HIPAA Compliance at the University

The Health Insurance Portability and Accountability Act of 1996 is designed to protect an individual's health information (referred to as "Protected Health Information" or PHI), and to restrict how PHI may be used and disclosed by health care providers, health plans and those accessing PHI to support the providers and plans. The federal oversight agency for HIPAA is the U.S. Department of Health and Human Services (DHHS), and the enforcement agency is the Office of Civil Rights (OCR).

HIPAA applies to "covered entities," "hybrid entities," and "business associates." Covered entities are defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards. A hybrid entity is any single legal entity that performs both covered and noncovered functions as part of its business operations. A covered function is any function the performance of which makes the performer a health plan, a health care provider, or a health care clearinghouse.

The University is considered a "hybrid entity" under HIPAA, which means that some parts of the University are subject to HIPAA and others are not. The University's health plans, its health care provider services, and those that may access PHI to support the plans or health care provider services are subject to HIPAA. The areas that make up the University's hybrid entity are sometimes referred to as the University's "health care components." Areas outside of the University's health care components may also be subject to HIPAA if they act as a "business associate" of an organization that is subject to HIPAA.

The University's health care components include:

  • Addressing and Mailing Services
  • Athletic Training Twin Cities
  • Boynton Health
  • Center for Allied Health Programs
  • College of Pharmacy
  • Community-University Health Care Center
  • Disability Resource Center
  • Genomics Center
  • Health Sciences Administration
  • Health Sciences Technology
  • Internal Audit
  • Medical School (Twin Cities and Duluth campuses)
  • Minnesota Research Data Center
  • Morris Health Service
  • Office of Academic Clinical Affairs
  • Office of General Counsel (OGC)
  • Office of Institutional Compliance (OIC)
  • Office of Information Technology - University Information Security (UIS)
  • Office of Measurement Services (OMS)
  • School of Dentistry and Dental Clinics
  • School of Nursing
  • Speech-Language-Hearing Sciences (including the Julia M. Davis Speech Language Hearing Center)
  • UMD Health Services
  • University Services - Radiation Safety and Regulated Waste
  • UPlan