Skip to Content

UPPS 01.04.33 - HIPAA Hybrid Designation

HIPAA Hybrid Designation

UPPS No. 01.04.33
Issue No. 2
Effective Date: 2/11/2021
Next Review Date: 1/01/2022 (EY)
Sr. Reviewer: Assistant Vice President for Institutional Compliance and Chief Compliance Officer

  1. POLICY STATEMENT

    1. This policy designates Texas State University as a hybrid entity under the Health Insurance Portability and Accountability Act (HIPAA).

      1. Texas State designates itself as a hybrid entity for purposes of Title II of the HIPAA of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act, and the privacy and security regulations found in 45 C.F.R. §§ 160 et. seq. (collectively referred as HIPAA herein).

      2. Texas State recognizes the applicability of HIPAA to certain sectors of the university.

      3. Under HIPAA, Texas State can elect to be a hybrid entity with identified health care components (HCC) that are subject to HIPAA, and non-covered components which are not. The policy identifies the HCC subject to HIPAA’s privacy, security, breach notification, and enforcement provisions.

  2. RELATED DOCUMENTS

    1. Refer to 45 CFR Part 160 and 164; Section 164.105; and Section 164.504 for more information.
  3. DEFINITIONS

    1. Business Associate – a person or entity that creates, receives, maintains, or transmits protected health information (PHI) on behalf of a HIPAA covered entity or another business associate.

    2. Covered Entity – includes:

      1. a health plan;

      2. a health care clearinghouse; and

      3. a health care provider who transmits PHI in electronic form in connection with a HIPAA covered transaction.

      If a healthcare provider uses another entity (such as a clearinghouse) to conduct covered transactions in electronic form on its behalf, the healthcare provider is considered to be conducting the transaction in electronic form.

    3. Covered Transaction – the electronic transmission of information between two parties to carry out financial or administrative activities related to health care. It includes the following types of information transmissions:

      1. health care claims or equivalent encounter information;

      2. health care payment and remittance advice;

      3. coordination of benefits;

      4. health care claim status;

      5. enrollment and disenrollment in a health plan;

      6. eligibility for a health plan;

      7. health plan premium payments;

      8. referral certification and authorization;

      9. first report of injury;

      10. health claims attachments; and

      11. other transactions that the secretary of the U.S. Department of Health and Human Services may prescribe by regulation.

    4. Health Care Component (HCC) – any component (college, school, institute, center, department, office, or unit) of Texas State which would meet the definition of covered entity or business associate if it were a separate legal entity.

    5. Hybrid Entity – a single legal entity that is a covered entity under HIPAA and whose business activities include both covered and non-covered functions and that designates specific HCC under HIPAA.

    6. Protected Health Information (PHI) – information, including genetic information, created or received by a covered entity which relates to:

      1. the individual’s past, present, or future physical or mental health or condition;

      2. the provision of health care to the individual; or

      3. the past, present, or future payment for the provision of health care to the individual. As to any such information, the information identifies the individual or if there is a reasonable basis to believe it can be used to identify the individual.

      PHI excludes individually identifiable health information:

      1. in education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g;

      2. in records described in 20 U.S.C. 1232g(a)(4)(B)(iv) and by the Department of Education;

      3. in employment records held by a covered entity in its role as employer; and

      4. regarding a person who has been deceased for more than 50 years.

    7. Research – a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.

    8. Workforce – employees, volunteers, trainees, and other persons whose conduct, in the performance of work for Texas State, is under the direct control of Texas State whether or not they are paid by Texas State.

  4. DESIGNATION AND COMPLIANCE

    1. Texas State designates the HCC (the areas subject to HIPAA) as set forth on the university HCC list.

    2. If another Texas State college, school, institute, center, department, office, or unit not listed in the university HCC list initiates performance of covered entity functions, such as beginning to bill insurance companies for care delivery, they shall be reclassified as a HCC.

    3. When other Texas State colleges, schools, institutes, centers, departments, offices, or units not listed in the university HCC List perform business associate functions for a covered entity (or another business associate), within Texas State or outside, they would be a HCC to the extent of that activity.

    4. HIPAA also establishes conditions under which PHI may be used or disclosed by covered entities for research purposes. These include the following:

      1. preparatory to research;

      2. authorization;

      3. waiver of authorization;

      4. limited data set with a data use agreement;

      5. decedents; and

      6. fully de-identified.

    5. Any Texas State workforce member who undertakes a new activity that would make that member a health care provider under HIPAA or a business associate is obligated to notify the assistant vice president for Institutional Compliance and Chief Compliance Officer before engaging in the activity to assess if the member is a covered entity and HCC.

    6. Texas State shall require any third-party vendor performing covered functions for the university to enter into a business associate agreement with Texas State.

    7. Texas State shall retain its HCC designation for at least six years from the date of a decision to remove an HCC’s designation as an HCC. Otherwise, Texas State shall retain HCC designations indefinitely, as per 45 C.F.R. 164.316(b)(2)(i).

  5. INDIVIDUAL EMPLOYEE RESPONSIBILITY

    1. Any individual who fails to comply with this policy and the applicable HIPAA regulations may be subject to discipline up to and including termination.
  6. RESPONSIBILITIES OF UNIVERSITY HEALTH CARE COMPONENTS

    1. University HCCs shall appoint a privacy and security officer for the HCC.

    2. University HCCs shall comply with all applicable HIPAA laws and regulations. Each HCC’s privacy and security officer shall be the primary HCC representative responsible for providing evidence of compliance to the assistant vice president for Institutional Compliance and Chief Compliance Officer.

  7. REVIEWERS OF THIS UPPS

    1. Reviewers of this UPPS include the following:

      Position Date
      Assistant Vice President for Institutional Compliance and Chief Compliance Officer January 1 EY
      Assistant Director, Student Health Center January 1 EY
      Chief Information Security Officer January 1 EY
  8. CERTIFICATION STATEMENT

    This UPPS has been approved by the following individuals in their official capacities and represents Texas State policy and procedure from the date of this document until superseded.

    Assistant Vice President for Institutional Compliance and Chief Compliance Officer; senior reviewer of this UPPS

    Vice President for University Advancement

    President