What is HIPAA? The Health Insurance Portability and Accountability Act (HIPAA) was passed by Congress in 1996 to insure the portability of insurance coverage as employees moved from job to job; to increase accountability and decrease fraud and abuse in health care; and to improve the efficiency of the health care payment process, while at the same time protecting a patient’s privacy. UAH as a “hybrid entity” Since the primary function of UAH is not to provide health care, UAH is permitted to designate itself as a “hybrid entity,” which allows it to apply the Privacy Rule only to those parts of UAH that, if standing alone, would be a Covered Entity. As a hybrid entity, UAH must designate its “health care components,” which includes departments that provide support for health care components. HIPAA applies to “Covered Entities,” defined by the Privacy Rule as a health care provider that conducts certain transactions in electronic form, a health care clearinghouse, a health plan, or a business associate (person or organization performing a function on behalf of the CE for which access to protected health information is needed. Because UAH has at least one department that provides health care services and electronically transmits health information, it is considered a Covered Entity. UAH also administers a health plan. Health Care Components at the University of Alabama are: Student Health Center Faculty & Staff Clinic Departments that have signed Business Associated Agreements Group Health Insurance/Flexible Spending Plan (Human Resources) Administrative Departments supporting the entities above (e.g., Risk Management & Compliance, Counsel, Internal Audit, OIT, etc.) Research involving PHI from a HIPAA-covered entity Helpful Links HIPAA Policy Training Faculty & Staff: HIPAA Training for Faculty and Staff is provided through the Canvas LMS system. If you are not automatically enrolled in HIPAA training, you can self-enroll on the Canvas platform. Students: Some students may be required to complete the HIPAA Privacy and Security Training based on program requirements, course enrollment, and/or volunteer activities, regardless of their employment status. View the HIPAA policy for more details. Training Links: HIPAA Introductory Training HIPAA Annual Refresher Training Contacts HIPAA Privacy Officer – Kevin Bennett or privacy@uah.edu HIPAA Security Officer – Jeremy Shelley, CISO University Health Services (clinics) – Amber McPhail, Director UAH Group Health Plan/HSA/FSA – Holly Holladay or hr@uah.edu Institutional Review Board Compliance Officer – Dr. Jennifer Bail, IRB Chair or irb@uah.edu