Privacy Standards, Guidelines, and FAQ


What types of information must be protected?

There are several categories of sensitive information that must be protected under State and Federal privacy laws, including medical information, health insurance information, and genetic information. See the Glossary below for details on each type.

Key Principles of Protecting Information

  • Access to restricted information is limited to authorized users.
  • HIPAA information is further limited by the minimum necessary standard and the “need to know” principle.
  • The minimum necessary standard applies to most uses of PHI (other than PHI accessed for treatment purposes).
  • Access, use or disclosure of PHI for purposes other than treatment, payment and healthcare operations generally requires the patient’s prior written authorization.
  • Information entrusted to UC’s workforce members must be protected from unauthorized access, use, disclosure, loss and theft.

Special Situations - When Additional Privacy Considerations May Be Necessary

  • Mental Health
  • Minors
  • Disclosures for Public Health Activities
    • Disclosures for Public Health [45 CFR 164.512(b)]
    • The Privacy Rule permits covered entities to disclose protected health information, without authorization, to public health authorities who are legally authorized to receive such reports for the purpose of preventing or controlling disease, injury, or disability. This would include, for example, the reporting of a disease or injury; reporting vital events, such as births or deaths; and conducting public health surveillance, investigations, or interventions. See 45 CFR 164.512(b)(1)(i). Also, covered entities may, at the direction of a public health authority, disclose protected health information to a foreign government agency that is acting in collaboration with a public health authority. See 45 CFR 164.512(b)(1)(i).
    • For disclosures to a public health authority, covered entities may reasonably rely on a minimum necessary determination made by the public health authority in requesting the protected health information.
  • Emergency Situations
  • Disclosures to Law Enforcement
  • Disclosures to Media
  • Communicating with the Patient’s Family Members and Friends
  • Guidance on De-Identification Methods
  • FERPA and HIPAA
  • Research

Types of Information: Glossary

  • Restricted Information. “Restricted Information” (RI) (as defined by UC Policy IS-3, Electronic Information Security) describes any confidential or personal information that is protected by law or policy and that requires the highest level of access control and security protection, whether in storage or in transit. This includes personally identifiable information (PII) and protected health information (PHI, including electronic PHI or ePHI) as defined below, but can also include other types of information such as intellectual property, proprietary information, research protocols, research results, study subject identifiable information, student information, animal research information, passwords, and other confidential information whose exposure could damage the reputation of the institution.
  • Personally Identifiable Information (PII) is an individual's first name or first initial and last name combined with any one of the following:
    • Social Security Number
    • Driver's license number or California identification card number
    • Account number, credit, or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account
    • Medical information, or
    • Health insurance information.
  • Protected Health Information (PHI). The Privacy Rule protects certain information that covered entities use and disclose. This information is called protected health information (PHI), which is generally individually identifiable health information that is transmitted by, or maintained in, electronic media or any other form or medium. This information must relate to 1) the past, present, or future physical or mental health or condition of an individual; 2) the provision of health care to an individual; or 3) payment for the provision of health care to an individual. If the information identifies, or provides a reasonable basis to believe it can be used to identify, an individual, it is considered individually identifiable health information.
    • Protected Health Information (PHI) is any individually identifiable health information, in any format, including verbal communications. "Individually identifiable" means that the health information or medical information includes or contains any element of personal identifying information sufficient to allow identification of the individual, such as the patient's name, address, electronic mail address, telephone number, or social security number, or other information that, alone or in combination with other publicly available information, reveals the individual's identity. PHI includes patient billing and health insurance information and applies to a patient's past, current or future physical or mental health or treatment.
    • Below are the 18 HIPAA identifiers that must be removed for data to be considered de-identified under the Safe Harbor method of the HIPAA Privacy Rule [45 CFR 164.514(b)(2)]. Note: data that still contains even one of these identifiers is still PHI.
  1. Names (first name or initials and last name)
  2. Geographic subdivisions smaller than a state: street address, city, county and ZIP code (the first three digits of a ZIP code may be kept only where that three-digit area has more than 20,000 residents)
  3. All elements of dates other than year that relate directly to an individual (birth, death, admission, discharge, treatment, service, etc.), and all ages over 89
  4. Telephone Numbers
  5. Fax Numbers
  6. Email Addresses
  7. Social Security Number (SSN)
  8. Medical Record Number (MRN)
  9. Account Numbers
  10. Health Plan Beneficiary Numbers
  11. Certificate/License Numbers (including driver's license numbers)
  12. Vehicle Identifiers and Serial Numbers (VIN), including License Plate Numbers
  13. Device Identifiers or Serial Numbers
  14. Web Addresses (URLs)
  15. IP Addresses
  16. Biometric Identifiers, including finger- and voice-prints
  17. Full-face Photos or any comparable images
  18. Any other unique identifying number, characteristic, or code
  • Medical Information means any information, in either electronic or physical form, regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional, which may be in the possession of or derived from a health care provider, health care service plan, pharmaceutical company or contractor. Medical information and health insurance information about patients are included in California’s definition of personally identifiable information (PII).
  • Health Insurance Information means an individual's health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual's application and claims history, including any appeals records. Medical information and health insurance information about patients are also considered to be PHI.
  • Treatment under the HIPAA Privacy Rule is defined to include all the preventive, diagnostic, therapeutic, rehabilitation, maintenance and palliative care provided to an individual, as well as the provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another.
  • De-Identification (of PHI).  De-identified data (e.g., aggregate statistical data, or data stripped of individual identifiers) require no individual privacy protections and are not covered by the Privacy Rule. De-identification can be achieved by either of two methods:
    • Expert (statistical) determination: a person with appropriate knowledge of and experience with generally accepted statistical and scientific methods determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, to identify the subject of the information, and documents the methods and results of that analysis [45 CFR 164.514(b)(1)]; or
    • Safe Harbor method: a covered entity or its business associate removes the 18 identifiers listed above, and the covered entity has no actual knowledge that the remaining information could be used, alone or in combination with other information, to identify the subject [45 CFR 164.514(b)(2)].
    • In certain instances, working with de-identified data may have limited value to clinical research and other activities. When that is the case, a limited data set may be useful.
    • Refer to HHS.gov, "Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule": http://www.hhs.gov/hipaa/for-professionals/privacy/special-topics/de-identification/index.html
  • Limited Data Set (LDS).  Health information in a limited data set is not directly identifiable, but may contain more identifiers than de-identified data stripped of the 18 identifiers: it must exclude direct identifiers such as names, street addresses, telephone numbers, SSNs and medical record numbers, but may retain dates (e.g., birth, admission and discharge dates) and town or city, state and ZIP code. A limited data set may be used or disclosed only for research, public health or health care operations, and only under a data use agreement [45 CFR 164.514(e)].
  • Data Use Agreement (DUA) is a legal agreement that establishes who is permitted to use or receive the limited data set, and provides that the recipient will: 
    • not use or disclose the information other than as permitted by the agreement or as otherwise required by law; 
    • use appropriate safeguards to prevent uses or disclosures of the information that are inconsistent with the data-use agreement; 
    • report to the covered entity any use or disclosure of the information, in violation of the agreement, of which it becomes aware; 
    • ensure that any agents to whom it provides the limited data set agree to the same restrictions and conditions that apply to the limited data set recipient with respect to such information; and 
    • not attempt to re-identify the information or contact the individual.
    • Requests for Data Use Agreement and signatures for DUAs are handled by the Compliance Office. UCSD Health employees may refer to MCP policies for further information.
  • Research means the "systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge" [45 CFR 46.102]. In general, research differs from treatment in that the goal of treatment is to benefit the individual being treated, while research is performed to obtain generalizable knowledge.
  • Research Health Information (RHI).  The University of California uses the term research health information (RHI) for individually identifiable health information that is collected or used during participation in a research study but is not part of any medical treatment. When research is associated with or derived from a health care service event (either the provision of care or the payment for such care), the information may be classified as both RHI and PHI. Research studies that use medical records as a source of personally identifiable research data are using PHI, and in order to obtain the PHI from a covered health care provider, the provider must comply with all requirements of the IRB and the Privacy Rule. Most research involving human subjects operates under the Common Rule (45 CFR Part 46) and/or the FDA's human subjects protection regulations.
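The glossary above describes the Safe Harbor method (45 CFR 164.514(b)(2)) and lists the 18 identifiers it removes. The Python below is an added example, not code from the UC page or any UC policy, showing what that method looks like when applied to one structured record: direct identifiers are dropped, dates are reduced to the year, ages of 90 and over are aggregated, a ZIP code keeps at most its first three digits, identifier-shaped strings inside a free-text note are found by pattern, and a column the schema does not vouch for is held back rather than passed through (identifier 18, "any other unique identifying number, characteristic, or code"). The field names, the regular expressions, the sample record and the two "sparse" ZIP prefixes are all assumptions constructed for this example.

```python
import re

# Field names below are assumptions made for this example; a real record
# schema would map its own columns onto the same buckets.
DIRECT_IDENTIFIERS = frozenset({
    "name", "street_address", "city", "county", "phone", "fax", "email",
    "ssn", "mrn", "account_number", "health_plan_id", "license_number",
    "vehicle_id", "device_serial", "url", "ip_address", "biometric_id",
    "photo",
})
DATE_FIELDS = frozenset({"date_of_birth", "admission_date", "discharge_date"})
FREE_TEXT_FIELDS = frozenset({"clinical_note"})
# Fields allowed to pass through unchanged. Anything not listed anywhere is
# held back for review rather than trusted (identifier 18).
PASSTHROUGH = frozenset({"state", "sex", "diagnosis_code"})

# Identifier patterns that commonly leak inside free text. Order matters:
# each pattern runs over the output of the previous one.
PATTERNS = [
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("PHONE", re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b")),
    ("EMAIL", re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")),
    ("URL", re.compile(r"https?://\S+")),
    ("IP", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("DATE", re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b")),
    ("MRN", re.compile(r"\bMRN\s*#?\s*\d+\b", re.IGNORECASE)),
]

# Three-digit ZIP areas with 20,000 or fewer residents must be reduced to
# 000 rather than kept. The real list comes from Census data; the two
# prefixes here are illustrative values assumed for the example.
SPARSE_ZIP3 = frozenset({"036", "059"})


def year_only(iso_date):
    """Keep only the year of a YYYY-MM-DD date; return None if unparseable."""
    m = re.fullmatch(r"(\d{4})-\d{2}-\d{2}", iso_date)
    return m.group(1) if m else None


def generalize_age(age):
    """Safe Harbor aggregates all ages over 89 into a single '90+' category."""
    return "90+" if age >= 90 else age


def generalize_zip(zip_code, sparse_prefixes=SPARSE_ZIP3):
    """Keep the initial three digits unless that area is sparsely populated."""
    prefix = zip_code[:3]
    return "000" if prefix in sparse_prefixes else prefix


def scrub_text(text):
    """Replace identifier-shaped substrings; return (clean_text, kinds_hit)."""
    hits = []
    for kind, rx in PATTERNS:
        text, n = rx.subn(f"[{kind} REMOVED]", text)
        hits.extend([kind] * n)
    return text, hits


def deidentify(record, sparse_prefixes=SPARSE_ZIP3):
    """Apply Safe Harbor to one record.

    Returns (clean_record, removed_fields, unreviewed_fields, text_hits).
    """
    clean, removed, unreviewed, hits = {}, [], [], []
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            removed.append(field)
        elif field in DATE_FIELDS:
            clean[field + "_year"] = year_only(value)
        elif field == "age":
            clean["age"] = generalize_age(value)
        elif field == "zip":
            clean["zip3"] = generalize_zip(value, sparse_prefixes)
        elif field in FREE_TEXT_FIELDS:
            clean[field], text_hits = scrub_text(value)
            hits.extend(text_hits)
        elif field in PASSTHROUGH:
            clean[field] = value
        else:
            unreviewed.append(field)  # unknown column: do not release it
    return clean, removed, unreviewed, hits


# Constructed sample record for the example; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "mrn": "00123456",
    "ssn": "123-45-6789",
    "email": "jane@example.com",
    "street_address": "1 Example Way",
    "city": "San Diego",
    "state": "CA",
    "zip": "92093",
    "date_of_birth": "1931-06-15",
    "age": 93,
    "admission_date": "2024-03-14",
    "sex": "F",
    "diagnosis_code": "E11.9",
    "device_serial": "SN-8877",
    "insurance_group": "GRP-42",  # not on any list: held for review
    "clinical_note": "Pt seen 03/14/2024, callback 858-555-0100, "
                     "see MRN 00123456; portal https://example.org/p/1",
}

if __name__ == "__main__":
    clean, removed, unreviewed, hits = deidentify(SAMPLE_RECORD)
    print(clean)
    print("removed:", removed, "| held for review:", unreviewed, "| text hits:", hits)
```

The free-text scan is a screen, not a guarantee: names, nicknames and local place references in a clinical note do not match any regular expression, so notes normally need either a dedicated de-identification tool with human review or the expert determination method instead. The Safe Harbor condition that the covered entity have no actual knowledge the remainder is identifiable (the "held for review" bucket above) is a judgment the code cannot make for you.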