
Health Insurance Portability and Accountability Act (HIPAA) Privacy Policy


This policy addresses the University of the Pacific's obligations to protect the privacy of individually identifiable health information that is created, received, or maintained by its health care providers.

The University implements this policy as a matter of sound business practice to protect the interests of its patients; and to fulfill its legal obligations under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), its implementing regulations at 45 CFR Parts 160 and 164 (65 Fed. Reg. 82462 (Dec. 28, 2000)) ("Privacy Rules"), as amended (78 Fed. Reg. 5565 [Jan. 25, 2013]); and to comply with state laws that provide greater protection or rights to patients than the Privacy Rules.


This policy applies to all Workforce Members, who are obligated to follow this policy faithfully. Failure to do so can result in disciplinary action, up to and including termination of employment or contract, or dismissal from the educational program or affiliation with University of the Pacific.

This policy addresses the portions of HIPAA that apply in our Health Care Components.

If you have questions or concerns about any use or disclosure of individually identifiable health information or about your other obligations under this policy, the Privacy Rules or other federal or state law, consult the University HIPAA Privacy Officer.


Breach

Acquisition, access, use or disclosure of Protected Health Information not permitted by the privacy and security rules, that compromises the privacy or security of the Protected Health Information, and that does not meet one of the exceptions mentioned in HIPAA.

Business Associate

A person or entity that performs certain functions or activities that involve the use or disclosure of Protected Health Information on behalf of, or provides services to, a Health Care Component of the University.


The release, transfer, provision of access to, or divulging in any manner of information outside the University Health Care Components.

Health Care Component

A component or combination of components of a Hybrid Entity.
Hybrid Entity

A single legal entity, covered by HIPAA, whose business activities include both covered and non-covered functions and has designated its health care components.


The person who is the subject of the Protected Health Information and includes prospective patients, patients of record, former patients, and their authorized representatives.



A person who, under applicable law, has authority to act on behalf of another individual in making decisions related to health care.

Protected Health Information


Individually identifiable health information, except for records covered by the Family Educational Rights and Privacy Act ("FERPA") or those in employment records.
Psychotherapy Notes

Notes made by a mental health professional documenting or analyzing the contents of conversations during counseling sessions that are separated from the rest of the individual's medical record.


The sharing, employment, application, utilization, examination, or analysis of Protected Health Information within the University Health Care Components.

Workforce Members

All University employees, the student body, and Business Associates.

Policy Statement

I.         Hybrid Entity

The University of the Pacific is a Hybrid Entity and has designated Health Care Components (see Statement of Hybrid Designation). This policy applies to all Workforce Members within our Health Care Components.

Each Health Care Component will designate a HIPAA Privacy Liaison who is responsible for ensuring this policy is implemented and followed within the component.

The University of the Pacific will regularly review and monitor its clinics, departments and programs to assess its Health Care Components list.

II.      Uses and Disclosures of Protected Health Information

The University of the Pacific will not use or disclose Protected Health Information (PHI), except as this policy permits or requires.

Where the University may use or disclose PHI, these uses and disclosures will be limited according to HIPAA. Details of how PHI may be used or disclosed are documented in the University HIPAA Privacy Procedures.

Disclosures of PHI to members of the University outside the University Health Care Components are considered external disclosures, and may require an authorization (see University HIPAA Privacy Procedures).

III.     Patient Rights

The University of the Pacific will honor all patients' rights granted by HIPAA to view, obtain and amend information contained in the Designated Record Set (defined below). (See University HIPAA Privacy Procedures).

A.                 Patient Access to Records

Each Component's HIPAA Privacy Liaison will act as a custodian of records who is responsible for the process of receiving and processing all requests related to records of that Component.

Patients, with limited exceptions, have the right to look at or obtain copies of their health information.

The University will only deny a request for access when allowable under HIPAA and state law, and will provide written notice of the denial in accordance with HIPAA and state law.

B.                 Designated Record Sets

Pursuant to HIPAA the University designates the following as the Patient's Designated Record Set.

Medical Records:

      • Treatment notes
      • All images (X-rays, photographs)
      • Medical history
      • Patient intake and discharge information
      • Treatment plans
      • Examinations, evaluations and diagnostic tests
      • Consents
      • Referrals
      • Medical consults, referrals and other medical information from other providers
      • Correspondence with Patients

Billing Records:

      • Enrollment information
      • Eligibility information
      • Billing statements
      • Financial contracts                                                                            
      • Insurance Claims
      • Claims adjudication

Psychotherapy Notes are not a part of the Designated Record Set. A Patient's Designated Record Set is subject to access and possible amendment by Patients and their Personal Representatives.

C.                 Record Amendment and Addendum

The University will allow all Patients or their Personal Representatives to request an amendment to the information about the Patient in the Patient's Designated Record Set if they believe the information is incorrect in accordance with HIPAA.

The University will allow Patients to provide a written addendum in accordance with CA Health and Safety Code section 123111.

D.                Alternative Communications

To the extent practicable, the University will accommodate reasonable written requests by Patients to receive communications by alternative means or at an alternative location.

E.                 Accounting of Disclosures

Upon request, the University will provide Patients with an appropriate accounting of disclosures in accordance with HIPAA requirements.

F.                 Breach Notification

If the University or any of its Business Associates discovers a possible breach of unsecured PHI, the University will investigate and when appropriate provide timely notification in compliance with HIPAA and applicable state law.

    1. Waivers

The University will not require anyone to waive their rights under the Privacy or Breach Notification Rules, including their right to complain to the Department of Health and Human Services if they believe the University or another HIPAA covered entity is not complying with HIPAA, as a condition for the provision of treatment, payment or eligibility for benefits.

IV.  Administrative

A.                 Safeguarding of Patient Information

The University of the Pacific will maintain appropriate administrative, technical and physical safeguards to ensure the privacy of Protected Health Information. The University will reasonably safeguard patient information from intentional or unintentional use and disclosure that is in violation of HIPAA.

The University will retain, transmit and destroy all PHI in compliance with HIPAA.

B.                 Complaints

Anyone, not just a Patient, has the right to complain about the University's HIPAA compliance, to either the University or the federal government. The University will document all complaints received and their disposition.

Anyone who has a complaint should be directed to the Component Privacy Liaison, the University HIPAA Privacy Officer or the University Compliance Helpline: 1.800.854.8443

Any complaints received by the Component Privacy Liaisons will be passed on to the University HIPAA Privacy Officer.

The University will not retaliate against anyone who submits a complaint in good faith. Complaints submitted in bad faith may result in disciplinary action.

C.                 Business Associates

All the University's relationships with Business Associates are managed in compliance with HIPAA. The University will not permit a Business Associate to access PHI unless a current and compliant Business Associate agreement is in place.

D.                Notice of Privacy Practices

The University provides a notice of privacy practices to its Patients, and anyone else who requests a copy. The Notice and how it is provided complies with HIPAA and applicable state law. The University will revise the Notice as appropriate, and provide the revised Notice as required by HIPAA.

E.                 Research

The University's Institutional Review Board reviews research proposals and establishes protocols to protect the privacy of Patient information. The board, in consultation with the University HIPAA Privacy Officer, will ensure that when PHI is used for research purposes the requirements of HIPAA are met and when necessary the appropriate authorizations are obtained.

F.                 Training

The University trains all Workforce Members within 60 days of their joining a University Health Care Component as to any HIPAA policy and procedure that affects their job. When there is a material change in its HIPAA policy and procedures, the University retrains the Workforce Members whose jobs are affected by the change within a reasonable time after the change becomes effective.

All University Health Care Component Workforce Members are trained annually in HIPAA Policy and Procedures.

G.                Retaliation and Intimidation

The University and its Business Associates will not intimidate or retaliate against anyone who: exercises their rights under HIPAA; participates in a HIPAA process; files a HIPAA complaint; participates in a HIPAA investigation, compliance review, proceeding or hearing; or who appropriately opposes an act that they believe is unlawful under HIPAA.

Any Workforce Member found to have violated this policy will be sanctioned (see Violations Section and HIPAA Privacy Procedures). Workforce Members will immediately report to the University HIPAA Privacy Officer anyone they believe or suspect, including a Business Associate, has violated this policy.

H.               State Law Compliance

The University will comply with the privacy laws of each state that has jurisdiction over the University regarding its actions involving Protected Health Information, where those laws provide greater protections or rights to Patients than HIPAA.

I.                   Review and Revisions

The University will review and revise its HIPAA policy and procedures as necessary and appropriate to remain in compliance with HIPAA.

J.                   Changes to our Policies and Procedures

Only the University HIPAA Privacy Officer, in consultation with the Office of General Counsel, may change this HIPAA Privacy Policy and our related procedures. In accordance with HIPAA, all original versions of this policy are retained.


University of the Pacific Workforce Members who violate the University's HIPAA Privacy Policy and Procedures, HIPAA or other applicable federal or state privacy laws, will be subject to disciplinary action, up to and including termination of employment or academic dismissal (see University HIPAA Privacy Procedures).

Workforce Members have a responsibility to report known HIPAA violations, and failure to report a known violation may result in disciplinary action as described above.


Victim of Crime - These sanctions will not apply to Workforce Members who are victims of a crime and disclose PHI to a law enforcement officer provided that: the PHI disclosed is about the suspected perpetrator of the criminal act, is disclosed for identification and location purposes, and is limited to the information allowed under HIPAA.

 Whistleblower – These sanctions will not apply to Workforce Members who disclose PHI provided that:

a)       The Workforce Member believes in good faith that the University is engaged in conduct that is unlawful or otherwise violates professional or clinical standards, or that the care, services, or conditions provided by the University potentially endangers one or more Patients, workers, or the public; and  

b)      The disclosure is to a health oversight agency, public health authority or an attorney retained for the purpose of determining legal options of the Workforce Member with regard to this conduct.

Contact Information

HIPAA Privacy Officer: 415.351.7124

Related Information


Procedures: HIPAA Privacy Procedures