HSC Privacy Office

The federal Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) protects the privacy and confidentiality of an individual’s health information.

Report An Incident

While the online form is the preferred reporting method, privacy incident reports can also be submitted:

To report by email or FAX, please use the Incident Report Form.

Disclosure of PHI

Known as “protected health information” or “PHI”, the health information generally cannot be used or disclosed unless the individual who is the subject of the PHI has given prior written authorization or permission.


  • Prior Written Authorization to Employer: The individual* requests that a copy of the individual’s PHI or health records be sent the individual’s employer. The individual must provide prior written authorization before the records can be sent.
  • Prior Written Authorization - Interview: The individual would like a third party, not a treatment provider, to interview the individual’s treatment provider. The individual must provide prior written authorization that allows the treatment provider to discuss the individual’s treatment PHI with the third party.

Breach of PHI

HIPAA requires that an individual’s PHI is reasonably safeguarded. Learn more about record disposal. Loss of hard copy PHI or unencrypted electronic PHI can result in a breach of PHI that will require a breach notification letter to be sent to the affected individual.


  • Safeguarding Health Records: Medical record documents left unattended in the cafeteria constitute a breach of PHI.
  • Encrypted Laptop: A laptop containing unencrypted PHI is stolen from a car. The loss of the laptop constitutes a breach of PHI.
  • Workforce Curiosity - Data Breach: A workforce member** accessing PHI for information about co-workers, friends, or family members out of curiosity (i.e., without a medical or business-related purpose). This unauthorized access constitutes a breach of PHI.

Individual Rights

An individual has several basic rights associated with their Protected Health Information.

The Right to...

* Under HIPAA,"individual" means the person who is the subject of the protected health information.

** Under HIPAA, "workforce member" means employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of such entity, whether or not they are paid by the covered entity. A person is acting under the authority of a covered entity or business associate if he or she is acting on its behalf. This may include a workforce member of a covered entity, an employee of a business associate, or even a business associate of a covered entity.

HSC Privacy Office

MSC08 4760

1650 University Blvd. NE

Albuquerque, NM 87131-0001

Physical Location:

HSC Business & Communications Center

Suite 3200

Phone: 505-272-1493

FAX: 505-272-2461