Skip to main content

HIPAA NOTICE OF PRIVACY PRACTICES 

This notice describes how your medical information may be used and disclosed and how you can get access to your medical information. Please review this notice carefully. 

University of Arizona Hybrid Designation 

The U of A is a Hybrid Entity and has designated Health Care Components in accordance with its HIPPA Policy and 45 CFR 164.105. As of the date of this notice, the following departments, clinics, programs, and functions have been designated as Health Care Components under its hybrid designation: 

  • UA Center for Population Science and Discovery 

  • UA Center for Applied Genetics & Genomic Medicine 

  • Arizona Telemedicine and Telehealth Center 

  • Biomedical Informatics and Biostatistics – Clinical Data Warehouse 

  • College of Medicine – Tucson 

  • College of Medicine – Phoenix 

  • College of Nursing 

  • College of Pharmacy 

  • College of Public Health 

  • Campus Health Services 

  • Speech, Language, and Hearing Clinic 

  • LIFESteps Program 

  • UA Genetics Core 

  • Research Laboratory Safety Services 

Other units at the University may receive, handle, and store PHI for research or other purposes. Each of these units or departments should ensure that they have the appropriate processes and technologies in place to secure the PHI and align with this statement. Designations for the covered components under the hybrid designation may change as future assessments of HIPAA across the university are performed. 

How We May Use and Disclose Your Protected Health Information (PHI) 

The following sections describe different ways that we may use and disclose your information. 

Treatment: We may use health information about you to provide you with medical treatment, coordinate, or manage your health care and any related services. We may use and share health information about you with staff who are part of your treatment team involved in your care. We may also disclose your health information to providers not affiliated with the U of A, such as your personal physicians, for care coordination or treatment purposes. 

Payment: We may use and disclose health information about you to bill and receive payment for health care services that we or others may provide to you. We may also inform your payor about a treatment you are planning to receive to determine whether your payor will cover the cost of the treatment. For certain services, if your permission is needed to release health information to obtain payment, you will be asked for permission. 

Health Care Operation: We may use and disclose health information about you for health care operations, including functions required to ensure that all patients receive quality care. For example, we may use health information to review our treatment and services to evaluate the performance of the staff in caring for you. We may also use or disclose your health information to assess compliance with licensure and regulatory requirements or to review the quality, efficiency and cost of care. We may share information with providers and other personnel for quality assurance and educational purposes. 

Business Associates: The U of A contracts with other entities that perform business services such as quality assurance reviewers, attorneys, or information technology specialists. In certain circumstances, we may need to share your health information with a business associate so it can provide a service on our behalf. We will have a written contract in place with the business associate requiring protection of the privacy and security of your health information. 

Appointment Reminders: We may contact you to remind you about your appointment(s). We will communicate with you using the contact information that you provide. Unless you notify us to the contrary, we may use the contact information you provide to communicate general information about your care such as appointment location, date and time. 

Treatment Alternatives: We may use and disclose health information to tell you about or recommend possible treatment options or alternatives that may be of interest to you. 

Health-Related Benefits and Services: We may use and disclose health information to tell you about health-related benefits or services that may be of interest to you. 

Others Involved in Your Care: We may release health information about you to a family member or friend who is involved in your medical care. We may also give information to someone who helps to pay for your care.  

Research: The U of A may use or disclose your health information for research projects. Such research projects must go through a special process that protects the confidentiality of your health information. We generally ask for your written authorization before using your health information or sharing it with others to conduct research. Under limited circumstances, we may use and disclose your health information without your authorization. In most of these latter situations, we must comply with applicable laws and regulations and obtain approval through an independent review process to ensure that research conducted without your authorization poses minimal risk to your privacy. Researchers may also contact you to see if you are interested or eligible to participate in a study. 

Other University Units or Departments: We may disclose certain information about you to other units or departments of the University of Arizona for research purposes or to help in providing you with the best care possible. 

Teaching and Educational Purposes: The U of A may use or disclose your PHI for teaching and educational activities. These activities may include training healthcare professionals, students, and staff to improve the quality of care and enhance professional knowledge. Whenever possible, we will limit the information shared to the minimum necessary and take steps to protect your privacy. 

To Prevent a Serious Threat to Health or Safety: We may use and disclose certain information about you when necessary to prevent a serious threat to your health and safety or the health and safety of others. However, any such disclosure will only be to someone able to prevent or respond to the threat, such as law enforcement, or to the potential victim. For example, we may need to disclose information to law enforcement if a patient states an intent to harm him- or herself or someone else. 

Our Duties and Responsibilities 

We are required to: 

  • Maintain the privacy and security of your PHI. 

  • Provide you with this Notice of our duties and privacy practices. 

  • Notify you in the event of a breach of unsecured PHI. 

  • Follow the terms of this Notice currently in effect. 

Confidentiality of Substance Use Disorder Records  

We are required by Federal law and regulation (42 USC 290dd-2 and 42 CFR Part 2) to protect the confidentiality of records related to substance use disorder treatment. Such records may be used or disclosed only with your written consent, except in the limited circumstances expressly permitted by law—such as for treatment, payment, or healthcare operations when you provide a valid comprehensive consent, or when required by a court order or other federal law. We prohibit onward disclosure of Part 2–protected records unless authorized by you or permitted by law. 

Legally Permitted Disclosures Allowed Under HIPAA 

Workers' Compensation: We may release health information about you for workers' compensation or similar programs. These programs provide benefits for work-related injuries or illness. 

Public Health Activities: We may disclose health information about you for public health activities. These activities include, but are not limited to the following: 

  • To prevent or control disease, injury or disability 

  • To report births and deaths 

  • To report the abuse or neglect of children, elders and dependent adults 

  • To report reactions to medications or problems with products 

  • To notify you of the recall of products you may be using 

  • To notify a person who may have been exposed to a disease or may be at risk for contracting or spreading a disease or condition 

  • To notify the appropriate government authority if we believe you have been the victim of abuse, neglect or domestic violence; we will only make this disclosure when required or authorized by law 

  • To notify appropriate state registries when you seek treatment at SLHS for certain diseases or conditions 

Health Oversight Activities: We may disclose health information to a health oversight agency for activities authorized by law. These oversight activities include audits, investigations, inspections, and licensure. These activities are necessary for the government to monitor the health care system, government programs, and compliance with civil rights laws. 

Lawsuits and Disputes: If you are involved in a lawsuit or a dispute, we may disclose health information about you in response to a court or administrative order. We may also disclose health information about you in response to a subpoena, legally enforceable discovery request, or other lawful process by someone else involved in the dispute. 

Law Enforcement: We may release health information if asked to do so by law enforcement officials in the following limited circumstances: 

  • In response to a court order, subpoena, warrant, summons or similar process 

  • To identify or locate a suspect, fugitive, material witness, or missing person 

  • About the victim of a crime if, under certain limited circumstances, the victim is unable to consent 

  • About a death we believe may be the result of criminal conduct 

  • About criminal conduct at the U of A 

  • In emergency circumstances to report a crime; the location of the crime or victims; or the identity, description or location of the person who committed the crime 

Coroners, Medical Examiners, Funeral Directors: We may release medical information to a coroner or medical examiner. This may be necessary to identify a deceased person or determine the cause of death. We may also release health information about patients to funeral directors as necessary to carry out their duties with respect to the deceased. 

Military and Veterans: If you are a member of the armed forces, we may release health information about you as required by military command authorities. We may also release health information about foreign military personnel to the appropriate foreign military authority. 

National Security and Intelligence Activities: Upon receipt of a request, we may release health information about you to authorized federal officials for intelligence, counterintelligence, and other national security activities authorized by law. We will only provide this information after University Privacy has verified the validity of the request and reviewed and approved our response. 

Abuse, Neglect & Domestic Violence: We may disclose your health information to public authorities as required by the law to report abuse, neglect, or domestic violence. 

As Required by Law: We may disclose health information about you when required to do so by federal, state or local law that is not specifically mentioned in this Notice. For example, we may disclose health information as part of a lawful request in a government investigation. 

Situations that Require Your Authorization 

For uses and discloses not generally described above, we must obtain your authorization. For example, the following uses and disclosures will be made only with your authorization: 

  • Uses and disclosures for marketing purposes 

  • Uses and disclosures that constitute the sale of PHI 

  • Most uses and disclosures of psychotherapy notes 

  • Other uses and disclosures not described in this Notice 

If you provide authorization to use or disclose health information about you, you may revoke that authorization, in writing, at any time. If you revoke your authorization, we will no longer use or disclose health information about you for the activities covered by the authorization, except if we have already acted in reliance on your permission. We are unable to take back any disclosures we have already made with your authorization, and we are required to retain records of health information. 

Your Rights Regarding Your PHI 

You have the right to: 

Inspect and Obtain a Copy: You have the right to inspect and obtain a paper or electronic copy of health information that may be used to make decisions about your care.  

Amendment: You have the right to request that we amend your medical information if you feel that it is incomplete or inaccurate. We are permitted to deny your request if it is not in writing or does not include a reason to support the request. We may also deny your request if: 

  • We did not create the information, or the person who created it is no longer available to make the amendment. 

  • The information is not part of the record which you are permitted to inspect and copy. 

  • The information is not part of the designated record set kept by this practice. 

  • The opinion of the health care provider that the information is accurate and complete. 

An Accounting of Disclosures: You have the right to request an accounting of disclosures which is a list describing how we have shared your health information with outside parties. This accounting is a list of the disclosures we made of your health information for purposes other than treatment, payment, health care operations, and certain other purposes consistent with law.  

Request Confidential Communications: You have the right to request that we communicate with you about your health information or medical matters in a certain way or at a certain location.  

Copy of this Notice: You have the right to a copy of this Notice. It is available online, or by contacting the University Privacy (HIPAAprivacy@arizona.edu).  

Request Restrictions: You have the right to request restrictions on certain uses or disclosures of your health information. Right to request that PHI not be disclosed to a health plan for an item or service that has been paid for in full out of pocket. 

File a complaint: If you believe that the U of A has not handled or secured your PHI according to the procedures outlined in this statement, you have the right to file a complaint regarding the privacy or security of your PHI. You will not be retaliated against for filing a complaint. 

To file a complaint you may: 

  • Contact University Privacy at the information below. 

Contact Information 

To obtain information about how to exercise your rights as outlined above, or if you have any questions regarding this statement, please contact University Privacy via email (HIPAAprivacy@arizona.edu) or via mail to the following address: 

University Privacy 

888 N Euclid Ave. 

Suite 113 

Tucson, AZ 85719 

Breach Notification Statement 

We are required by law to notify you without unreasonable delay and no later than 60 days after discovering a breach of your unsecured PHI. The notice will include: 

  • A description of the breach and the types of information involved. 

  • Steps you should take to protect yourself. 

  • What we are doing to investigate and mitigate harm. 

  • Contact information for questions. 

Changes 

We will review this Notice of Privacy Practices regularly and publish changes on our website. 

This Notice Privacy Practices was most recently updated on December 18, 2025.