Health Insurance Portability and Accountability Act (HIPAA)

What is HIPAA?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is designed to assure the privacy and security of health information held or transmitted by the University of Illinois (University) in support of its HIPAA covered functions and activities.  To implement HIPAA requirements, the U.S. Department of Health and Human Services issued regulations providing specific guidance on privacy (known as the “Privacy Rule”) and security (known as the “Security Rule”).  The Privacy and Security Rules are set forth in 45 C.F.R. Part 164.

What Are Health Care Components?

The Board of Trustees has identified the University units or components having HIPAA compliance obligations.  These units or components, referred to as health care components, are either University health care providers who transmit HIPAA protected information electronically or business associates performing services or functions involving HIPAA protected information for health care providers.  The protected information is called “protected health information” or “PHI”.  University employees, volunteers, trainees, students and other persons who work under the direct control of a University unit, who perform either health care or business associate functions within an identified health care component using PHI, are subject to the Privacy and Security Rules and the relevant University policy requirements, including training. 

Who Oversees HIPAA Compliance?

The University President is responsible for the University’s HIPAA compliance program.  The University-wide Privacy and Security Compliance Council, also known as the HIPAA Subcommittee of the University Information Privacy and Security Committee, is a key part of the President’s oversight effort.  The HIPAA Subcommittee serves in an advisory role and provides guidance and support to the University’s HIPAA compliance program. 

The President has appointed a University HIPAA Privacy and Security Official.  This official is responsible for:

  • Monitoring health care component compliance with the Privacy and Security Rules.
  • Regularly reviewing the activities of University units to ensure health care components are properly identified and documented in writing.
  • Serving as a compliance resource to the health care components.
  • Developing and maintaining HIPAA training and maintaining related records.
  • Establishing and maintaining administrative, physical and technical security safeguards to prevent, detect, contain and correct security violations involving protected health information in electronic form.
  • Receiving, investigating, and recommending resolution of complaints concerning the University’s compliance with the Privacy Rule.
  • Receiving, investigating, recommending resolution of, and responding to alleged breaches of the Security Rule.

Health Care Component HIPAA Liaisons are responsible for:

  • Identifying members of the unit’s workforce who engage in activities that involve the use of PHI and ensuring they are trained;
  • Cooperating with the University Privacy and Security Official in development of policies and procedures and other compliance activities; and
  • Serving as the point of contact for questions, audits, and problem resolution regarding the unit’s compliance with HIPAA.

More Information

For more information, see University Counsel’s HIPAA webpage.

References

Health Insurance Portability and Accountability Act of 1996

45 C.F.R. Part 164