Health Information Compliance & Privacy is responsible for ensuring that individually identifiable health information is handled appropriately across the entire University. Federal laws such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA) as well as Minnesota laws require the University to manage this information in a certain way.
Health Information Compliance & Privacy provides direction and support to ensure compliance with these requirements through the development of guidelines and policies, and through training and awareness.
Announcements and News
Data privacy and security training are now in ULearn. More information about HIPAA training can be found on the Training page.
Recent HIPAA Enforcement Actions
Stolen Laptop Results in $750,000 Settlement
A computer and backup device were stolen from the car of a Cancer Care Group, P.C. employee. The names, Social Security numbers, clinical information, and other data of 55,000 patients were compromised.
Columbia University Settlement for $4.8 Million
When a physician attempted to deactivate a personally-owned computer server on the network, a lack of technical safeguards resulted in ePHI for 6,800 patients being accessible on internet search engines.
Discussing Patient Information with Media Leads to $275,000 Settlement
Shasta Regional Medical Center leaders met with media to discuss medical services provided to a patient without the patient's authorization.
Lack of Safeguards with Document Sharing Internet Application Leads to Settlement for $218,000
St. Elizabeth's Medical Center used an internet-based document sharing application to store ePHI without analyzing the risks of doing so.
What is HIPAA and How Does it Impact the University?
HIPAA and its regulations are designed to protect an individual's health information (referred to as PHI), and to restrict how PHI may be used and disclosed by health care providers, health plans and those accessing PHI in order to support the providers and plans.
The University is considered a "hybrid entity" under HIPAA, which means that the entire University is not subject to HIPAA. Only the University's health plans, its health care provider services, and those that may access PHI to support the plans or health care provider services are subject to HIPAA. These areas are referred to as "health care components." The University's health care components include the UPlan, Boynton Health Service, Community-University Health Care Center, the Julia M. Davis Speech Language Hearing Center, the Medical School, the School of Nursing, the College of Pharmacy, the School of Dentistry and Dental Clinics, AHC Administrative Shared Services, AHC Centers, AHC-IS, OIT Security, OIC, OGC, Internal Audit, Office of Measurement Services and Athletic Training - TC.