HIPAA Liaisons

HIPAA Liaisons

Each component of the UofI HIPAA Hybrid Entity has a HIPAA Liaison appointed by their Dean or Department Head. The liaisons are the first point of contact regarding HIPAA Compliance questions and procedures for each of the listed covered entities. The HIPAA Privacy and Security Officer may be contacted for general HIPAA questions and issues regarding HIPAA compliance at the University of Illinois.


College of Applied Health Sciences Jon Santanni jons@uic.edu
College of Dentistry Susan Rowan srowan@uic.edu
College of Medicine-Chicago Nicole Almiro, Todd Van Neck & Marilu Luna tvanneck@uic.edu, almiro@uic.edu & luzluna@uic.edu
College of Medicine-Peoria Judy Martin jam@uic.edu
College of Medicine-Rockford Carol Schuster schust@uic.edu
College of Nursing Jon Morelos hmorelos@uic.edu
College of Pharmacy Dale Rush dalerush@uic.edu
Division of Specialized Care for Children (DSCC) Andrew Nichols (Interim) & Brittani Provost abn@uic.edu & bprovo2@uic.edu
Environmental Health & Safety Office Brian Nathe bnathe2@uic.edu
Hospital Margaret Pajak & Gabriela Arroyo pajak@uic.edu garroy3@uic.edu
Jane Addams College of Social Work (JACSW) Marty McDermott martym@uic.edu
Mile Square Health Center Kimary Lee klee42@uic.edu
Office of Access and Equity Danielle Miller dearls@uic.edu
School of Public Health (SPH) Frank Cervone fcervone@uic.edu
Technology Solutions {Formerly Academic Computing and Communications Center (ACCC)} Ed Zawacki edz@uic.edu
The Office of Clinical and Human Subjects Research as part of the UIC Office of the Vice Chancellor for Research (OVCR)

Jonathan Klein

Andrew Boyd (Alternate)



UIC Innovation Center Tomoko Kawanaka tomokok@uic.edu


College of Applied Health Sciences – Speech and Hearing Sciences Michael Bohlmann mikeb@illinois.edu
Illinois Neuro Behavioral Assessment Laboratory (INBAL) Kathryn Leskis kkl@illinois.edu
Interdisciplinary Health Sciences Institute (IHSI) Gillian Snyder gcooke@illinois.edu
National Center for Supercomputing Applications (NCSA) Alexander Withers alexw1@illinois.edu
Occupational Safety & Health Department Jeremy Neighbors jneighbo@illinois.edu
Office of Access and Equity M.T. Hudson mthdsn@illinois.edu
Office of Medicaid Innovation Shawn Cole (Interim) cole3@uis.edu
Technology Services Paul Lucas & Taylor Judd pblucas@illinois.edu & tjudd@illinois.edu
The Autism Program Training Center at UIUC Jeanne Kramer jjkramer@illinois.edu

University Administration

Administrative Information Technology Services (AITS) Chris Barton cpbarton@uillinois.edu
Office of University Audits Gene Fruit gfruit@uillinois.edu
Office of University Counsel Karen Quinlan kquinlan@uillinois.edu
Records Information Management (RIM) William Herrera wherrera@uillinois.edu
The Freedom of Information Act (FOIA) Administration Matthew Rogina mrogina@uillinois.edu
University Ethics Office Donna McNeely dmcne1@uis.edu
University Office of Risk Management Darlene Frazier DFrazier@UIllinois.edu
University Payables (UPAY) James Martinie martini1@uillinois.edu

HIPAA Structure @ UofI

HIPAA Compliance Structure

In November 2013, the Board of Trustees approved policy that called for the formation of an Information Privacy and Security Council (IPSC) with representation from many areas of the university including Legal, IT Governance, IT Security, Faculty, etc. The IPSC serves an advisory role to the Board on information privacy and security issues. The IPSC commissioned a HIPAA Subcommittee to directly work on HIPAA related issues.

The IPSC HIPAA Subcommittee works closely with the University HIPAA Privacy and Security Official to address HIPAA related issues throughout the UofI covered entity.

In addition each component of the covered entity has named a HIPAA Liaison to act as resource to their unit and to work with the HIPAA Privacy and Security Official in all matters related to HIPAA.

IPSC HIPAA Subcommittee

Balgopal, Anita Institutional Review Board (UIUC) anitab@illinois.edu
Barnes, Joe Technology Services at Illinois, Chief Privacy & Security Officer (UIUC) jdbarns1@illinois.edu
Barton, Chris Administrative Information Technology Services (AITS) cpbarton@uillinois.edu
Boyd, Andy College of Medicine and College of Applied Health Sciences (UIC) boyda@uic.edu
Dzado-Swanson, Melissa Assistant Privacy Officer dzadoswa@uic.edu
Fruit, Gene University Audits gfruit@uillinois.edu
Garfinkel, Chaim UIC Hospital cgarfin@uic.edu
Grogan, David University Ethics & Compliance Office dgrogran@uillinois.edu
Herrera Lindstrom, Cynthia (Chair) HIPAA Privacy and Security Official cynthiar@uic.edu
Hoehne, Chuck Office of the Vice Chancellor for Research (UIC) choehne@uic.edu
Larrison, Christopher School of Social Work (UIUC) larrison@illinois.edu
Maslanka, Jason Director, CAS Information Technology (UIC ITGC InfraSec Chair) jasonm@uic.edu
Pajak, Margaret UI Hospital pajak@uic.edu
Pfister, Patricia Office of Research Services  (UIC) pfister@uic.edu
Power, Lisa University Counsel lpower@uillinois.edu
Reed, Claire University Counsel cmreed@uic.edu
Saxon, Stacy UI Hospital ssaxon@uic.edu
Sharma, Annalee UI Hospital aruiz3@uic.edu
Shipp, Judy Counseling Center & Student Services (UIS) jship@uis.edu
Slagell, Adam National Supercomputing Applications (NSCA) slagell@illinois.edu
Solomon-Strutz, Candice Administrative Information Technology Services cnsolomo@uillinois.edu
Wee, Emily Interdisciplinary Health Sciences Initiative ewee@illinois.edu
Zawacki, Ed Academic Computing and Communications Center, Chief Information Security and Privacy Officer (UIC) edz@uic.edu

Frequently Asked Questions

What is HIPAA?

HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. Among other things, the law includes the Privacy Rule, which creates national standards to protect the privacy of individuals’ protected health information (PHI), and the Security Rule, which establishes standards for securing PHI in electronic form.

What is PHI?

PHI includes all individually identifiable health information (including information in research databases and tissue bank samples with identifiers) relating to the:
  • Past, present, or future physical or mental condition of an individual
  • Provision of health care to an individual
  • Past, present or future payment for the provision of health care to an individual
Health information is individually identifiable if it contains any of the following:
  • Names
  • Geographic subdivisions smaller than a state
  • Dates (except year) directly related to an individual, including birth date, health care service admission or discharge dates, date of death, and all ages over 89 and all elements of dates (including year) indicative of such age, unless aggregated into a single category of ages over 89
  • Telephone numbers
  • Fax numbers
  • E-mail addresses
  • Social security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate/Driver’s license numbers
  • Vehicle identifiers and serial numbers, including license plate numbers
  • Device identifiers and serial numbers
  • Web Universal Resource Locators (URLs)
  • Internet Protocol (IP) address numbers
  • Biometric identifiers, including finger and voice prints
  • Full face photographic images and any comparable images
  • Any other unique identifying number, characteristic or code
PHI that is either transmitted by electronic media or maintained in electronic media is referred to as electronic protected health information, or ePHI.

Which groups at UofI are subject to the HIPAA Privacy and Security Rules?

Entities covered by HIPAA are health care providers, health plans (including employer’s sponsored plans), and healthcare clearing houses (e.g., billing agent).

What standards are established by the Security Rule?

The HIPAA Security Rule establishes administrative, physical and technical safeguards to secure protected health information that is (i) transmitted by electronic media or (ii) maintained in electronic media. Electronic protected health information is commonly referred to as ePHI.
The Security Rule requires that Covered Entities restrict access to ePHI to only those workforce members or business associates who require access to that data in order to perform their job functions. Systems access controls and procedures must be in place on all information systems that maintain ePHI to guard against unauthorized access to such data. Security mechanisms and procedures must be implemented to limit access to facilities and physical areas in which information systems that maintain or access ePHI are housed.
Computing devices must be installed, configured and located in a way that minimizes the unauthorized or incidental disclosure of ePHI. Managers and workforce members are responsible for employing appropriate safeguards to deter unauthorized access in the workplace and on their computing devices and storage media.
When ePHI is transmitted over an electronic communications network (e.g., file transfer, email), the ePHI must be secured against unauthorized access and modification. The sender must use a secure electronic messaging system (e.g., secure email) that has been approved by the Stanford Information Security Officer. If a secure system is not used to transfer the ePHI, then the ePHI must be encrypted.
System Owners are responsible for establishing appropriate auditing mechanisms and procedures to detect potential security incidents involving ePHI. Contingency plans must be developed and implemented for each information system for responding to and recovering from system outages or other emergencies that may damage or make unavailable the system or ePHI.