Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Policy

Effective Date:
October 12, 2013
Last Revised Date:
December 1, 2021
Last Reviewed Date:
December 9, 2025
Applies To:
Classified Staff, Appointed Personnel, University Staff, Students
Responsible Unit(s):
Responsible Unit Email(s):
Status:
Active

Purpose and Summary

The purpose of this Policy is to:

  1. Establish procedures for the University of Arizona (University), as a Hybrid Entity, to designate Health Care Components;

  2. Acknowledge that the University performs certain activities that meet the definitions of a Covered Entity and Business Associate;

  3. Establish the University's commitment to maintaining a broad operational framework for the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Rules; and

  4. Ensure all members of the University Workforce understand their rights and obligations to the Privacy, Security, and integrity of Protected Health Information (PHI)/Electronic Protected Health Information (ePHI).

The University is considered a Hybrid Entity under HIPAA whose activities include both Covered and non-covered Functions. University Health Care Components must take all reasonable steps to assure compliance with all applicable HIPAA Privacy, Security, and Breach Notification Rules and regulations.

Scope

This Policy applies to all members of the University Workforce and to all University owned, operated, or leased premises operating as a HIPAA Covered Entity, Business Associate, or as otherwise designated as a University Health Care Component.

Definitions

All capitalized terms in this Policy, unless specifically defined below, have the same definitions found in HIPAA (45 CFR Parts 160, 162, and 164).

Breach Reporting means the requirement for Covered Entities and Business Associates to notify affected individuals, the U.S. Department of Health and Human Services (HHS), and in some cases the media, following a breach of unsecured Protected Health Information (PHI)/Electronic Protected Health Information (ePHI) in accordance with HIPAA.

Covered Function means activities that make an organization a Covered Entity under HIPAA. These functions include creating, receiving, maintaining, or transmitting PHI/ePHI.

Health Care Component means the part(s) of a Hybrid Entity that performs functions covered by HIPAA, like providing health care or processing Health Information electronically. A Hybrid Entity must designate its Health Care Component(s), which are then subject to the HIPAA Privacy Rule, while other non-health-related components are not.

HIPAA means the rules associated with the Health Insurance Portability and Accountability Act of 1996, found at 45 CFR Parts 160 and 164, as amended from time to time.

University Workforce means all faculty, staff, students, affiliates, associates, volunteers, trainees, visiting scholars, and researchers of the University whose conduct, in the performance of work or study at the University, is under the direct control of the University, whether or not they are paid by the University.

Unit means any University college, school, department, program, or other operating unit.

Policy

A. UA Community Obligations

  1. General Statement: This Policy, including provisions related to Breach Reporting, investigation, and remediation, applies to all University Workforce members; all other persons whose conduct, in the performance of work for a University Health Care Component, is under the direct control of the University Health Care Component, whether or not they are paid by the University Health Care Component; and to all other persons who perform services for or on behalf of a University Health Care Component who meet the definition of a Business Associate.
     
  2. Reporting Violations: If any University Workforce member becomes aware of an actual or alleged violation of HIPAA or this Policy, including but not limited to an incident or unauthorized access, Use, or Disclosure of PHI/ePHI, the individual is required to report the actual or alleged violation to the University HIPAA Privacy Program.

    1. Any member of the public may provide notification to the University HIPAA Privacy Program regarding an actual or alleged violation of HIPAA requirements or of this Policy. 

    2. The University HIPAA Privacy Program will provide information on its website to enable the reporting of actual or alleged violations and will develop procedures to ensure the prompt and timely response to reports received by the University HIPAA Privacy Program. 

    3. The HIPAA Privacy Program will be responsible for making any determinations regarding whether a reported violation constitutes a breach as defined under HIPAA. 

    4. The University will take appropriate steps to mitigate, as required by applicable law, any violation of this Policy or applicable HIPAA requirements. 

    5. University Workforce members found to have violated this Policy may be subject to disciplinary action, up to and including dismissal, under the applicable University disciplinary policies. 

    6. Students in violation of this Policy may be subject to disciplinary action under the applicable student policies and procedures.

    7. Individuals who are in violation of HIPAA regulations may be subject to civil and criminal penalties as provided by law.

  3. Potential Breach or Noncompliance Investigations: The University HIPAA Privacy Program will promptly investigate any potential Privacy or Security incident, or violation of this Policy, of which they are notified and will recommend appropriate corrective actions if a breach has occurred. 

    1. The University HIPAA Privacy Program may involve the University Information Security Office, the Office of the General Counsel, the University Compliance Office, or other Units as appropriate.

      1. If a Unit receives notification of a potential HIPAA violation or violation of this Policy, the Unit will promptly notify the University HIPAA Privacy Program. 

    2. As part of its investigation of any potential Privacy or Security incident, or violation of this Policy, the HIPAA Privacy Program has the authority to access a University email account, document storage service, or transmission service without the permission of the account or service owner when there is reasonable basis to suspect the email account or service was involved in the incident. 

    3. All University Workforce members will cooperate in such investigations and promptly respond to inquiries from the University HIPAA Privacy Program and to any other such requests from Units assisting with or coordinating the investigation. 

      1. Failure to cooperate with an investigation concerning a Privacy or Security breach, or a violation of this Policy, may result in disciplinary action by the University, in accordance with applicable policies. 

    4. Nothing in this Policy precludes the applicability of University and/or ABOR policies that relate to the investigation of cyber-security incidents.

  4. Prior Notification of Intent to Conduct HIPAA Standard Transactions or Engage in HIPAA Covered Activity: All Units must notify the University HIPAA Privacy Program of their intent to engage in HIPAA Standard Transactions or to send, receive, and/or maintain PHI or Electronic Protected Health Information (ePHI) in connection with the provision of Health Care (45 CFR § 160.103) or as a Business Associate (45 CFR § 160.103) to a Covered Entity.

    1. Notification must be as soon as possible prior to proposed initiation of such transmissions or activity, but no later than ninety (90) days prior to the planned date of implementation to enable the University HIPAA Privacy Program to conduct an analysis and recommend appropriate HIPAA compliance measures.

B. Organizational Guidelines

The HIPAA Privacy Program, as part of University Privacy, is charged with implementing this Policy and overseeing the University's HIPAA compliance program, which includes developing standard procedures, preparing and disseminating information and training materials, monitoring and auditing, and responding to reports of suspected noncompliance with this Policy or with HIPAA requirements.

  1. University HIPAA Privacy Program:

    1. University HIPAA Privacy Officer: oversees all ongoing activities related to the University's implementation of this Policy and is designated as the individual primarily responsible for ensuring the University's HIPAA compliance.

      1. The University HIPAA Privacy Officer is responsible for maintaining relevant procedures, guidelines, and forms; maintaining the University HIPAA Privacy Program website; and developing HIPAA training and educational materials.

      2. The University HIPAA Privacy Officer serves as the University's chief point of contact with the U.S. Department of Health and Human Services Office for Civil Rights (OCR) for all HIPAA complaints, investigations, and related matters.

    2. University HIPAA Security Officer: ensures compliance with the Security and Breach Notification Rules established by 45 CFR Parts 162 and 164, Subparts C and D.

      1. The University HIPAA Security Officer will work closely with the University HIPAA Privacy Officer to develop, implement, and maintain policies and procedures necessary for Health Care Components to comply with the Security Rule, including those necessary to establish and maintain administrative, physical, and technical security safeguards and to prevent, detect, contain, and correct security violations.

  2. Designation of Health Care Components: The University HIPAA Privacy Program will establish criteria to determine those Units that should be designated as Health Care Components under the University’s Hybrid Entity designation. 

    1. The University HIPAA Privacy Program will review designated Health Care Components, with input from appropriate Units, to ensure that designations remain proper and any additional designations are made in a timely manner. 

    2. The University HIPAA Privacy Program will coordinate with each designated Health Care Component to assist with the development of a HIPAA compliance program. 

  3. Banner–University Medical Group Coordination: The University HIPAA Privacy Program may coordinate activities related to research and services which involve the University and Banner–University Medicine Division, including Banner–University Medical Group, Banner–University Medical Center Phoenix Campus, Banner–University Medical Center Tucson Campus, and Banner–University Medical Center South Campus. 

    1. The University HIPAA Privacy Program may assist both organizations with HIPAA-related compliance issues that impact both organizations, including training of University Workforce members and investigations of violations of this Policy, Uses and Disclosures of PHI for research purposes, and any other standards that involve both covered research studies and University departments, clinics, and individuals that serve as Business Associates of Banner Health Medical Centers. 

  4. Student health information: Student health information obtained or created as part of the student’s academic career is normally covered under the privacy provisions of the Family Educational Rights and Privacy Act (FERPA). 

    1. This Policy in no way affects the applicability of FERPA regulations to student records, including student health records created from health care services provided by University Campus Health Service or other campus clinics, programs, or centers.

Compliance

University Privacy is responsible for overseeing compliance with this Policy.
