HSC Privacy Office

The federal Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) protects the privacy and confidentiality of an individual’s health information.

Report An Incident

• Fill out the Online Form

While the online form is the preferred reporting method, privacy incident reports can also be submitted:

• By Phone at 505-272-1493
• By email to HSC-Privacy@salud.unm.edu
• By Fax to 505-272-2461

To report by email or FAX, please use the Incident Report Form.

Disclosure of PHI

Known as “protected health information” or “PHI”, the health information generally cannot be used or disclosed unless the individual who is the subject of the PHI has given prior written authorization or permission.

Examples:

• Prior Written Authorization to Employer: The individual* requests that a copy of the individual’s PHI or health records be sent the individual’s employer. The individual must provide prior written authorization before the records can be sent.

• Prior Written Authorization - Interview: The individual would like a third party, not a treatment provider, to interview the individual’s treatment provider. The individual must provide prior written authorization that allows the treatment provider to discuss the individual’s treatment PHI with the third party.

Breach of PHI

HIPAA requires that an individual’s PHI is reasonably safeguarded. Learn more about record disposal. Loss of hard copy PHI or unencrypted electronic PHI can result in a breach of PHI that will require a breach notification letter to be sent to the affected individual.

Examples:

• Safeguarding Health Records: Medical record documents left unattended in the cafeteria constitute a breach of PHI.

• Encrypted Laptop: A laptop containing unencrypted PHI is stolen from a car. The loss of the laptop constitutes a breach of PHI.

• Workforce Curiosity - Data Breach: A workforce member** accessing PHI for information about co-workers, friends, or family members out of curiosity (i.e., without a medical or business-related purpose). This unauthorized access constitutes a breach of PHI.

Individual Rights

An individual has several basic rights associated with their Protected Health Information.

The Right to...

• Receive a Notice of Privacy Practices
• General Access to Inspect and Obtain a Copy of Health Information
• Request an Amendment to Health Information
• Request Confidential Communications
• Request Restrictions on Uses and Disclosures of Health Information
• An Accounting of Disclosures

* Under HIPAA,"individual" means the person who is the subject of the protected health information.

** Under HIPAA, "workforce member" means employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of such entity, whether or not they are paid by the covered entity. A person is acting under the authority of a covered entity or business associate if he or she is acting on its behalf. This may include a workforce member of a covered entity, an employee of a business associate, or even a business associate of a covered entity.