Health Insurance Portability and Accountability Act of 1996 (HIPAA)


Health Insurance Portability and Accountability Act of 1996 (HIPAA)

Overview – HIPAA Privacy and Security

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) protects the use and disclosure of individually identifiable information or protected health information (PHI) created or received by covered entities.

The University of Colorado is a covered entity that has chosen hybrid status, meaning it is a single legal entity with components that are covered and non-covered under HIPAA. HIPAA Affected Areas refer to those units at UCCS that have access to PHI, as defined by HIPAA, because the unit is a designated healthcare component (healthcare provider or a health plan), provides services to covered components and as such receives PHI to perform those tasks, or uses PHI for education or research purposes. The designated health care components for UCCS can be found in Exhibit A of the “HIPAA Hybrid Entity Designation” Administrative Policy Statement.  The locations listed in Exhibit A are all considered covered entities and therefore all of these areas must comply with HIPAA rules and regulations.

Key Concepts:

HIPAA designated healthcare components must safeguard PHI during storage, use and disclosure. These safeguards apply to the Privacy and Security of the data and must include:

  • Administrative Safeguards (e.g. policies, procedures, training, contractual agreements)
  • Physical Safeguards (e.g. doors, privacy curtains, locking cabinets)
  • Technical Safeguards (e.g. password protected computers, encryption)

Patients have Rights to:

  • Notice of Privacy Practices (How their information may be used)
  • Inspect & copy PHI
  • Accounting of Disclosures (Record of disclosures of PHI for other than TPO & without their permission)
  • Request to Amend their record
  • Request for Confidential Communications
  • Request for Restrictions related to certain uses and disclosures
  • Give permission to allow certain uses and disclosures such as for research purposes
  • File a Complaint


HealthCircle Notice of Privacy Practices (PDF)
Authorization to Release and/or Obtain Patient Information (PDF)
Approval of Request to Amend Medical or Billing Records (PDF)
Business Associates Agreement (PDF)
Data Use Agreement (PDF)
HIPAA Authorization for Release of Health Information – Media (PDF)
Request for Amendment of Medical or Billing Records Instructions and Fill-in Form (PDF)
Request for Accounting of Disclosures of Protected Health Information Fill-in Form (PDF)
Revocation of Authorization Fill-in Form (PDF)
Denial of Request to Amend Medical or Billing Records Fill-in Form (PDF)

Coming soon.

Report a concern

UCCS Privacy Officer 
Deborah O’Connor

UCCS Security Officer 
Thomas Conley

Training and Education

University of Colorado HIPAA SkillSoft Training 

  1. Visit and select your campus to log into the portal.
  2. From the CU Resources tab, click on the Training drop-down and click Start SkillSoft.
  3. From the Catalog section, open the HIPAA subfolder from the University of Colorado- System folder:

HIPAA SkillSoft training webpage

U.S. Department of Health and Human Services Training

  1. For Professionals: Helping Entities Implement Privacy and Security Protections:
  2. For Individuals: Your Rights Under HIPAA and FAQs: