HIPAA Liaisons
HIPAA Liaisons
Each component of the UofI HIPAA Hybrid Entity has a HIPAA Liaison appointed by their Dean or Department Head. The liaisons are the first point of contact regarding HIPAA Compliance questions and procedures for each of the listed covered entities. The HIPAA Privacy and Security Officer may be contacted for general HIPAA questions and issues regarding HIPAA compliance at the University of Illinois.
UIC
| UNIT | NAME | |
| College of Applied Health Sciences | Jon Santanni | jons@uic.edu |
| College of Dentistry | Danny Hanna | hannad@uic.edu |
| College of Medicine-Chicago | Sandra Young, Todd Van Neck & Marilu Luna | tvanneck@uic.edu, syoung@uic.edu & luzluna@uic.edu |
| College of Medicine-Peoria | Judy Martin | jam@uic.edu |
| College of Medicine-Rockford | Carol Schuster | schust@uic.edu |
| College of Nursing | Charlotte Buchanan & Jon Morelos (Alt) | cb21@uic.edu & hmorelos@uic.edu |
| College of Pharmacy | Dale Rush | dalerush@uic.edu |
| Division of Specialized Care for Children (DSCC) | Andrew Nichols & Brittani Provost | abn@uic.edu & bprovo2@uic.edu |
| Environmental Health & Safety Office | Heather Jackson & Juana Guzman | heather9@uic.edu & jruiz@uic.edu |
| Hospital | Margaret Pajak & Gabriela Iniguez | pajak@uic.edu & garroy3@uic.edu |
| Jane Addams College of Social Work (JACSW) | Natalie Dagres | ndagres@uic.edu |
| Mile Square Health Center | Kimary Lee | klee42@uic.edu |
| Office of Access and Equity | Donald Kamm | donn@uic.edu |
| School of Public Health (SPH) | Christopher Hollenbeck | chollen@uic.edu |
| Technology Solutions | Ed Zawacki | edz@uic.edu |
| The Office of Clinical and Human Subjects Research as part of the UIC Office of the Vice Chancellor for Research (OVCR) | Jonathan Klein & Andrew Boyd (Alternate) | jonklein@uic.edu & boyda@uic.edu |
| UIC Innovation Center | Tomoko Kawanaka | tomokok@uic.edu |
Urbana-Champaign
| UNIT | NAME | |
| College of Applied Health Sciences – Speech and Hearing Sciences | Candice Solomon-Strutz | cnsolomo@illinois.edu |
| Illinois Neuro Behavioral Assessment Laboratory (INBAL) | Kathryn Leskis | kkl@illinois.edu |
| Interdisciplinary Health Sciences Institute (IHSI) | Gillian Snyder | gcooke@illinois.edu |
| National Center for Supercomputing Applications (NCSA) | Alexander Withers & Margaret Gelman | alexw1@illinois.edu & mgelman2@illinois.edu |
| Occupational Safety & Health Department | Jeremy Neighbors | jneighbo@illinois.edu |
| Office of Access and Equity | Allison Kushner | Akushner@illinois.edu |
| Technology Services | Paul Lucas | pblucas@illinois.edu |
| The Autism Program Training Center at UIUC | Jeanne Kramer | jjkramer@illinois.edu |
| The School of Social Work Center for Prevention Research and Development at UIUC | Crystal Reinhart | reinhrt@illinois.edu |
University Administration
| UNIT | NAME | |
| Administrative Information Technology Services (AITS) | Chris Barton & Jared Ross | cpbarton@uillinois.edu & jeross@uillinois.edu |
| Office of Medicaid Innovation | Carl Conner | conner20@uillinois.edu |
| Office of University Audits | Gene Fruit | gfruit@uillinois.edu |
| Office of University Counsel | Karen Quinlan | kquinlan@uillinois.edu |
| Records Information Management (RIM) | Margaret Norman | mnorman3@uillinois.edu |
| The Freedom of Information Act (FOIA) Administration | Matt Sullard | sullard@uillinois.edu |
| University Ethics Office | Donna McNeely | dmcne1@uis.edu |
| University Office of Risk Management | Darlene Frazier | DFrazier@UIllinois.edu |
| University Payables (UPAY) | James Martinie | martini1@uillinois.edu |
HIPAA Structure @ UofI
] HIPAA Compliance Structure
In November 2013, the Board of Trustees approved policy that called for the formation of an Information Privacy and Security Council (IPSC) with representation from many areas of the university including Legal, IT Governance, IT Security, Faculty, etc. The IPSC serves an advisory role to the Board on information privacy and security issues. The IPSC commissioned a HIPAA Subcommittee to directly work on HIPAA related issues.
The IPSC HIPAA Subcommittee works closely with the University HIPAA Privacy and Security Official to address HIPAA related issues throughout the UofI covered entity.
In addition each component of the covered entity has named a HIPAA Liaison to act as resource to their unit and to work with the HIPAA Privacy and Security Official in all matters related to HIPAA.
IPSC HIPAA Subcommittee
| Balgopal, Anita | Institutional Review Board (UIUC) | anitab@illinois.edu |
| Barnes, Joe | Technology Services at Illinois, Chief Privacy & Security Officer (UIUC) | jdbarns1@illinois.edu |
| Barton, Chris | Administrative Information Technology Services (AITS) | cpbarton@uillinois.edu |
| Boyd, Andy | College of Medicine and College of Applied Health Sciences (UIC) | boyda@uic.edu |
| Dzado-Swanson, Melissa | Assistant Privacy Officer | dzadoswa@uic.edu |
| Fruit, Gene | University Audits | gfruit@uillinois.edu |
| Garfinkel, Chaim | UIC Hospital | cgarfin@uic.edu |
| Grogan, David | University Ethics & Compliance Office | dgrogran@uillinois.edu |
| Riley, Matthew (Chair) | HIPAA Privacy and Security Official | mlriley@uic.edu |
| Hoehne, Chuck | Office of the Vice Chancellor for Research (UIC) | choehne@uic.edu |
| Larrison, Christopher | School of Social Work (UIUC) | larrison@illinois.edu |
| Maslanka, Jason | Director, CAS Information Technology (UIC ITGC InfraSec Chair) | jasonm@uic.edu |
| Pajak, Margaret | UI Hospital | pajak@uic.edu |
| Pfister, Patricia | Office of Research Services (UIC) | pfister@uic.edu |
| Power, Lisa | University Counsel | lpower@uillinois.edu |
| Reed, Claire | University Counsel | cmreed@uic.edu |
| Saxon, Stacy | UI Hospital | ssaxon@uic.edu |
| Shipp, Judy | Counseling Center & Student Services (UIS) | jship@uis.edu |
| Slagell, Adam | National Supercomputing Applications (NSCA) | slagell@illinois.edu |
| Solomon-Strutz, Candice | Administrative Information Technology Services | cnsolomo@uillinois.edu |
| Wee, Emily | Interdisciplinary Health Sciences Initiative | ewee@illinois.edu |
| Zawacki, Ed | Technology Solutions {Formerly Academic Computing and Communications Center}, Chief Information Security and Privacy Officer (UIC) | edz@uic.edu |
Frequently Asked Questions
What is HIPAA?
HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. Among other things, the law includes the Privacy Rule, which creates national standards to protect the privacy of individuals’ protected health information (PHI), and the Security Rule, which establishes standards for securing PHI in electronic form.
What is PHI?
PHI includes all individually identifiable health information (including information in research databases and tissue bank samples with identifiers) relating to the:
- Past, present, or future physical or mental condition of an individual
- Provision of health care to an individual
- Past, present or future payment for the provision of health care to an individual
Health information is individually identifiable if it contains any of the following:
- Names
- Geographic subdivisions smaller than a state
- Dates (except year) directly related to an individual, including birth date, health care service admission or discharge dates, date of death, and all ages over 89 and all elements of dates (including year) indicative of such age, unless aggregated into a single category of ages over 89
- Telephone numbers
- Fax numbers
- E-mail addresses
- Social security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/Driver’s license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web Universal Resource Locators (URLs)
- Internet Protocol (IP) address numbers
- Biometric identifiers, including finger and voice prints
- Full face photographic images and any comparable images
- Any other unique identifying number, characteristic or code
PHI that is either transmitted by electronic media or maintained in electronic media is referred to as electronic protected health information, or ePHI.
Which groups at UofI are subject to the HIPAA Privacy and Security Rules?
Entities covered by HIPAA are health care providers, health plans (including employer’s sponsored plans), and healthcare clearing houses (e.g., billing agent).
What standards are established by the Security Rule?
The HIPAA Security Rule establishes administrative, physical and technical safeguards to secure protected health information that is (i) transmitted by electronic media or (ii) maintained in electronic media. Electronic protected health information is commonly referred to as ePHI.
The Security Rule requires that Covered Entities restrict access to ePHI to only those workforce members or business associates who require access to that data in order to perform their job functions. Systems access controls and procedures must be in place on all information systems that maintain ePHI to guard against unauthorized access to such data. Security mechanisms and procedures must be implemented to limit access to facilities and physical areas in which information systems that maintain or access ePHI are housed.
Computing devices must be installed, configured and located in a way that minimizes the unauthorized or incidental disclosure of ePHI. Managers and workforce members are responsible for employing appropriate safeguards to deter unauthorized access in the workplace and on their computing devices and storage media.
When ePHI is transmitted over an electronic communications network (e.g., file transfer, email), the ePHI must be secured against unauthorized access and modification. The sender must use a secure electronic messaging system (e.g., secure email) that has been approved by the Stanford Information Security Officer. If a secure system is not used to transfer the ePHI, then the ePHI must be encrypted.
System Owners are responsible for establishing appropriate auditing mechanisms and procedures to detect potential security incidents involving ePHI. Contingency plans must be developed and implemented for each information system for responding to and recovering from system outages or other emergencies that may damage or make unavailable the system or ePHI.