Privacy FAQ

What is considered confidential protected health information (PHI)?

PHI is information created or received by a health care provider or health plan that includes health information or health care payment information plus information that personally identifies the individual patient or plan member. PHI identifiers include a patient's name, email, home address, identifying numbers (including Social Security, medical records, insurance numbers, biomedical devices, vehicle identifiers and license numbers), full facial photos, other biometric identifiers, and dates (such as birth date, dates of admission and discharge, death).

The HIPAA Privacy Rule provides Federal protections for PHI held by covered entities and gives patients an array of rights with respect to that information. At the same time, the Privacy Rule is balanced so that it permits the disclosure of PHI needed for patient care and other important purposes. HIPAA requires hospitals and care providers to have written and specific authorization from an individual patient (or patient's authorized personal representative) before using or disclosing the patient's PHI for purposes other than for treatment, payment or healthcare operations, except as required by law. Patients have the right to withhold or revoke an authorization for release of PHI.

UC Davis Health workforce members are authorized to access PHI so long as there is a work need for the access. A work need typically falls within the Treatment, Payment, or Health Care Operations provisions found in HIPAA. For any other purpose, the patient must provide authorization for the access or there must be an applicable exception to patient authorization.

What is the Health Insurance Portability and Accountability Act (HIPAA)?

In May 2002, the Board of Regents designated the University of California as a HIPAA hybrid covered entity and determined that UC would be a Single Health Care Component for the purposes of complying with the HIPAA Rule. All of the entities at UC that are covered by the HIPAA Privacy and Security Rules (medical centers, medical clinics, health care providers, health plans, student health centers) are a single entity for purposes of compliance with HIPAA. However, the research function is excluded from HIPAA coverage at UC.

Accordingly, research health information that is not associated with a health care service is not subject to the HIPAA Privacy and Security Rules. Other state and federal laws govern privacy and confidentiality of personal health information obtained in research.

HIPAA regulations apply to employees, health care providers, trainees and volunteers at UC medical centers and affiliated health care sites or programs and employees who work with UC health plans. HIPAA regulations also apply to anyone who provides financial, legal, business, or administrative support to UC health care providers or health plans. Visit the University of California, Office of the President (UCOP) HIPAA website.

Who is authorized to access PHI?

UC San Diego Health workforce members are authorized to access PHI so long as there is a work need for the access. A work need typically falls within the Treatment, Payment, or Health Care Operations provisions found in HIPAA. For any other purpose, the patient must provide authorization for the access or there must be an applicable exception to patient authorization.

What is the California Confidentiality of Medical Information Act (CMIA)?

The California Confidentiality of Medical Information Act (CMIA) authorizes a provider of health care to disclose medical information to a local health department, without first obtaining authorization, for the purpose of preventing or controlling disease, including for the purpose of public health interventions. (CA Civil Code §56.10(c)(18).)