How To Manage HIPAA (Health Insurance Portability and Accountability Act)

The Health Insurance Portability and Accountability Act (HIPAA) sets standards and regulations to protect patients from inappropriate disclosures of their protected health information (PHI). If your transaction could expose UC PHI, or give outside parties access to it, you must ensure that both the information and the University are protected.

When processing your transaction in BearBuy, use the appropriate form for the good or service, and indicate HIPAA applicability on the form itself in the designated section.

Use the Non-Catalog Form to buy goods, and the Professional Services/Independent Consulting Form or the Amount-based PO Form to buy services. An SCM Buyer's involvement is always required for HIPAA transactions so that a Business Associate Agreement (BAA) or other appropriate contractual document protecting PHI can be generated.

Step 1: Determine whether PHI is involved in the transaction and whether the supplier will have potential access or exposure to PHI.

Additional information to help make this determination is available on the UCSF Privacy Office website. Most, but not all, HIPAA-related transactions involve purchasing services. Examples of goods and services that may involve HIPAA include, but are not limited to:

  • Goods: equipment such as scanners, fax machines, copiers, medical equipment, etc., whose memory may cache or store images or data containing PHI; or software that provides remote access to, storage of, or management of data.
  • Services: transcription, translation, patient billing, patient or physician surveys, statistical services, data management, data hosting, shredding or other disposal services (including for the equipment listed above), programming/development/software customization, and services provided to patients.

Step 2: Determine whether your transaction will involve electronic transmission of UCSF PHI to systems outside the UCSF IT environment.

  • If yes, contact the appropriate IT Security Officers so that an assessment of the receiving system is performed and the data transfer is approved before you submit your purchase requisition.
  • Cc the Chief Privacy Officer on such communications.
  • The Security Officer will provide written certification or approval of the recipient system to the departmental contact who initiated the request.

Step 3: Complete the appropriate BearBuy form:

  • If the Non-Catalog Form is used, note in the Additional Internal Comments field that HIPAA is involved and include a brief description of the supplier's exposure to PHI.
    • If you have a certification or approval from IT Security, per Step 2 above, attach it as an Internal Attachment.
  • If the Amount-based PO Form or the Professional Services/Independent Consulting Form is used, select "HIPAA" in the drop-down box next to the statement "If the supplier has access to Protected Health Information (PHI), select HIPAA. Otherwise select NO."
    • In the Product Description or Brief Project Description field, include a brief description of the supplier's exposure to PHI.
    • If you have a certification or approval from IT Security, per Step 2 above, attach it as an Internal Attachment.

Step 4: Submit IT Security Approval

If a certification or approval from IT Security is required but has not been completed when you submit your requisition, email it to the Procurement Buyer assigned to your order once you have it. The Procurement Buyer cannot finalize the PO, the associated contract, or the BAA until they have received the written certification/approval.

Important Links and Contact Information:

For more information about HIPAA and PHI, please visit the UCSF Privacy Office website.

UCSF has received approved BAA language from UCOP and maintains a pre-signed BAA from UCOP that can serve as a systemwide BAA covering all UC campuses with a supplier. UCSF requires that this BAA and its language be used with suppliers. Exceptions or changes to this BAA language are unlikely to be granted, and the process of pursuing them is difficult, involved, and lengthy.