July 15, 2014
HIPAA Privacy Rule: Policies, Forms and Other Resources
Federal regulations, known as the Health Insurance Portability and Accountability Act (HIPAA) privacy law, generally prohibit the use and disclosure of health information without written permission from the patient. The following policies were developed to assist USC faculty and staff in complying with these regulations. Questions about these policies should be directed to the USC Office of Compliance at (213) 740-8258 or email@example.com.
- GEN-101 Education of Covered Workforce
Describes those individuals who are considered to be part of USC’s covered workforce under the HIPAA Privacy Rule and who must complete USC’s HIPAA Education program.
- GEN-102 When to Obtain Patient Authorizations to Use and Disclose Protected Health Information
Defines the elements of a valid HIPAA authorization and describes those circumstances when it is necessary to obtain an authorization from patients before using their identifiable health information.
- GEN-103 Public Policy Disclosures That Do Not Require Patient Authorization
Describes those circumstances where—for public policy reasons—an authorization is not required prior to release of identifiable health information, e.g., subpoenas, public health activities, government oversight agencies, law enforcement, child and elder abuse.
- (GEN-104 now included in CLIN-201)
- GEN-105 Disclosures of De-Identified Information
Describes the identifiers that must be removed in order for the health information to meet the criteria for de-identification under the HIPAA privacy rule.
- Senior Vice President memorandum, dated February 19, 2003, to university community regarding compliance with HIPAA privacy rule.
- Authorization Form [generic template]
USC has developed specific template authorizations for uses/disclosures of health information for (1) research; (2) fundraising; (3) marketing; and (4) special privacy considerations. Those specific authorization forms can be found below. This authorization form should be used and tailored for other uses and disclosures for which no other specific template document exists. See USC Policy GEN-102 for further information regarding use of the authorization.
- USC and DHS agreement to coordinate education efforts
Explains the terms under which USC and Department of Health Services will accept the HIPAA education certification of the other institution.
Clinical Practices (200)
- CLIN-200 Notice of Privacy Practices
Describes the purpose of the Notice of Privacy Practices and the procedures for properly obtaining an acknowledgement of receipt of the Notice from the patient.
- CLIN-201 Use of Protected Health Information for Treatment, Payment and Health Care Operations
Describes how health information can be shared without patient permission for purposes of treatment, payment and healthcare operations; describes the policy for sharing health information with a patient’s family members and/or caregivers.
- CLIN 202 Personal Representatives of Patients
Describes those individuals that may act as personal representatives of the patient.
- CLIN 203 Special Privacy Considerations
- CLIN-204 Facility Directories
Describes how USC facility directories will be maintained in accordance with the HIPAA privacy regulations.
- CLIN 206 Minimum Security Standards for ePHI for Keck
- CLIN 207 Security Risk Analysis and Management
- Notice of Privacy Practices
- Notice of Privacy Practices (en Español)
- Notice of Privacy Practices (Korean)
- Notice of Privacy Practices (Chinese)
- Notice of Privacy Practices (Armenian)
Must be provided to patient no later than first clinical encounter; must be posted in conspicuous location at each clinical site. *See USC Policy CLIN-200 for further information regarding use of the Notice of Privacy Practices.
- Instructions for completing HIPAA authorization form
- HIPAA Research Authorization – this template has been reviewed and approved by the respective USC IRBs. Please attach documents to the subject’s informed consent document. Any proposed changes to this form must first be approved by the Office of Compliance. Please see instructions for use for further information.
- CERTIFICATION Request for Protected Health Information for Preparatory Research Activities
Should be signed by USC researchers accessing health information for purposes of subject recruitment or for other purposes preparatory to research. May ONLY be used in connection with USC-held protected health information.
- CERTIFICATION Request for Decedent Protected Health Information
Should be signed by investigators accessing USC or non-USC health information for purposes of conducting research on decedents.
- Data Use Agreement
To be signed by all recipients of limited data sets.
- See USC HIPAA Policy RES-301 for further information about using these forms.
- Authorization for USC Fundraising Activities
This document should be signed prior to using individually identifiable health information (e.g., treatment, diagnosis) for fundraising activities.
- Authorization for USC Marketing Activities
This document should be signed prior to using individually identifiable health information (e.g., treatment, diagnosis) for marketing activities.
- Authorization for Use of Health Information for Media Purposes*
This document should be signed prior to using individually identifiable health information (e.g., treatment, diagnosis) for purposes of videotaping or filming interviews with patients for public relations purposes.
- Authorization for Use of Health Information for Media Purposes [en Español] (.doc)
Patients Rights (600)
- PAT-601 Access to Protected Health Information
Policy for addressing patient request to access protected health information.
- PAT-602 Patient Requests to Amend Protected Health Information
Policy for addressing patient request to amend protected health information.
- PAT-603 Accounting of Disclosures of Protected Health Information
- PAT-604 Patient Requests to Restrict Certain Uses and Disclosures of Protected Health Information
Policy for addressing patient requests to restrict certain uses and disclosures of their identifiable health information.
- PAT-605 Patient Requests to Receive Confidential Communications
Policy for addressing patient requests to receive confidential communications by alternative means or at alternative addresses.
- PAT-606 Resolution of Patient Complaints
- PAT-607 Mitigation and Sanctions
Policy for monitoring compliance with USC’s privacy policies and mitigating harm in cases where there has been an unauthorized disclosure.
- PAT-608 Breach Notification
- Access Request Form
Patients who request access to their health information must complete this form.
- Denial of Access Form
To be used when a clinical unit denies a patient’s request to access health information (see PAT 601 Access to Protected Health Information).
- Request to Amend Form
Patients who request an amendment to their health information must complete this form.
- Acceptance of Request to Amend
To be used when a clinical unit accepts a patient’s request to amend health information (see PAT 602 Patient Requests to Amend Protected Health Information).
- Denial of Request to Amend
To be used when a clinical unit denies a patient’s request to amend health information (see PAT 602 Patient Requests to Amend Protected Health Information).
- Request for Accounting Form
Patients who request an accounting of their health information must complete this form.
- Accounting of Disclosures Tracking Log
For internal use by clinical units to track accountable disclosures in accordance with the HIPAA privacy rule requirements.
- Request to Receive Confidential Communications
Patients who request to receive confidential communications about their health information by alternative means or at alternative locations pursuant to USC Policy PAT-605 must complete this form.