University Policy

HIPAA Policies

General HIPAA policy:
3364-15-01 HIPAA administrative simplification

Confidentiality of Patient Information:
3364-15-10 Confidentiality of Patient Information

UT HIPAA Policies:

Policy Number

Policy Name



Release of Health Information

Process for providing patients their medical record.


Minimum Necessary Guidelines for Use/Disclosure of Protected Health Information

PHI can be used for treatment, payment and healthcare operations, but workforce members may review only the PHI they have a business purpose to review.


Request for Restriction on Health Information

Patients may pay cash for services and restrict the disclosure of the documentation.


De-Identifiable and Re-Identifiable Health Information, Limited Data Set and Data Use agreement

PHI may need to be de-identified for such purposes as research. Re-identification may be necessary, using a code that would remain with the covered entity.


Medical Record Availability and Access

Health Information Management maintains a medical record on every patient. Patients may request a copy of their record in various formats: electronic, e-mail, flash drive and/or paper.


Patient Directory

Patient directory and what information may be disclosed as requested by the patient.


Joint Notice of Privacy Practices

A notice provides the patient with their rights and obligations.


Accounting and Documentation of Disclosures of Protected Health Information other than Treatment, Payment and Healthcare Operations.

HIM must keep a tracking log of all disclosures of PHI.


Security and protection of Patient Information Both Papers and Electronic

PHI must be protected from natural or environmental disasters. Workforce members must ensure the highest security of their computers and passwords.


Business Associate Agreement

A Business Associate Agreement must accompany any contract where the vendor will create, receive, maintain or transmit PHI on behalf of UT.


Photographing- videotaping, filming, video recording

Consent required for filming, photographing, or recording for the purpose of education, staff development and/or documentation.


Reporting of Security Breach of Protected Health Information including Personal Health Information

Process for determining and reporting a breach.


Medical Record Retention and Destruction Disposal of Protected Health information

Maintenance, retention, destruction and disposal of electronic and paper documentation.


Medical Record Amendment

Patients may request a change to their medical record that may either be approved or denied by the provider.


Patient Request for Confidential Communication

Patients complete a Confidential Communication form, telling UT which phone number to call and leave messages at, and with whom workforce members may speak regarding PHI.

Information Technology HIPAA policies

Last Updated: 6/27/22