FI0160 – HIPAA Re-designation and General Policy
Topics:
Objective:
To re-designate The University of Tennessee (“University” or “UT”) as a Hybrid Entity and establish general policy related to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).
Policy:
The University is a Covered Entity and employs certain physicians and other health care providers, and with respect thereto, transmits health information in connection with transactions for which the United States Department of Health and Human Services (“DHHS”) has adopted standards. However, the University’s business activities include both covered and non-covered functions. In this case, HIPAA allows entities to designate themselves as a “Hybrid Entity.”
- Covered Function: Functions that make an entity a health plan, a health care provider, or a health care clearinghouse.
- Hybrid Entity: A single legal entity that is a covered entity, performs business activities that include both covered and non-covered functions, and designates its health care components as provided in the Privacy Rule.
- Business Associate: A person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.
Re-Designation of Hybrid Entity Status
For purposes of designating the University as a Hybrid Entity, the health care components of the University shall mean any part of the University that would meet the definition of a covered entity or business associate under the HIPAA regulations if such part of the University were a separate legal entity. The University previously designated its Health Science Center campuses and clinics as comprising the health care component of the University under HIPAA. The following identifies UT’s current health care components.
- UT Chattanooga: Student Health Services*
- UT Institute of Agriculture (UTIA):
- Family & Consumer Sciences, Tennessee Childhood Lead Poisoning Prevention Program
- College of Veterinary Medicine, Veterinary Social Work
- UT Health Science Center (UTHSC): The entirety of UTHSC’s organizational unit is considered a covered component. UTHSC’s latest organization chart is found at http://uthsc.edu.
- UT Knoxville (UTK):
- Psychological Clinic
- Vine School Health Center
- Student Health Services*
- Business associates of covered entities: Any University organization with an approved Business Associate Agreement or sub agreement. A list of such is on file with the HIPAA Privacy Officer.
- Workforce members that provide services to health care components:
- Campus police
- Finance
- Human Resources
- Information Technology
- Office of Audit and Compliance
- Office of the General Counsel
*To the extent each organization provides health care services to non-students and transmits health information electronically in connection with transactions for which DHHS has adopted standards.
The HIPAA Privacy Officer must review the list of health care components annually and update as necessary.
Individuals or organizations within the University that engage in covered functions or enter into a Business Associate agreement must report their involvement to the HIPAA Privacy Officer, Office of the General Counsel, and Office of Audit and Compliance.
HIPAA Policy, Procedures, and Training
All of the University’s health care components and the personnel assigned to such components must comply with UTHSC’s HIPAA Privacy and Security policies and procedures located on its website (http://uthsc.edu/) until further notice, and must undergo periodic HIPAA privacy and security training as directed by the University’s HIPAA Privacy Officer and HIPAA Security Officer. The University’s HIPAA Privacy Officer and HIPAA Security Officer must approve in writing any health care component-specific policies and procedures.
Links
Office of Institutional Compliance – HIPAA – http://compliance.tennessee.edu/hipaa.html
Shauna Jennings 615-667-6687 shauna.jennings@tennessee.edu
Downloadable PDF