Statement on Designation as a Hybrid Entity
Under HIPAA Regulations
The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996 in order to establish national standards for the protection of certain health information. The HIPAA Privacy Rule seeks to protect the individual's health information while allowing the flow of health information needed to provide and promote high-quality health care and to protect the public's health and well-being. The HIPAA Security Rule addresses the safeguards that health care providers must use to secure individuals' electronic protected health information (e-PHI). More recently, the Health Information Technology for Economic and Clinical Health Act (HITECH Act) was signed in 2009, strengthening the Privacy and Security Rules and requiring the federal government to develop standards for the nationwide exchange of healthcare information.
HIPAA regulations apply to organizations designated as covered entities. These covered entities include (1) health plans, (2) health care clearinghouses, and (3) health care providers who conduct certain electronic transactions, such as transmission of health care claims, health care payments, enrollment in a health plan, and referral authorization. Although the University of Denver does not primarily engage in any of these activities, some units within the University do perform functions that meet the definition of a covered entity. Organizations, such as the University of Denver, that are composed of covered entities as well as business components that do not perform HIPAA-covered functions may choose to be designated as hybrid entities. In this case, the organization must designate and include in its health care component all components of the organization that would meet the definition of a covered entity if those components were separate legal entities. Although the hybrid entity remains responsible for oversight, compliance, and enforcement obligations, the HIPAA requirements apply only to the health care component.
In September 2010, a HIPAA Steering Committee met at the University of Denver in order to determine the status of its various business components in regard to HIPAA regulations. The departments represented on the committee included the Health and Counseling Center, the Professional Psychology Clinic, Office of the University Counsel, Office of Research and Sponsored Programs, Office of Institutional Compliance and Internal Audit, University Technology Services, Office of the Registrar, and Human Resources. At this meeting and in follow-up interviews with departmental directors, departments that should be designated as health care components were identified.
The University of Denver has designated certain units as health care components based upon one or more of the following criteria:
- A component that would meet the definition of a covered entity if it were a separate legal entity.
- A component that performs covered functions.
- A component that performs activities that would make it a business associate if it were a separate entity.
(A business associate is a person or organization that performs or assists the covered entity in the performance of a function that involves the use or disclosure of protected health information on behalf of a covered entity.)
Protected Health Information (PHI) specifically excludes records that are covered under the Family Educational Rights and Privacy Act of 1974 (FERPA) and any employment records maintained by a covered entity in its capacity as an employer.
The following units have been designated as health care components which are required to comply with HIPAA regulations:
- Health and Counseling Center - health care provider
- Professional Psychology Clinic - health care provider
- University Technology Services - provides services to the University which, if external to the University, would make it a business associate for HIPAA purposes.
- Office of Institutional Compliance and Internal Audit - provides services to the University which, if external to the University, would make it a business associate for HIPAA purposes.
- Department of Risk Management - provides services to the University which, if external to the University, would make it a business associate for HIPAA purposes.
- Office of the University Counsel - provides services to the University which, if external to the University, would make it a business associate for HIPAA purposes.
The University of Denver Department of Human Resources maintains employee health insurance records in its capacity as an employer; therefore, it is not considered to be one of the University's health care components. The health plans offered to employees by the University are covered entities, independent of the University. These plans include medical and dental care, pharmacy benefits, and flexible spending accounts. The Employee Assistance Program is provided by the Health and Counseling Center, which is a health care component.