HIPAA PAT-607 Mitigations and Sanctions

It is USC’s policy to monitor compliance with HIPAA policies and to mitigate, to the extent practicable, any harm resulting from inappropriate access to, acquisition of, use of, or disclosure of protected health information.

HIPAA PAT-608 Breach Notification

USC shall comply with breach notification requirements under federal and state laws, including the HIPAA privacy and security regulations and the Health Information Technology for Economic and Clinical Health Act (“HITECH”) Regulations.

HIPAA PAT-601 Access to Protected Health Information

This policy describes when it is appropriate to permit a patient to access his or her Protected Health Information and the procedures to follow when approving or denying a patient request to access his or her Protected Health Information.

HIPAA Privacy Rule: Education of Covered Workforce

It is USC’s policy to provide education to its faculty, staff, students and other employees or volunteers who use, disclose or access Protected Health Information as part of their job responsibilities at USC.

HIPAA CLIN-207 Security Risk Analysis and Management

In accordance with the HIPAA Security Rule, USC maintains a HIPAA security risk analysis and management program to assess and prioritize risks to the confidentiality, integrity and availability of Protected Health Information (PHI) and to respond, accept or remediate as appropriate.

HIPAA PAT-604 Patient Requests to Restrict Uses and Disclosures of Protected Health Information

USC will consider requested restrictions. However, except in the limited circumstances described below, USC has no obligation to agree to any such request, nor is it required to cite a reason for refusing to do so.

HIPAA PAT-603 Accounting of Disclosures of Protected Health Information

This policy describes the process for responding to a patient’s request for an accounting of disclosures of his or her Protected Health Information.

HIPAA PAT-602 Patient Requests to Amend Protected Health Information

Except as set forth below, the University of Southern California (USC) recognizes the right of a patient to request an amendment to his or her Protected Health Information or a record about a patient maintained by USC in a “Designated Record Set.”

HIPAA PAT-606 Resolution of Patient Complaints

It is USC’s policy to provide a process for individuals to make complaints regarding USC’s compliance with the Privacy Rule.

HIPAA PAT-605 Patient Requests to Receive Confidential Communications

It is USC’s policy to accommodate a reasonable request by a patient to receive communications of Protected Health Information from USC by alternative means or at alternative locations, provided the procedures for requesting such accommodations, as set forth below, are followed.

HIPAA CLIN-206 Minimum Security Standards for ePHI for Keck

Keck Medicine of University of Southern California (Keck) recognizes that federal and California law require that Protected Health Information receive the highest level of access control and security protection in order to safeguard the confidentiality and protect the patients’ right to privacy of such information consistent with USC’s privacy policies.

HIPAA RES-301 Uses and Disclosures of Protected Health Information for Research Purposes

Federal and state regulations govern the protection of human subjects in research. While these regulations provide for some patient confidentiality protections, the HIPAA Privacy Rule adds additional privacy protections for human subjects and establishes the conditions under which protected health information (“PHI”) may be used or disclosed by the University of Southern California (USC) for research purposes.

HIPAA CLIN-203 Special Privacy Considerations

USC recognizes that federal and California law require that certain categories of patients’ Protected Health Information receive additional privacy protections.

HIPAA CLIN-202 Personal Representatives of Patients

A patient’s “Personal Representative” is the person who has the authority, under California law, to make health care decisions on behalf of the patient. Although there are exceptions, in general a person who has the capacity to make his or her own health care decisions does not have a Personal Representative.

HIPAA CLIN-201 Use of Protected Health Information for Treatment Payment and Health Care Operations

University of Southern California (USC) is permitted to use and disclose an individual’s Protected Health Information for treatment, payment and health care operations, provided: USC gives patients a Notice of Privacy Practices (Notice), which describes the ways in which USC may use patients’ PHI; USC makes a good faith effort to obtain written acknowledgement of receipt of the Notice; and USC only uses and releases the minimum amount of health information necessary when doing so for payment or healthcare operations purposes.

HIPAA BUS-701 Business Associates

The University of Southern California (USC) ensures that its business associates protect patients’ right to privacy consistent with USC’s obligations under federal and state law and USC’s privacy policies.

HIPAA CLIN-204 Facility Directory

The purpose of this policy is to ensure that the maintenance of the facility directory at University of Southern California is in accordance with the HIPAA privacy regulations.

HIPAA CLIN-200 Notice of Privacy Practices

The University of Southern California (USC) is required to give all patients a Notice of Privacy Practices (Notice), which i) explains the ways that USC may use and release their health information; and ii) describes the patients’ rights with respect to their health information.

HIPAA GEN-105 Disclosures of Deidentified Information

The University of Southern California (USC) may use or disclose de-identified health information without obtaining a patient’s authorization.

HIPAA GEN-103 Public Policy Disclosures

USC may use or disclose PHI for treatment, payment and health care operations without an individual’s authorization in accordance with USC HIPAA Policy CLIN – 201 and USC’s Notice of Privacy Practices, provided the individual has acknowledged receipt of USC’s Notice of Privacy Practices or USC has made good faith efforts to obtain the individual’s acknowledgement of receipt.

HIPAA GEN-102 When to Obtain Authorizations

The University of Southern California (USC) may use and disclose an individual’s Protected Health Information (PHI) only pursuant to a written Authorization of the patient or the patient’s Personal Representative with the following exceptions.