notice of Privacy Practices (NPP) – The UCLA Notice of Privacy Practices describes how medical information about a patient may be used or disclosed. The NPP also informs patients of their rights and how they may access their information. UCLA Health System (UCLAHS) will deliver the NPP and attempt to obtain a signed acknowledgment of receipt of the NPP at least once at the time of initial patient care. Exceptions to obtaining the acknowledgment: emergency treatment situations; indirect treatment relationship; or reference laboratory tests. The Privacy Notice must be given to patients at least once and an attempt made to get their signed acknowledgement. This is usually handled by admitting, registration and/or clinic staff. The NPP allows Protected Health Information to be used and disclosed for: treatment, payment, and health care operations (including teaching). Patients do not have to sign the acknowledgement in order to be treated.

Protected Health Information (PHI) – Individually identifiable health information that includes demographic information, transmitted by electronic media, or transmitted or maintained in any other form or medium, including written and verbal. PHI includes 18 identifiers, such as: name, address, medical record number or account number, all demographic data, any dates (birth, death, date of admission/discharge, service), email and web addresses, license, etc. PHI also includes information that is created or received by or relates to the individual's health, health care, or health care payments. [The list of 18 identifiers can be found on page 15 of this guide.]

Treatment, Payment and Health System Operations (TPO) – Certain types of PHI can be collected, used and disclosed without patient authorization. These include direct treatment (T) situations, transmitting information in a billing process to get paid (P), and certain specific administrative functions necessary in the operations (O) of the health care provider, such as accreditation, quality management, and internal training activities. Together these are often referred to as TPO. However, while these general categorical exemptions exist, many actions within these processes must be performed carefully to comply with HIPAA. These will be apparent in the description of the policies in this booklet.

Business Associate Agreements (BAA) – Disclosure of protected health information to third parties, such as billing agencies or consultants, requires a separate written contract or Business Associate Agreement. Contact UCLA Health System Purchasing or Campus Purchasing to implement a BAA.

2. Minimum Necessary Standard (MNS)

A fundamental HIPAA tenet is that only the minimum amount of information needed to complete a particular task should be collected, used or divulged in the process. When using or disclosing PHI/medical records, or requesting it from another entity, a covered entity must make reasonable efforts to limit the PHI to the minimum necessary to accomplish the intended purpose. Simply stated, MNS means to only access, use or disclose the minimum PHI needed to do your job.

Examples: For physicians with a treatment relationship to the patient, access to the entire medical record may be justified; whereas, a biller may only need access to a test billing code or diagnosis code to complete the billing, but not the test results. Other physicians may not need any access at all, if they do not have a treatment relationship to the patient. The workforce member should use good judgment and not disclose extraneous additional information in any situation.

3. Patient Privacy Rights

The HIPAA Privacy Rule creates patient rights specific to PHI, including:

Patient Access to their Own Record – A patient has the right to access, obtain, and inspect a copy of his/her PHI. Individuals' requests to access their information must be in writing, and should be handled by the HIMS/Release of Information Office. If the patient is requesting to review the original record, a staff member must be present with him or her. Copies can be made of any parts of the record for which they request to have a copy.

For those practicing at the NPH, psychotherapy notes are exceptions to the patient's right of access. Additionally, if you believe the information may be harmful to the patient, consult with the Privacy Officer or Legal Counsel for assistance in responding to the patient.

Amendment of PHI – Patients have the right to request, in writing, a correction or amendment to their record. UCLA Health System may accept the request to correct the record, or may deny the request with a written explanation of the reasons for the denial. The decision to accept or deny any amendment is made by the originator of the entry. If the amendment is granted, the person who wrote the entry will make the amendment. The amendment will be added to the patient's legal medical record.

The patient also has the right under California law to add an addendum to their record, and in such cases, the addendum is added to the patient's medical record.

Accounting of Disclosures – HIPAA grants an individual the right to receive a written accounting of disclosures of his/her PHI, whether made verbally or in writing, with certain exceptions. The HIMS/Release of Information Office provides a centralized repository to capture these disclosures and provide a listing of them to the patient when requested. This does not include disclosures made in the course of treatment.

However, we often complete a myriad of forms that disclose PHI to external agencies. If the disclosure did not require patient authorization, the disclosure must be captured for the accounting. The easiest way to accomplish this is to forward a copy of the form to the HIMS/Release of Information Office, with the patient's Medical Record number indicated on the form. If the disclosure was made verbally or not on a standard form, a report of a Mandatory Disclosure of PHI must be completed and sent to the HIMS/Release of Information Office. Disclosures to the patient himself/herself do not need to be included in the accounting.

Confidential communications – e.g., use an alternate phone number or P.O. Box.

Facility Directory of Inpatients and "Opt-Outs" – Patients have the right not to be listed in the facility directory. To opt out of the facility directory (census), patients are assigned an alias name by Patient Access Services (Admissions and Registration).

Restriction Requests – Requests for restriction on use or disclosure of PHI/medical records. Patients have the right to request restrictions on the uses and disclosures of their information. UCLA Health System is not required to accept a requested restriction, unless required by law, and will not accept requests that cannot be enforced or reasonably executed. Caution: Requests for restrictions are difficult to honor and must be reviewed by the Privacy Officer prior to granting approval.

All requests for Access to Records, Accounting of Disclosures, Amendment and/or Addendum Requests, and Restriction Requests must be forwarded to the Privacy Management office for processing.

4. Authorizations

Obtain the patient's (or legal representative's) authorization to disclose PHI/Medical Records or Medical Billing Records, e.g., disclosures to attorneys, employers, life insurance or mortgage companies, the media/newspapers/TV, or for research when the IRB has not provided a Waiver of Authorization. Information may be disclosed to another treatment provider without an authorization. The minimum necessary standard does not apply to disclosures for treatment purposes.

5. Media

The patient's health care provider must be the initial contact with the patient for communication with the media or for developing University communications that use PHI. The health care provider must obtain the patient's authorization for the use and disclosure to the media. Contact the UCLAHS Media Relations office, (310) 794-0777, for assistance in coordinating any disclosures to the media and to obtain the special authorization form.

6. Unauthorized Disclosures

Unauthorized disclosures must be recorded and reported to the HIMS/Release of Information Office. The patient has the right to request an accounting of all disclosures not authorized by them.

7. Accessing Your Own (or a Family Member's or Friend's) Electronic and/or Paper Medical Information

Not permitted. Access to all medical records/billing records (electronic and paper) is being monitored. All requests for access should be referred to Health Information Management Services (HIMS/Release of Information Office).

8. Subpoenas & Court Orders

Official legal requests (such as subpoenas and court orders) for medical records or other UCLA business records must be responded to in a timely manner. Refer these requests to the HIMS/Release of Information Office, Risk Management or the Privacy Officer to verify that the request is valid, that the information provided is specific to the scope of what's needed, that the patient was given formal notice, and to log the disclosure.

9. Teaching

HIPAA allows the use and disclosure of PHI for the teaching of University of California students (all health professionals programs). HIPAA allows the exchange of PHI for teaching purposes, so long as both providers have a teaching relationship with the patient. For seminars / CME conferences, speakers must either use de-identified data or obtain written patient authorization.

10. Research

The HIPAA Privacy rule supplements the Common Rule and the FDA's protections for human subjects. The HIPAA Privacy rule does not override the California law that provides greater protection for the privacy of health information. The Privacy Rule also requires that research plans for use of this type of protected health information undergo review and approval by an Institutional Review Board (IRB) or Privacy Board. At UCLA, the Office for Protection of Research Subjects (OPRS) is the focal point for compliance with the research provisions of HIPAA. Refer to the IRB HIPAA research on-line tutorial for principal /HIPAA

Access to PHI completed under a Waiver of Authorization must be included in the Accounting of Disclosures (page 6). If the data for the research study has been coordinated through the HIMS/Release of Information Office, the accounting will be completed by that office. If the researcher has obtained the list of patients involved in the study from any other source, a Mandatory Reporting of PHI form must be completed and forwarded to the HIMS/Release of Information Office for inclusion in the accounting of disclosures.

11. Fundraising and Marketing

There are additional state and federal rules that restrict the use or disclosure of protected health information for fundraising and marketing. Please refer to the web-based training materials available at: http://pmo.mednet.ucla.edu/TrainingModules

12. Facility Directory and Requests for Patient Information

Beyond the one-word condition statement, requests for patient information from co-workers, neighbors, media, etc. require a written authorization from the patient (or the legal guardian). Refer all media requests to the UCLAHS Media Relations Office, (310) 794-0777, for additional consent forms and coordination with the patient's treating physician.

13. Safeguards for Protecting PHI

Email – A growing number of patients are requesting to communicate with their physicians by email. This presents potential problems in protecting privacy due to the technical shortcomings of most email systems. Currently UCLA Health System does not have encrypted email available for communication with patients. In addition, email must be captured for inclusion in the patient's medical record. Patients must understand the limitations in communicating with their health care providers by email, and provide consent before email correspondence can occur.

The email consent details the privacy risks involved in this type of communication, and outlines the appropriate and inappropriate uses of email. Certain information cannot by law be communicated by email, including: STD, HIV, mental health, alcohol abuse or drug abuse, and test results relating to routinely processed tissues, including skin biopsies, pap smear tests, products of conception, and bone marrow aspirations for morphological evaluation, or if the test results reveal a malignancy or a pregnancy.

The Consent to Email form is available in the forms portal and on the Privacy Management office website.

Portable Computers – Collecting and storing patient data on PDAs, laptops and home computers poses particular challenges in protecting patient privacy. If you store logs of patients, lists of patient care tasks, copies of patient results, or data that you are using to monitor your care patterns on a computer or other device that goes outside UCLA Health System, you are personally responsible for ensuring the privacy and security of this information.

As much as possible, store the data on a network drive that you can access via VPN when not at UCLA. Consult with your department IT staff for other options such as device encryption.

At a very minimum, you should:
- Password protect the device
- Keep the device in a secure location at all times when not in your personal possession
- Erase PHI immediately when no longer using it
- Erase all data if you give the device to someone else

Shredding – Shred all discarded documents and materials containing PHI/medical record information, medical billing information, and other confidential UCLA Health System information. Properly dispose of other items which may contain PHI, e.g., recycled computers and storage disks/CDs, fax film ribbons, etc.

14. Federal Penalties / Discipline

If workforce members make conscientious efforts to comply with the HIPAA Privacy and Security regulations, there should be little need to worry about sanctions or penalties. The Office for Civil Rights (OCR) is the Health and Human Service Agency charged with the primary responsibility for interpreting and enforcing the HIPAA Privacy Rule. A violation of federal regulations or University policy can result in discipline, loss of employment, fines or imprisonment. If OCR determines that a disclosure of PHI/medical record is made willfully and with intent for personal gain, the penalty can be as high as a 250,000 fine and 10-year imprisonment. The University would not consider such an action as in the course and scope of your employment and would not defend you.

15. Complaints

The Privacy Rule requires a covered entity to provide a process for individuals to make complaints concerning the covered entity's privacy policies. UCLA must record all complaints, their disposition, and the application of appropriate sanctions to members of the workforce when noncompliance with the privacy policies and procedures is indicated.

Patients have a right to file a privacy complaint either with the covered entity or directly with the Office for Civil Rights (OCR). The OCR has an on-line complaint process accessible by mail, fax, and e-mail, and offers assistance by telephone.

UCLA's Complaint Process – If providers understand that many patient complaints stem from misunderstanding and misinformation, rather than the actual denial of rights, we can be more proactive about how we communicate and welcome chances to improve our organizations' communication. The Notice of Privacy Practices recommends that patients file the complaint with the Patient Relations Department. UCLA workforce members are encouraged to file incident reports related to privacy and security either with their supervisor, or the Chief Compliance Officer and Chief Privacy Officer, Carole Klove, RN, JD, (310) 825-7166, through the Incident Reporting System, or the UCLA Hot Line, (800) 296-7188.

16. Questions

Direct questions on HIPAA Privacy and Security to the UCLA Medical Compliance/Privacy Office at the main number: (310) 825-7135.

17. UCLA Health System Policies

A number of policies detail the implementation of the privacy and security regulations at UCLA. The UCLA Health Sciences Privacy and Security Policies can be accessed at the Intra-net site: http://www.mednet.ucla.edu/Policies.asp

The above information is intended to provide workforce members basic knowledge about HIPAA requirements that will cover most of their daily activities. Each physician should identify managers or others in their usual work settings who have more advanced knowledge about HIPAA and to whom they can turn as questions arise. Other resources for assistance include:
- Chief Compliance & Privacy Officer (Carole Klove - ext. 57166)
- IT Security Officer (Ann Chang - ext. 57003)
- IT Help Desk (9-HELP)
- HIMS Office (ext. 58662)
- Manager SOMITS Information Technology (ext. 74541)
- Release of Information Office (ext. 55958)
- Privacy Specialist/Trainer (Josephine (Joy) Sarti - ext. 91213)

18. Resources & HIPAA Web Links

- Other training modules for HIPAA (Intranet site): http://pmo.mednet.ucla.edu/TrainingModules
- UC HIPAA /official.html
- Office for Civil Rights – HIPAA: Fact Sheets, Frequently Asked Questions: http://www.hhs.gov/ocr/hipaa/
- Center for Medicare and Medicaid Services (CMS) – HIPAA: http://www.cms.hhs.gov/hipaa/
- American Association of Medical Colleges (AAMC): http://www.aamc