Skip to content Where Legends Are Made Apply to UA Make a Gift

HIPAA Information

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) was passed by Congress in 1996 to insure the portability of insurance coverage as employees moved from job to job; to increase accountability and decrease fraud and abuse in health care; and to improve the efficiency of the health care payment process, while at the same time protecting a patient’s privacy.

UA as a “hybrid entity”

Since the primary function of The University is not to provide health care, UA is permitted to designate itself as a “hybrid entity,” which allows it to apply the Privacy Rule only to those parts of UA that, if standing alone, would be a Covered Entity. As a hybrid entity, UA must designate its “health care components,” which includes departments that provide support for health care components.

HIPAA applies to “Covered Entities,” defined by the Privacy Rule as

  • a health care provider that conducts certain transactions in electronic form,
  • a health care clearinghouse,
  • a health plan, or
  • a business associate (person or organization performing a function on behalf of the CE for which access to protected health information is needed.

Because the University of Alabama has at least one department that provides health care services and electronically transmits health information, it is considered a Covered Entity.

Health Care Components at the University of Alabama are:

  • The Brewer Porch Children’s Center
  • The University Medical Center
  • The Speech & Hearing Clinic
  • Autism Spectrum Disorders Clinic
  • Departments that have signed Business Associated Agreements
  • Group Health Insurance/Flexible Spending Plan
  • UA Administrative Departments supporting the entities above (e.g. Legal Office, Auditing, Financial Affairs, Risk Management, OIT, UA Privacy/Security Officers, etc.)
  • Research involving PHI from a HIPAA-covered entity
  • DOES NOT APPLY TO: Psychology Clinic, Student Health Center/Pharmacy, ODS records, Counseling Center, WRC, Athletic Department health records

Helpful Links


  • Faculty & Staff – HIPAA Training for Faculty and Staff is provided through the University of Alabama LMS system.  If you are not automatically enrolled in HIPAA training, you can self-enroll on the UA LMS training site.
  • Students – Some students may be required to complete the HIPAA Privacy and Security Training based on program requirements, course enrollment, and/or volunteer activities, regardless of their employment status. More information, and instructions for accessing the training, is available on the Compliance, Ethics and Regulatory Affairs website.
  • Abbreviated Training – Abbreviated HIPAA Privacy and Security Training is available to those directed by their supervisor. Use this training only if instructed.
  • Acknowledgement Statement (PDF)


The University of Alabama’s Privacy Officer – Ronda Lacey

The University of Alabama’s HIPAA Security Officer – Taylor Anderson

University Medical Center Privacy Officer – Heather Sheffield (Interim)

University Medical Center Security Officer – Amy Sherwood

Brewer Porch Privacy Officer – Heather Sheffield (Interim)

Brewer Porch Security Officer – Amy Sherwood

Speech and Hearing Privacy Officer – JoAnne Payne

Speech and Hearing Security Officer – Sara Shirley

Autism Spectrum Disorders Clinic Privacy/Security Officer – Vacant

UA Group Health Plan/FSA/WellBama Privacy Officer – Emily Marbutt

UA Group Health Plan/FSA/WellBama Security Officer – Jay Haley

Working on Womanhood Program (WOW) Privacy/Security Officer – Jill Beck

Early Intervention Privacy/Security Officer – Kimberly Tomeny

Institutional Review Board Compliance Officer – Tanta Myles