Health Insurance Portability and Accountability Act

What is HIPAA?


HIPAA is a U.S. law designed to provide privacy standards to protect patients’ medical records and other health information provided to health plans, billing/coding companies, doctors, hospitals and other health care providers (known as 'covered entities').


Under this Act, the University of Colorado is considered a “hybrid” covered entity.

HIPAA affects our campuses through the use of patient records (including shadow records), human subjects research records, and marketing demographics that contain health information, to name just a few examples.

The Spirit of HIPAA is Simple

1) to secure Protected Health Information (PHI) and

2) to enforce standards for electronic transactions in healthcare.

Responsibility for the University's HIPAA compliance is coordinated by the Office of Regulatory Compliance under the direction of the Associate Vice Chancellor for Regulatory Compliance, Dr. Alison D. Lakin, RN, LLB, LLM, PhD.

The HIPAA Privacy Rule regulates the use and disclosure of individually identifiable health information and gives individuals the right to determine and restrict access to certain health information. Compliance with HIPAA's privacy regulations became required on April 14, 2003. There are substantial penalties, both civil and criminal, for non-compliance.

The HIPAA Security Rule requires that reasonable and appropriate technical, physical, and administrative safeguards be taken with electronic individually identifiable health information. Specifically, we must ensure the confidentiality, integrity, and availability of all electronic protected health information (ePHI) we create, receive, maintain or transmit.

Compliance with the Security Rule became required on April 21, 2005, and is managed by the Office of Information Technology’s IT Security and Compliance Team.

Basic training in HIPAA regulation is mandatory for most of the UCD workforce. Employees are required to take training unless the work unit has been notified otherwise by the campus Privacy Officer.

The University’s Privacy Officer is the contact for any assistance University employees need with HIPAA compliance questions. Please contact the HIPAA Privacy Office at 303-724-0983 or at

Details on this Act can be found at its source, the Department of Health and Human Services (HHS), and at the Centers for Medicare & Medicaid Services.

HIPAA Contacts
