Concerns relating to potential or suspected patient privacy violations should be reported to the Office of Compliance Services - Privacy as soon as possible. Below are examples where violations can occur:
For more information, see policy HS 9459, Privacy and Information Security Incident Reporting.
Implement the following precautions and safeguards to protect UCLA Private Health Information when using the "Quick Release" functionality in Care Connect:
Implement the following precautions and safeguards to protect UCLA Private Health Information when faxing medical information:
Help may only be an email away. Introducing the new: firstname.lastname@example.org
The Privacy Office can help you with a variety of things including:
Please email us today if you need assistance: email@example.com!
Exercise caution when posting to social networking sites such as Facebook, Twitter, Snapchat, or LinkedIn. Keep these guidelines in mind:
Refer to the Employee Social Media policy for more information.
Having a friend, family member, or co-worker in the hospital can be a difficult experience. Although you may want to contact these people to show your concern and support, doing so may be a violation of patient privacy policies.
Before giving documents to patients, such as the After Visit Summary (AVS), check that you are handing the correct document to the correct patient. The AVS contains sensitive patient information such as diagnoses and medications. Documents given to the wrong individual may lead to a breach in patient privacy.
See the Privacy FAQs for more information on handling written PHI.
When leaving information on a patient’s voicemail or answering machine, take these steps to safeguard the patient’s privacy and reduce the risk of unnecessary disclosures:
Protect privacy by shredding materials containing Restricted Information (RI), which includes PHI, when you are finished using them. This reduces the chances of RI getting into the wrong hands.
Throwing RI in wastebaskets or recycling bins can lead to privacy violations.
Remember the following when emailing RI:
Potential or suspected patient privacy violations should be reported to the Office of Compliance Services - Privacy as soon as possible to help assure timely notification as may be required by state and federal law. Below are examples where violations can occur:
For more information, see policy HS 9459, Privacy and Information Security Incident Reporting.
Paper records containing PHI should be shredded or disposed of using locked shredding containers. If these documents are left in any other receptacle, such as a blue recycling bin, they may be mistaken for regular trash and discarded improperly. If additional shredding bins are required, contact your supervisor.
For more information, see HS 9401.
In CareConnect, users are asked to provide a reason why they are accessing certain patient files. The “Further explanation” field is very useful for providing additional information to explain a user’s access. If “Research” is the reason selected, please include the IRB-approved protocol number in this section.
The Office of Compliance Services - Privacy conducts audits of user access to patient files. If the reason for a user’s Break-the-Glass (BTG) access is not readily apparent, further inquiry into the access may occur.
HIPAA permits the use and disclosure of Protected Health Information (PHI) for treatment, payment, and healthcare operations (TPO). If you are performing any of these activities as a part of your daily work, a patient’s written authorization is not required to access patient information.
For more information on TPO and PHI, see HS 9401, Protection of Confidential Patient Information.
A Business Associate is a person, other than a workforce member, or company that creates, receives, maintains, or transmits PHI on behalf of UCLA Health System, or provides services to or for UCLA Health System involving the disclosure of PHI. PHI may be shared with these entities ONLY after a signed Business Associate Agreement (BAA) is obtained.
Remember to remove written PHI, such as medical records, when you are finished seeing patients in treatment rooms. Failure to do so may lead to disclosing PHI to other patients left alone waiting to be seen. If you find unattended PHI, store it securely and contact the Office of Compliance Services - Privacy to report the incident.
For more information, see the “Safeguards to Protect PHI” section in HS 9401.
Paper documents containing PHI should be shredded or disposed of using locked shredding bins. If they are left in any other receptacle overnight, such as a recycling bin, they may be mistaken for trash and discarded improperly. If additional shredding bins are required, contact your supervisor or the Office of Compliance Services - Privacy for guidance.
For more information, see HS 9401.
When transporting hard copy patient records in carts within or outside the Medical Center, make sure they are covered to ensure patient privacy. A protective cover keeps the records from being seen by unauthorized individuals, and also helps prevent records from falling off the cart. For more information on protecting written PHI, see the Privacy Services FAQs.
A valid Authorization for Release of Health Information (HIPAA Authorization) is required whenever UCLA uses and/or discloses PHI except in cases of treatment, payment, and health care operations or when another exception to the authorization requirement exists in the Privacy Rule. To be valid an Authorization must contain certain elements, including a signature. See the Authorization Validation Checklist for details.
myUCLAhealth is CareConnect’s secure online patient portal that enables patients to view portions of their medical records, see test results, request appointments, and communicate securely with their physicians.
myUCLAhealth should be used to share PHI with patients; however, providers whose clinics haven’t yet implemented myUCLAhealth may communicate with patients via email when patients sign the UCLAHS Email Consent Form (Form #12005).
Exercise caution when sending PHI via text paging systems.
Delete pages containing PHI after reading and responding to them.
Generally, when using and disclosing PHI make sure to limit the PHI to the minimum amount necessary to fulfill the intended purpose. For example, ask yourself whether you really need the specific patient identifiers - such as when requesting a data download report via CareConnect.
See policy HS 9421 for additional information, including the exceptions to the Minimum Necessary standard (page 5).
UCLA Health is required to provide a Notice of Privacy Practices (NPP) to all patients at their first encounter. Signed acknowledgment forms should be obtained from patients to document that we provided the NPP or that the patient refused it. Document the steps in the CareConnect “Document List” and follow your area’s procedure to ensure the form is stored in CareConnect. If you see the “No HIPAA” indicator on the patient header in CareConnect, then the patient needs to receive the NPP.
When carrying documents containing patient information, it is important to ensure the documents are properly secured. If you carry papers in your coat pocket, be careful they don’t fall out. Documents, including handwritten notes, lost or found in unattended areas (e.g., parking lots, hallways, restrooms) may constitute a privacy violation and lead to disciplinary action.
The “Patient Lookup” feature in CareConnect allows you to search for a patient by several identifiers, including the patient’s name, medical record number, and date of birth. Confirm at least two patient identifiers before entering or making entries in the record. Selecting the wrong patient may result in a privacy breach – such as sending information to or about the incorrect patient.
A subpoena is a legal document which may require a person to appear as a witness or to produce documents in a legal proceeding. Workforce members of UCLA hospitals, clinics, or administrative offices may be served with a subpoena.
Refer to policy HS 9011 for information on the departments to contact if you are presented with a subpoena.
Protect patient privacy and yourself by never sharing your user ID and password with ANYONE. This includes logging on and allowing someone else to work under your user name and password. If you believe you don’t have the correct level of access in CareConnect, contact your supervisor or your departmental authorizer.
Sharing passwords is a violation of policy and may lead to corrective or disciplinary action for both the person who shares the password and the person who uses it.
When sending faxes containing patient information, reduce the risk of a privacy violation by following these tips:
For more information, see HS 9453-B, or contact the Office of Compliance Services - Privacy for guidance.
Patients have a right to request an amendment or correction to their medical records if they believe the information is inaccurate, incomplete, or incorrect. Patients should be directed to submit requests to the Health Information Management Services (HIMS) department on Form #11726.
For more information, see HS 9415.
Patients have a right to access their medical records – including while they are in the hospital. Requests should be submitted in writing to the Health Information Management Services (HIMS) department on Form #11727. If a request is approved, access to the record will be provided within 5 business days.
For more information, see HS 9413.
A signed Authorization for Release of Health Information (Form #30910) is required when UCLA uses and discloses PHI for reasons other than treatment, payment, or health care operations, or for certain limited reasons permitted by law. It must contain specific elements to be valid. It is not the same as the Terms and Conditions of Service form (COA – #305949).
If you receive a non-UCLA authorization, contact the Privacy Office for assistance.
Under HIPAA, patients or their personal representatives must be given a copy of the NPP at their FIRST encounter with UCLAHS. We must also make a good faith effort to obtain and retain a signed acknowledgment from the individual that he or she has received the Notice.
See HS 9411 for more information about the NPP.
If you find a mobile device (including but not limited to USB drives, smart and cell phones, laptops, iPads, and pagers) inside or outside a UCLA Health System facility, contact the Office of Compliance Services - Privacy Division as soon as possible. The Office of Compliance Services will determine whether any action is necessary and try to get the device returned to its rightful owner if possible.
For more information on mobile devices, see policy HS 9453-C.
As was announced in the email from Drs. Feinberg and Kapur on 10/1, our policy on storing Restricted Information (RI) on mobile devices has been revised effective October 25, 2012.
Please ensure that you have removed any Restricted Information from both unencrypted UCLA-owned and your personally owned mobile devices and removable media before October 25, 2012. Contact your IT support group for help with encryption.
Patients have the right to request an accounting of disclosures of their PHI by UCLA Health System to outside entities. Disclosures for purposes of Treatment, Payment, and Operations are not required to be included in the accounting. Requests should be submitted to the Health Information Management Services (HIMS) department using Form #11729. See HS 9416, Request for Accounting of Disclosures, for more information.
As an employee you might find out, either through word of mouth, observation, or performing work related responsibilities, that a current or former co-worker is an inpatient at UCLA Medical Center. Once you become aware of the information, you may want to contact or visit the patient to see how he/she is doing. However, under the laws that govern patient privacy, your first obligation is to respect and protect your co-workers' privacy.
When your co-worker is a patient, treat him/her just like any other patient. Your co-worker is entitled to and deserves the same privacy and confidentiality that you would give to any other patient.
Do the Right Thing by:
UCLA Health System and the David Geffen School of Medicine workforce members are required to complete Privacy and Information Security training.
The Office of Compliance Services - Privacy will perform audits to ensure that individuals who failed to complete the annual privacy and information security training by the deadline don’t access patient information. Individuals accessing PHI without completing the training will be subject to disciplinary action.
Per UC policy, all orders and certain medical record entries must be accompanied by the physician’s identification number (UCLA pager number). One use of this number is to confirm the identity of the signer. The UCLA pager number affixed after the physician signature should only be the number of the person signing the order or medical record entry.
If you are contacted by a journalist or other media representative requesting information about UCLA hospitals, clinics, doctors or patients, please contact the UCLA Health Sciences Media Relations Office at 310-794-0777. All media-related inquiries, including documentary requests, should be handled by the Media Relations Office.
For more information about disclosures of PHI to the media, see HS Policy 9472.
Did you know that sometimes it is not appropriate to divulge certain patient information to law enforcement? Sometimes we are asked by federal, state or local law enforcement officials to provide patients' health information to them. The PHI we can appropriately disclose is limited and specific, and depends upon the immediate circumstances involving the patient, and how or why the officer needs the information.
When faced with the question of whether or not to disclose PHI to an officer, notify your supervisor or contact the Privacy Office by telephone at ext. 48638 or pager after hours at #98329 or #96594.
Read Policy HS 9430 for more information.
A business associate relationship exists when an individual or entity, acting on behalf of UCLA Health System, assists with performing a function or activity involving the use or disclosure of PHI. When this relationship exists, a business associate agreement (BAA) between UCLA and the entity may be necessary. Contact your Purchasing department or the Office of Compliance Services - Privacy for assistance with determining whether a BAA is required and getting it finalized. Under HIPAA, if we disclose PHI to third parties without an executed BAA when one is required, we may be subject to penalties.
Read Policy HS 9430 for more information.
If you do not need to access patients’ information in order to do your job, then don’t. Don’t look at information on celebrity patients out of curiosity, or on a co-worker even out of concern. Don’t look up information like room location to visit, or demographic information if you want to know a co-worker’s address to send a get well card. If you do access records when you shouldn’t, you may be subject to disciplinary action, up to and including termination.
The Office of Compliance Services - Privacy monitors user access to medical records to determine if accesses are appropriate.
Read Policy HS 9421 for more information.
A patient's written authorization is required before UCLA Health System can use and disclose patient information for a number of reasons. You do not need an authorization for treatment, payment, and health care operations. There are also a number of exceptions under State and Federal law when an authorization is not required. Uses and disclosures for activities such as fundraising, marketing, research, and media purposes are some examples of when a valid authorization is required.
All signed valid authorizations should be forwarded to Health Information Management Services to be scanned into the patient's record and documented in the PHI Tracking Database.
If you do not need to access patients’ information in order to do your job, then don’t. Don’t look at information on celebrity patients out of curiosity. Don’t look up demographic information if you want to know a colleague’s address to send a birthday card. If you do access records when you shouldn’t, you may be subject to disciplinary action, up to and including termination.
The Office of Compliance Services - Privacy monitors user access to medical records to determine if accesses are appropriate. Do the right thing, protect patient privacy.
When responding to or forwarding email messages from patients containing PHI consider whether all recipients on the email need to see the PHI in the original email or email string.
Patients may not want you to include additional people on your response and share PHI with others that was only meant for you. Remember, once you receive the patient’s email with PHI, you are obligated to protect it. Ensure that only the minimum necessary information is disclosed, and only to individuals who have a work-related reason to know.
Computer-generated patient labels contain patient identifiable information; therefore it is important they are used and disclosed properly. Make sure the information on the label matches the patient for whom services are being performed. Confirm the accuracy of the label with the patient - when possible.
Incidents related to labeling errors may lead to patient care errors (e.g., results being assigned to the incorrect patient) and possible inappropriate sharing of patient information. Avoid possible privacy breaches or patient safety concerns by taking a time-out before handling labels and placing them on other items.
If you see unattended protected health information (PHI) in hallways, lobbies, cafeterias, clinical areas or even outside, pick it up and immediately contact the Office of Compliance Services - Privacy at 4-8638 for assistance.
The matter will be investigated to determine why the PHI was left unattended. The information was most likely misplaced by a UCLA workforce member, or by a patient who is now looking for it.
Help reduce someone's stress level - give us the PHI and we will take it from there.