Pol-HIPAA Privacy Policy Management

policy HIPAA privacy management modified Tue Mar 17 2020 13:43:30 GMT-0400 (Eastern Daylight Time)


University of Louisville



HIPAA Privacy Policy Management


July 1, 2015




This policy applies to the University Employees (administrators, faculty, and staff).


Members of the Health Care Component of the University who are responsible for the management of their areas need to comply with the requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) by:

A. Developing HIPAA Privacy policies and procedures specific to the University area involved, based on the guidance documents available on the Privacy Office website.

B. Ensuring that all Workforce members of the area know and understand the policies and procedures and where to access them.

C. Ensuring that appropriate general online and area-specific training are provided for all personnel within their given area who could have access to Protected Health Information.


The University of Louisville is responsible for complying with the requirements of HIPAA that are relevant to those areas of the University covered by the HIPAA regulations.  This includes those areas that qualify as Covered Entities under HIPAA, as well as those functioning as Business Associates for the University’s Covered Entities.  Such compliance promotes a culture that adheres to the requirements of the regulations and values and protects the privacy of the Protected Health Information within its possession.  

  • HIPAA Privacy Regulations and Guidance on the U.S. Department of Health and Human Services website:  



Business Associate (This is an abbreviated definition. For the full definition, see page 11 of https://www.hhs.gov/sites/default/files/hipaa-simplification-201303.pdf (PDF).)

Business Associate means a person who:

On behalf of a Covered Entity or Business Associate, but other than in the capacity of a member of the Workforce of such Covered Entity or Business Associate:

A.  Creates, receives, maintains, or transmits Protected Health Information for a function or activity regulated by HIPAA, or

B.  Provides other services that involve the disclosure of Protected Health Information to the person.

Covered Entity means:

A.  A health plan.

B.  A health care clearinghouse.

C.  A health care provider who transmits any health information in electronic form in connection with a transaction covered by HIPAA.

Health Care Component means:

Those areas of the University that meet HIPAA’s definition of Covered Entity or that are functioning as a Business Associate for a Covered Entity area.  The current structure can be found on the Privacy Office website:


Protected Health Information means individually identifiable health information that is:

A.     Transmitted by electronic media;

B.     Maintained in electronic media; or

C.     Transmitted or maintained in any other form or medium.

Protected Health Information excludes individually identifiable health information:

A.     Covered by the Family Educational Rights and Privacy Act, as amended (20 U.S.C. 1232g);

B.     In employment records held by a covered entity in its role as employer; and

C.     Regarding a person who has been deceased for more than 50 years.

Workforce means:

Employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a Covered Entity or Business Associate, is under the direct control of such Covered Entity or Business Associate, whether or not they are paid by the Covered Entity or Business Associate.


Members of the Health Care Component of the University who are responsible for the management of their areas need to:

  • Review the guidance documents available on the Privacy Office website.
  • For those relevant to the work performed in their areas, develop the guidance documents into official policies for their areas.
  • Develop area-specific procedures to delineate the steps to be performed to implement the policy compliantly.
  • Train all relevant workforce members on the policies and procedures.
  • Maintain the policies and procedures in a location accessible to all workforce members, and ensure that the location is known.

Vice President for Risk, Audit, and Compliance


Privacy Office
425 West Lee St.
Louisville, KY  40208
Phone:  502-852-4062


1/25/2019 – updated Administrative Authority and Privacy Office contact information

Revision Date(s): January 25, 2019

Reviewed Date(s): 

The University Policy and Procedure Library is updated regularly. In order to ensure a printed copy of this document is current, please access it online at http://louisville.edu/policies.