Standard on Privacy Liaisons

Title

University of North Carolina at Chapel Hill Standard on Privacy Liaisons

Introduction

Purpose

To provide a framework that supports full HIPAA compliance for the University. Each Operating Unit with responsibility for Protected Health Information (PHI) must have a mechanism for obtaining information, understanding requirements, and maintaining compliance with HIPAA. This Standard describes the obligations of each Operating Unit and of the assigned Privacy Liaisons.

Scope of Applicability

Heads and Privacy Liaisons of University Operating Units with responsibilities for the privacy and security of PHI, due to (a) the Operating Unit's status as a designated Covered Unit of the University's HIPAA hybrid entity (including those that would be either Covered Entities or act as internal Business Associates to a Covered Unit) or (b) Business Associate or Subcontractor status (as defined under HIPAA) of the Operating Unit with responsibility for the PHI of Covered Entities or Business Associates outside of the University.

Standard

University Operating Units with responsibility for management of PHI must provide to the University's Designated HIPAA Privacy Officer/Chief Privacy Officer (CPO) a written designation of primary and secondary staff members to the role of Privacy Liaison.

Each Operating Unit that is designated as a Covered Unit of the University's HIPAA hybrid entity, the School of Medicine, and any University Operating Unit with Business Associate or Subcontractor status with respect to PHI of Covered Entities or Business Associates outside of the University, must designate both a Primary Privacy Liaison and a Backup Privacy Liaison, and renew that designation as requested by the CPO.

Each individual so designated must: (a) understand the requirements of HIPAA regulations applicable to their Operating Unit, (b) have knowledge of the locations and uses of PHI within the Operating Unit, and (c) have a level of responsibility within the Operating Unit sufficient to perform privacy-related compliance activities involving a high degree of risk for the University and the Operating Unit.

Privacy Liaisons are responsible for managing privacy risk to information with the highest degree of sensitivity (PHI is classified as Tier 3 in the University Information Classification Standard). Due to the critical and dynamic nature of each Privacy Liaison's responsibilities, full participation in privacy activities is expected of Privacy Liaisons.

The CPO has final responsibility for coordination of Privacy Liaisons.

Roles and Responsibilities

Operating Unit Head: Appointment of Primary and Backup Privacy Liaisons. Ensuring Privacy Liaisons have support, training, and resources to fulfill responsibilities.

Privacy Liaison (Note: Each Operating Unit will designate a "Primary Privacy Liaison" and a "Backup Privacy Liaison." Both roles are referred to together in this Standard as a "Privacy Liaison"): Attend all Privacy Liaison meetings (Primary or Backup should attend). Provide Privacy training, informational and compliance activities for the Operating Unit. The Privacy Liaison leads their Operating Unit's investigation activities involving potential privacy breaches (in coordination with the Institutional Privacy Office and the CPO); manages the Operating Unit's HIPAA-related policies and procedures; assures personnel have received applicable privacy training; serves as their Operating Unit's privacy point-of-contact; promotes privacy-awareness within the Operating Unit; and facilitates HIPAA risk assessment and remediation. Privacy Liaisons must maintain up-to-date knowledge of HIPAA and related requirements; provide guidance and support to Operating Unit staff in performance of their data-management activities; and act as liaison for the Operating Unit with the Institutional Privacy Office.

Chief Privacy Officer: Confirm Privacy Liaison appointments; hold regular Privacy Liaison meetings as needed; provide guidance and support to Privacy Liaisons in performance of their required activities.

Exceptions

The CPO may make exceptions to requirements of this Standard to permit additional Privacy Liaisons from any University Operating Unit, waive the requirement for a Primary Privacy Liaison or a Backup Privacy Liaison for any Operating Unit, or other exceptions, as needed in the discretion of the CPO.

Definitions

Business Associate: A person or entity that performs certain functions or activities that involve the use or disclosure of PHI on behalf of, or provides services to, a HIPAA Covered Entity. Business Associate functions and activities include, but are not limited to: claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; practice management; and repricing. Business Associate services include but are not limited to: legal; actuarial; accounting; consulting; data aggregation; management; administrative; accreditation; and financial. A member of a Covered Entity's workforce is not a business associate.

Covered Unit: Officially designated health care components of the University, including Operating Units that would be either Covered Entities or act as internal Business Associates to a Covered Unit.

HIPAA: An acronym for the Health Insurance Portability and Accountability Act, a federal law that governs the use and disclosure of protected health information.

Protected Health Information: Individually identifiable information that is a subset of health information, including demographic information collected from an individual, and:

  1. is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
  2. relates to the past, present, or future physical or mental health or condition of a subject; the provision of health care to a subject; or the past, present, or future payment for the provision of health care to a subject; and
     1. that identifies the subject; or
     2. with respect to which there is a reasonable basis to believe the information can be used to identify the individual.

PHI can be:
  1. transmitted by electronic media;
  2. maintained in electronic media; or
  3. transmitted or maintained in any other form or medium.

PHI excludes individually identifiable information that is:
  1. in education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g;
  2. in records described at 20 U.S.C. 1232g(a)(4)(B)(iv);
  3. in employment records held by a covered entity in its role as employer; and
  4. regarding a person who has been deceased for more than 50 years.

Related Requirements

External Regulations and Consequences

University Policies, Standards, and Procedures

Contact Information

Primary Contacts

Contact Information Table

Subject              Contact                        Telephone       Email
Policy questions     ITS Policy Office              919-962-HELP    Its_policy@unc.edu
Privacy activities   Institutional Privacy Office   919-962-HELP    Privacy@unc.edu

Important Dates

  • Effective Date and title of Approver: September 6, 2017, Chief Privacy Officer
  • Revision and Review Dates, Change notes, title of Reviewer or Approver: N/A

Approved By:

Micki Jernigan
Chief Privacy Officer


Details

Article ID: 132096
Created: Thu 4/8/21 9:23 PM
Modified: Fri 5/6/22 12:23 PM
Effective Date: 09/10/2018 12:00 AM
Issuing Officer:
Issuing Officer Title: Chief Privacy Officer and Associate University Counsel
Last Review: 09/10/2018 12:00 AM
Last Revised: 09/10/2018 12:00 AM
Next Review: 09/30/2021 12:00 AM
Origination: 09/06/2017 12:00 AM
Responsible Unit: Institutional Privacy Office