The Health Insurance Portability and Accountability Act of 1996 is designed to protect an individual's health information (referred to as "Protected Health Information" or PHI), and to restrict how PHI may be used and disclosed by health care providers, health plans and those accessing PHI to support the providers and plans. The federal oversight agency for HIPAA is the U.S. Department of Health and Human Services (DHHS), and the enforcement agency is the Office of Civil Rights (OCR).
HIPAA applies to "covered entities," "hybrid entities," and "business associates." Covered entities are defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards.
What are the University's "health care components" under HIPAA?
The Health Information Privacy & Compliance Office (HIPCO) maintains a full list of all individual departments and academic plans within the University via "the Picker," which uses Department IDs and Academic Plan IDs associated with personnel accounts to track health care component (HCC) membership. Some of the largest units in the HCC include, but are not limited to, the:
- Medical School
- School of Dentistry
- College of Pharmacy
- School of Nursing
To inquire whether your department or academic plan is within the HCC, please reach out to [email protected].
More Information about Business Associates
Business Associates must handle PHI appropriately, and are specifically subject to the Security Rules under HIPAA. Business Associates are also subject to enforcement action by government oversight agencies if they fail to comply with the Security Rules.
Business Associates of the University are required to enter into a Business Associate Agreement, which outlines the responsibilities of the Business Associate with respect to handling PHI. The University's standard form Business Associate Agreement is available in the University's Contracts Library. If you believe you have a vendor who meets the definition of a Business Associate, please reach out to HIPCO at [email protected].
At times, the University may act as a Business Associate for another health care provider or health plan. In that case, the University may have to sign a Business Associate Agreement provided by the health care provider or health plan. Contact the Health Information Privacy & Compliance Office if you have questions about these types of relationships or need another party's Business Associate Agreement reviewed.