{"id":1328,"date":"2026-04-02T12:52:53","date_gmt":"2026-04-02T17:52:53","guid":{"rendered":"https:\/\/wp.uthscsa.edu\/stage-compliance\/?page_id=1328"},"modified":"2026-04-02T12:52:53","modified_gmt":"2026-04-02T17:52:53","slug":"hipaa-compliance-program","status":"publish","type":"page","link":"https:\/\/wp.uthscsa.edu\/compliance\/hipaa-compliance-program\/","title":{"rendered":"HIPAA Compliance Program"},"content":{"rendered":"<div class=\"wpb-content-wrapper\"><p>[vc_row][vc_column][vc_column_text]<\/p>\n<h2>Overview of HIPAA<\/h2>\n<h4>What is HIPAA?<\/h4>\n<p>It is a federal law titled the Health Insurance Portability and Accountability Act (HIPAA).<\/p>\n<h4>Which federal agency oversees HIPAA compliance?<\/h4>\n<p>The Department of Health and Human Services (HHS), Office of Civil Rights (OCR).<\/p>\n<h4>Why was HIPAA established?<\/h4>\n<ul>\n<li>To protect employees&#8217; insurance when they have lost or changed jobs.<\/li>\n<li>To protect the privacy and security of patients&#8217; health information.<\/li>\n<li>To adopt national standards for electronic health care transactions.<\/li>\n<li>To improve the efficiency and effectiveness of the health care system.<\/li>\n<\/ul>\n<h4>What do the HIPAA regulations do for health care?<\/h4>\n<ul>\n<li>Protects patients&#8217; rights regarding their health information, including the right to review it and make decisions about how it is used and disclosed.<\/li>\n<li>Provides for appropriate use and disclosure of patients&#8217; health information.<\/li>\n<li>Requires health care providers to implement safeguards to ensure privacy of patients&#8217; health information.<\/li>\n<\/ul>\n<h4>On what exactly do the privacy regulations focus?<\/h4>\n<ul>\n<li>Individually identifiable information, which means it identifies the patient or could be used to identify the patient.<\/li>\n<li>Paper or 
electronic patient medical or health records.<\/li>\n<li>Patient information exchanged verbally.<\/li>\n<li>Information relating to the past, present, or future physical or mental condition of an individual.<\/li>\n<li>Research data that identifies individual patients.<\/li>\n<\/ul>\n<p>[\/vc_column_text][vc_separator color=&#8221;mulled_wine&#8221; border_width=&#8221;4&#8243; css=&#8221;&#8221;][\/vc_column][\/vc_row][vc_row][vc_column][vc_column_text css=&#8221;&#8221;]<\/p>\n<h3>Patient Rights Under HIPAA<\/h3>\n<p>UT Health San Antonio is committed to protecting and safeguarding the confidential and sensitive information entrusted to us through various means. The UT Health San Antonio Institutional&nbsp;Compliance and Privacy Office (ICPO) ensures that UT Health San Antonio complies with the privacy laws, rules, and policies. We strive to create a culture of privacy awareness and to achieve the highest level of commitment to protecting personally identifiable information.<\/p>\n<p>The ICPO handles issues related to privacy practices, policies, concerns, and complaints. We also act as a resource for patients, staff, and students. 
The privacy laws provide for certain privacy rights. <a href=\"https:\/\/wp.uthscsa.edu\/compliance\/hippa\/\">Read more about Patient Rights under HIPAA.<\/a><\/p>\n<p><span style=\"text-decoration: underline;\">Forms of Interest<\/span><\/p>\n<ul>\n<li><a href=\"https:\/\/powerdms.com\/link\/UTHSA\/document\/?id=2756388\" target=\"_blank\" rel=\"noopener\">Notice of Privacy Practices (English)<\/a><\/li>\n<li><a href=\"https:\/\/powerdms.com\/link\/UTHSA\/document\/?id=2756389\" target=\"_blank\" rel=\"noopener\">Notice of Privacy Practices (Spanish)<\/a><\/li>\n<li><a href=\"https:\/\/uthealthsa.sharepoint.com\/RAC\/Documents\/Telemedince%20NPP\/Telemedicine%20NPP%20English%20March%202020.pdf\">Notice of Privacy Practices &#8211; Telemedicine (English)<\/a><\/li>\n<li><a href=\"https:\/\/uthealthsa.sharepoint.com\/RAC\/Documents\/Telemedince%20NPP\/Telemedicine%20NPP%20Spanish%20March%202020.pdf\">Notice of Privacy Practices &#8211; Telemedicine (Spanish)<\/a><\/li>\n<\/ul>\n<p>[\/vc_column_text][vc_separator color=&#8221;mulled_wine&#8221; border_width=&#8221;4&#8243; css=&#8221;&#8221;][\/vc_column][\/vc_row][vc_row][vc_column][vc_column_text css=&#8221;&#8221;]<\/p>\n<h3>Patient Privacy Policies &amp; Procedures<\/h3>\n<p>The Institutional Handbook of Operating Policies (IHOP), <a href=\"https:\/\/wp.uthscsa.edu\/pao\/hop\/11-toc\/\">Chapter 11 &#8211; Patient Privacy Policies<\/a>, governs general oversight, uses and disclosures of protected health information (PHI), patient rights regarding privacy of PHI, and the requirement that all employees, students and non-employees of the Health Science Center complete mandatory training in patient privacy regulations and policies.[\/vc_column_text][\/vc_column][\/vc_row][vc_row][vc_column][vc_separator color=&#8221;mulled_wine&#8221; border_width=&#8221;4&#8243; css=&#8221;&#8221;][\/vc_column][\/vc_row][vc_row][vc_column][vc_column_text css=&#8221;&#8221;]<\/p>\n<h3>Business 
Associates<\/h3>\n<h4>Purpose of Business Associate Agreements<\/h4>\n<p>Any person or company that is a Business Associate is required to sign a contract with special language mandated by the privacy rules. Business Associate Agreements (BAA) assist UT Health San Antonio in protecting our patients&#8217; health information when it is released to someone outside our organization.<\/p>\n<p><strong>Definitions:<\/strong><\/p>\n<ul>\n<li>Business Associate: A Business Associate is a person or entity to which UT Health San Antonio discloses protected health information so that the person\/entity can carry out, assist with the performance of, or perform a function or activity for UT Health San Antonio.<\/li>\n<li>Protected Health Information (PHI): A patient&#8217;s or participant&#8217;s (in the case of research) health information that identifies the person or can be used to identify the person.<\/li>\n<\/ul>\n<h5>Business Associate Test:<\/h5>\n<ul>\n<li>Is UT Health San Antonio disclosing PHI?<\/li>\n<li>Does the recipient of the PHI provide a service to, for, or on behalf of UT Health San Antonio?<\/li>\n<\/ul>\n<p>If the answer to both of the above questions is &#8220;yes&#8221;, you may have a relationship that requires a business associate agreement.<\/p>\n<h5>Not Business Associates<\/h5>\n<ul>\n<li>UT Health San Antonio Workforce: Employees, faculty, residents, students<\/li>\n<li>Health care workers providing treatment<\/li>\n<li>Providers with staff privileges at the institution<\/li>\n<li>Labs<\/li>\n<li>Individuals or companies with very limited and incidental exposure to health information, such as telephone company, electrician, etc.<\/li>\n<li>Companies that act as a conduit for PHI, such as the postal service, UPS, private couriers, etc.<\/li>\n<\/ul>\n<h5>Potential Business Associates<\/h5>\n<ul>\n<li>Lawyers<\/li>\n<li>External auditors or accountants<\/li>\n<li>Professional translator 
services<\/li>\n<li>Answering services<\/li>\n<li>Consultants hired to conduct audits, perform coding reviews, etc.<\/li>\n<li>Accreditation agencies<\/li>\n<li>Shredding and\/or documentation storage companies<\/li>\n<li>Data processing firms or software companies that may be exposed to or use PHI<\/li>\n<li>Medical transcription services, even if you contract with an individual rather than a company<\/li>\n<li>Medical equipment service companies handling equipment that holds PHI<\/li>\n<li>E-prescribing gateways<\/li>\n<li>Health information organizations<\/li>\n<\/ul>\n<h4>Process for Completing a Business Associate Agreement (BAA)<\/h4>\n<p><span style=\"text-decoration: underline;\"><strong>Department Responsibilities<\/strong><\/span><\/p>\n<ul>\n<li>Determine when services, functions, or activities are being provided by a vendor, person, or company and in the provision of those services patient health information is being shared<\/li>\n<li>Ensure BAA is in place prior to services being provided<\/li>\n<li>Prepare a description of the &#8220;purposes for the sharing of PHI&#8221; to be included in the BAA<\/li>\n<li>Contact the Purchasing Department at buscontracts@uthscsa.edu or (210) 562-6203 for assistance in completing the BAA<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>Purchasing Department (Manager for Contract Administration) Responsibilities<\/strong><\/span><\/p>\n<ul>\n<li>Complete the BAA for signature<\/li>\n<li>Assess need for review by the Legal Office and\/or the Institutional Compliance &amp; Privacy Office<\/li>\n<li>Ensure BAA is signed by the vendor and the appropriate institutional signatory authority<\/li>\n<li>Maintain the original signed BAA<\/li>\n<\/ul>\n<h4>Process for Termination or Non-Renewal of a Contract with a Business Associate<\/h4>\n<p><span style=\"text-decoration: underline;\"><strong>When the institutional data is stored\/maintained by the business associate, the following steps will be 
required<\/strong><\/span><\/p>\n<ul>\n<li>The department will notify the Purchasing Department, Manager for Contract Administration, to assess the contract and BAA terms<\/li>\n<li>The Purchasing Department, Manager for Contract Administration, will assess the need for review by the Legal Office and\/or the Institutional Compliance &amp; Privacy Office<\/li>\n<li>The department will ensure the return or destruction of data providing confirmation to the Purchasing Department, Manager for Contract Administration<\/li>\n<li>The Purchasing Department, Manager for Contract Administration, will maintain that confirmation with the BAA. If it is not feasible to return or destroy, the BAA will continue to extend the protections to limit further use or disclosure by the business associate<\/li>\n<\/ul>\n<p>[\/vc_column_text][vc_separator color=&#8221;mulled_wine&#8221; border_width=&#8221;4&#8243; css=&#8221;&#8221;][\/vc_column][\/vc_row][vc_row][vc_column][vc_column_text css=&#8221;&#8221;]<\/p>\n<h3>Select HIPAA Links<\/h3>\n<ul>\n<li>Office of Civil Rights (OCR)<\/li>\n<li>Center for Medicare and Medicaid Services (CMS)<\/li>\n<li>American Dental Association<\/li>\n<li>American Health Information Mgmt. 
Assoc.\u00a0(Search &#8220;HIPAA&#8221;)<\/li>\n<li>American Hospital Association<\/li>\n<li>HIPAA Summit<\/li>\n<li>Texas Health Information Management Association<\/li>\n<li>WEDI-Strategic National Implementation Process (SNIP)\u200b<\/li>\n<\/ul>\n<p>[\/vc_column_text][vc_separator color=&#8221;mulled_wine&#8221; border_width=&#8221;4&#8243; css=&#8221;&#8221;][\/vc_column][\/vc_row][vc_row][vc_column][vc_column_text css=&#8221;&#8221;]<\/p>\n<h3>Contacts &amp; Resources<\/h3>\n<p>Any questions or concerns related to privacy matters should be directed to the Privacy Team in the Institutional Compliance &amp; Privacy Office at <a href=\"mailto:compliance@uthscsa.edu\">compliance@uthscsa.edu<\/a> or <a href=\"tel:12105672014\">(210) 567-2014<\/a>, or by calling the Compliance Hotline at <a href=\"tel:18775077317\">(877) 507-7317<\/a>.<\/p>\n<p>You can also contact a member of the Privacy Team directly:<\/p>\n<ul>\n<li><strong>Angelife Pardo, MSIT, CHPC, CISSP, CRISC, PMP<\/strong><br \/>\nDirector, Privacy Program<br \/>\npardoa@uthscsa.edu<\/li>\n<li><strong>Mark S. Curnow, MS, CHC, CHPS<\/strong><br \/>\nCompliance Analyst, Senior<br \/>\ncurnowm@uthscsa.edu<\/li>\n<li><strong>Bianca De La Fuente, BSBM, CHPC<\/strong><br \/>\nPrivacy Analyst<br \/>\ndelafuenteb@uthscsa.edu<\/li>\n<li><strong>Caleb Barrera, CHTS<\/strong><br \/>\nPrivacy Analyst<br \/>\nbarrerac5@uthscsa.edu<\/li>\n<\/ul>\n<p>&nbsp;[\/vc_column_text][\/vc_column][\/vc_row]<\/p>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>[vc_row][vc_column][vc_column_text] \u200b\u200b\u200b\u200b\u200b\u200b\u200b\u200b\u200b\u200b\u200bOverview of HIPAA What is HIPAA?\u200b It is a federal law titled the\u00a0Health\u00a0Insurance\u00a0Portability and\u00a0Accountability\u00a0Act (HIPAA). \u200bWhich federal agency oversees HIPAA compliance? The Department of Health and Human Services (HHS), Office of Civil Rights (OCR). \u200bWhy was HIPAA established? 
To protect employees&#8217; insurance when they have \u200b\u200blost or changed jobs. To protect the privacy and [&hellip;]<\/p>\n","protected":false},"author":560,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"class_list":["post-1328","page","type-page","status-publish","hentry"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.6 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>HIPAA Compliance Program - Compliance<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/wp.uthscsa.edu\/compliance\/hipaa-compliance-program\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"HIPAA Compliance Program - Compliance\" \/>\n<meta property=\"og:description\" content=\"[vc_row][vc_column][vc_column_text] \u200b\u200b\u200b\u200b\u200b\u200b\u200b\u200b\u200b\u200b\u200bOverview of HIPAA What is HIPAA?\u200b It is a federal law titled the\u00a0Health\u00a0Insurance\u00a0Portability and\u00a0Accountability\u00a0Act (HIPAA). \u200bWhich federal agency oversees HIPAA compliance? The Department of Health and Human Services (HHS), Office of Civil Rights (OCR). \u200bWhy was HIPAA established? To protect employees&#8217; insurance when they have \u200b\u200blost or changed jobs. To protect the privacy and [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/wp.uthscsa.edu\/compliance\/hipaa-compliance-program\/\" \/>\n<meta property=\"og:site_name\" content=\"Compliance\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"1 minute\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/wp.uthscsa.edu\\\/compliance\\\/hipaa-compliance-program\\\/\",\"url\":\"https:\\\/\\\/wp.uthscsa.edu\\\/compliance\\\/hipaa-compliance-program\\\/\",\"name\":\"HIPAA Compliance Program - Compliance\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/wp.uthscsa.edu\\\/compliance\\\/#website\"},\"datePublished\":\"2026-04-02T17:52:53+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/wp.uthscsa.edu\\\/compliance\\\/hipaa-compliance-program\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/wp.uthscsa.edu\\\/compliance\\\/hipaa-compliance-program\\\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/wp.uthscsa.edu\\\/compliance\\\/hipaa-compliance-program\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/wp.uthscsa.edu\\\/compliance\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"HIPAA Compliance Program\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/wp.uthscsa.edu\\\/compliance\\\/#website\",\"url\":\"https:\\\/\\\/wp.uthscsa.edu\\\/compliance\\\/\",\"name\":\"Compliance\",\"description\":\"Compliance\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/wp.uthscsa.edu\\\/compliance\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"HIPAA Compliance Program - Compliance","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/wp.uthscsa.edu\/compliance\/hipaa-compliance-program\/","og_locale":"en_US","og_type":"article","og_title":"HIPAA Compliance Program - Compliance","og_description":"[vc_row][vc_column][vc_column_text] \u200b\u200b\u200b\u200b\u200b\u200b\u200b\u200b\u200b\u200b\u200bOverview of HIPAA What is HIPAA?\u200b It is a federal law titled the\u00a0Health\u00a0Insurance\u00a0Portability and\u00a0Accountability\u00a0Act (HIPAA). \u200bWhich federal agency oversees HIPAA compliance? The Department of Health and Human Services (HHS), Office of Civil Rights (OCR). \u200bWhy was HIPAA established? To protect employees&#8217; insurance when they have \u200b\u200blost or changed jobs. To protect the privacy and [&hellip;]","og_url":"https:\/\/wp.uthscsa.edu\/compliance\/hipaa-compliance-program\/","og_site_name":"Compliance","twitter_card":"summary_large_image","twitter_misc":{"Est. 
reading time":"1 minute"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/wp.uthscsa.edu\/compliance\/hipaa-compliance-program\/","url":"https:\/\/wp.uthscsa.edu\/compliance\/hipaa-compliance-program\/","name":"HIPAA Compliance Program - Compliance","isPartOf":{"@id":"https:\/\/wp.uthscsa.edu\/compliance\/#website"},"datePublished":"2026-04-02T17:52:53+00:00","breadcrumb":{"@id":"https:\/\/wp.uthscsa.edu\/compliance\/hipaa-compliance-program\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/wp.uthscsa.edu\/compliance\/hipaa-compliance-program\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/wp.uthscsa.edu\/compliance\/hipaa-compliance-program\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/wp.uthscsa.edu\/compliance\/"},{"@type":"ListItem","position":2,"name":"HIPAA Compliance Program"}]},{"@type":"WebSite","@id":"https:\/\/wp.uthscsa.edu\/compliance\/#website","url":"https:\/\/wp.uthscsa.edu\/compliance\/","name":"Compliance","description":"Compliance","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/wp.uthscsa.edu\/compliance\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"}]}},"_links":{"self":[{"href":"https:\/\/wp.uthscsa.edu\/compliance\/wp-json\/wp\/v2\/pages\/1328","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wp.uthscsa.edu\/compliance\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/wp.uthscsa.edu\/compliance\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/wp.uthscsa.edu\/compliance\/wp-json\/wp\/v2\/users\/560"}],"replies":[{"embeddable":true,"href":"https:\/\/wp.uthscsa.edu\/compliance\/wp-json\/wp\/v2\/comments?post=1328"}],"version-history":[{"count":1,"href":"https:\/\/wp.uthscsa.edu\/compliance\/wp-
json\/wp\/v2\/pages\/1328\/revisions"}],"predecessor-version":[{"id":2221,"href":"https:\/\/wp.uthscsa.edu\/compliance\/wp-json\/wp\/v2\/pages\/1328\/revisions\/2221"}],"wp:attachment":[{"href":"https:\/\/wp.uthscsa.edu\/compliance\/wp-json\/wp\/v2\/media?parent=1328"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}