This Is Auburn Office of Audit, Compliance & Privacy

The Health Insurance Portability and Accountability Act (HIPAA)

Auburn University and Auburn University at Montgomery (collectively "the University" or "Auburn") are dedicated to improving the lives of the people of Alabama, the nation, and the world through forward-thinking education, life-enhancing research and scholarship, and selfless service.

As a part of improving the lives of the people of Alabama, the University, through its health care components, provides a variety of health care services to our employees, their families, our students and the citizens of Alabama (our family). Auburn is dedicated to protecting the privacy and security of your health care information (referred to as “Protected Health Information” or “PHI”). PHI is protected under a federal law known as the Health Insurance Portability and Accountability Act (HIPAA).

What is HIPAA?

HIPAA is the Health Insurance Portability and Accountability Act of 1996, Pub. L.No.104-191, as amended the Health Information Technology for Economic and Clinical (HITECH) Health Act which was a part of the American Recovery and Reinvestment Act of 2009 (ARRA).

The U.S. Department of Health and Human Services (DHHS) is the federal agency responsible for oversight of HIPAA; and the Office of Civil Rights (OCR) is responsible for enforcement of HIPAA.

In addition, to establishing laws allowing individuals to keep their health insurance and improving the efficacy and effectiveness of the health care system, HIPAA established standard for the protection and security of Individually Identifiable Information (PII), known as Protected Health Information (PHI).

Additional information regarding HIPAA, can be found on of DHHS website, including HIPAA Frequently Asked Questions.

Frequently Asked Questions

The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information "protected health information (PHI)."

"Individually identifiable health information" is information, including demographic data, that relates to:

  • the individual's past, present or future physical or mental health or condition,
  • the provision of health care to the individual, or
  • the past, present, or future payment for the provision of health care to the individual; and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.

Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).

The Privacy Rule excludes from protected health information employment records that a covered entity maintains in its capacity as an employer and education and certain other records subject to, or defined in, the Family Educational Rights and Privacy Act, 20 U.S.C. &sec;1232g.

For more information see the Summary of the HIPAA Privacy Rule

The University is a multi-disciplinary single legal entity composed of various components, with campus locations in Auburn, AL and Montgomery, AL. The main campus is located in Auburn, AL and known as Auburn University, or Auburn, and the campus in Montgomery, AL is known as Auburn University at Montgomery, or AUM. The Auburn University System is a hybrid entity.

Several entities at Auburn University and Auburn University at Montgomery provide health care services and are subject to the requirements of the Health Insurance Portability and Accountability Act of 1966 (HIPAA), Public Law 104-19; and are therefore considered to be "covered entities" under the terms and provisions of HIPAA.

Under HIPAA, a covered entity means:

  1. A health plan
  2. health care clearing house
  3. A health care provider who transmits any health information in electronic form in connection with a transaction covered by this chapter (45 C.F.R. 160.103- Definitions).

The designated covered entities of Auburn University and Auburn University at Montgomery are subject to HIPAA.

The following health care components at Auburn University and Auburn University at Montgomery have been designated as covered entities under the terms and provisions of HIPAA:

  • The Auburn University Employee Pharmacy
  • The Auburn University Student Pharmacy
  • The Auburn University Pharmaceutical Care Center
  • The Auburn University Pharmaceutical Care Center – Boykin Center
  • The State Employees' Insurance Board (SEIB) Pharmacy – Montgomery, AL.
  • The State Employees' Insurance Board (SEIB) Clinic – Montgomery, AL.
  • The Auburn University Speech and Hearing Clinic
  • The Auburn University Montgomery (AUM) Speech and Hearing Clinic
  • The Auburn University Montgomery (AUM) Student Health Services Clinic

The Privacy Rule permits a covered entity that is a single legal entity and that conducts both covered and non-covered functions to elect to be a "“hybrid entity." (The activities that make a person or organization a covered entity are its "covered functions.")

To be a hybrid entity, the covered entity must designate in writing its operations that perform covered functions as one or more "health care components." After making this designation, most of the requirements of the Privacy Rule will apply only to the health care components. A covered entity that does not make this designation is subject in its entirety to the Privacy Rule.

Auburn has designated in writing its operations that perform covered functions and is classified as a "hybrid entity" under the terms and provisions of HIPAA.

The group health plan is considered by Health and Human Services (HHS) to be a separate legal entity from the University. Consult DHHS guidance on group health plans for more information.

The Auburn University Medical Center is located on the campus of Auburn University at 400 Lem Morrison Drive Auburn, AL 36849. Although located on the campus of Auburn University, AUMC is solely owned and operated by East Alabama Medical Center (EAMC). Consult the AUMC website for more information.

For the following health care components:

The Auburn University Employee Pharmacy
The Auburn University Student Pharmacy
The Auburn University Pharmaceutical Care Center
The Auburn University Pharmaceutical Care Center – Boykin Center
The State Employees' Insurance Board (SEIB) Pharmacy – Montgomery, AL.
The State Employees' Insurance Board (SEIB) Clinic – Montgomery

Contact: HIPAA Privacy Officer
Auburn University
Harrison School of Pharmacy
2155 Walker Building
Auburn, AL 36849
Phone: (334) 844-4099

For The Auburn University Speech and Hearing Clinic:

Contact: HIPAA Privacy Officer
AU Speech and Hearing Clinic
1199 Haley Center
Auburn, AL 36849
(334) 844-9600

For The Auburn University at Montgomery (AUM) Speech and Hearing Clinic:

Contact: HIPAA Privacy Officer
AUM Speech and Hearing Clinic
7177 Halcyon Summit Drive
Montgomery, AL 36117
(334) 244-3408

For The Auburn University at Montgomery (AUM) Student Health Services Clinic:

Contact: HIPAA Privacy Officer
AUM Student Health Services Clinic
7461 East Drive
Montgomery, AL
(334) 244-3000

Or contact the Auburn University HIPAA Privacy Officer

Office of Audit, Compliance & Privacy
Division of Institutional Compliance & Privacy
302 Samford Hall
Auburn, AL 36849
(334) 844-4389

Anyone can report a known or suspected violation of HIPAA privacy or security. If you know of a violation or suspect a violation, please contact the University’s HIPAA Privacy Officer directly at: 334-844-4389 or you may submit a report via email to hipaa@auburn.edu.

Last Updated: January 28, 2020