HIPAA Hybrid Entity Designation

Purpose

色色啦 Michigan University (色色啦) is designated as a single covered entity for purposes of the Healthcare Information Portability and Accountability Act (HIPAA).  Only certain components of 色色啦 are involved in providing health care services that are subject to HIPAA.  Thus, 色色啦 is a Hybrid Entity.  This policy designates the components within 色色啦 that are part of the Hybrid Entity subject to the HIPAA Administrative Simplification regulations.

Stakeholders Most Impacted

Individuals working for or with 色色啦’s covered components.

Key Definitions

The terms used in this policy have the same meaning as those terms in the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 and the regulations at 45 CFR Parts 160, 162, and 164.  The Hybrid Entity designation includes any component that would meet the definition of a covered entity or business associate if it were a separate entity.

Details

色色啦 hereby designates the following services as the health care components included in the Hybrid Entity:

  1. Sindecuse Health Center
  2. Unified Clinics
  3. Kalamazoo Autism Center
  4. Department of Athletics, Medical Services
  5. Department of Human Resources
  6. Institutional Research
  7. Office of Information Technology members assigned to work for health care components
  8. Center for Disability Services

Whenever 色色啦’s policies, procedures or guidelines refer to 色色啦 as a “covered entity” under HIPAA, they are referring to the services listed above. The requirements of HIPAA apply only to 色色啦’s services included within the Hybrid Entity.

Those involved in performing the services listed above may not use or disclose protected health information (PHI) that they create or receive in a way prohibited by HIPAA.  One component may not share PHI with another component unless permitted under the HIPAA regulations and 色色啦’s HIPAA policies and procedures.

Although workforce members of the Hybrid Entity perform duties for both the health care components and for other components of 色色啦, they must not use or disclose PHI created or received in the course of or incident to the members’ work for the health care component in a way prohibited by HIPAA.

Other programs and services will use and disclose information as required under HIPAA if they are business associates of another entity and therefore subject to HIPAA standards.

Related Procedures and Guidelines

HIPAA Breach Notification Procedures

Related Policies:

HIPAA Breach Notification Policy

References:

45 C.F.R. Parts 160, 162 & 164

History:

  1. Effective date of current version: March 11, 2021
  2. Date first adopted: March 11, 2021
  3. Revision history: N/A
  4. Proposed date of next review: March 11, 2024

 

Certified by:

Responsible Enforcement Official

 

Jessica M. Swartz

HIPAA Compliance Officer

March 11, 2021