The HIPAA Privacy Standards govern the confidentiality of individuals’ health information maintained in the health care system. An entity covered by the HIPAA Privacy Standards generally must complywith the following obligations: (i) Use or Disclose health information only as permitted by the HIPAA Privacy Standards; (ii) limit requests, Uses, and Disclosures of health information to the minimum necessary; (iii) give individuals a notice of the entity’s privacy practices; (iv) provide certain rights to individuals with respect to their health information; and (v) establish certain administrative procedures to ensure health information is kept confidential, such as the designation of a privacy official and the establishment of sanctions against workforce members who breach an individual’s privacy rights.
This compilation of policies and forms (“the Manual”) constitute official policies of The University of Texas System Administration (System). They are cross- referenced in the System Policy Library, http://www.utsystem.edu/bor/procedures/policy/  collectively as System Administration Internal Policy INT 166.
They are adopted to govern the treatment of the Protected Health Information by System. The policies and procedures are intended to comply with 45 C.F.R. §§ 164.530(i) and (j)(1)(i), which require System, as a HIPAA Hybrid Entity that has an office that houses Self-funded Group Health Plans that are Covered Entities, as well as offices that function as Business Associates (collectively “the Health Care Component”), to implement and design privacy policies and procedures that comply with the HIPAA Privacy Standards and to maintain such privacy policies and procedures in written or electronic form. Additionally, these policies address System’s duties as a Plan Sponsor to other Fully-insured Group Health Plans through which employees, retirees and their eligible dependents are insured.