Health Insurance Portability & Accountability Act (HIPAA)

HIPAA means the Health Insurance Portability & Accountability Act of 1996 and Regulations issued under the Act. A core purpose of HIPAA is to protect the privacy and security of personal health information. HIPAA applies to “Covered Entities” such as health care providers and health plans. Certain parts of the University have been identified as being included in the University’s Covered Entity. Other parts of the University that are not within the Covered Entity may be required to comply with HIPAA if the unit performs activities as a “business associate” for or on behalf of the University’s Covered Entity or another health care provider outside of the University. The use of individual health information in research is also subject to special requirements under HIPAA.

HIPAA requires a Covered Entity such as a health care provider to have safeguards in place to protect the privacy of Protected Health Information (PHI), and it restricts how health care providers may use or disclose PHI. PHI is health information or health care payment information, created or received by a health care provider, that is combined with information personally identifying the individual patient. Beyond the federal requirements under HIPAA, state laws impose further restrictions on the use or disclosure of certain types of health information, including mental health information.

The HIPAA Security Rule requires Covered Entities to implement administrative, physical, and technical safeguards to protect PHI in electronic form.

Specific questions as to whether a given use or disclosure of PHI is permitted should be addressed to the Office of University Counsel. Similarly, in determining whether a contract with an outside entity requires the inclusion of a Business Associate Agreement under HIPAA, please consult the Office of University Counsel.