HIPAA Privacy Program
Northern Arizona University HIPAA Privacy Program

Contact the HIPAA Privacy Program

Email: hipaa@nau.edu
Call: 928-523-7906

Health Insurance Portability and Accountability Act (HIPAA)

What Is HIPAA?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that establishes national standards for protecting sensitive health information. The U.S. Department of Health and Human Services (HHS) created the HIPAA Privacy Rule to set these standards, ensuring that individuals’ Protected Health Information (PHI) is used and disclosed appropriately while still allowing necessary information flow for high‑quality care and public health purposes.

HIPAA applies to “Covered Entities” and their “Business Associates” and governs how PHI may be used, how it must be safeguarded, and what rights individuals have regarding their own health information.

Protects Individuals’ Health Information

HIPAA’s Privacy Rule exists to make sure health information is properly protected while allowing the information needed for care, operations, and public health. A formal privacy program helps an institution consistently enforce these protections.

Supports Responsible Information Sharing

HIPAA is designed to protect PHI and still enable appropriate information flow—such as for treatment, billing, and operations—while preventing unauthorized access or disclosure. A privacy program helps maintain this balance.

Strengthens Institutional Compliance

HIPAA includes administrative requirements, such as workforce training and safeguards for handling PHI. An effective HIPAA privacy program ensures that staff are trained, processes are documented, and risks are managed.

Promotes Trust

By preventing improper disclosures and guiding proper practices, a strong HIPAA Privacy Program helps foster trust among students, patients, employees, and the community.

Hybrid Entity Status

NAU designates itself a “Hybrid Entity” under the Health Insurance Portability and Accountability Act (“HIPAA”). A hybrid entity is an organization that performs both HIPAA-covered and non-covered functions, and only the specific components within NAU are subject to HIPAA compliance.

In accordance with the HIPAA regulations, NAU has identified its HIPAA-covered functions as Health Care Components (HCCs), responsible for ensuring the privacy and security of PHI. NAU’s designated HCCs meet the definition of “Covered Entities” subject to HIPAA requirements. NAU’s HCCs must safeguard the privacy and confidentiality of PHI in accordance with HIPAA.

Our Commitment

NAU is committed to maintaining the privacy and security of all PHI entrusted to us. We support our campus partners by providing guidance and oversight rooted in lawful standards, ethical practice, and continuous compliance improvement.

NAU is obligated to abide by certain laws and regulations that govern the privacy and security of health records subject to HIPAA. While HIPAA primarily focuses on healthcare providers and health plans, its relevance in higher education extends to situations where institutions like NAU provide healthcare services and operate employee health plans.

NAU is also subject to the Family Educational Rights and Privacy Act (“FERPA”), which protects the privacy of a student’s education records, including health records. Therefore, student health information maintained at NAU generally falls under FERPA, not HIPAA.

Reporting

NAU recognizes the protection of PHI as not only a legal requirement but an ethical duty to the patients served at our health care components. As such, all Workforce Members are expected and encouraged to report any behavior(s), incident(s), or concern(s) that may compromise the privacy and/or security of PHI. This includes, but is not limited to, suspected privacy breaches, unauthorized access, improper disclosures, or privacy and security vulnerabilities.

Workforce Members are provided with access to PHI if it is essential to do their jobs; they are expected to safeguard that information and act with prudence to prevent, to the extent possible, unauthorized disclosures.