Health Insurance Portability and Accountability Act of 1996 (HIPAA)
In May 2002, the Board of Regents designated the University of California as a HIPAA hybrid covered entity and determined that UC would be a Single Health Care Component for the purposes of complying with the HIPAA Rule. All of the entities at UC covered by the HIPAA Privacy and Security Rules — medical centers, medical clinics, health care providers, health plans, student health centers — are a single entity for purposes of compliance with HIPAA. However, the research function is excluded from HIPAA coverage at UC. Accordingly, research health information that is not associated with a health care service is not subject to the HIPAA Privacy and Security Rules. Other state and federal laws govern privacy and confidentiality of personal health information obtained in research.
Compliance. The HIPAA Privacy Rule, effective April 14, 2003, established national standards to guard the privacy of a patient's protected health information. Protected health
- Information created or received by a health care provider or health plan that includes health information or health care payment information plus information that personally identifies the individual patient or plan member.
- Personal identifiers include: a patient's name and email, web site and home addresses; identifying numbers (including Social Security, medical records, insurance numbers, biomedical devices, vehicle identifiers and license numbers); full facial photos and other biometric identifiers; and dates (such as birth date, dates of admission and discharge, death).
HIPAA Security Compliance. The HIPAA Security Rule, effective April 20, 2005, requires that workforce members adhere to controls and safeguards to: (1) ensure the confidentiality, integrity and availability of confidential information; and (2) detect and prevent reasonably anticipated errors and threats due to malicious or criminal actions, system failure, natural disasters and employee or user error. Such events could result in damage to or loss of personal information, corruption or loss of data integrity, interruption of University activities, or compromise to the privacy of the University patients or employees and its
Scope - Who is subject to HIPAA at UC? HIPAA regulations apply to employees, health care providers, trainees and volunteers at UC medical centers and affiliated health care sites or programs and employees who work with UC health plans. HIPAA regulations also apply to anyone who provides financial, legal, business, or administrative support to UC health care providers or health plans.
For More Information. If you have questions regarding the University's HIPAA compliance practices, please use the Campus Contact links under Privacy or Security in the navigation bar to the left.
UC Complaint Process. You may file a complaint if you believe that the University is not complying with applicable HIPAA requirements. All complaints must be in writing. Please identify the entity or individual that is the subject of the complaint and describe the activities believed to be in violation of the HIPAA rule. The complaint must be filed within 180 days of the activity. Mail complaints to UC's HIPAA Official. Information for filing an anonymous complaint consistent with the University of California Whistleblower Policy is available at http://ucwhistleblower.ucop.edu/.