HIPAA Hybrid Entity Designation (Policy 1150)

University Policy 1150


Effective Date

January 19, 2021

Responsible Party

University Health Services, (208) 426-1459
HIPAA Privacy Officer, (208) 426-1680
HIPAA Security Officer, (208) 426-5612

Scope and Audience

This policy applies to all departments, units, faculty, and other employees of the Health Care Components identified under Section 11 – Appendix A.

This policy does not apply to human subjects research activities that have been approved by a Boise State University Institutional Review Board under University Policy 5050 (Use of Human Subjects) and are carried out in conformity with University Policy 5120 (Export Control and Controlled Data), University Policy 6030 (University Contracts), and University Policy 8060 (Information Privacy and Data Security).

Additional Authority

  • Health Insurance Portability and Accountability Act (HIPAA), Public Law 104-191
  • Health Information Technology for Economic and Clinical Health Act (HITECH Act), Public Law 111-5
  • 45 CFR Part 160 and 164
  • 45 CFR §§ 164.103 and 164.105
  • 20 U.S.C. 1232g
  • University Policy 8060 (Information Privacy and Data Security)

1. Policy Purpose

To define Boise State University as a Hybrid Entity and designate its Health Care Components, in accordance with governing privacy regulations.

2. Policy Statement

This statement designates Boise State University as a Hybrid Entity under HIPAA and formally designates those Health Care Components required to comply with the HIPAA Rules. Only Health Care Components, designated as such under this policy, are required to comply with the HIPAA Rules and only Health Care Components have the right to use, maintain, access or transmit Protected Health Information. This designation isolates the risk and liabilities that are associated with HIPAA Rules.

3. Definitions

All terms defined in HIPAA or other pertinent laws and regulations shall have the meanings given in HIPAA or those laws or regulations. The definitions listed hereunder are for convenience and to provide additional clarity as to how these terms may be used in this Policy.

3.1 Business Associate

For purposes of this Policy, a Business Associate shall include a unit of the University that performs certain functions or activities on behalf of, or in providing services to, a Health Care Component and where those functions or activities include the use or disclosure of Protected Health Information.

3.2 Covered Entity

Covered entities are defined in the HIPAA Rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which the U.S. Department of Health and Human Services has adopted standards.

3.3 Covered Function

A covered function means those functions of an entity that would render the performer a Covered Entity.

3.4 Education Records

Education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g and University Policy 2250 (Student Privacy and Release of Information).

3.5 Health Care Clearinghouse

An organization that processes nonstandard health information to conform to standards for data content or format, or vice versa, on behalf of covered entities.

3.6 Health Care Component

A component or combination of components of the University designated by the University as a health care component of the University. A Health Care Component may be designated as such under this policy if the Unit would meet the definition of Covered Entity under HIPAA if it were a separate legal entity, or if it acts as a Business Associate to another Health Care Component.

3.7 Health Care Provider

A provider of services, a provider of medical or health services, and any other person or organization that furnishes, bills, or is paid for health care in the normal course of business.

3.8 Health Plan

An individual or group plan that provides or pays for the cost of medical treatment or care. Examples include, but are not limited to, health insurance companies, health maintenance organizations, employer-sponsored Health Plans, and government programs that pay for health care such as Medicare, Medicaid, and military and veterans' health programs.

3.9 HIPAA Rules

The Privacy Rule and the Security Rule found at 45 CFR Part 160 and 164.

3.10 Hybrid Entity

A single legal entity that is a Covered Entity whose business activities include both Covered Functions and non-covered functions; that designates Units within the entity as Health Care Components, documents the designation, and establishes the appropriate administrative, technical, and physical safeguards to segregate data, information, and operations between its covered and non-covered functions.

3.11 Privacy Rule

45 C.F.R. Part 160 and Subparts A and E of Part 164. The rules established under HIPAA that set national standards as to when Protected Health Information may be used and disclosed.

3.12 Protected Health Information (PHI)

As defined in HIPAA, individually identifiable health information that is transmitted by electronic media, maintained in electronic media or transmitted or maintained in any form or medium. PHI excludes identifiable health information contained in Education Records (covered by FERPA), Treatment Records (as defined in FERPA), employment records held by a Covered Entity in its role as employer and records regarding a person who has been deceased for more than 50 years.

3.13 Security Rule

45 C.F.R. Part 160 and Subparts A and C of Part 164. The rules established under HIPAA that specify safeguards that Covered Entities and their business associates must implement in order to regulate the use and disclosure, as well as the confidentiality, integrity, and availability of electronic PHI.

3.14 Treatment Records

Records described at 20 U.S.C. 1232g(a)(4)(B)(iv); records on a student who is eighteen years of age or older, or is attending an institution of postsecondary education, which are made or maintained by a physician, psychiatrist, psychologist, or other recognized professional or paraprofessional acting in his professional or paraprofessional capacity, or assisting in that capacity, and which are made, maintained, or used only in connection with the provision of treatment to the student, and are not available to anyone other than persons providing such treatment, except that such records can be personally reviewed by a physician or other appropriate professional of the student’s choice.

3.15 Unit

A department, office, division, college or other component of the University.

3.16 Workforce Member

Workforce Member means employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of such entity, whether or not they are paid by the covered entity.

4. Background

A legal entity must designate as a Health Care Component any component that would meet the definition of a Covered Entity or Business Associate if it were a separate legal entity. For example, an agency that offers a health clinic that conducts covered transactions electronically (e.g., electronic claim submission) is a Covered Entity component, and the legal entity must designate the clinic as part of the health care component of the Hybrid Entity.

5. Designation of Health Care Components

a. The University designates the Health Care Components set forth in Section 11 – Appendix A to this policy. A Unit is included in the designation only to the extent it performs Covered Functions or engages in activities that would make it a Business Associate of another Health Care Component. Any Unit not designated in this policy as a Health Care Component that desires to engage in Covered Functions or act as a Business Associate must first receive approval from the University and become designated as a Health Care Component under this policy. A Unit that is not designated as a Health Care Component under this Policy may not use, maintain, access or transmit Protected Health Information.

b. Units of the University that are not Health Care Components may perform duties on behalf of, provide oversight, or provide assistance to Health Care Components that are not Covered Functions and do not require a Business Associate Agreement. For example, if another Unit is providing services to a Health Care Component, but no PHI is transmitted or used as part of those services, that Unit is not a Business Associate of a Health Care Component and a Business Associate Agreement is not required.

c. If circumstances dictate that Protected Health Information must be disclosed or used in providing services to a Health Care Component, it should be disclosed in such a way that the disclosure is de-identified, ambiguous, or incidental. If a disclosure is required that exceeds the previously mentioned conditions, then the Unit providing the services may be considered a Business Associate or itself a Health Care Component, and should seek approval to be designated as such and shall have a signed Business Associate agreement with the Health Care Component to which it provides such services, if required.

6. Duties of a Health Care Component

a. University Health Component must comply with the HIPAA Privacy and Security Rules and shall not use or disclose PHI in a way prohibited by the HIPAA Rules.

b. The Health Care Component must ensure that electronic Protected Health Information is not used or disclosed or otherwise accessed outside the electronic health record platform or other system used by the Health Care Component to create and store electronic medical records. The Health Care Component, as required by HIPAA Rules, must protect PHI under the HIPAA Rules to the same extent it would be required to protect the PHI if the Health Care Component were a separate and distinct legal entity from the University, functioning as a typical health care provider.

c. The workforce members of Boise State University who perform duties for both a Health Care Component and other University Units must not use or disclose PHI created or received in the course of the members’ work for the Health Care Component in any way prohibited by the HIPAA Privacy Rule.

7. Responsibilities of a Health Care Component

a. Compliance with the HIPAA Privacy and Security Rules.

b. Compliance with the HIPAA Privacy Rule pertaining to the implementation of policies and procedures to ensure compliance, including the safeguard requirements.

c. Compliance with the HIPAA Privacy Rule regarding Business Associate arrangements and any associated organizational requirements.

d. Designation of Health Care Components in compliance with the HIPAA Privacy Rule and maintenance of this designation on a routine and regular basis.

8. Designation of Compliance Responsibility

a. The Boise State Office of Institutional Compliance will provide oversight of policies and procedures to ensure that the university is compliant with relevant federal and state regulations. Each compliance area may designate a responsible person to ensure their area complies with applicable laws, regulations, and policies.

b. Each health care component must identify an individual within the component who is responsible for the accountability and compliance of privacy and security regulations. The individual(s) responsible for security and the individual(s) responsible for privacy within each component can be the same person, but are not required to be and are set forth below. All designated health care components will comply with applicable healthcare laws and regulations and are separately subject to liability for non-compliance.

9. HIPAA Privacy Officer

The HIPAA Privacy Officer is authorized to develop and implement procedures within its own Health Care Component at the University. The HIPAA Privacy Officer is also responsible for receiving and responding to complaints related to electronic protected health information (ePHI) and/or PHI; ensuring workforce members are trained appropriately; auditing workforce compliance with all policies, standards and procedures; implementing sanctions against students, employees, or volunteers; and for maintaining overall compliance with HIPAA Rules within its own Health Care Component.

University Health Services designates the Technical Records Specialist for Health Services as its HIPAA Privacy Officer.

Christy Hill
(208) 426-4385
christyhill@boisestate.edu

CLIA COVID Testing Lab designates the Clinical Program Director as its HIPAA Privacy Officer.

Stephanie Hudon
(208) 426-1523
stephaniehudon@boisestate.edu

10. HIPAA Security Officer

The HIPAA Security Officer is responsible for the implementation of policies, standards, and procedures to ensure institutional compliance with the HIPAA Security Rule within its own Health Care Component.

University Health Services designates the Health Information Systems Administrator for Health Services as its HIPAA Security Officer:

Ron Schmaltz
(208) 426-5612
ronschmaltz@boisestate.edu

CLIA COVID Testing Lab designates the Clinical Program Director as its HIPAA Security Officer.

Stephanie Hudon
(208) 426-1523
stephaniehudon@boisestate.edu

11. Appendix A – Boise State University Designated HIPAA Health Care Components

University Health Services, a University health clinic that provides comprehensive and integrated health care services to University students and employees.

Boise State’s CLIA-Certified COVID Testing Lab, a specified and discrete University laboratory housed within the Division of Research providing COVID-testing.

12. Related Information

University Policy 2250 (Student Privacy and Release of Information)