HIPAA AND HYBRID ENTITY DESIGNATION
Effective: August 15, 2024
Purpose: To reflect the University’s commitment to comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and designate the University as a Hybrid Entity.
Scope: This policy applies to the University campus wide.
Responsible Office: General University; Office of General Counsel; Student Wellness Center
Policy Statement: Emporia State University is a Covered Entity under Health Insurance Portability and Accountability Act of 1996 (HIPAA) and shall comply with HIPAA’s requirements to protect the privacy and security of Protected Health Information and to provide individuals with certain rights with respect to their Protected Health Information created, collected, transmitted, and maintained by the University.
Hybrid Entity Designation
The University performs activities which include Covered Functions and non-covered functions. When a Covered Entity performs both functions, HIPAA permits Covered Entities to designate themselves as a Hybrid Entity. This policy designates Emporia State University as a Hybrid Entity.
HIPAA Compliance Officer Responsibilities
The HIPAA Compliance Officer shall maintain a current list of designated Health Care Components for Emporia State University. The HIPAA Compliance Officer shall develop uniform unit level policies and procedures consistent with this policy.
Definitions: All words and phrases shall be interpreted utilizing their plain meanings unless otherwise defined in another University or Board of Regents policy or by statute or regulation.
Covered Entity – A Covered Entity is a health plan, a healthcare clearinghouse, or a healthcare provider who transmits any health information in electronic form in connection with a Covered Function pursuant to 45 C.F.R. § 160.103.
Covered Function – Functions of a Covered Entity the performance of which makes the entity a health plan, healthcare provider, or healthcare clearinghouse pursuant to 45 C.F.R. § 164.103.
Health Care Component – A component or combination of components of a Hybrid Entity designated by the Hybrid Entity in accordance with 45 C.F.R. § 164.105(a)(2)(iii)(D) pursuant to 45 C.F.R. § 164.103.
Hybrid Entity – A Hybrid Entity is a single level entity: (1) that is a Covered Entity; (2) whose business activities include both Covered and non-covered Functions; and (3) that designates Health Care Components in accordance with paragraph 45 C.F.R. § 164.105(a)(2)(iii)(D) pursuant to 45 C.F.R. § 164.103.
Protected Health Information – Protected Health Information means Individually Identifiable Health Information: (i) Transmitted by electronic media; (ii) Maintained in electronic media; OR (iii) Transmitted or maintained in any other form or medium BUT does not include individually identifiable health information: In education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g; (ii) In records described at 20 U.S.C. 1232g(a)(4)(B)(iv); (iii) In employment records held by a covered entity in its role as employer; AND (iv) Regarding a person who has been deceased for more than 50 years.
Procedures: All procedures linked and related to the policies above shall have the full force and effect of policy if said procedures have first been properly approved by the University’s administrator in charge of General University procedures.
[General University procedures - coming soon]
Related Policy Information: [45 C.F.R. § 160, § 162, and § 164 - coming soon]