HIPAA stands for the Health Insurance Portability and Accountability Act. This act passed by Congress in 1996 is an expansive set of rules that includes establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, an employers.

Covered entities must comply with HIPAA rules.  Under HIPAA, health care providers that transmit health information in electronic form for treatment, payment or operations purposes, health care clearinghouses, and health plans are considered covered entities.

The University is considered a "hybrid entity" for HIPAA compliance purposes. This means that only certain identified components of the University are subject to the HIPAA Privacy rules. The University is able to designate some components that are medical components or group health plans that are separate and distinct from non-medical components.  Only those components that the University has identified as medical components or group health plans are subject to the privacy requirements of HIPAA.

The University has identified the following components as subject to the HIPAA Privacy Rule:

• As health care providers:
  • Eleanor M. Luse Center for Communication: Speech, Language and Hearing
• Employee Group Health Plans
• University departments that have signed Business Associate Agreements with other entities are subject to the use and disclosure provisions of the Privacy Rule.

No. The University of Vermont Medical Center (formerly Fletcher Allen Health Care) and its parent organization the University of Vermont Health Network are separate and distinct organizations from the University of Vermont (UVM). A copy of the University of Vermont Medical Center's notice of privacy practices may be found on their website.

The HIPAA Privacy Rule establishes regulations for the use and disclosure or Protected Health Information (PHI)

PHI is any information about the health status, provision of health care, or payment for healthcare that can be linked to an individual.  This is interpreted to include any part of a patient's medical record or payment history.

The covered components identified by UVM may disclose PHI to facilitate treatment, payment or health care operations, or for other purposes if authorized to do so by the individual.  These components must make an effort when disclosing PHI in accordance with the rule to disclose the minimum amount necessary to achieve its purpose.

The covered components of UVM provide a notice of privacy to individuals for whom they provide health care or who participate in the identified group health plans.

Privacy Notice examples:

• Group health plans - Privacy Notice (PDF)
• Eleanor M. Luse Center – Notice of Privacy Practices (PDF)

Please note:  While student health records are covered under FERPA and not HIPAA, if you are looking for the Center for Health and Wellbeing’s Privacy Notice, please go to CHWB Notice of Privacy Practices (PDF).

FERPA (Family Educational Rights and Privacy Act) governs the privacy of student records including UVM student health information.  As a result, the HIPAA Privacy Rule governs UVM's medical  treatment of non-students.

Researchers that work with Private Health Information (PHI) are required to follow the Privacy Rule of the organization that owns the PHI.  Since College of Medicine physicians that provide health care services do so as University of Vermont Medical Center physicians, the University of Vermont Medical Center is the covered entity for HIPAA purposes for research using its PHI.  The College of Medicine, the University of Vermont Medical Center and the Institutional Review Board that oversees research involving human subjects have defined policies and procedures governing use of PHI for research purposes. See the Research Protections Office's HIPAA guidance page for further information. 

You may contact the relevant  Coordinator at the provider of service:

• HIPAA Coordinator - UVM Benefit Plans (802) 656-3150
• HIPAA Coordinator - UVM Luse Center (802) 656-3861