Privacy Policy & Procedure Manual

Operational Guidelines for Health Information

Individual Policies and Procedures by Section

Last Revision

Section 1: General HIPAA and Privacy Rules



Relationship of University of Florida Health Care Components and Affiliated Entities
 - List of University of Florida Health Care Components
 - List of Affiliated Entities



Protected Health Information and De-Identification
 - The 18 HIPAA-defined Identifiers
 - De-Identification and Re-identification of PHI



Maintaining Confidentiality of Health Information
 - UF’s Commitment to Privacy & Confidentiality
 - Privacy Policies: Scope and Application
 - Access to PHI
 - Mandatory Training
 - Healthcare Volunteers, Visitors and Vendors
 - Charitable and Other Outside Activities

    Confidentiality Statement  Form



Reporting & Responding to Privacy Violations
 - Reporting Privacy Violations
 - Investigations and Disciplinary Actions
 - Required Notifications for Privacy Breaches
 - Mitigation and Sanctions
 - Disclosures By Whistleblowers and Non-Retaliation
 - Preventing, Responding to, and Reporting Incidents
 - Definitions: Incidental, Accidental, Intentional Disclosures

Incident Report - Protected Health Information 
PDF Form      Fillable Form
Incident Report - Personal Identification Information 
PDF Form      Fillable Form



Verification of Identity and Authority and Personal Representatives
 - Evidences of Identity
 - Personal Representatives
 - Verification Requirements
 - Exercise of Professional Judgment
 - Minors, Incapacitated Adults, Deceased Patients
 - Verifying the Authority of a Public Official



Minimum Necessary Rule
 - Limiting Uses, Disclosures, and Requests

   Minimum Necessary Decision Tree Table
   Examples of Routine and Non-Routine Disclosures Table



Education and Training
 - Documentation of Training
 - Responsibilities for Training
 - Training Programs:
    Level 1: General Awareness / HIPAA for Research
    Level 2: Policies & Procedures
    Level 3: Role-Specific

Section 2: Health Information and Record Management



Health Information Management: General Policies
(See Section 2.4 for Retention & Storage Guidlines)
 - Maintenance and Ownership of UF Records
 - Confidentiality and Availability of Records
 - Content of UF Records
 - Use and Disclosure of Records
 - Removal of Health Information from UF or Shands
 - Health Information Custodians at UF
 - Health Information Management Personnel

    Designated Record Set  Table
    Record Custodian List  Table



HIM: Documentation Rules
 - Authorization to Document
 - General Documentation Requirements: Paper / Electronic
 - Additions/Amendments/Corrections
 - Copies of Health Records from Other Facilities/Providers
 - Record Errors That Cannot Be Corrected by the User
 - Co-Signatures



HIM: Record Management Guidelines
 - Active Record Storage, Security, and Control
 - Removal of Health Information from Premises
       Records for Depositions - see Section 3.4
 - Duplication of Patient Information
 - Record Management During Disasters
 - Management and Organization of Paper Records
 - Recovery of Lost or Damaged Paper Records
 - When Record Recovery Is Not Possible



HIM: Retention, Archiving, and Disposal
 - Retention Rules for Records
 - Archiving and Storing Inactive Records
 - Disposal and Destruction of Records
 - Preparing Records for Storage
 - Disposing of Non-Primary Records / Documents
 - Permanently Destroying Whole Health Records

     Appropriate Record Destruction Methods  Table
     Record Inventory Log  Form
     Record Destruction Log Form
     UF Records Disposition Request Form

Section 3: Uses and Disclosures of PHI



Uses and Disclosures: General Rules
 - General Rules for Uses and Disclosures of PHI
 - Information Subject to More Stringent Laws
 - UF’s Organized Health Care Arrangement
 - Disclosing PHI to Other Entities
 - Uses/Disclosures of PHI Permitted Without Authorization
 - Other Limited Uses/Disclosures of PHI
       General Rules for Providing Copies of Records
       Documenting and Maintaining a Log of Disclosures
       Purchasing/Updating Systems That Use e-PHI
       Agencies Claiming Exemption from HIPAA
       Media Requests for Patient Information



Uses and Disclosures: "Super-Confidential" Health Information
 - Information Specifically Protected by Law
 - Limited Disclosures
 - Responding to requests for super-confidential records
   - By Patient Authorization
   - By Subpoena or Court Order
 - Required Non-Redisclosure Statements



Uses and Disclosures: Family Members and Friends
 - Personal Representatives
 - Patients’ Rights to Restrict Disclosures
 - Verification of Identity and Authority



Uses and Disclosures: Authorizations for Release of Health Information
 - Uses and Disclosures of PHI Must Be Authorized
 - Valid Authorizations
 - Revoking an Authorization
 - Use of Authorization Forms
 - Alteration of Authorization Forms
 - Retention of Authorization Forms
 - Expiration Dates
 - Verbal Agreements / Authorizations

     Authorization to Use or Disclose PHI  Form
     Authorization for Electronic Communications  Form
       Alert for Electronic Communication Tip Sheet
     Authorization for Public Activities  Form
     Authorization for De-Identified Health Information  Form



Uses and Disclosures: Health Records for Depositions
 - Authority to Remove Health Records from UF Premises
 - Notifying the Deposing Attorney



Uses and Disclosures: Subpoenas, Court Orders, and Attorney Requests
 - If You Receive a Subpoena...
 - Processing Requests for Health Records
    - When Shands is the Record Custodian
    - When Using Contracted Copying Services
      (e.g., HealthPort, Bactes)
    - When Not Using Contracted Copying Services

 - Certifying Copies of Health Records
     Copying, Production, and Inspection Fees   Table



Uses and Disclosures: Fundraising
 - Rules for Fundraising
 - Written Authorization Required for Use of PHI
 - Opting Out and Maintaining the Opt-Out Log
 - Institutionally-related foundations involved in fundraising

    Attestation of Compliance  Form



Uses and Disclosures: Marketing
 - Rules for Marketing
 - Written Authorization Required
 - Maintaining the Opt-Out Log
 - Prohibition Against Selling PHI
 - Marketing Definitions & Examples
 - Obtaining Authorization



Uses and Disclosures: Research
 - Authorizations, Waivers, and Certificates
 - De-Identified Health Information
 - Honest Broker Services
 - Requesting Health Records, Information and Data
 - Research Document Retention and Storage
 - Correcting Improper Procedures: 30-Day Cure
     Failure to Obtain Authorization
     Failure to Obtain Waiver of Authorization



Uses and Disclosures: Sale of PHI
 - Authorization Required for Sale
 - Sale of PHI Exclusions

Section 4: Patient's Rights



Patient's Rights: Notice of Privacy Practices
 - Notice and Acknowledgement of Receipt Required
 - Availability of the Notice
 - Changes in the Notice
 - Organized Health Care Arrangement
 - Procedures for Providing the Notice and Tracking

    Notice of Privacy Practices (English)
    Acknowledgment of Receipt of NPP (English) (Español)



Patient's Rights: Access to Personal Health Records
 - Right to Inspect or Receive Copies
 - CLIA: When the Right of Access Does Not Apply
 - Authorizations
 - Health Records of Deceased Patients
 - Authorizations and Verification
 - To Receive Copies of Records
 - To Inspect or View Records

    Copying and Inspection Fees Table
    Authorization to Use and Disclose PHI  Form



Patient's Rights: Request to Restrict Uses and Disclosures
 - Decisions to Grant or Deny Requests
 - New and Additional Requests for Restrictions
 - Terminating or Changing the Restriction
 - Coordinating, Documenting, and Communicating

    Request for Restrictions   Form



Patient's Rights: Request for More Confidential Communications
 - Verbal and Written Communications
 - Final Decision-Making Authority
 - Procedures for Staff
 - Procedures for Managers

    Request for More Confidential Communications   Form



Patient's Rights: Request for Amendment of Health Records
 - Responding to Requests for Corrections or Amendments
 - Procedures for Staff
 - Procedures for Managers
 - Privacy Office Involvement
 - Making Corrections and Amendments
 - Documenting the Request Response
 - Future Disclosures
 - Corrections/Amendments from Other Providers

     Request for Amendment of a Medical Record  Form
     Response to Request for Amendment  Form



Patient's Rights: Privacy Complaints
 - Right to File a Complaint
 - Non-Retaliation and No Waiver of Rights
 - Where to File Complaints: Names and Addresses
 - Informing the Privacy Office and Follow Up

    Privacy Complaint Form  Form



Patient's Rigths: Accounting for Disclosures
 - Background for Understanding the Requirement
 - Patient’s Right to Request an Accounting
    - Time limitations, Report format
    - Fees for providing an accounting report
 - UF’s Responsibilities to Track Disclosures
    - Purpose of the Online Disclosure Tracking System
    - Accessing and Using the Online DTS
    - Recording Disclosures
 - Requesting an Accounting of Disclosures
 - Responding to a Request for Accounting
 - Grounds for Temporary Suspension of Right
 - Accounting for Disclosures during Research

    Request for Accounting of Disclosures  Form

Section 5: Security of PHI



Security: Privacy Safeguards
 - Computer Surveillance
 - Physical Safeguards:
    Securing Paper and Electronic Records
 - Administrative Safeguards
    Policies and Procedures
    Incident Management
    Notice of Termination
    Required Training
 - Technical Safeguards
    Computer Access Controls
    Acquiring and Maintaining Access to PHI
    Terminating Access to PHI



Security: Personal Portable Data Devices
 - Devices Included: Wireless phones, “smart” phones, “pods” and “pads”, USB's, dictation equipment, laptop or notebook computers, blackberry devices, digital cameras, video recorders, and similar devices
 - Use of Personal Cameras
 - Protecting Personal Devices and Contents
 - Limiting Data and Security Devices
 - Reporting Loss or Theft



Security: Electronic Databases
 - Requirements for Securing Databases
    Location of Data
    Limiting Access and Maintaining Logs
 - Products of Electronic Databases
 - Transport of Data
 - Purging and Destruction of Data



Security: Electronic Mail
 - Conditions for Including PHI in Emails
    Patients and Research Participants
    Internal E-mails
    Research Communications
    External E-mails
 - Patient Communications via EHR System
 - Alerting Patients of E-mail Hazards
 - Email Disclaimer Notice
 - Encryption Suggestions

   Alert for Electronic Communications  Tip Sheet
   Authorization for Electronic Communications  Form



Security: Video- and Audio-Conferences
 - Conference Elements to Be Pre-Approved
 - Conferencing and Patients' Rights

    Alert for Electronic Communications   Tip Sheet
    Authorization for Electronic Communications   Form



Security: Verbal, Telephone, and Other Types of Communications
 - Use of Interpreters
 - Use of Telephone Devices for Hearing Impaired
 - Verbal and Substitute Communications in Healthcare
 - Telephone Use in Healthcare Areas



Security: Faxing PHI
 - Fax Cover Sheets
      Confidentiality Disclaimer
 - Pre-programming Fax Numbers
 - Verification Procedures
 - Reporting Faxing Errors

   Sample Fax Cover Sheet - Form

Section 6: Other Privacy Policies and Procedures



Visitors, Vendors, Volunteers, and Observers
  Visit the web page here.
 - General Rules
    - Exception for visiting faculty
    Observing and Volunteering by Minors
    Sponsor Responsibilities
    Patient Authorizations for Observer's Presence
    Access to PHI and Restricted Information
    Required Training
 - Privacy Policies for Volunteering
 - Privacy Policies for Observing or “Shadowing”
    Individual Observers
    Groups of Observers

 Volunteer Request   Fillable Form   PDF form
 Request to Observe  Fillable Form   PDF form
 Group Roster  PDF form



Student Data Access - Electronic Medical Records
  Visit the web page here.
 - Pre-Approval Required for UF Students
     Programs Authorized for Access to PHI
     Students who are also employees
     Sponsors and Their Responsibilities
     Student Responsibilities
     Time Limits and Standards for Access
     Shands Requirements
 - Use of Data
 - Access to PHI for Students in Research
    Routine process for student access

  Student Data Access Application Fillable Form
  Student Date Access  Chart



Honest Broker Certification
  Visit the web page here.
 - Uses and Disclosures of PHI for Research
 - Honest Broker Requirements
    Sponsorship or Appointment
    Education and Training
    Application Process
    Attestation of Agreement
 - Honest Broker Certification Procedures:
    Certification, Approval and Maintenance
    Adding and Removing Brokers
    Duties and Other Requirements
    Honest Broker Data Requests
Honest Broker Application Forms are available on request - please call the Privacy Office at the number below.


Complete Text of Operational Guidelines, including Table of Contents
PDF document


All of the above policies apply to all of the following entities:

The University of Florida Health Science Centers, together including the UF Health Science Center clinics and physicians' offices; the Florida Clinical Practice Association; the University of Florida Student Health Center, the University of Florida Wellness and Counseling Cente, the University of Florida Jacksonville Physicians, Inc.; the University of Florida Jacksonville Healthcare, Inc.; the University of Florida Colleges of Medicine, Nursing, Health Professions, Dentistry and Pharmacy; and other affiliated health care providers, including all employees, volunteers, staff and other University of Florida health services staff. See Section 1.1. above for more details.

UF Privacy Homepage

UF Privacy Office Contact Information
UF Privacy Policies

Health Information Privacy

Health Information Privacy Contacts
More About HIPAA

Policies & Procedures

Operational Guidelines - Health
Forms - Health


HIPAA & Privacy - General Awareness
HIPAA for Researchers
HIPAA for Visitors & Vendors
HIPAA for Fundraisers

The Red Flag Rules
FERPA Basics: Student Records
Protecting Social Security Numbers

Certificate Lookup

pointerPrint your Certificate or
Confidentiality Statement!!

Confidentiality Statement

Report an Incident

File a Complaint

UF HSC Jacksonville

(including UFJHI and UFJPI)

Access to Epic

Accounting for Disclosures

E-Mail Authorization

Honest Broker for Research

Release of Health Information

Shadowing & Volunteering

Social Security Numbers



Frequently Asked Questions
HIPAA & Research at UF
Computers & Electronic Data
Emails & PHI
Disclosures Allowed By Florida Laws
HIPAA and Fundraising

Identity Theft

How it Happens, Reduce Your Risk, What To Do If You're a Victim



Confidentiality Statement

Other UF Resources

UF Home
UF Directory
Health Science Center
HSC Information Security - SPICE
UF IT Security