Your browser is unsupported

We recommend using the latest version of IE11, Edge, Chrome, Firefox or Safari.


The Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, was enacted on August 21, 1996. Sections 261 through 264 of HIPAA require the Secretary of HHS to publicize standards for the electronic exchange, privacy and security of health information.

The University of Illinois System is a HIPAA covered entity. The majority of the System’s units, however, do not perform HIPAA-covered functions. Consequently, the System has designated itself as a hybrid entity. As a hybrid entity, the System may limit application of HIPAA to only those units or components of units that perform HIPAA-covered functions. The units or components of units identified as being covered by HIPAA are known as the health care components of the hybrid entity. The current list of the Systems’ health care components can be found here.

This policy applies to all employees, volunteers, trainees, and other persons who work under the direct control of a health care component and who perform the functions, activities or services of either a covered entity or business associate.

Policies Heading link

Incident Reporting Heading link

If you think you have experienced or discovered an incident or disclosure of protected health information (PHI), immediately report it to your supervisor AND one of the following individuals:

Contact Us Heading link