Administrative and Business Practices
HIPAA Privacy Rule: Policies, Forms and Other Resources
Federal regulations, known as the Health Insurance Portability and Accountability Act (HIPAA) privacy law, generally prohibit the use and disclosure of health information without written permission from the patient. The following policies were developed to assist USC faculty and staff in complying with these regulations. Questions about these policies should be directed to the USC Office of Compliance at (213) 740-8258 or complian@usc.edu.
General (100)
- GEN-101 Education of Covered Workforce
Describes those individuals who are considered to be part of USC's covered workforce under the HIPAA Privacy Rule and who must complete USC's HIPAA Education program.
- GEN-102 When to Obtain Patient Authorizations to Use and Disclose Protected Health Information
Defines the elements of a valid HIPAA authorization and describes those circumstances when it is necessary to obtain an authorization from patients before using their identifiable health information.
- GEN-103 Public Policy Disclosures That Do Not Require Patient Authorization
Describes those circumstances where, for public policy reasons, an authorization is not required prior to release of identifiable health information, e.g., subpoenas, public health activities, government oversight agencies, law enforcement, child and elder abuse.
- GEN-104 Limiting Uses and Disclosure of Protected Health Information to the Minimum Necessary
Describes the requirement that individuals only use and release the minimum amount of health information necessary to perform a particular task and to mitigate incidental disclosures.
- GEN-105 Disclosures of De-Identified Information
Describes the identifiers that must be removed in order for the health information to meet the criteria for de-identification under the HIPAA privacy rule.
- Senior Vice President memorandum, dated February 19, 2003, to university community regarding compliance with HIPAA privacy rule.
- Authorization Form [generic template]
USC has developed specific template authorizations for uses/disclosures of health information for (1) research; (2) fundraising; (3) marketing; and (4) special privacy considerations. Those specific authorization forms can be found below. This authorization form should be used and tailored for other uses and disclosures for which no other specific template document exists. See USC Policy GEN-102 for further information regarding use of the authorization.
- USC and DHS agreement to coordinate education efforts
Explains the terms under which USC and Department of Health Services will accept the HIPAA education certification of the other institution.
Policies
Forms/Resources
Clinical Practices (200)
- CLIN-200 Notice of Privacy Practices
Describes the purpose of the Notice of Privacy Practices and the procedures for properly obtaining an acknowledgement of receipt of the Notice from the patient.
- CLIN-201 Use of Protected Health Information for Treatment, Payment and Health Care Operations
Describes how health information can be shared without patient permission for purposes of treatment, payment and healthcare operations; describes the policy for sharing health information with patient's family members and/or caregivers.
- CLIN-202 Personal Representatives of Patients
Describes those individuals that may act as personal representatives of the patient.
- CLIN-203 Special Privacy Considerations (PENDING)
- CLIN-204 Facility Directories
Describes how USC facility directories will be maintained in accordance with the HIPAA privacy regulations.
- Notice of Privacy Practices (en Español)
Must be provided to patient no later than first clinical encounter; must be posted in conspicuous location at each clinical site.
*See USC Policy CLIN-200 for further information regarding use of the Notice of Privacy Practices.
Policies
Forms/Resources
Research (300)
- RES-301 Uses and Disclosures of Protected Health Information for Research Purposes
- HIPAA Research Authorization: Instructions for Use
- HIPAA Research Authorization
(Word file) (Word file en Español)
This template has been reviewed and approved by the respective USC IRBs. Please attach the enclosed documents to the subject's informed consent document. Any proposed changes to this form must first be approved by the Office of Compliance. Please see instructions for use for further information.
- Certification to Use Protected Health Information Preparatory to Research
Should be signed by USC researchers accessing health information for purposes of subject recruitment or for other purposes preparatory to research. May ONLY be used in connection with USC-held protected health information.
- Certification to Use Protected Health Information for Decedents Research
Should be signed by investigators accessing USC or non-USC health information for purposes of conducting research on decedents.
- Data Use Agreement
To be signed by all recipients of limited data sets.
- See USC HIPAA Policy RES-301 for further information about using these forms.
Policies
Forms/Resources
Fundraising/Marketing (400)
- HIPAA Privacy Rule Impact on Fundraising and Marketing: Announcement to Impacted Units
- Authorization for USC Fundraising Activities
This document should be signed prior to using individual identifiable health information (e.g., treatment, diagnosis) for fundraising activities.
- Authorization for USC Marketing Activities
This document should be signed prior to using individual identifiable health information (e.g., treatment, diagnosis) for marketing activities.
- Authorization for Use of Health Information for Media Purposes*
This document should be signed prior to using individual identifiable health information (e.g., treatment, diagnosis) for purposes of videotaping or filming interviews with patients for public relations purposes.
- Authorization for Use of Health Information for Media purposes [En Espanol] (.doc)
Forms/Resources
Non-Clinical Health Education (500)
- Uses and Disclosures of Protected Health Information for Non-Clinical Health Education and Instruction (PENDING)
Forms/Resources
Patients Rights (600)
- PAT-601 Access to Protected Health Information
Policy for addressing patient request to access protected health information.
- PAT-602 Amendment of Protected Health Information
Policy for addressing patient request to amend protected health information.
- PAT-603 Accounting of Uses and Disclosures of Protected Health Information
- PAT-604 Patient Requests to Restrict Certain Uses and Disclosures of Protected Health Information
Policy for addressing patient requests to restrict certain uses and disclosures of their identifiable health information.
- PAT-605 Patient Request to Receive Confidential Communications
Policy for addressing patient requests to receive confidential communications by alternative means or at alternative addresses.
- PAT-606 Review and Resolution of Patient Complaints
- PAT-607 Mitigation and Sanctions Policy
Policy for monitoring compliance with USC's privacy policies and mitigating harm in cases where there has been an unauthorized disclosure.
- Access Request Form
Patients who request access to their health information must complete this form.
- Denial of Access Form
To be used when a clinical unit denies a patient's request to access health information, in whole or in part, pursuant to the procedures set forth in USC Policy PAT-601.
- Request to Amend Form
Patients who request an amendment to their health information must complete this form.
- Acceptance of Request to Amend
To be used when a clinical unit accepts a patient's request to amend health information, in whole or in part, pursuant to the procedures set forth in USC Policy PAT-602.
- Denial of Request to Amend
To be used when a clinical unit denies a patient's request to amend health information, in whole or in part, pursuant to the procedures set forth in USC Policy PAT-602.
- Request for Accounting Form
Patients who request an accounting of their health information must complete this form.
- Accounting of Disclosures Tracking Log
For internal use by clinical units to track accountable disclosures in accordance with the HIPAA privacy rule requirements.
- Request to Receive Confidential Communications
Patients who request to receive confidential communications about their health information by alternative means or at alternative locations pursuant to USC Policy PAT-605 must complete this form.
Policies
Forms/Resources
Business Associates (700)
- BUS-701 Policy Regarding Business Associates
- Business Associate/Privacy and Security Agreement (.docx)
Policies
Forms/Resources
Responsible Office
Office of Compliance
ooc.usc.edu
complian@usc.edu
(213) 740-8258