The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is designed to protect an individual's health information (referred to as "Protected Health Information" or PHI), and to restrict how PHI may be used and disclosed by health care providers, health plans and those accessing PHI to support the providers and plans. The federal oversight agency for HIPAA is the U.S. Department of Health and Human Services (DHHS), and the enforcement agency is the Office of Civil Rights (OCR).
HIPAA applies to "covered entities," "hybrid entities," and "business associates." Covered entities are defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has an adopted standard. A hybrid entity is any single legal entity that performs both covered and noncovered functions as part of its business operations. A covered function is any function the performance of which makes the performer a health plan, a health care provider, or a health care clearinghouse.
USU partners with entities that provide services related to our health care providers and health plans. These companies are considered Business Associates, and are required to provide the same protections for PHI as USU.
HIPAA Policies & Procedures
The HIPAA Steering Committee has approved USU Policy 547: Privacy and Security of Protected Health Information under HIPAA. The following procedures have also been approved, which are incorporated into Policy 541:
- 541-PR1: Minimum Necessary Use and Disclosure of PHI
- 541-PR2: Provision of Safeguards Applicable to Protected Health Information (PHI)
- 541-PR3: Implementation of Corrective Actions Involving Violations of Individual’s Privacy or Security
- 541-PR4: HIPAA Uses and Disclosures for USU Group Health Plans
- 541-PR5: Patient Rights and Notifications to Patients and Patient Representatives
- 541-PR6: Breach Notifications for Unsecured PHI
- 541-PR7: Business Associate Relationships with Vendors
- SCCE Supplemental Privacy Policies
Notice of Privacy Practices
CEHS’s Notice of Privacy Practices is provided to all clinical patients of the SCCE. It describes how PHI about the patient may be used and disclosed, and outlines a patient's rights to access or request correction of their medical records.
HIPAA Authorizations
A HIPAA Authorization allow a Covered Entity or Business Associate to obtain permission from an individual who is a patient, research participant or enrolled in a health plan to use or disclose PHI for a purpose that would otherwise not be allowed by the HIPAA Privacy Rule.
- CEHS Authorization – used in all SCCE units
- HIPAA Authorization for Research – used for all research projects that obtain and use PHI (personal medical and/or demographic information that contains personally identifiable information
HIPAA Training
HIPAA training is required for all employees and students who work in Covered Entities and business support units that are exposed to PHI in the course of their work or studies. All employees and students must complete both HIPAA training and any associated information security awareness training to be considered compliant. Compliance with these training requirements must be completed PRIOR TO being given access to PHI.
For health care components (HCCs) in SCCE, training is provided and tracked through the HIPAAtrek Compliance system. For information about training requirements visit the Onboarding Process Sheet.
For other employees and students in health care components, initial training is available in USU’s ILS system. Additional training may be assigned within HCCs as appropriate.
USU's Designation as a Hybrid Entity
The University is considered a "hybrid entity" under HIPAA, which means that some parts of the University are subject to HIPAA while others are not. The University's self-funded health plans, many of its health care provider services, and units that may access PHI to support the plans or health care provider services are subject to HIPAA. The functional areas that comprise the University's hybrid entity are referred to as the University's "health care components" (HCCs). Areas outside of the University's health care components may also be subject to HIPAA if they act as a "business associate" of an organization that is subject to HIPAA. USU’s Hybrid Entity Declaration provides detail concerning the functions and activities that are regulated by HIPAA.
USU’s Health Care Components (HCCs)
Healthcare Provider Covered Components
- Behavioral Health Clinic, including:
- Marriage & Family Therapy Division
- Psychology Division
- Psychiatry Division
- Integrated Assessment Division
- Pediatric Feeding & Swallowing Division
- Clinical Rehabilitation Clinic
- Speech & Language Clinic
- George S & Delores Eccles Applied Neuroscience Clinic, including:
- Hearing & Balance Division
- Pediatric Audiology Division
- Cochlear Implant Clinic
- Behavior Support Services within the Arya M. Heravi Transition Services Clinic
- Student Health & Wellness Clinic (when performing covered functions involving non-students’ PHI)
Health Plan Covered Components
- Human Resources when acting as the plan sponsor for USU’s Self Insured Health Plans, including the Regence Medical and Dental Health Plans and USU’s Flex-Spending Account administered by ASI
- Human Resources when acting as the plan sponsor for USU Eastern Self-Insured Health Plans, the dental plan administered through EMIA and the Flex-Spending Account administered by PEHP
Business Support Covered Components
The following units are considered health care components only to the extent they are performing services involving PHI on behalf of another USU covered components which, if external to USU, would meet the definition of a “business associate” for HIPAA purposes:
- Business & Finance – Business Services & Controller’s Office
- College of Education & Human Services Business Services
- Information Technology
- USU-Eastern Information Technology
- Risk Management
- General Counsel
- Data Privacy
- University Compliance
- USU-Eastern Facilities- physical security
- Internal Audit Services
- Office of Equity
What is a Business Associate?
Business Associates are third parties who create, receive, maintain or transmit "protected health information" (PHI) on behalf of a health care provider or health plan, or who provide other services that involve the use or disclosure of PHI. Business Associates of the University are required to enter into a Business Associate Agreement. USU maintains a Business Associate Agreement Template, which may be used for this purpose. When USU’s template is not used, the agreement must be reviewed and approved using the contract review process.
At times the University may act as a Business Associate for another health care provider or health plan. When the University is acting as a Business Associate for another entity, the unit acting as the Business Associate is subject to HIPAA. Contact your unit’s HIPAA Compliance Office or Legal Affairs if another entity has informed you that it considers your unit its Business Associate and has asked you to sign a Business Associate Agreement.