Office of Compliance Services
Privacy Tips

Reporting Suspected Privacy Violations

Concerns relating to potential or suspected patient privacy violations should be reported to the Office of Compliance Services - Privacy as soon as possible. Below are examples where violations can occur:

  • Electronic: Accessing electronic records without a work-related reason.
  • Paper: Sending documents containing PHI to the wrong address or fax number.
  • Verbal: Discussing patient information without a work-related reason.

For more information, see policy HS 9459, Privacy and Information Security Incident Reporting.


Using "Quick Release" Functionality in Care Connect

Implement the following precautions and safeguards to protect UCLA Private Health Information when using the "Quick Release" functionality in Care Connect:

  • Use the “Quick Release” functionality only when the patient is requesting medical records for himself or herself.
  • If the patient is seeking to release his or her medical records to a third party, please refer them to Health Information Management Services at 310.825.6021.
  • If the patient is requesting a significant number of their records, refer them to Health Information Management Services at www.uclahealth.org/medicalrecords or 310.825.6021.

Faxing Medical Information

Implement the following precautions and safeguards to protect UCLA Private Health Information when faxing medical information:

  • Always confirm the fax number for the recipient is correct
  • Make sure the recipient is currently a member of the treatment team
  • Place your office fax machine in a secure location to prevent unauthorized access to information

Have a privacy concern? Introducing a new email source!

Help may only be an email away. Introducing the new: privacy@mednet.ucla.edu

The Privacy Office can help you with a variety of things including:

  • Investigating privacy incidents;
  • Determining obligations for projects involving different types of data;
  • Negotiating certain agreements, such as Business Associate Agreements, Appendix for Data Security and Privacy (Appendix DS), and Data Use Agreements; and
  • Other questions or requests that may arise.

Please email us today if you need assistance: privacy@mednet.ucla.edu!


PHI and Social Networking

Exercise caution when posting to social networking sites such as Facebook, Twitter, Snapchat, or LinkedIn. Keep these guidelines in mind:

  • Don’t post information, including photos or videos, about your patients.
  • Remember that once information is published on the web, it often cannot be edited or removed; you are personally responsible for what is published on your social media sites.

Refer to the Employee Social Media policy for more information.


Co-Workers or Family Members as Patients

Having a friend, family member, or co-worker in the hospital can be a difficult experience. Although you may want to contact these people to show your concern and support, doing so may be a violation of patient privacy policies.

Remember:

  • Treat friends, family, and co-workers as you would any other patient
  • Only access patient information for legitimate work-related purposes
  • Do not disclose health-related information to unauthorized parties

Providing Paper PHI to Patients

Before giving documents to patients, such as the After Visit Summary (AVS), check that you are handing the correct document to the correct patient. The AVS contains sensitive patient information such as diagnoses and medications. Documents given to the wrong individual may lead to a breach in patient privacy.

See the Privacy FAQs for more information on handling written PHI.


Leaving Voice Messages with PHI

When leaving information on a patient’s voicemail or answering machine, take these steps to safeguard the patient’s privacy and reduce the risk of unnecessary disclosures:

  • Verify that you have the correct phone number before calling.
  • Do not say the clinic/department name if it can identify the reason the patient is being seen.
  • Do not leave the patient’s medical record number, lab results or the name of a medication in a message.

Got RI? Just Shred It!

Protect privacy by shredding materials containing Restricted Information (RI), which includes PHI, when you are finished using them. It reduces the chances of RI getting into the wrong hands.

Throwing RI in wastebaskets or recycling bins can lead to privacy violations.

Click here for the definition of RI.


Emailing Restricted Information (RI)

Remember the following when emailing RI:

  • Messages sent from UCLA Mednet to a non-Mednet email address are NOT secure unless they are encrypted.
  • Emailing PHI in a non-secure manner violates patients’ privacy and may require notifying patients and/or governmental agencies.

Report Suspected Privacy Violations . . . ASAP

Potential or suspected patient privacy violations should be reported to the Office of Compliance Services - Privacy as soon as possible to help assure timely notification as may be required by state and federal law. Below are examples where violations can occur:

  • Electronic: Lost or stolen unencrypted mobile devices (e.g., laptops, USB drives).
  • Paper: Sending documents containing PHI to the wrong address or fax number.
  • Verbal: Discussing patient information in public places where it can be overheard.

For more information, see policy HS 9459, Privacy and Information Security Incident Reporting.


Tips to Reduce the Risk of Being Overheard When Discussing PHI

  • Avoid discussing patient information in cafeterias, elevators or other public areas.
  • Lower your voice when discussing patients at nurses’ stations or in semi-private rooms.
  • Close doors or pull curtains before interacting with patients.
  • Use private consultation rooms instead of relaying information to patients’ families in waiting rooms.

Recycling Bins and PHI do not go together

Paper records containing PHI should be shredded or disposed of using locked shredding containers. If these documents are left in any other receptacle, such as a blue recycling bin, they may be mistaken for regular trash and discarded improperly. If additional shredding bins are required, contact your supervisor.

For more information, see HS 9401.


“Break the Glass” (BTG) in CareConnect

In CareConnect, users are asked to provide a reason why they are accessing certain patient files. The “Further explanation” field is very useful for providing additional information to explain a user’s access. If “Research” is the reason selected, please include the IRB-approved protocol number in this field.

The Office of Compliance Services - Privacy conducts user access audits to patient files. If the reason for a user engaging BTG is not readily apparent, further inquiry into the access may occur.


HIPAA Alphabet Soup: TPO and PHI

HIPAA permits the use and disclosure of Protected Health Information (PHI) for treatment, payment, and healthcare operations (TPO). If you are performing any of these activities as part of your daily work, a patient’s written authorization is not required to access patient information.

For more information on TPO and PHI, see HS 9401, Protection of Confidential Patient Information.


Vendors and Business Associate Agreements

A Business Associate is a person (other than a workforce member) or company that creates, receives, maintains, or transmits PHI on behalf of UCLA Health System, or that provides services to or for UCLA Health System involving the disclosure of PHI. PHI may be shared with these entities ONLY after a signed Business Associate Agreement (BAA) is obtained.

If you are unsure whether a BAA is required, contact the Office of Compliance Services - Privacy for assistance. See Policy HS9430 and FAQs for more information.


Written PHI Left Unattended in Treatment Rooms

Remember to remove written PHI, such as medical records, when you are finished seeing patients in treatment rooms. Failure to do so may lead to disclosing PHI to other patients left alone waiting to be seen. If you find unattended PHI, store it securely and contact the Office of Compliance Services - Privacy to report the incident.

For more information, see the “Safeguards to Protect PHI” section in HS 9401.


Disposing of Paper PHI

Paper documents containing PHI should be shredded or disposed of using locked shredding bins. If they are left in any other receptacle overnight, such as a recycling bin, they may be mistaken for trash and discarded improperly. If additional shredding bins are required, contact your supervisor or the Office of Compliance Services - Privacy for guidance.

For more information, see HS 9401.


Transporting Paper Documents with PHI

When transporting hard copy patient records in carts within or outside the Medical Center, make sure they are covered to ensure patient privacy. A protective cover keeps the records from being seen by unauthorized individuals and also helps prevent records from falling off the cart. For more information on protecting written PHI, see the Privacy Services FAQs.


Valid HIPAA Authorizations

A valid Authorization for Release of Health Information (HIPAA Authorization) is required whenever UCLA uses and/or discloses PHI except in cases of treatment, payment, and health care operations or when another exception to the authorization requirement exists in the Privacy Rule. To be valid an Authorization must contain certain elements, including a signature. See the Authorization Validation Checklist for details.


myUCLAhealth

myUCLAhealth is CareConnect’s secure online patient portal that enables patients to view portions of their medical records, see test results, request appointments, and communicate securely with their physicians.

myUCLAhealth should be used to share PHI with patients; however, providers whose clinics haven’t yet implemented myUCLAhealth may communicate with patients via email when patients sign the UCLAHS Email Consent Form (Form #12005).


Patient Information and Text Paging

Exercise caution when sending PHI via text paging systems.

  • Use the minimum amount of information necessary to fulfill the purpose of the page.
  • Avoid using a patient’s full name—instead, use MRN, patient initials, and room number.

Delete pages containing PHI after reading and responding to them.


Is the Information Really Necessary?

Generally, when using and disclosing PHI make sure to limit the PHI to the minimum amount necessary to fulfill the intended purpose. For example, ask yourself whether you really need the specific patient identifiers - such as when requesting a data download report via CareConnect.

See policy HS 9421 for additional information, including the exceptions to the Minimum Necessary standard (page 5).


Notice of Privacy Practices

UCLA Health is required to provide a Notice of Privacy Practices (NPP) to all patients at their first encounter. Signed acknowledgment forms should be obtained from patients to document that we provided the NPP or that the patient refused it. Document the steps in the CareConnect “Document List” and follow your area’s procedure to ensure the form is stored in CareConnect. If you see the “No HIPAA” indicator on the patient header in CareConnect, then the patient needs to receive the NPP.


Carrying Paper Documents with PHI

When carrying documents containing patient information, it is important to ensure the documents are properly secured. If you carry papers in your coat pocket, be careful they don’t fall out. Documents, including handwritten notes, lost or found in unattended areas (e.g., parking lots, hallways, restrooms) may constitute a privacy violation and lead to disciplinary action.


Looking up Patients in CareConnect

The “Patient Lookup” feature in CareConnect allows you to search for a patient by several identifiers, including the patient’s name, medical record number, and date of birth. Confirm at least two patient identifiers before entering or making entries in the record. Selecting the wrong patient may result in a privacy breach – such as sending information to or about the incorrect patient.


What to do if you are served with a Subpoena

A subpoena is a legal document which may require a person to appear as a witness or to produce documents in a legal proceeding. Workforce members of UCLA hospitals, clinics, or administrative offices may be served with a subpoena.

Refer to policy HS 9011 for information on the departments to contact if you are presented with a subpoena.


Levels of Access in CareConnect & Password Sharing

Protect patient privacy and yourself by never sharing your user ID and password with ANYONE. This includes logging on and allowing someone else to work under your user name and password. If you believe you don’t have the correct level of access in CareConnect, contact your supervisor or your departmental authorizer.

Sharing passwords is a violation of policy and may lead to corrective or disciplinary action for both the person who shares the password and the person who uses it.


Exercise Caution When Faxing PHI

When sending faxes containing patient information, reduce the risk of a privacy violation by following these tips:

  • Use an approved cover sheet
  • Check that manually entered and pre-programmed numbers are correct
  • Remove information from the fax machine in a timely manner
  • When possible, avoid faxing sensitive information, such as anything involving mental health, chemical dependency, sexually transmitted diseases, or HIV/AIDS

For more information, see HS 9453-B, or contact the Office of Compliance Services - Privacy for guidance.


Requesting Amendments or Corrections to Patient Records

Patients have a right to request an amendment or correction to their medical records if they believe the information is inaccurate, incomplete, or incorrect. Patients should be directed to submit requests to the Health Information Management Services (HIMS) department on Form #11726.

For more information, see HS 9415.


Patients’ Right to Access Their Own Medical Records

Patients have a right to access their medical records – including while they are in the hospital. Requests should be submitted in writing to the Health Information Management Services (HIMS) department on Form #11727. If a request is approved, access to the record will be provided within 5 business days.

For more information, see HS 9413.


What is an Authorization?

A signed Authorization for Release of Health Information (Form #30910) is required when UCLA uses and discloses PHI for reasons other than treatment, payment, or health care operations, or for certain limited reasons permitted by law. It must contain specific elements to be valid. It is not the same as the Terms and Conditions of Service form (COA – #305949).

If you receive a non-UCLA authorization, contact the Privacy Office for assistance.


HIPAA Requirement!
Notice of Privacy Practices & Signed Acknowledgment Form

Under HIPAA, patients or their personal representatives must be given a copy of the NPP at their FIRST encounter with UCLAHS. We must also make a good faith effort to obtain and retain a signed acknowledgment from the individual that he or she has received the Notice.

See HS 9411 for more information about the NPP.


What should I do if I find a mobile device?

If you find a mobile device (including but not limited to USB drives, smartphones and cell phones, laptops, iPads, and pagers) inside or outside a UCLA Health System facility, contact the Office of Compliance Services - Privacy Division as soon as possible. The Office of Compliance Services will determine whether any action is necessary and try to get the device returned to its rightful owner if possible.

For more information on mobile devices, see policy HS 9453-C.


Requesting an Accounting of Disclosures

Patients have the right to request an accounting of disclosures of their PHI by UCLA Health System to outside entities. Disclosures for purposes of Treatment, Payment, and Operations are not required to be included in the accounting. Requests should be submitted to the Health Information Management Services (HIMS) department using Form #11729. See HS 9416, Request for Accounting of Disclosures, for more information.


Co-Workers in the Hospital

As an employee you might find out, either through word of mouth, observation, or performing work-related responsibilities, that a current or former co-worker is an inpatient at UCLA Medical Center. Once you become aware of this, you may want to contact or visit the patient to see how he/she is doing. However, under the laws that govern patient privacy, your first obligation is to respect and protect your co-worker's privacy.

When your co-worker is a patient, treat him/her just like any other patient. Your co-worker is entitled to and deserves the same privacy and confidentiality that you would give to any other patient.

Do the Right Thing by:

  1. Accessing his/her information only for legitimate work-related reasons;
  2. Visiting him/her only if you are certain the co-worker/patient wants to receive visitors. Don’t assume the individual wants to be visited; and
  3. Not disclosing information about the patient to unauthorized third parties, including your fellow co-workers.

Mandatory Privacy & Information Security Training

UCLA Health System and the David Geffen School of Medicine workforce members are required to complete Privacy and Information Security training. Click here to access the training.

The Office of Compliance Services - Privacy will perform audits to ensure that individuals who failed to complete the annual privacy and information security training by the deadline don’t access patient information. Individuals accessing PHI without completing the training will be subject to disciplinary action.


Authentication of Medical Record Entries

Per UC policy, all orders and certain medical record entries must be accompanied by the physician’s identification number (UCLA pager number). One use of this number is to confirm the identity of the signer. The UCLA pager number affixed after the physician signature should only be the number of the person signing the order or medical record entry.


Handling Inquiries from Media Outlets

If you are contacted by a journalist or other media representative requesting information about UCLA hospitals, clinics, doctors or patients, please contact the UCLA Health Sciences Media Relations Office at 310-267-7022. All media-related inquiries, including documentary requests, should be handled by the Media Relations Office.

For more information about disclosures of PHI to the media, see HS Policy 9472.


If In Doubt, Give a Shout

Did you know that sometimes it is not appropriate to divulge certain patient information to law enforcement? Sometimes we are asked by federal, state or local law enforcement officials to provide patients' health information to them. The PHI we can appropriately disclose is limited and specific, and depends upon the immediate circumstances involving the patient, and how or why the officer needs the information.

When faced with the question of whether or not to disclose PHI to an officer, notify your supervisor or contact the Privacy Office by telephone at ext. 48638 or pager after hours at #98329 or #96594.

Read Policy HS 9430 for more information.


Do Your Third Parties Have Access to PHI?

A business associate relationship exists when an individual or entity, acting on behalf of UCLA Health System, assists with performing a function or activity involving the use or disclosure of PHI. When such a relationship exists, a business associate agreement (BAA) between UCLA and the entity may be necessary. Contact your Purchasing department or the Office of Compliance Services - Privacy for assistance with determining whether a BAA is required and getting it finalized. Under HIPAA, if we disclose PHI to third parties without an executed BAA when one is required, we may be subject to penalties.

Read Policy HS9430 for more information.


Don't Do It. . . It is Not Worth the Risk

If you do not need to access patients' information in order to do your job, then don't. Don't look at information on celebrity patients out of curiosity, or on a co-worker even out of concern. Don't look up information such as room location in order to visit, or demographic information if you want to know a co-worker's address to send a get-well card. If you do access records when you shouldn't, you may be subject to disciplinary action, up to and including termination.

The Office of Compliance Services - Privacy monitors user access to medical records to determine if accesses are appropriate.

Read Policy HS9421 for more information.


Do You Have The Patient's Written Authorization?

A patient's written authorization is required before UCLA Health System can use and disclose patient information for a number of reasons. You do not need an authorization for treatment, payment, and health care operations. There are also a number of exceptions under State and Federal law when an authorization is not required. Uses and disclosures for activities such as fundraising, marketing, research, and media purposes are some examples of when a valid authorization is required.

All signed valid authorizations should be forwarded to Health Information Management Services to be scanned into the patient's record and documented in the PHI Tracking Database.

Click to access the English and Spanish versions of the authorization form.


Don't Be Tempted. . . It is Not Worth the Risk

If you do not need to access patients' information in order to do your job, then don't. Don't look at information on celebrity patients out of curiosity. Don't look up information such as demographic information if you want to know a colleague's address to send a birthday card. If you do access records when you shouldn't, you may be subject to disciplinary action, up to and including termination.

The Office of Compliance Services - Privacy monitors user access to medical records to determine if accesses are appropriate. Do the right thing, protect patient privacy.


Responding to Patients' Email Containing PHI

When responding to or forwarding email messages from patients that contain PHI, consider whether all recipients on the email need to see the PHI in the original email or email thread.

Patients may not want you to include additional people on your response and share PHI with others that was meant only for you. Remember, once you receive the patient's email with PHI, you are obligated to protect it. Ensure that only the minimum amount of information is disclosed, and only to individuals who have a work-related reason to know.


Time Out!

Computer-generated patient labels contain patient identifiable information; therefore it is important they are used and disclosed properly. Make sure the information on the label matches the patient for whom services are being performed. Confirm the accuracy of the label with the patient - when possible.

Incidents related to labeling errors may lead to patient care errors (e.g., results being assigned to the incorrect patient) and possible inappropriate sharing of patient information. Avoid possible privacy breaches or patient safety concerns by taking a time-out before handling labels and placing them on other items.

If You Find It, We will Come

If you see unattended protected health information (PHI) in hallways, lobbies, cafeterias, clinical areas or even outside, pick it up and immediately contact the Office of Compliance Services - Privacy at 4-8638 for assistance.

The matter will be investigated to determine why the PHI was left unattended. The information was most likely misplaced by a UCLA workforce member, or by a patient who is looking for it.

Help reduce someone's stress level - give us the PHI and we will take it from there.
