Yes, as long as you are involved in payment activities related to the patient. Payment is defined as activities related to being paid for services rendered, including eligibility determinations, billing, claims management, utilization review, etc.
Yes, if the use and disclosure falls under an exception. Refer to Policy HS 9412 Authorization for Use/Disclosure of Protected Health Information (PHI) and HS 9422 Disclosure of Protected Health Information to Third Parties for additional information. Contact the Office of Compliance Services-Privacy at x48638 for assistance.
You can file a complaint or report an incident by:
Contacting the Privacy and Information Security Offices directly at 310-794-8638.
Sending an email to the Privacy and Information Security Offices at PrivacyInfoSec@mednet.ucla.edu.
Calling the toll-free Compliance Resource Line at 1-800-296-7188, if you wish to be anonymous. The Compliance Resource Line is available 24 hours a day.
The Privacy and Information Security Offices will investigate all complaints, work with the appropriate departments on resolving them, and work with HR regarding any disciplinary action when appropriate.
Civil penalties are tiered by the level of culpability. Each tier is assessed per violation, with a cap of $1,500,000 per calendar year for violations of an identical provision:
Tier 1 (did not know): the covered entity did not know, and by exercising reasonable diligence would not have known, that it violated the HIPAA Privacy Rule. $100 to $50,000 per violation, up to $1,500,000 per year for identical violations.
Tier 2 (reasonable cause): the violation was due to reasonable cause and not willful neglect. $1,000 to $50,000 per violation, up to $1,500,000 per year for identical violations.
Tier 3 (willful neglect, corrected): the violation was due to willful neglect but was corrected within 30 days. $10,000 to $50,000 per violation, up to $1,500,000 per year for identical violations.
Tier 4 (willful neglect, not corrected): the violation was due to willful neglect and was not corrected within 30 days. $50,000 per violation, up to $1,500,000 per year for identical violations.
Criminal penalties for a person who knowingly violates HIPAA are as follows:
Up to $50,000 and up to one year in prison for knowingly obtaining or disclosing individually identifiable health information.
Up to $100,000 and up to 5 years in prison for wrongful conduct involving false pretenses.
Up to $250,000 and up to 10 years in prison for wrongful conduct with intent to sell, transfer, or use individually identifiable health information for personal gain or malicious harm.
A Business Associate is a person or company that performs certain functions or activities involving the creation, use, or disclosure of protected health information on behalf of, or provides services to, a UCLA Health System Provider such as the hospital, a clinic, or an individual physician. Covered entities such as hospitals, physician practices, and pharmacies may disclose protected health information to an entity in its role as a business associate only to help the covered entity carry out its business activities, not for the business associate's independent use or purposes.
Claims processing or administration; data analysis, processing, or administration; utilization review; quality assurance; billing; benefit management; practice management; and off-site shredding of medical records. Examples of entities that perform these functions or activities are third-party billing companies, transcriptionists, data storage companies, data shredding companies, etc.
Yes, as long as you are involved in health care operations, which cover a broad range of activities such as quality assessment, patient education and training, student training, contracting for health care services, medical review, legal services, auditing functions, compliance, business planning and development, licensing and accreditation, business management, and general administrative activities. Contact the Office of Compliance Services-Privacy at x48638 if you have questions about whether an activity is considered health care operations.
An Authorization is an individual's signed permission allowing health care professionals to use or disclose their PHI for reasons generally not related to treatment, payment, or health care operations. Under HIPAA, every authorization must contain specific elements to be valid. Contact the Privacy and Information Security Offices at 310-794-8638 or PrivacyInfoSec@mednet.ucla.edu if you have any questions.
The Privacy and Information Security Offices staff will be happy to discuss and plan an education session to fit your specific needs. If you would like to schedule a Refresher Training, contact the Privacy and Information Security Offices at 310-794-8638 or PrivacyInfoSec@mednet.ucla.edu.
In addition to seeking advice from your supervisor, the Privacy and Information Security Offices are available if you have questions about patient privacy and confidentiality. This includes questions about existing processes or functions you perform, as well as new processes, programs, or initiatives you are considering that involve patients and PHI. Contact the Privacy and Information Security Offices at 310-794-8638 or PrivacyInfoSec@mednet.ucla.edu early in your planning process so we can provide guidance and help you do the right thing.
All workforce members (e.g., staff, physicians, nurses, residents, medical students, volunteers) must comply with all applicable UCLA Health System patient privacy and information security policies. If, after an investigation, you are found to have violated the organization's privacy and information security policies, you are subject to disciplinary action. Disciplinary action will be consistent with the organization's corrective action policies and past practices, and can include but is not limited to:
A Business Associate Agreement is a contractual document required between a UCLA Health System Provider, such as the hospital, a clinic, or an individual physician, and its vendors that need PHI to perform a service for, or on behalf of, UCLA Health System. This agreement sets forth the requirements a Business Associate must follow with regard to the confidentiality, security, use, and disclosure of protected health information while providing services to UCLA Health System.
Legal; actuarial; accounting; consulting; data aggregation; management; administrative; accreditation; and financial services. Examples of entities that provide these types of services are attorneys defending a medical malpractice claim or helping with a billing audit, external consultants conducting compliance audits, and accreditation boards and committees. NOTE: if a covered entity provides these types of services for another covered entity, a business associate relationship exists.