The Health Insurance Portability and Accountability Act of 1996 is designed to protect an individual's health information (referred to as "Protected Health Information" or PHI), and to restrict how PHI may be used and disclosed by health care providers, health plans and those accessing PHI to support the providers and plans. The federal oversight agency for HIPAA is U.S. The Department of Health and Human Services (DHHS), and the enforcement agency is the Office of Civil Rights (OCR).
HIPAA applies to "covered entities," "hybrid entities," and "business associates." Covered entities are defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standard.
What are the University's "health care components" under HIPAA?
- Addressing and Mailing Services
- Athletic Training Twin Cities
- Boynton Health
- Center for Allied Health Programs
- College of Pharmacy
- Community-University Health Care Center
- Disability Resource Center
- Genomics Center
- Health Sciences Administration
- Health Sciences Technology
- Internal Audit
- Medical School (Twin Cities and Duluth campuses)
- Minnesota Research Data Center
- Morris Health Service
- Office of Academic Clinical Affairs
- Office of General Counsel (OGC)
- Office of Institutional Compliance (OIC)
- Office of Information Technology - University Information Security (UIS)
- Office of Measurement Services (OMS)
- School of Dentistry and Dental Clinics
- School of Nursing
- Speech-Language-Hearing Sciences (including the Julia M. Davis Speech Language Hearing Center)
- UMD Health Services
- University Services - Radiation Safety and Regulated Waste
More Information about Business Associates
Business Associates must handle PHI appropriately, and are specifically subject to the Security Rules under HIPAA. Business Associates are also subject to enforcement action by government oversight agencies if they fail to comply with the Security Rules.
Business Associates of the University are required to enter into a Business Associate Agreement, which outlines the responsibilities of the Business Associate with respect to handling PHI. The University's standard form Business Associate Agreement is available in the University's Contracts Library. If you believe you have a vendor who meets the definition of a Business Associate, you should ask the vendor to sign the University's Business Associate Agreement.
At times the University may act as a Business Associate for another health care provider or health plan. In that case the University may have to sign a Business Associate Agreement provided by the health care provider or health plan. Contact the Health Information Privacy & Compliance Office if you have questions about these types of relationships and for review of another party's Business Associate Agreement.