
Protecting Health Information

Protecting your health information is important to University of Utah Health (“U of U Health”). We maintain the privacy and security of your information in these ways:

  • Train our faculty, staff, and volunteers in privacy practices.
  • Use technical and physical safeguards for information storage.
  • Follow the Health Insurance Portability and Accountability Act (HIPAA) requirements.
  • Implement administrative controls to ensure we use or disclose patient data with caution and after careful consideration.

Notice of Privacy Practices

U of U Health understands that your health information is very personal and private. Every patient we serve is provided a Notice of Privacy Practices the first time they come to us for health services. This document is the centerpiece of our privacy promise to you.

This notice tells you how we use and disclose your information to provide you with the best treatment and support our operations. The notice advises you of your rights to access and control your own health information.

A Patient's Information Privacy Rights

You have the right to request that we take certain actions related to your health information. You can do this by submitting one or more of the forms below as needed.

  • Your right under HIPAA: Request a copy of your medical record. You can also identify another person or entity with whom you authorize us to share your medical record.
    How you exercise your right: Submit a Patient Authorization for Disclosure of Health Information form.
  • Your right under HIPAA: Request a correction to your medical record.
    How you exercise your right: Submit a Request to Amend Protected Health Information form.
  • Your right under HIPAA: Ask us to limit the information we use and share.
    How you exercise your right: Submit a Patient Request for Special Privacy Restriction form.
  • Your right under HIPAA: Ask us NOT to share certain health information with your insurer.
    How you exercise your right: Submit a Patient Request for Privacy Restriction for "Health Care Services Paid for Out-of-Pocket" form.
  • Your right under HIPAA: Get a list of those with whom we have shared your information for reasons other than treatment, payment, or administrative purposes.
    How you exercise your right: Submit a Request for Accounting of Disclosures form.
  • Your right under HIPAA: Identify others who are authorized to act on your behalf (such as medical power of attorney, legal guardian, and the like).
    How you exercise your right: Provide legal documentation of your choice.
  • Your right under HIPAA: Ask us NOT to use your information for the purposes of fundraising.
    How you exercise your right: Opt out of fundraising.

How University of Utah Health Uses Patient Health Information

When you receive care from U of U Health, we may use your health information to treat you, bill for services, and conduct our normal business operations. Examples of how we use your information include the following:


Health care providers use your health information to treat you and to deliver quality care to meet your needs. Your doctor may share your health information with other providers who are involved in your care.

Some health records, including confidential communications with a mental health professional and substance abuse records, may have additional restrictions for use and disclosure under state and federal law.


We keep billing records that include payment information and documentation of the services provided to you. We may use your information to get payment from you, your insurance company, or another third party.

We may also contact your insurance company to verify coverage for your care or to notify them of upcoming services that may need prior notice or approval.

Health Care Operations

We use health information to evaluate and improve the quality of care, train staff and students, provide customer service, manage costs, conduct required business duties, and make plans to better serve our communities. 

Sharing Patient Health Information

There are limited situations when we may disclose health information without your signed authorization. These include the following situations:

  • For public health purposes permitted or required by law. Examples include reporting communicable diseases; work-related illnesses; births and deaths; reactions to drugs; and problems with medical devices.
  • To protect victims of abuse, neglect, or domestic violence or to avert a serious threat to health or safety.
  • For health oversight activities, such as investigations, audits, and inspections.
  • When requested by law enforcement or as required by law or court order.
  • To coroners, medical examiners, and funeral directors.
  • For organ and tissue donation.
  • For research approved by our review process under strict federal guidelines.
  • For specialized government functions such as intelligence and national security.

Health Information Exchange (HIE)

A health information exchange provides a way for authorized health care professionals to securely access and share patient medical information. Only authorized health care professionals who have a relationship with you can access your medical information in a shared electronic medical record or health information exchange.

Why Do We Participate in HIEs?

Because you may receive treatment from more than one health professional, we participate in health information exchanges to share information with your other health care providers. Information from different health care encounters could inform decisions about treatments you receive. Information about your illnesses, injuries, allergies, medicines, test results, and health history allows health care professionals to make the best possible decisions to care for you.

The Health Information Technology for Economic and Clinical Health (HITECH) Act encourages the sharing of information. HITECH provides objectives for health care providers to meet in order to support improved health care for patients. One of the core objectives is to provide patients and their health care providers with access to medical information to improve the safety, quality, and efficiency of care.

The 21st Century Cures Act: The Cures Act supports the use of modern technology in health care. One of its primary purposes is to reduce barriers to your ability to access your own health information. The Cures Act rules refer to these access barriers as “information blocking.” The Cures Act rules also require that we participate in standardized processes for exchanging health information, including using HIEs.

Some examples of HIEs in which U of U Health participates include the following:

  • Epic Care Everywhere. This application provides a way to access a patient's electronic health record when that record is kept by another health care organization. Care Everywhere participants are listed here. 
  • Utah Health Information Network (UHIN). UHIN is a nonprofit, broad-based coalition of Utah health care insurers, providers, and others. UHIN provides a private and secure gateway for electronic data exchanges. UHIN gathers and provides data to a statewide data repository. 
  • Trusted Exchange Framework and Common Agreement (TEFCA). The TEFCA is part of the 21st Century Cures Act. Its goal is to simplify and support the exchange of electronic health information between HIEs, while safeguarding the privacy and security of health information. TEFCA aims to improve emergency care outcomes, minimize care gaps, lower the cost of care, promote public health, and enable individuals to more easily gather their health care information.

Other Uses of Patient Health Information

We may also share your health information in the following ways:

  • Share information with family or friends to the extent they are directly involved in your care or in paying for your care.
  • Remind you of an appointment. (Optional: notify the scheduler if you do not wish to be reminded.)
  • Include you in our patient directory for callers, visitors, and clergy. (Optional: You may opt out of participation in the directory.)
  • Share information with business associates who assist us with treatment, payment, and health care operations. (These business associates must adhere to applicable privacy laws and regulations.)

Reviewed 2/2024