FAQs
For additional FAQs related to HIPAA, please refer to
the U.S. Department of Health & Human Services HIPAA Frequently Asked Questions.
What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) was passed to protect
the confidential medical and billing records of our patients. A particularly important
element of HIPAA regulation pertains to patients' rights related to access and control
of their medical information. We count on all members of the UCSF entity to incorporate
the HIPAA rules into their daily activities. Our patients have a right to privacy. We are
committed to complying with HIPAA, not only because it is the law, but also because we
value our patients and their privacy. For details refer to
the UCSF Privacy and Confidentiality Handbook.
What is the Privacy Office and what do they do?
The Privacy Office is responsible for monitoring compliance with the federal and state privacy laws and regulations.
The Privacy Office is responsible for orchestrating departmental responses in the event of a breach of patient privacy. Additionally,
the Privacy Office provides consultation on requests for all privacy related questions. The Privacy Office tracks and analyzes all privacy activities, and develops training and risk mitigation programs for the entire UCSF enterprise.
There has been a breach of patient privacy in my department. What do I do?
If the personally identifiable information was on a stolen device (computer or PDA, for example), immediately
contact UCSF Campus Police at (415) 476-1414 to
report the theft and, if personal health information is involved, contact the Privacy Office at (415) 353-2750. The UCSF Campus Police will contact Enterprise Information Security (EIS). For disclosures not involving a stolen device, contact the Privacy Office immediately.
In every circumstance, you will need to provide the following information:
- Date and time the breach was discovered
- Name of and contact information for the person who discovered the breach
- The specific patient information disclosed
- The number of patients who had their information disclosed
- How it happened
- Actions taken following detection
- The department contact for follow-up
The department is responsible, under the direction of the Privacy Office, for the
follow-up, including, but not limited to, the investigation, follow-up with patients, determining and implementing corrective steps and changes in process, following up with third-party vendors and mailing of patient notification
letters, as needed. Please note: only the Privacy Office can determine if notification is required.
The above information needs to be reported ASAP. Any delay in reporting the above information to the Privacy Office delays UCSF reporting to the state and to patients. Delayed reporting to the state and patients beyond the 5-day time frame exposes you and the University to financial liability in the way of administrative fines and penalties.
How do I know what HIPAA and privacy training people in my department should receive?
Refer to the Education and Training section
of this website. Remember, all members of a department need to have some type of training, including
volunteers.
I want to provide a flyer to a specific patient population, produced
by an outside organization (e.g., American Heart Association). Can I do this?
You can post the flyer in the clinic waiting room
for interested patients to take. Additionally, any mass mailings that go out to patients for fundraising purposes must be approved by
the Development Office, as there are certain restrictions related to the format of the mailings. Any use of the UCSF logo associated with another organization needs
to be approved by Public Affairs at (415) 476-8252.
How much information can be released to family members over the phone?
According to
the Notice of Privacy Practice,
you may release personal information to anyone that the patient has identified as the recipient of such information. Refer all others to the contact person
the patient designates.
What is my responsibility related to the vendors that I bring into
the Medical Center?
Before allowing vendors access to the Medical Center, they need to check in with Material Services. Once this is complete, they should wear the Visitor ID at all times while in the Medical Center. Do not leave vendors alone in areas with PHI that they do not need to have access to (e.g., clinic work areas). It is recommended that they wait in the waiting room.
My patient does not answer the phone directly. How can I leave a HIPAA compliant message
with someone else or a voice mail?
Leave the minimum amount of information needed: your name, your phone number and that you are
from UCSF. A recommended best practice is to obtain the patient's preference for follow-up
or appointment communication at the initial point of contact.
My patient is now on another unit. Can I access their record?
If you do not have a legitimate need to access their record, then you should not access the record.
Can I email my patient related to their care?
You can do so, but only by following the secure
email guidelines. You can find the secure email guidelines on the IT Security page. Best
practice includes making sure the patient prefers this form of communication and understands the risks associated with it.
How much information can I give an Insurance company?
According to the Notice of Privacy Practice, we may use and disclose medical information for the purpose
of obtaining payment. Best practice is to provide only what is needed for this purpose. For example,
lab values are not usually information that should be provided for billing purposes.
How much information can I give a Skilled Nursing Facility (SNF)
or Home Health Agency (HHA)?
If the patient is being referred to either of these types of facilities, then you have a patient care
need to disclose PHI. You should provide all PHI that you feel they need to know to provide continuity
of safe patient care.
What information can be faxed?
Always send the minimum information necessary. Best practice is to confirm the correct fax number prior to
sending, include a cover letter with a confidentiality statement and call to follow up on receipt.
Can I mail my patient's information?
If you have a patient care need to do so, yes. Best practice is to confirm the correct address with the
patient prior to sending and to make sure the envelope does not have any identifying information on the outside,
other than UCSF.
Someone wants to come into a clinical area and observe. How can I
make this happen?
There are a few forms that are required based on the number of days of observation and/or whether the observer will interact
with patients. Use the Matrix on
the Visitors and Observers page for guidance.
Our patients sign in on a clipboard. Is that OK?
It is OK if you are using a pull-off label system, so that patient names do not accumulate throughout
the day for subsequent patients to view. Alternatively, you can use a thick black marker to cross off the
name, so the next person cannot see the previous patients' names.
For white boards or marker boards, what information can be listed?
The use of last names and first initials on the board within the department is appropriate. In the operating room, first and last names are permitted for safety reasons. The important considerations are: whether the board is visible to passers-by and whether it contains PHI. If yes to both, consider whether there are other ways that the protected data (including demographic data) could be "reasonably" limited to the minimum necessary to allow the unit to safely manage patient care.