
FAQs

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) was passed to protect the confidential medical and billing records of our patients. A particularly important element of HIPAA regulation pertains to patients' rights related to access and control of their medical information. We count on all members of the UCSF entity to incorporate the HIPAA rules into their daily activities. Our patients have a right to privacy. We are committed to complying with HIPAA, not only because it is the law, but also because we value our patients and their privacy. For details refer to the HIPAA Handbook.


What is the Privacy Office and what do they do?

The Privacy Office is responsible for monitoring compliance with the HIPAA Regulations. We provide direction and consultation in the event of a breach of patient privacy. Additionally, we provide consultation on any privacy-related questions. We track trends in consultations, then develop training and risk mitigation programs for the Covered Entity.


There has been a breach of patient privacy in my department. What do I do?

If the information was on a stolen device, immediately contact UCSF Campus Police to report the theft. They will contact Enterprise Information Security (EIS). If there is ePHI involved, EIS will notify the Privacy Office. If no ePHI is involved but SS#s are, EIS will conduct the follow-up. For disclosures not involving a lost or stolen device, contact the Privacy Office directly.

In any of these cases you will need to provide the following:

  • What specific patient information was disclosed?
  • How many patients had their information disclosed?
  • How did it happen?
  • What has been done so far?
  • Who will be the department contact for follow-up?

FYI, the department is responsible, under the direction of the Privacy Office, for the follow-up, including, but not limited to, the investigation, follow-up with the patient, needed changes in process, follow-up with 3rd party vendors, and mailing of patient notification letters, if needed. Please Note: Only the Privacy Office can determine if notification is required.

It is important that this information is provided ASAP. Any delay in notifying the patient in the event of disclosure puts the Entity at risk.


How do I know what HIPAA and privacy training people in my department should receive?

Refer to the Education and Training section of this website. Remember that all members of a department, including volunteers, need to have some type of training.


I want to send a flyer to a specific patient population, produced by an outside organization (e.g., American Heart Association). Can I do this?

No. By targeting a specific patient population, you have linked the patient to a specific disease, thus exposing their PHI. What you can do is post the flyer in the clinic waiting room for interested patients to take or have the clinic staff hand the flyer to the appropriate patients. Additionally, any mass mailings that go out to patients should be approved with the Development Office. Any use of the UCSF logo associated with another organization needs to be approved by Legal Counsel.


How much information can be released to family members over the phone?

According to the Notice of Privacy Practice, you may release information to anyone whom the patient has identified for that purpose. Refer all others to the contact person the patient designates.


I received a call from the police and ambulance company that brought the patient to the Medical Center. What can I tell them?

Once the patient is here in the Medical Center, the ambulance company does not have a patient care need to know any patient health information obtained after arrival. The same is true for the police; if they need patient health information for a case, they should be referred to Risk Management.


What is my responsibility related to the vendors that I bring into the Medical Center?

Prior to arrival, you need to place them into the Visitor system, either yourself, if you have access, or by contacting Materials Services to do so. You need to make sure that they have checked in with Materials Services prior to coming to your department. When coming to your department, they should be wearing the Visitor ID; if they do not have one on arrival, send them to Materials Services prior to admitting them to your department. If you follow this process, you can be confident that the appropriate confidentiality paperwork has been signed by the vendor with Materials Services. It is important to remember not to leave vendors alone in areas with PHI that they do not need to have access to, e.g., clinic work areas. It is better to have them wait in the waiting room.


My patient does not answer the phone directly. How can I leave a HIPAA compliant message with someone else or on voice mail?

Leave the minimum amount of information needed: your name, phone number and that you are from UCSF. A recommended best practice would be to obtain the patient's preference for follow-up or appointment communication at the initial point of contact.


My patient is now on another unit. Can I access their record?

No. Now that your patient is not in your care, you do not have a patient care need to access their record.


Can I email my patient related to their care?

You can do so, but only by following the secure email guidelines. Best practices include making sure the patient prefers to be communicated with in this manner.


My clinic holds group treatment sessions. How can I do this in a way that is HIPAA compliant?

You would need to create a consent form. After creating the consent, contact the Privacy Office for review and approval prior to use.


How much information can I give an insurance company?

According to the Notice of Privacy Practice, we may use and disclose medical information for the purpose of obtaining payment. Best practice is to only provide what is needed for this purpose. For example, lab values are not usually information that should be provided for payment.


How much information can I give a Skilled Nursing Facility (SNF) or Home Health Agency (HHA)?

If the patient is being referred to either of these types of facilities, then you have a patient care need to disclose PHI. You should provide all PHI that you feel they need to know to provide continuity of safe patient care.


What information can be faxed?

Always send the minimum information needed. Best practice is to confirm the correct fax number prior to sending, include a cover letter with a confidentiality statement, and call to follow up on receipt.


Can I mail my patient's information?

If you have a patient care need to do so, yes. Best practice is to confirm the correct address with the patient prior to sending and make sure it does not have any other identifying information on the outside, other than UCSF Medical Center.


Someone wants to come into the Medical Center and observe. How can I make this happen?

There are a few forms, based on how many days of observation and/or whether they will interact with patients, etc. Use the Matrix on the Visitors and Observers page to determine where your person fits and for guidance.


Our patients sign in on a clipboard. Is that ok?

It is ok if you are using a pull-off label system, so that patient names do not accumulate throughout the day for subsequent patients to view. Alternatively, you can use a thick black marker to cross off the name, so the next person cannot see the previous patients' names.


For additional FAQs related to HIPAA, please refer to the UCSF HIPAA Handbook.