
U of A HIPAA Privacy Program

The University of Arizona HIPAA Privacy Program (HPP) is a part of University Privacy and oversees all ongoing activities related to U of A’s implementation of HIPAA policies and procedures and is the office primarily responsible for ensuring U of A’s HIPAA compliance. 

The HIPAA Privacy Officer is responsible for developing and implementing relevant procedures, training and educational materials, and responding to privacy breaches.


HIPAA

The Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act under the American Recovery and Reinvestment Act of 2009 (ARRA), along with associated regulations, establish national standards for the protection of individuals' protected health information (PHI). These rules govern the use and disclosure of PHI by covered entities and their business associates, and include requirements for privacy, security, and breach notification.

Hybrid Entity Status

The U of A is a Hybrid Entity and has designated Health Care Components in accordance with 45 CFR § 164.105. These Health Care Components must comply with HIPAA, including the Privacy Rule, the Security Rule, and the Breach Notification Rule. Each of the designated Health Care Components is required to comply with the University of Arizona's Notice of Privacy Practices. If you have questions about whether you, your department, or your program is a HIPAA covered entity, please contact the HIPAA Privacy Office to discuss.

HIPAA comprises several key rules and provisions, each aimed at addressing different aspects of health information privacy and security:

Privacy Rule

The Privacy Rule addresses the use and disclosure of an individual's health information (PHI) by organizations subject to the Privacy Rule — at the U of A, this refers to our designated Covered Components as defined under the Hybrid Entity Status.

What Information is Protected

The Privacy Rule protects all individually identifiable health information held or transmitted by a covered component under the hybrid designation or its business associate, in any form or media, whether electronic, paper, or oral.

PHI is defined as information that relates to:

  • the individual’s past, present, or future physical or mental health or condition;
  • the provision of health care to the individual; or
  • the past, present, or future payment for the provision of health care to the individual.

Individually identifiable health information includes 18 specific identifiers, many of which are common identifiers (e.g., name, address, birth date, Social Security Number) not related specifically to their health record. The Privacy Rule excludes from protected health information education and certain other records subject to, or defined in, the Family Educational Rights and Privacy Act (FERPA).

Permitted Uses and Disclosures and Individual Rights

A list of all permitted uses and disclosures, along with the rights that each individual has under HIPAA, is outlined in the University of Arizona’s Notice of Privacy Practices.

Security Rule

The Security Rule sets national standards for protecting the confidentiality, integrity, and availability of electronic protected health information (ePHI), that is, PHI that is created, received, stored, or transmitted in electronic form. The Security Rule applies to covered entities (such as healthcare providers, health plans, and healthcare clearinghouses) and their business associates who handle ePHI. The Security Rule has three main sections:

Administrative Safeguards: Policies and procedures to manage the selection, development, and implementation of security measures. This includes risk assessments, workforce training, and access controls.

Physical Safeguards: Measures to protect physical infrastructure and equipment that store or access ePHI. This includes facility access controls, workstation security, and device and media controls.

Technical Safeguards: Measures to protect ePHI through technological means. This includes access controls, audit controls, integrity controls, and transmission security.

Breach Notification Rule

The Breach Notification Rule requires covered entities and business associates to notify affected individuals, the Secretary of Health and Human Services (HHS), and in some cases, the media, of breaches of PHI.

To notify the HIPAA Privacy Program of a potential breach, please complete the Data Privacy Incident report and a member of University Privacy will perform an investigation to determine if a breach has occurred and needs to be reported.

Notification Requirements: Notifications must be made without unreasonable delay and no later than 60 days after the discovery of the breach. Notifications must include:

  • A description of the breach.
  • The types of information involved.
  • Steps individuals can take to protect themselves.
  • Actions taken by the covered entity or business associate to mitigate the breach.