UC Davis
Offices of the Chancellor and Provost

Policy and Procedure Manual

Chapter 320, Records and Archives
Section 35, Privacy of Health Information

Approved: 10/14/03
Supersedes: New

Responsible Department: Risk Management Services
Source Document: UC Office of the President: HIPAA--UC Systemwide Standards and Implementation Policies (System Standards)

I. Purpose

This section explains the general legal requirements for the use, maintenance, and disclosure of protected health information (PHI) collected by University employees in the course of patient care activities at the UC Davis Health System (including the UCDHS Employee Health Services), Cowell Student Health Center, campus Employee Health Services, and other academic and service units that provide treatment, generate, or use PHI, conduct electronic billing using PHI, or otherwise have access to such information in the course or scope of the work of the unit or the individual employee.

II. Background

A. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a Federal law that mandates significant changes in the legal and regulatory environment governing the provision of health benefits, the delivery of and payment for health care services, and the security of individually identifiable PHI in written, electronic, and oral formats. Within the Act are the Privacy Rule and the Security Rule, defined in III, below.

B. The University of California is a hybrid covered entity. Under the provisions of the Act, UC has also been designated as a single health care component (SHCC). This means that for the purposes of compliance with HIPAA, all UC HIPAA-covered entities are considered as one entity, governed under a set of Systemwide standards and implementation policies. This includes using standardized notification and release forms (see V, below); units are also required to maintain an accounting of disclosures of PHI to others.

III. Definitions

A. Covered entity--health care plans; health care clearinghouses; and health care providers who transmit health information to insurers.

B. Health care--care, services, or supplies related to the health of an individual. Health care includes, but is not limited to, the following:

1. Preventive, diagnostic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition, or functional status, of an individual or that affects the structure or function of the body.

2. Sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription.

C. Health care clearinghouse--billing services, repricing companies, health management information systems, or community health information systems that process information on behalf of other entities.

D. Health care provider--

1. A facility such as a hospital, critical access hospital, skilled nursing facility, comprehensive outpatient rehabilitation facility, home health agency, or hospice program.

2. An individual, group, or organization that supplies or delivers medical and other health services, such as physicians, certain diagnostic laboratories, and durable medical equipment suppliers.

3. Any other person or organization who furnishes, bills, or is paid for health care in the normal course of business.

E. Hybrid covered entity--a covered entity that is a single legal entity and that performs both covered and noncovered functions.

F. Privacy Official--the designated individual who has overall responsibility and accountability for the development and implementation of policies, and for compliance with the Privacy Rule.

G. Privacy Rule--HIPAA standards (45 CFR 160 and 164) that protect access, use, and disclosure of an individual's health information.

H. Protected health information (PHI)--individually identifiable health information created or received by a health care provider, health plan, or health care clearinghouse that relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to the individual, or the past, present, or future payment for the provision of health care to the individual. This applies to information that is transmitted or maintained in any form or medium. Protected health information excludes employment records and education records.

I. Security Rule--HIPAA regulations (45 CFR 160, 162, and 164) that provide for the security of PHI when the information is transmitted by or maintained by electronic media.

IV. Policy

A. It is the policy of the University's individual and institutional providers of health care to recognize and respect a patient's expectations that the privacy and security of individual health information will be protected. UCD providers shall comply with privacy and security mandates of HIPAA and shall develop local policies and procedures that are consistent with Systemwide standards and policies. Each UCD unit responsible for providing patient care shall develop internal policies and procedures related to its specific operational needs, under the Systemwide umbrella. In the absence of an explicit policy within specific campus provider units, the relevant UCDHS policy will be applied. HIPAA compliance at UCD is overseen by the Privacy Official.

B. As a teaching and research institution, the University will use PHI for the purposes of conducting teaching and research in accordance with its mission. The PHI may be further protected through a process of creating a limited data set or de-identification. See Section 320-36 for information on access to PHI for research.

C. All UCD workforce who work in a covered unit responsible for patient care will be trained in the relevant privacy policies and procedures, as will all UCD workforce who receive PHI in the course of supporting a covered unit.

D. The following units are designated as covered entities under HIPAA: Cowell Student Health Center, campus Employee Health Services, and UC Davis Health System, including UCDHS Employee Health Services. Other units may also be designated as covered by the Privacy Official.

V. Standardized Form Templates (available at http://www.ucdmc.ucdavis.edu/compliance/guidance/privacy/index.html)

A. Notice of Privacy Practices--Medical. This document describes how medical information about an individual may be used and disclosed and how the individual can get access to this information.

B. Notice of Privacy Practices--Mental Health (http://www.universityofcalifornia.edu/hipaa/docs/mh.pdf). This document describes how mental health information about an individual may be used and disclosed and how the individual can get access to this information.

C. Acknowledgment of Receipt of Privacy Notice.

D. Authorization for Release of Health Information.

E. Terms and Conditions of Service (recommended but not mandatory). This form is used to further inform patients of the terms and conditions under which the University will provide medical care.

VI. Further Information

A. Additional information on HIPAA is available at:

1. UCDHS/Campus Compliance Department.

2. UC Office of the President.

3. U.S. Department of Health and Human Services.

B. Questions regarding this section or the appropriateness of disclosing PHI should be referred to the UCDHS/Campus HIPAA Privacy Official, Compliance Department, UC Davis Health System.

VII. References and Related Policies

A. UC Office of the President: HIPAA--UC Systemwide Standards and Implementation Policies (System Standards).

B. UCD Policy and Procedure Manual:

1. Section 320-20, Privacy of and Access to Information.

2. Section 320-36, Access to Protected Health Information for Research.

C. UCDHS Hospital Policies and Procedures:

1. Section 1313, Collection and Disclosure of Protected Health Information on Personal Digital Assistants (PDAs) and Personal Computers.

2. Section 1927, Notice of Privacy Practices.

3. Section 2358, Medical Record Requests.

4. Section 2380, Reporting and Disclosure of Patient Information.

5. Section 2903, Orientation and Education of All Employees Working at UCDHS.

Additional related UCDHS policies are listed at the Compliance Department website.

D. Federal law:

1. Code of Federal Regulations, Title 45--Public Welfare, Subtitle A--Department of Health and Human Services, General Administration, Parts 146, 148, 150, 160, 162, 164.

2. Health Insurance Portability and Accountability Act of 1996, Public Law 104-191.

E. California law:

1. Confidentiality of Medical Information Act, Civil Code, Section 56 et seq.

2. Information Practices Act, Civil Code, Section 1798 et seq.

3. Confidentiality provisions of Lanterman-Petris-Short Act, Welfare and Institutions Code, Section 5328 et seq.

4. Patient Access to Health Records Act, Health and Safety Code, Section 123100 et seq.

5. Public Records Act, Government Code, Section 6250 et seq.


Copyright © 2006 The Regents of the University of California, Davis Campus. All Rights Reserved.
Last Updated: 1/3/07