Compliance Program

Managers' HIPAA guide

What will you do differently the morning of April 14, when the HIPAA privacy rule takes effect? Here's a quick guide to help you remember some of the most compelling things that should be going on at UC Davis Health System.

  1. Notice of Privacy Practices is displayed in clinics, admissions, ER, and posted on the health system web site.
  2. Give patients a copy of the Notice of Privacy Practices and make good-faith efforts to obtain written acknowledgment of receipt.
  3. Avoid verbal discussions of protected health information (PHI) on the phone, in public areas, or in reception/waiting areas that are within earshot of people who don't have a need to know.
  4. Don't leave sensitive information on telephone answering machines.
  5. Limit PHI, or use only the minimum necessary, in announcements made in clinic waiting rooms.
  6. You may share PHI with family, friends, or a personal representative identified by the patient as someone involved in their care.
  7. Limit patient information on whiteboards, X-ray boxes, computer screens and other areas that may be visible to the public and others who don't need access to PHI.
  8. Follow safeguards for PHI that is transmitted by fax or e-mail.
  9. Promptly file away and secure folders that contain patient medical records.
  10. Make sure that computer/network security measures are in place (e.g., that screensavers kick in quickly, passwords are not taped to the monitor, machines are turned off at night, and access from off site is carefully restricted).
  11. Do not share passwords.
  12. Make sure the physical plant is locked down at night, with windows closed and doors locked.
  13. Remind people that only the "minimum necessary" PHI should be disclosed except for treatment purposes.
  14. Make sure separated employees turn in their keys and building cards and terminate their network access.
  15. Enter required disclosures of PHI in the Disclosure Tracking Database.
  16. Make sure written authorizations to use and disclose PHI are received except for treatment, payment, operations, and exceptions permitted in the policy.
  17. Make sure new and existing employees participate in HIPAA privacy training.
  18. Make sure everyone is aware of the rights patients have to review (and get copies of) their records and what procedures will be followed.
  19. Make sure everyone knows who patients should speak with if they have questions about their HIPAA privacy rights.
  20. Be sure everyone in your work force knows who the privacy officer is and who they should contact with patient privacy questions or problems. The privacy officer is Anna Orlowski, anna.orlowski@ucdmc.ucdavis.edu, (916) 734-8808.