

Office of Information Security

Health Insurance Portability and Accountability Act (HIPAA)

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.


HIPAA privacy

Penn State remains committed to keeping your personal health information private. The Privacy Office is responsible for the implementation and administration of an institutionally based complaint process in compliance with the rules and regulations of HIPAA.

If patients believe their privacy rights have been violated, complaints may be made directly to the Penn State Privacy Office or to the U.S. Department of Health and Human Services, Office for Civil Rights.

Health Information Privacy Complaint Form

To file a complaint with the Penn State Privacy Office, please print and complete the Health Information Privacy Complaint Form. Mail the completed form to:

HIPAA Privacy Officer
Penn State Privacy Office
025 Technology Support Building
300 Science Park Road
State College, PA 16803

You may also file a complaint directly with the Office for Civil Rights.

Please reference University Policy AD22,  or contact the Penn State HIPAA Compliance Team at for additional guidance.


Protected Health Information (PHI)

The HIPAA Privacy Rule provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information.

Pursuant to the HIPAA Breach Notification Rule, an individual has a right to receive a written notice if their unsecured PHI has been breached while in the possession, custody, or control of a Covered Component or vendor working with the Covered Component.

Reporting a suspected breach of PHI

If you suspect a breach of unsecured PHI has occurred, immediately report this to and/or


Health Insurance Portability and Accountability Act/Health Information Technology for Economic and Clinical Health (HITECH)

Penn State is a hybrid entity; only parts of Penn State are subject to HIPAA and/or HITECH. HITECH applies to electronic health information and the dissemination thereof. The parts of Penn State that are regulated under HIPAA are referred to as Covered Components. The University has identified which of its specific units are Covered Components.

Covered Components are specified as a health care provider, health plan, or health care clearinghouse that transmits health information in electronic form in connection with a covered transaction. For more information regarding whether or not your unit would meet the definition of a Covered Component under HIPAA, directly contact the Penn State HIPAA Compliance Team at For additional details on Covered Component (Entity) status, please refer to U.S. Department of Health and Human Services.

The University Privacy Officer serves as the designated HIPAA Privacy Officer and is responsible for coordinating compliance with specific standards of the HIPAA Privacy Rule.

The designated HIPAA Security Officer is responsible for coordinating compliance with specific standards of the HIPAA Security Rule regulations, in regard to the protection of Electronic Protected Health Information (ePHI).

In addition, each identified Covered Component must participate in the ongoing compliance of HIPAA and must assign a staff member, within their unit, the responsibility of HIPAA compliance and regulatory implementation to include both the HIPAA Privacy and Security Rules.

Note: The Milton S. Hershey Medical Center and the Penn State College of Medicine have been joined together as an “Affiliated Covered Entity” and act as one for the purposes of HIPAA. The Hershey Medical Center has its own privacy officer and procedures used to comply with HIPAA.

If students, faculty, or staff participate in any activity that involves patient information from the Milton S. Hershey Medical Center, it will be necessary to follow the privacy and security policies of the medical center.