UPPS 01.04.33 - HIPAA Hybrid Designation
HIPAA Hybrid Designation
UPPS No. 01.04.33
Issue No. 3
Effective Date: 4/01/2022
Next Review Date: 4/01/2024 (E2Y)
Sr. Reviewer: Assistant Vice President for Institutional Compliance and Chief Compliance Officer
Texas State University is committed to maintaining and enforcing HIPAA Regulations.
This policy designates Texas State University as a hybrid entity under the Health Insurance Portability and Accountability Act (HIPAA).
Texas State designates itself as a hybrid entity for purposes of Title II of the HIPAA of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act, and the privacy and security regulations found in 45 C.F.R. §§ 160 et. seq. (collectively referred as HIPAA herein).
Texas State recognizes the applicability of HIPAA to certain sectors of the university.
Under HIPAA, Texas State can elect to be a hybrid entity with identified health care components (HCC) that are subject to HIPAA, and non-covered components which are not. The policy identifies the HCC subject to HIPAA’s privacy, security, breach notification, and enforcement provisions.
- Refer to 45 CFR Part 160 and 164; Section 164.105; and Section 164.504 for more information.
Business Associate – a person or entity that creates, receives, maintains, or transmits protected health information (PHI) on behalf of a HIPAA covered entity or another business associate.
Covered Entity – includes:
a health plan;
a health care clearinghouse; and
a health care provider who transmits PHI in electronic form in connection with a HIPAA covered transaction.
If a healthcare provider uses another entity (such as a clearinghouse) to conduct covered transactions in electronic form on its behalf, the healthcare provider is considered to be conducting the transaction in electronic form.
Covered Transaction – the electronic transmission of information between two parties to carry out financial or administrative activities related to health care. It includes the following types of information transmissions:
health care claims or equivalent encounter information;
health care payment and remittance advice;
coordination of benefits;
health care claim status;
enrollment and disenrollment in a health plan;
eligibility for a health plan;
health plan premium payments;
referral certification and authorization;
first report of injury;
health claims attachments; and
other transactions that the secretary of the U.S. Department of Health and Human Services may prescribe by regulation.
Health Care Component (HCC) – any component (college, school, institute, center, department, office, or unit) of Texas State which would meet the definition of covered entity or business associate if it were a separate legal entity.
Hybrid Entity – a single legal entity that is a covered entity under HIPAA and whose business activities include both covered and non-covered functions and that designates specific HCC under HIPAA.
Protected Health Information (PHI) – information, including genetic information, created or received by a covered entity which relates to:
the individual’s past, present, or future physical or mental health or condition;
the provision of health care to the individual; or
the past, present, or future payment for the provision of health care to the individual. As to any such information, the information identifies the individual or if there is a reasonable basis to believe it can be used to identify the individual.
PHI excludes individually identifiable health information:
in education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g;
in employment records held by a covered entity in its role as employer; and
regarding a person who has been deceased for more than 50 years.
Research – a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.
Workforce – employees, volunteers, trainees, and other persons whose conduct, in the performance of work for Texas State, is under the direct control of Texas State whether or not they are paid by Texas State.
DESIGNATION AND COMPLIANCE
Texas State designates the HCC (the areas subject to HIPAA) as set forth on the university HCC list.
If another component Texas State not listed in the university HCC list initiates performance of covered entity functions, such as beginning to bill insurance companies for care delivery, they shall be reclassified as a HCC and must notify Institutional Compliance and Ethics of this change.
When other component of Texas State not listed in the university HCC List performs business associate functions for a HCC (or another business associate) within Texas State or for an outside covered entity, they would be a HCC to the extent of that activity.
HIPAA also establishes conditions under which PHI may be used or disclosed by covered entities for research purposes. These include the following:
preparatory to research;
waiver of authorization;
limited data set with a data use agreement;
Any Texas State workforce member who undertakes a new activity that would make that member a health care provider under HIPAA, or a business associate, is obligated to notify the assistant vice president for Institutional Compliance and Chief Compliance Officer before engaging in the activity to assess if the member is a covered entity and HCC.
Texas State shall require any third-party vendor performing covered functions for the university to enter into a business associate agreement with Texas State. It will also require any Texas State colleges, schools, institutes, centers, departments, offices, or units performing business associate functions for an HCC to enter into a memorandum of understanding (MOU) with the HCC that would provide the same satisfactory assurances as a business associate agreement.
Texas State shall retain its HCC designation for at least six years from the date of a decision to remove an HCC’s designation as an HCC. Otherwise, Texas State shall retain HCC designations indefinitely, as per 45 C.F.R. 164.316(b)(2)(i).
RESPONSIBILITIES OF A HYBRID ENTITY
- A hybrid entity must implement institutional wide policies and procedures to ensure compliance with applicable requirements.
INDIVIDUAL EMPLOYEE RESPONSIBILITY
- Any individual who fails to comply with this policy and the applicable HIPAA regulations may be subject to discipline up to and including termination.
RESPONSIBILITIES OF UNIVERSITY HEALTH CARE COMPONENTS
University HCCs shall appoint a privacy and security officer for the HCC.
University HCCs shall comply with all applicable HIPAA laws and regulations. Each HCC’s privacy and security officer shall be the primary HCC representative responsible for providing evidence of compliance to the assistant vice president for Institutional Compliance and Chief Compliance Officer.
University HCCs shall, without delay, report any suspected or confirmed information resources security incident or breach of PHI to Information Security at 512.245.4225 or at firstname.lastname@example.org.
REVIEWERS OF THIS UPPS
Reviewers of this UPPS include the following:
Position Date Assistant Vice President for Institutional Compliance and Chief Compliance Officer April 1 E2Y Assistant Director, Student Health Center April 1 E2Y Chief Information Security Officer April 1 E2Y
This UPPS has been approved by the following individuals in their official capacities and represents Texas State policy and procedure from the date of this document until superseded.
Assistant Vice President for Institutional Compliance and Chief Compliance Officer; senior reviewer of this UPPS
Vice President for University Administration