Health Insurance Portability and Accountability Act of 1996 (HIPAA)

Overview – HIPAA Privacy and Security

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) protects the use and disclosure of individually identifiable information or protected health information (PHI) created or received by covered entities.

The University of Colorado is a covered entity that has chosen hybrid status, meaning it is a single legal entity with components that are covered and non-covered under HIPAA. HIPAA Affected Areas refer to those units at UCCS that have access to PHI, as defined by HIPAA, because the unit is a designated healthcare component (healthcare provider or a health plan), provides services to covered components and as such receives PHI to perform those tasks, or uses PHI for education or research purposes. The designated health care components for UCCS can be found in Exhibit A of the “HIPAA Hybrid Entity Designation” Administrative Policy Statement. The locations listed in Exhibit A are all considered covered entities and therefore all of these areas must comply with HIPAA rules and regulations.

Key Concepts:

HIPAA designated healthcare components must safeguard PHI during storage, use and disclosure. These safeguards apply to the Privacy and Security of the data and must include:

  • Administrative Safeguards (e.g. policies, procedures, training, contractual agreements)
  • Physical Safeguards (e.g. doors, privacy curtains, locking cabinets)
  • Technical Safeguards (e.g. password protected computers, encryption)

Patients have Rights to:

  • Notice of Privacy Practices (How their information may be used)
  • Inspect & copy PHI
  • Accounting of Disclosures (Record of disclosures of PHI for other than TPO & without their permission)
  • Request to Amend their record
  • Request for Confidential Communications
  • Request for Restrictions related to certain uses and disclosures
  • Give permission to allow certain uses and disclosures such as for research purposes
  • File a Complaint

Training and Education

CU: HIPAA Regulations - UCCS

  1. Select the Skillsoft tile on the home page
  2. Once in Skillsoft, select Library from the top of the screen and select UCCS or use the UCCS tile from the home page
  3. Select the HIPAA folder then select CU: HIPAA Regulations – UCCS and click LAUNCH

Frequently Asked Questions

What is HIPAA?
What is a covered entity?
When can PHI be used and/or disclosed without an Authorization?
Does the HIPAA Privacy Rule apply to the UCCS Wellness Center?
Must a health care provider or other covered entity obtain permission from a patient prior to notifying public health authorities of the occurrence of a reportable disease?
Is a health care provider permitted to disclose proof of a child’s immunizations directly to a school without a HIPAA authorization?
Does the HIPAA Privacy Rule allow a health care provider to disclose protected health information (PHI) about a student to a school nurse or physician?
May physician's offices or pharmacists leave messages for patients at their homes, either on an answering machine or with a family member, to remind them of appointments or to inform them that a prescription is ready?
May providers continue to mail appointment or prescription refill reminders to patients' homes?
If I do not object, can my health care provider share or discuss my health information with my family, friends, or others involved in my care or payment for my care?
May mental health practitioners or other specialists provide therapy to patients in a group setting where other patients and family members are present?
Does the HIPAA Privacy Rule change the way in which a person can grant another person health care power of attorney?
Can I use my UCCS email account to send Protected Health Information (PHI)?
How do I secure data that I am using/what are my responsibilities?
What do the HIPAA Privacy and Security Rules require of covered entities when they dispose of protected health information?
What is de-identified data?
What is a Limited-Data Set?
What is a Data Use Agreement?
What is Minimum Necessary Standard?
When is health information considered PHI?

Report a Concern or Ask Questions

UCCS Privacy Officer
Deborah O’Connor
UCCS Security Officer
Charlie Wertz

For a complete PDF version of the UCCS HIPAA policy portfolio, please visit the UCCS Policy Webpage at:

100-020 HIPAA Compliance Policy
Attachment 1 - Policies and Procedures Policy
Attachment 4 - HIPAA Investigations Policy
Attachment 5 - Breach Notification Policy
Attachment 6 - HIPAA Training Policy
Attachment 7 - Patients Rights Policy
Attachment 8 - PHI Uses and Disclosures Policy
Attachment 9 - Use and Disclosure for Research Purposes
Attachment 10 - Privacy Complaints Policy
Attachment 11 - Risk Management and Risk Analysis Policy
Attachment 12 - Sanction Policy
Attachment 13 - Information System Activity Review/ Authorization and Supervision Policy/Log-in Monitoring Policy
Attachment 14 - Workforce Clearance and Access/Termination Policy
Attachment 15 - HIPAA Security Reminders Policy
Attachment 16 - HIPAA Malware Protection Policy
Attachment 17 - HIPAA Password Management Policy
Attachment 18 - HIPAA Security Incident Policy
Attachment 19 - Data Backup and Storage Policy
Attachment 20 - HIPAA Disaster Recovery Policy
Attachment 21 - Emergency Mode Operations Policy
Attachment 22 - Policy on Testing and Revision of Contingency and Emergency Plans and Procedures
Attachment 23 - Policy on Applications and Data Criticality Analysis
Attachment 24 - Policy on Evaluating the Effectiveness of Security Policies and Procedures
Attachment 25 - Business Associates Policy
Attachment 26 - Contingency Operations Policy
Attachment 27 - Facility Security Policy
Attachment 28 - Access Control and Validation Policy
Attachment 29 - Facility Security Maintenance Records Policy
Attachment 30 - Workstation Use and Security Policy
Attachment 31 - Media Disposal and Re-Use Hardware and Media Accountability Policy
Attachment 32 - Unique User Identification Policy
Attachment 33 - Emergency Access Policy
Attachment 34 - Automatic Log-Off Policy
Attachment 35 - Encryption and Decryption Policy
Attachment 36 - Audit Controls Policy
Attachment 37 - Data Integrity Controls Policy
Attachment 38 - Person or Entity Authentication Policy
Attachment 39 - Data Transmission Security Policy