HIPAA Compliance

UHC engaged Science Applications International Corporation (SAIC) to assess the impact of HIPAA on its database operations and the database products provided to UHC members (Members).
The main objectives of this effort were to:
  • Assess the current status of UHC and its readiness to comply with the HIPAA regulations. The assessment included interviews, review of documents, review of policies and procedures, internal vulnerability testing and external penetration testing.
  • Perform and provide a gap analysis to compare the current state of UHC’s operations, activities, practices, policies and procedures with the proposed Security standards and final Privacy requirements of HIPAA.
  • Develop recommendations for UHC to comply with the HIPAA regulations.

As part of this effort, a review was conducted of how UHC collects, uses and discloses protected health information (PHI) in the following databases: Clinical Database (CDB), Clinical Database-Pharmacy (CDB-P), Clinical Process Improvement (CPI), Faculty Practice Solutions Center, and Patient Safety Net (PSN).

Based on the findings of the assessment, it was determined that:

  • UHC is a business associate to the Members, which are the “covered entities” as defined by HIPAA;
  • UHC will be required to enter into a business associate contract with Members to obtain individually identifiable health information for the purposes of de-identifying and aggregating the data provided by Members and conducting database operations including data analysis, processing and administration;
  • UHC's database operations, including clinical benchmarking activities, are “healthcare operations” as defined by HIPAA;
  • UHC's clinical benchmarking activities are not “research”, as defined by HIPAA, because benchmarking is primarily conducted for UHC member health care operations and is not designed to develop or contribute to generalizable knowledge;
  • UHC will be permitted to provide Members with Web access to create de-identified aggregate reports or provide de-identified aggregate reports to Members;
  • UHC will be permitted to provide Members with Web access to create reports containing their own PHI or provide reports to Members containing their own PHI; and
  • UHC member institutions will be permitted to publish (e.g., in peer-reviewed journals) the de-identified results of UHC database operations and clinical benchmarking activities.

Although UHC itself is not considered a “covered entity” as defined by HIPAA, UHC will be required to implement appropriate safeguards, policies and procedures and provide individuals to whom PHI pertains with certain rights.

UHC is in the process of implementing the privacy recommendations with the objective of obtaining a legal opinion that UHC is compliant with the HIPAA privacy rules and regulations. At the same time, UHC is also implementing the security recommendations, but may be required to revise that process as the final HIPAA Security Regulations have not yet been issued by DHHS.

Questions on UHC’s HIPAA compliance process? For HIPAA privacy-related issues contact Tom Kiser, UHC General Counsel, at (312) 775-4235 or kiser@uhc.edu, and for HIPAA security-related issues contact Pete Giordano, Senior Manager, Corporate Security, at (312) 775-4189 or giordano@uhc.edu.

For More Information

Tom Kiser, JD - vice president & general counsel, Legal Department

©2015 UHC. All rights reserved.
UHC refers to University HealthSystem Consortium. For a complete explanation of UHC’s rights and disclaimers related to the information and documents on this site, click here.
UHC ®, 155 North Wacker Drive, Chicago, Illinois, 60606, (312) 775-4100.