UNIVERSITY OF CALIFORNIA
SYSTEMWIDE STANDARDS
AND IMPLEMENTATION POLICIES
(SYSTEM STANDARDS)
HEALTH INSURANCE PORTABILITY
AND ACCOUNTABILITY ACT
PRIVACY RULE
(HIPAA)
I. RESOLUTION OF THE UNIVERSITY OF CALIFORNIA BOARD OF REGENTS
May 2002
Academic Health Center Health Insurance Portability And Accountability Act (HIPAA)
Compliance Program
The University’s individual and institutional providers of health care recognize and respect a patient’s expectations that the privacy and security of individual health information will be protected. The University is committed to implementing policies and practices that will enable us to reasonably and appropriately protect our patients’ privacy while carrying out our mission of care, service, education and research. Compliance with the mandates of The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule and Security Regulations requires a thoughtful balance between the rights of the University’s patients to privacy of their protected health information, the patient’s expectation that quality care will be delivered in a cost-effective and timely manner, and society’s expectation that academic health centers will continue to teach and perform leading edge research.
The Board of Regents recognizes and supports the efforts of the members of the University’s Systemwide Taskforce to Implement a HIPAA Compliance Program that will: provide for compliance by developing privacy and security policies applied to those covered entities of the University; demonstrate a commitment and leadership across the organization to the principles embodied in HIPAA; minimize disruption to the care, research and teaching missions of the University; and, enhance patient confidence in the institutions that serve them.
II. INTRODUCTION
The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) mandates significant changes in the legal and regulatory environment governing the provision of health benefits, the delivery of and payment for healthcare services, and the security and confidentiality of individually identifiable, protected health information (PHI) in written, electronic or oral formats. The HIPAA Privacy Rule provides for the privacy of an individual’s health information, with a compliance date of April 2003. The HIPAA Security Rule provides for the security of an individual’s health information when the information is transmitted electronically; the compliance date is April 2005. The HIPAA Administrative Simplification Standards provide for the standardization of transactions and formats used for electronic communication of health care data. In 2002 the President signed legislation allowing for a one-year delay in HIPAA Transactions and Code Sets compliance from October 2002 to October 2003.
University of California’s HIPAA Compliance Work-plan
Since the HIPAA Privacy Rule applies to the use and disclosure of an individual’s protected health information, the University’s academic medical centers took a leadership role in recommending a system-wide approach to prepare for compliance with the requirements of HIPAA. In November 2000, the academic medical center CEOs and School of Medicine Deans from the five academic health center campuses (Davis, Irvine, Los Angeles, San Diego, San Francisco) appointed individuals from each of their respective health sciences centers and the Office of the President (Office of the General Counsel, University Auditor, Clinical Services) to the University’s systemwide HIPAA Taskforce (the HIPAA Taskforce) and charged the group with developing a workplan for achieving academic health system compliance with the HIPAA Privacy Rule prior to its effective date of April 2003.
The HIPAA Taskforce soon determined that HIPAA would not only apply to the five University academic health centers, but would also encompass University health care providers at all University campuses and the University self-funded health plans. Consequently, the HIPAA Taskforce broadened its membership and the scope of its efforts to include individuals representative of covered functions and entities from throughout the University. Since November 2000, the HIPAA Taskforce has grown from a group of approximately 20 members to over 115 members with representation from all University campuses, federal Department of Energy Laboratories, and leadership from the Office of Business and Finance charged with HIPAA compliance by the University’s covered self-funded health plans. Appendix A provides a list of those individuals participating in the work of the HIPAA Taskforce as of April 14, 2003.
In May 2002, the University’s Board of Regents took action to support the recommendation of the HIPAA Taskforce that, for purposes of compliance with HIPAA, all University HIPAA-covered entities would comprise a Single Health Care Component (SHCC) and would implement a systemwide approach to achieving compliance with HIPAA. The Privacy Rule requires the University to designate and document the entities and individuals within the University that are a part of the SHCC and, as such, must comply with HIPAA. Further, the University must define those entities and workforce members who are not covered by HIPAA and are not part of the SHCC and safeguard the flow of protected health care information between the SHCC and non-covered entities and workforce members.
In order to provide for system compliance as a SHCC, the HIPAA Taskforce, in coordination with individuals from throughout the University system, has developed policies, procedures, HIPAA education modules designed to train the workforce on those policies and procedures, and other materials necessary to implement a single system approach to compliance. Appendix B provides a list of University prepared and copyrighted materials included in the University’s HIPAA Implementation Packet. Copies of all materials are available from the University’s Privacy Official or on the University’s HIPAA website at www.universityofcalifornia.edu/hipaa.
The purpose of the University of California’s Systemwide HIPAA Standards and Implementation Policies (System Standards) is to provide uniform compliance standards and implementation policies for all covered entities within the University.
HIPAA Privacy Rule
As of April 2003, health care providers, health plans and health care clearinghouses must be in compliance with The Standards for Privacy of Individually Identifiable Health Information (the Privacy Rule). The HIPAA Privacy Rule provides the first comprehensive federal protection for the privacy of health information.
PRIVACY PRINCIPLES
The Privacy Rule creates standards that protect a patient or member’s medical records and personal health information and:
1. Gives patients and plan members more control over their health information;
2. Sets boundaries on the use and release of health records;
3. Establishes appropriate safeguards that health care providers and others must achieve to protect the privacy of health information;
4. Holds violators accountable and imposes civil and criminal penalties for violation of a patient’s privacy rights;
5. Strikes a balance when public responsibility requires disclosure of some forms of data (for example, to protect public health); and
6. Establishes a “federal floor” of safeguards. (State laws with stronger privacy protections take precedence over and above the HIPAA Privacy Rule.)
HEALTHCARE PROVIDER AND PLAN RESPONSIBILITIES
In general, the Privacy Rule requires covered entities to:
1. Provide information to patients or plan members about their privacy rights and how their information can be used;
2. Adopt clear privacy policies and procedures;
3. Educate all employees regarding privacy policies and procedures;
4. Designate a Privacy Official or individual to be responsible for seeing that privacy procedures are adopted and followed and/or a HIPAA Office responsible for receiving and handling complaints;
5. Respond to patient or plan members’ requests regarding certain rights provided in the Privacy Rule; and
6. Secure patient and members’ records so that they are available only to those who need them.
PATIENT RIGHTS
The Privacy Rule entitles patients or members to:
1. Receive Notice of a HIPAA-covered entity’s practices governing permitted uses and disclosures of PHI;
2. Authorize release and disclosure of PHI as required in the Privacy Rule;
3. Inspect and/or copy PHI;
4. Request that PHI be amended or appended (if information is incorrect or incomplete);
5. Request and receive an accounting of uses and disclosures of PHI, with certain exceptions;
6. Request additional restrictions on use/disclosure of PHI; and
7. Request confidential communications of PHI.
The Relationship of HIPAA Privacy Protections to California Law
California state laws that address medical confidentiality and access to medical information include: the Confidentiality of Medical Information Act which requires patient authorization for release of information unless release is otherwise permitted or required by law; the Lanterman-Petris-Short Act that protects mental health information; HIV test confidentiality laws that provide protection for information concerning HIV tests; and the Information Practices Act.
HIPAA provides that “…any provision, requirement, standard or implementation specifications of HIPAA shall supersede any contrary provision of State law” for all components of HIPAA, not only those relating to privacy. With few exceptions, when the state law is more protective of privacy rights than the federal law, the state law prevails.
The determination of when state law prevails is complicated by the fact that there has been no historical effort to harmonize state laws relative to medical records or privacy of information. The University’s Office of the General Counsel has been collaborating with others in the state, including the California Healthcare Association (CHA) and California Office of HIPAA Implementation (CalOHI) to develop a state-wide preemption analysis for all covered entities. To the extent possible, the System Standards provide the University’s required policies and procedures, including where state law provides greater protections for the individual. However, the University and the HIPAA Taskforce recognize that the System Standards is a dynamic document that may require modification as the SHCC implements the policies and procedures and develops best practices.
HIPAA Security Rule
The Department of Health and Human Services (DHHS) published the final HIPAA Security Rule on February 20, 2003, with an implementation date of April 2005. The HIPAA Taskforce expects to implement a planning process similar to that used for the Privacy Rule. Moreover, achieving compliance with the Security Rule anticipates that covered entities will build upon the policies and procedures developed for compliance with the Privacy Rule.
Administrative Simplification: Standardization of Transactions
Standardization of transactions and formats used for electronic communication of health care data includes: claims or encounter information; health plan eligibility; referral certification and authorization; health care claim status; enrollment and disenrollment; payment and remittance advice; premium payments; and coordination of benefits. Providers do not have to conduct electronic transactions, but providers must comply with the standards if they use electronic transactions. Health plans must use the standards for electronic transactions and accept standard transactions from providers and process them promptly. Covered entities are not permitted to vary the standards. In other words, a health plan and a provider cannot mutually and independently agree to vary the standards. The University has until October 2003 to comply.
Purpose, Use And Organization Of The University’s HIPAA Systemwide Standards and Implementation Policies
The University’s Systemwide HIPAA Standards and Implementation Policies (System Standards) provide all covered entities within the SHCC with consistent standards and policies to achieve compliance as a hybrid-covered entity with a Single Health Care Component (SHCC). Individual covered entities and individuals within the SHCC may promulgate more stringent requirements.
The Final Privacy Rule, August 14, 2002, specifically states: “One of the goals in making changes to the Privacy Rule is to simplify, rather than add complexity and to assure that the Privacy Rule does not hamper necessary treatment.” The University supports these principles and has developed the System Standards in order to:
1. Reduce costs of compliance by standardizing the University’s approach and by sharing resources and expertise;
2. Maintain the standards of quality care;
3. Provide scalability and enhance compliance by creating, where appropriate, a single set of policies, procedures and practices;
4. Reduce the University’s business and audit risks by providing consistency of approach, sharing best practices and uniform applications of the “reasonableness and appropriate” principles for HIPAA compliance;
5. Enhance compliance by demonstrating commitment and leadership across the organization and providing support at all levels for the cultural changes necessary to manage privacy and security;
6. Minimize disruption to the care, research, public service and teaching missions of the University;
7. Build patient confidence in and loyalty toward the University;
8. Enhance ability to provide consistency and accountability for documentation and accounting; and
9. Facilitate the transfer of information between the appropriate units within the SHCC.
Organization of the System Standard
The Standard summarizes the University’s legal interpretation of the requirements of the Privacy Rule as applicable to the University. Section III. HIPAA Privacy Rule Standards focuses on the applicability of the Privacy Rule to the SHCC’s health care providers. Section IV. Privacy Rule Requirements for Covered Health Plans: the University as Plan Sponsor, Plan Administrator and the University’s Self-Funded Plans provides the specific Standards and Policies for the University’s self-funded health plans, as well as the requirements of the University as a plan sponsor and plan administrator.
Implementation Policies are the University’s policy interpretations of the Privacy Rule and define the specific actions that must be implemented at the system level and/or by individual covered entities within the SHCC in order to meet the requirements of The Standard.
Footnotes. The Privacy Rule states that covered entities have “flexibility and workability” in order to implement the Rule and not interfere with access to care. As such, the Privacy Rule does not always provide specific answers to the myriad array of issues that arise within a complex University setting. The University believes that the Privacy Rule provides covered entities with discretion, under the oft-stated HIPAA principles of flexibility and workability, to interpret the regulations so long as one can reasonably support the interpretation. Footnotes provide reference to the regulatory language, the Preambles to the rules or to guidance provided by the Department of Health and Human Services.
Appendix A: Members of the University’s HIPAA Taskforce
Appendix B: University’s HIPAA Implementation Packet : List of Items
Appendix C: Glossary of Terms