FAQs
What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) was passed to protect
the confidential medical and billing records of our patients. A particularly important
element of HIPAA regulation pertains to patients' rights related to access and control
of their medical information. We count on all members of the UCSF entity to incorporate
the HIPAA rules into their daily activities. Our patients have a right to privacy. We are
committed to complying with HIPAA, not only because it is the law, but also because we
value our patients and their privacy. For details, refer to
the HIPAA Handbook.
What is the Privacy Office and what do they do?
The Privacy Office is responsible for monitoring compliance with the HIPAA Regulations.
We provide direction and consultation in the event of a breach of patient privacy. Additionally,
we provide consultation on any privacy-related questions. We track trends in these consultations
and then develop training and risk mitigation programs for
the Covered Entity.
There has been a breach of patient privacy in my department. What do I do?
If the information was on a stolen device, immediately
contact UCSF Campus Police to
report the theft. They will contact Enterprise Information Security (EIS). If there is ePHI
involved, EIS will notify the Privacy Office. If no ePHI is involved but Social Security numbers (SS#s) are, EIS will
conduct the follow-up. For disclosures not involving a lost or stolen device, contact the
Privacy Office directly.
In any of these cases you will need to provide the following:
- What specific patient information was disclosed?
- How many patients had their information disclosed?
- How did it happen?
- What has been done so far?
- Who will be the department contact for follow up?
Note that the department is responsible, under the direction of the Privacy Office, for the
follow-up, including, but not limited to, the investigation, follow-up with the patient, needed
changes in process, follow-up with third-party vendors and mailing of patient notification
letters, if needed. Please note: only the Privacy Office can determine whether notification is required.
It is important that this information is provided as soon as possible. Any delay in notifying the patient in
the event of a disclosure puts the Entity at risk.
How do I know what HIPAA and privacy training people in my department should receive?
Refer to the Education and Training section
of this website. Remember that all members of a department need to have some type of training, including
volunteers.
I want to send a flyer to a specific patient population, produced
by an outside organization (e.g., the American Heart Association). Can I do this?
No. By targeting a specific patient population, you have linked the patient to a specific
disease, thus exposing their PHI. What you can do is post the flyer in the clinic waiting room
for interested patients to take, or have the clinic staff hand the flyer to the appropriate
patients. Additionally, any mass mailings that go out to patients should be approved by
the Development Office. Any use of the UCSF logo associated with another organization needs
to be approved by Legal Counsel.
How much information can be released to family members over the phone?
According to
the Notice of Privacy Practice,
you may release information to anyone the patient has designated to receive it. Refer all others to the contact person
the patient designates.
I received a call from the police and the ambulance company that brought the patient to the
Medical Center. What can I tell them?
Once the patient is here in the Medical Center, the ambulance company does not have a patient
care need to know any patient health information obtained after arrival. The same is true for
the police; if they need patient health information for a case, they should be
referred to Risk Management.
What is my responsibility related to the vendors that I bring into
the Medical Center?
Prior to arrival, you need to place them into the Visitor system, either yourself, if you have
access, or by contacting Materials Services to do so. You need to make sure that they have checked in with
Materials Services prior to coming to your department. When they come to your department, they should be
wearing the Visitor ID; if they do not have one on arrival, send them to Materials Services before
admitting them to your department. If you follow this process, you can be confident that the
appropriate confidentiality paperwork has been signed by the vendor with Materials Services. It is
important to remember not to leave vendors alone in areas with PHI that they do not need to have
access to (e.g., clinic work areas). It is better to have them wait in the waiting room.
My patient does not answer the phone directly. How can I leave a HIPAA compliant message
with someone else or a voice mail?
Leave the minimum amount of information needed: your name, your phone number and that you are
from UCSF. A recommended best practice is to obtain the patient's preference for follow-up
or appointment communication at the initial point of contact.
My patient is now on another unit. Can I access their record?
No. Now that the patient is no longer in your care, you do not have a patient care need to access
their record.
Can I email my patient related to their care?
You can do so, but only by following the secure
email guidelines. Best
practice includes making sure the patient prefers to be communicated with in this manner.
My clinic holds group treatment sessions. How can I do this in
a way that is HIPAA compliant?
You would need to create a consent form. After creating the consent, contact the Privacy Office
for review and approval prior to use.
How much information can I give an Insurance company?
According to the Notice of Privacy Practice, we may use and disclose medical information for the purpose
of obtaining payment. Best practice is to provide only what is needed for this purpose. For example,
lab values are not usually information that should be provided for payment.
How much information can I give a Skilled Nursing Facility (SNF)
or Home Health Agency (HHA)?
If the patient is being referred to either of these types of facilities, then you have a patient care
need to disclose PHI. You should provide all PHI that you feel they need to know to provide continuity
of safe patient care.
What information can be faxed?
Always send the minimum information needed. Best practice is to confirm the correct fax number prior to
sending, include a cover letter with a confidentiality statement and call to follow up on receipt.
Can I mail my patient's information?
If you have a patient care need to do so, yes. Best practice is to confirm the correct address with the
patient prior to sending and to make sure the envelope does not have any identifying information on the outside
other than UCSF Medical Center.
Someone wants to come into the Medical Center and observe. How can I
make this happen?
There are a few forms, depending on how many days of observation are planned and whether the observer will interact
with patients, etc. Use the Matrix on
the Visitors and Observers page to determine
where your person fits and for guidance.
Our patients sign in on a clipboard. Is that OK?
It is OK if you are using a pull-off label system, so that patient names do not accumulate throughout
the day for subsequent patients to view. Alternatively, you can use a thick black marker to cross off the
name, so the next person cannot see the previous patients' names.
For additional FAQs related to HIPAA, please refer to
the UCSF HIPAA Handbook.