HIPAA Privacy Regulations


HIPAA Privacy Rule Overview

In 1996, Congress passed the Health Insurance Portability and Accountability Act, commonly referred to as HIPAA. HIPAA consists of multiple components. One component, referred to as "administrative simplification," is designed to streamline the electronic exchange of information for claims reimbursement.

It was believed that making it easier to share patient information increased the risk of unauthorized disclosures. As a result, HIPAA's "administrative simplification" section mandated the development of the Privacy Rule.

The HIPAA Privacy Rule creates a federal standard for protecting the privacy of health information, which is in addition to existing state laws. USC has been required to comply with the Privacy Rule since April 14, 2003, when its requirements went into effect.

The Privacy Rule requires USC to continue to comply with California laws that provide extra protection to patients, and it includes civil and criminal penalties for non-compliance.


What does the Privacy Rule require?


The Privacy Rule prohibits the use or disclosure of "protected health information" or PHI. PHI is defined in the Privacy Rule as any health information created or received by a health care provider that: (1) identifies an individual; and (2) relates to that individual's past, present or future physical or mental health condition or to payment for health care. Protected Health Information includes information in any form or medium, from a paper medical record to a fax authorization or referral to a conversation between colleagues consulting on the care of a patient.

There are four categories of uses and disclosures that are permitted by the Privacy Rule:

• First, patient information can be used or disclosed to: (1) treat the patient, (2) obtain payment for treating the patient, or (3) conduct health care operations if a patient has acknowledged receipt of a Notice of Privacy Practices (or good faith efforts have been made to obtain an acknowledgment).

• Second, patient information can be given to patient caregivers (for example, family members) but only if the patient expressly or impliedly consents.

• Third, certain disclosures can be made by a health care provider without patient authorization to accomplish public policy objectives (for example, to report child or elder abuse).

• Fourth, any other disclosure (such as for research, fundraising or marketing) may only be made if the patient specifically authorizes the disclosure in writing. An authorization is a customized document that requests permission from the patient to use protected health information for specific purposes and for a specific time period.

As a general rule, even if a disclosure is permitted under the Privacy Rule, it must be limited to the information needed by the requestor.


What does this mean for USC?

 

The HIPAA Privacy Rule generally prohibits health care providers (such as USC physicians, pharmacists, dentists, allied health professionals as well as USC's hospital partners), health plans (such as the USC Network) and clearinghouses from using or disclosing an individual's "protected health information" without an authorization from a patient. That said, health care providers and practitioners can continue to use protected health information to treat patients, obtain payment for such treatment, or for health care operations (such as teaching students and residents, credentialing, quality assurance, compliance reviews, etc.) without an authorization from a patient. In those instances, USC still must provide the patient with a Notice of Privacy Practices, which summarizes all of the possible ways that USC may use an individual's health information. In addition, USC must make a good faith effort to obtain the patient's acknowledgement of receipt of the Notice of Privacy Practices.

 

For most other uses, such as uses for research, fundraising and marketing, patients must sign a specific authorization permitting USC to use their health information for those purposes. For fundraising and marketing, USC will attempt to obtain authorizations on an as-needed basis. For research, the HIPAA Privacy Rule authorization may be incorporated into the informed consent document. The USC Institutional Review Boards (IRBs) have been charged with enforcement of certain aspects of the Privacy Rule related to research.

 

The HIPAA Privacy Rule also gives patients expanded rights to access their medical and billing records, to request amendments to those records, and to obtain an accounting of disclosures of protected health information. USC also must not use more than the "minimum necessary" amount of patient health information to accomplish a particular task. For example, while a physician or resident may need to see all of a patient's health information for treatment purposes, a receptionist who simply checks patients in to the clinic should not need to see medical records.

 

How has USC implemented a HIPAA compliance program?

 

The HIPAA Privacy Rule is comprehensive and impacts USC and other academic medical centers in far-reaching ways. USC's implementation efforts include:

 

• Designating Laura LaCorte, Associate Senior Vice President of the USC Office of Compliance, as the privacy official for HIPAA compliance purposes;
• Developing an online HIPAA privacy education program that may be accessed at the Office of Compliance web site (www.ooc.usc.edu). This program must be completed by all faculty, staff and other USC employees, as well as students, volunteers, agents and certain other individuals who have access to patient health information through USC providers;
• Developing policies, procedures and templates for the university community. Such templates include:

    • Notice of Privacy Practices
    • Authorizations for research, fundraising and marketing purposes
    • Policies and procedures and other guidance for complying with the Privacy Rule, particularly as it impacts clinical practice, research, fundraising, marketing, the USC health plans and non-clinical health education.

 

Information regarding the Privacy Rule, including access to the online education program, template documents, and policies and procedures, is available on the USC Office of Compliance website at www.ooc.usc.edu.

 

If you are interested in more information about the HIPAA Privacy Rule and how its provisions specifically affect your work, please contact the Office of Compliance at (213) 740-8258 or at complian@usc.edu.

 

Contact Department

Office of Compliance
3500 S. Figueroa Street, UGB 105
Los Angeles, CA 90089-8007
Mail Code 5013
Phone: (213) 740-8258
Fax: (213) 740-9657