HIPAA

Questions? Contact SCM Response Team

Overview

How to manage HIPAA (Health Insurance Portability and Accountability Act) issues when making a purchase at UCSF.

HIPAA (Health Insurance Portability and Accountability Act) implications

The Health Insurance Portability and Accountability Act (HIPAA) sets standards and regulations to protect patients from inappropriate disclosures of their protected health information (PHI). If your transaction involves potential exposure of, or outsiders' access to, UC PHI, you must ensure that such information and the University are protected.

When HIPAA comes into play

Determine whether PHI is involved with the transaction and whether the supplier will have potential access or exposure to PHI.

Additional information to help make this determination may be found on the UCSF Privacy Office website. Most but not all transactions involving HIPAA will be related to purchasing services. Examples of goods and services that may involve HIPAA include but are not limited to:

  • Goods:  Equipment such as a scanner, fax machine, copier, medical equipment, etc. The memory in the machine may cache or store images or data containing PHI; or software that includes remote access to, storage of, or management of data.
  • Services:  Transcription, translation, patient billing, patient or physician surveys, statistical services, data management, data hosting, shredding or other disposal (including equipment listed above) services, programming/development/software customization, services to patients.

Determine if your transaction will involve electronic transmission of UCSF PHI to sources outside the UCSF IT systems.

  • If yes, contact the appropriate IT Security Officers in order to ensure that an assessment of the receiving system is performed and the transfer of data is approved before submitting your purchase requisition.
  • Please also cc the Chief Privacy Officer on such communications.
  • The Security Officer will provide a written certification or approval of the recipient system to the departmental contact who initiated the request.

Documenting HIPAA on purchase form

Complete appropriate BearBuy Form

When processing your transaction in BearBuy, use the appropriate form for the good or service, and select HIPAA or no HIPAA. Your SCM Department-Assigned Buyer’s involvement will always be required for all HIPAA transactions so that a Business Associate Agreement (BAA) or appropriate contractual document to protect PHI may be generated.

Use the Non‐Catalog Form to buy goods

  • If the Non‐Catalog Form is used, in the Additional Internal Comments field, note that “HIPAA” is involved and include a brief description of supplier exposure to PHI.
    • If you have a certification or approval from IT Security, per Step 2 above, attach it as an Internal Attachment.

Use the Professional Services/Independent Consulting Form or Amount‐based PO Form to buy services

  • If the Amount‐based PO or Professional Services/Independent Consulting Forms are used, select “HIPAA” in the drop‐down box next to where it states, “If the supplier has access to Protected Health Information (PHI), select HIPAA. Otherwise select NO.”
    • In the Product Description or Brief Project Description field, include a brief description of supplier exposure to PHI.
    • If you have a certification or approval from IT Security, per Step 2 above, attach it as an Internal Attachment.


Selecting HIPAA on the Form

Please select “HIPAA”:

  • If the purchase involves sharing identifiable UCSF Health patient health data with the vendor/software; and
    • (In some cases, merely associating the patient with a specific study/department may be health data.)
  • The sharing is not part of an IRB-approved study; or
  • The sharing is part of an IRB-approved study and it’s for the vendor to conduct participant screening or recruitment.

Please select “No HIPAA”:

  • If the purchase does not involve sharing identifiable UCSF Health patient health data with the vendor/software; or
  • If identifiable UCSF Health patient health data will be shared with the vendor and all the following points are true. If any of these points are untrue, or if unsure, please contact the UCSF Privacy Office at [email protected] before proceeding:
    • The sharing is part of an IRB-approved study and is consistent with the study protocol and/or Informed Consent Form (ICF);
    • The sharing is not for the vendor to conduct participant screening or recruitment;
    • Participants signed HIPAA Research Authorization and ICFs authorizing the release of their data;
    • The shared patient data is maintained apart from the clinical medical record; and
    • The shared patient data will not be used for the participant’s clinical care or billing for clinical care.

Submit IT Security Approval

If a certification or approval from IT Security is required but has not been completed at the time you submit your requisition, email it to the Procurement Buyer assigned to your order once you have it. The Procurement Buyer cannot finalize the PO, associated contract and BAA until they have received such written certification/approval.


Important Links and Contact Information

For more information about HIPAA and PHI, please visit the UCSF Privacy Office website.

UCSF has received approved BAA language from UCOP; moreover, we maintain a pre‐signed BAA from UCOP that can serve as a systemwide BAA covering all UC campuses with a supplier. UCSF requires that this BAA and BAA language be used with suppliers. Exceptions/changes to this BAA language are unlikely, and the process of pursuing such exceptions/changes is difficult, involved and lengthy.