1. Policy
Issued: November 15, 2011
Last Revised: August 20, 2025
Last Reviewed: August 20, 2025
Applies to: Faculty (including part-time, adjunct and visiting faculty), postdoctoral scholars, staff and students (including graduate/undergraduate student workers and graduate assistants) employed by University of Southern California (“USC“ or the “University“). This policy continues to apply to individuals who are on sabbatical or other leaves, or who are visiting other institutions.
2. Policy Purpose
The purpose of this policy is to ensure that the University of Southern California (USC) provides all patients with a Notice of Privacy Practices (Notice) that explains how USC may use and disclose their health information and inform patients of their rights concerning the protection and privacy of their health information.
3. Scope and Application
This policy applies to all USC schools, subsidiaries, departments, divisions, and units involved in the provision of healthcare services, including those that create, receive, maintain, or transmit Protected Health Information (PHI) or electronic PHI (ePHI) in the context of patient care.
4. Definitions
| Term | Definition |
| Covered Workforce | Individuals affiliated with USC who collect, use, process, access, or disclose PHI, including but not limited to faculty, staff, and volunteer faculty who provide clinical-related services at USC sites or to USC patients. |
| Electronic Protected Health Information (ePHI) | Refers to a subset of individually identifiable health information that is maintained or transmitted in electronic form. |
| Health care operations | Certain administrative, financial, legal, and quality improvement activities of a covered entity that are necessary to run its business and to support the core functions of treatment and payment. Health care operations examples include the many administrative tasks required to operate a health care provider, such as quality assessment and improvement, peer review, legal, auditing and compliance, business management, general administrative functions, and customer service. Operations also include clinical training of students and residents. |
| HIPAA Privacy Rule | Refers to the Standards for Privacy of Individually Identifiable Health Information, which governs the use and disclosure of PHI. The Privacy Rule is codified at 45 CFR Part 160 and Subparts A and E of Part 164. |
| HIPAA Security Rule | Refers to the Security Standards for the Protection of Electronic Protected Health Information, which establish national standards to safeguard the confidentiality, integrity, and availability of ePHI that is created, received, maintained, or transmitted electronically. |
| Payment | The various activities of health care providers to obtain payment or be reimbursed for their services and of a health plan to obtain premiums, to fulfill their coverage responsibilities and provide benefits under the plan, and to obtain or provide reimbursement for the provision of health care. Payment examples include but are not limited to disclosures to collection agencies; disclosures for utilization review requests; disclosures for claims management. |
| Personal Representative | A patient’s “Personal Representative” is the person who has the authority, under California law, to make health care decisions on behalf of the patient. Although there are exceptions, in general a person who has the capacity to make his or her own health care decisions does not have a Personal Representative. It should not be assumed that a family member or caregiver is a Personal Representative of the patient, unless such individual meets the definition set forth in this policy. |
| Protected Health Information (PHI) | Any health information created or received by a health care provider that: I. Identifies an individual; and II. Relates to that individual’s past, present or future physical or mental health condition or to payment for health care; or III. Relates to the past, present, or future payment for the provision of health care to the individual. |
| Treatment | The provision, coordination, or management of health care and related services, consultation between health care providers regarding a patient, or the referral of a patient from one health care provider to another. Treatment examples include consultations between health care providers who are treating a common patient; referrals to other health care providers; coordination of health care. |
5. Policy Details
5.1 Obligation to Provide Notice
Healthcare providers are required to inform patients of possible uses of PHI in the Notice no later than the first date that clinical service is provided. The Notice shall explain USC’s possible uses and disclosures of the patient’s PHI, the patient’s rights regarding their PHI and USC’s legal duties with respect to that PHI. The Notice shall be written in plain language and shall contain the elements required by the HIPAA Privacy Rule.
5.2 Posting of Notice
The Notice shall be posted in a clear and prominent location in USC’s clinical sites where it is reasonable to expect individuals seeking service to be able to read the Notice. Clinic site administrators (or designees) are responsible for ensuring the physical posting of the Notice in each clinical location. In addition, the Office of Culture, Ethics and Compliance shall ensure that the Notice is posted on USC’s website.
5.3 Notice Acknowledgment:
Healthcare providers will make a good faith effort to obtain written acknowledgment of receipt of the Notice. If despite good faith efforts USC is unable to obtain a written acknowledgment of receipt, then USC will document its efforts and the reason(s) why the written acknowledgment of receipt could not be obtained.
5.4 Personal Representatives:
In cases where the patient has a Personal Representative, the Notice may be provided to the Personal Representative, and the Personal Representative may acknowledge receipt of the Notice on behalf of the patient. However, an unemancipated minor with the right to consent to treatment under state law must be provided with the Notice.
5.5 Record Retention:
Copies of the acknowledgment or documentation of the good faith efforts to obtain an acknowledgment shall be maintained in the patient’s record or electronically stored for a period of six years from the date of their creation, or the date when such Notice last was in effect, whichever is later.
5.6 Revisions to Notice:
USC shall promptly revise its Notice whenever there is a material change to the uses or disclosures, the individual’s rights, USC’s legal duties, or other privacy practices stated in the Notice; post the revised Notice on its website; and post and distribute the revised Notice at its practice sites.
5.7 Internal Procedures:
Each USC clinical site shall develop internal procedures for ensuring compliance with this policy.
6. Procedures
N/A
7. Forms
N/A
8. Responsibilities
| POSITION or OFFICE | RESPONSIBILITIES |
| Office of Culture, Ethics and Compliance | Oversee the content, management, and application of the policy.  |
9. Related Information
45 CFR § 164.506; 164.510(b); 164.520
HIPAA CLIN-202 Personal Representatives of Patients
University of Southern California Notice of Privacy Practices
10. Contacts
Please direct any questions regarding this policy to:
| OFFICE | PHONE | |
| Office of Culture, Ethics and Compliance | 213-740-2500 | compliance@usc.edu |