HIPAA Privacy Program

Mock PHI Announcement

The HIPAA Privacy Program, with the help of UITS, has been testing a control to detect unencrypted PHI sent via email. To avoid triggering an alert for this control when sending mock or fake PHI, in assignments it is recommended to:

  • Shorten MRN numbers (5 digits or less). 
  • Use links to documents containing PHI or mock PHI, instead of attachments. 
  • Get in the habit of encrypting mock PHI, as this is a standard industry practice.
  • Refrain from using email to send PHI unless absolutely necessary.

COVID-19 HIPAA Privacy Information


Welcome to the HIPAA Privacy Program

The University of Arizona (UA) HIPAA Privacy Program (HPP), led by the Director of the HIPAA Privacy Program, oversees all ongoing activities related to UA’s implementation of HIPAA policies and procedures and is the office primarily responsible for ensuring UA’s HIPAA compliance. The UA Director of the HIPAA Privacy Program is the Privacy Officer for designated UA departments and clinics and is responsible for developing and implementing relevant procedures, training and educational materials, and responding to privacy breaches.

HIPAA: The Health Insurance Portability and Accountability Act of 1996 (HIPAA), the American Recovery and Reinvestment Act of 2009 (ARRA), and all regulations promulgated thereunder, regulate the protection of private health information for individuals. These rules and regulations set standards for the uses and disclosures of all protected health information (PHI) obtained from a covered entity or a business associate of a covered entity. 

Hybrid Entity Status: UA is a Hybrid Entity and has designated Health Care Components in accordance with 45 CFR § 164.105. These Health Care Components must comply with HIPAA (45 CFR Parts 160, 162 and 164) and all regulations promulgated thereunder, as may be amended from time to time. If you have questions about whether you, your department, or your program is a HIPAA covered entity, please contact the HIPAA Privacy Office to discuss.

Researchers: please note that all research studies involving PHI must obtain either an individual’s authorization to access their information, granted by the entity that maintains the PHI, or without individual authorization under limited circumstances set forth in the Privacy Rule (e.g. an IRB-approved waiver of authorization).