A new security rule for protecting individuals’ computer-based health information as prescribed by the federal Health Insurance Portability and Accountability Act (HIPAA) became effective on April 20, 2005. The University is required to comply with the new Security Rule.
For those who aren’t familiar with it, HIPAA is the federal Health Insurance Portability and Accountability Act of 1996. HIPAA regulations require that health care providers, health plans and health care clearinghouses take certain measures to protect patient information from unauthorized use or disclosure. HIPAA is a federal law enacted to safeguard what it terms "protected health information" or PHI.
You may remember during a visit to your doctor, pharmacist or dentist over the past two years that you were asked to read and sign a new form. That form, in most cases, was the HIPAA notice and disclosure that medical providers have their patients sign to verify that they understand the medical provider has standards and obligations under HIPAA.
The University of California, like many large employers, offers various health plans to its employees and retirees. The plan provider, the University of California or an insurance carrier, is subject to the HIPAA regulations. But unlike medical providers, the University rarely collects or uses PHI in the administration of your health coverage. In fact, most medical information at the University comes from health plan members who provide PHI when they call or write the University for assistance to resolve an eligibility issue or a complaint about their medical plan or provider.
When you call or write to University representatives about a problem with your health plan, it is best not to include specifics about diagnosis, medications, or health history unless it has been requested. However, sometimes more detailed information may be necessary to process your request, so please be sure to include your phone number with your correspondence.
In 2003, the HIPAA Privacy Rule became effective, and the University completed a major effort to become compliant. The focus of the Privacy Rule was the management of PHI.
The new Security Rule imposed certain requirements for the University’s use of electronic protected health information, or ePHI. They call for policies to safeguard ePHI that is created, received, maintained, or transmitted in electronic media. The University has undertaken a systemwide effort to come into compliance with these standards. All ten UC campuses and the national laboratories are involved in this effort.
The Universitywide HIPAA website is being redesigned to include information on the HIPAA Security Rule. This site will include guidelines and a summary of the regulations, educational materials describing the training process, and related documents of interest. Links pointing to campus HIPAA websites and other sites of interest will also be included in the updated UC HIPAA site.
