APS #5055

ActiveUnder Review Revision

HIPAA Hybrid Entity Designation

Brief Description

Identifies the University of Colorado as a hybrid entity and designates its covered health care components in accordance with federal law.

Reason for Policy

To comply with the  Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH Act), requirements regarding hybrid entities.

Policy Profile

APS Policy Title: 
HIPAA Hybrid Entity Designation
APS Number: 
5055
Proposed Effective Date: 
January 1, 2025
Effective Date: 
July 1, 2014
Approved By: 
President Bruce D. Benson
Responsible University Officer: 
Vice President Employee and Information Services
Responsible Office: 
Employee and Information Services
Policy Contact: 
Employee and Information Services
Supersedes: 
N/A
Last Reviewed/Updated date: 
July 1, 2014
Applies to: 
University-wide

I. Introduction

The Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH Act), is a federal law designed to improve the portability and continuity of health care coverage, standardize health care transactions and implement requirements surrounding health information privacy and security.

In general, HIPAA addresses Protected Health Information (PHI) that is maintained or transmitted by a covered entity. 

Covered entities are:

  • Health plans,
  • Health care clearinghouses, and
  • Health care providers that conduct certain types of transactions in electronic form.

A covered entity that is a single legal entity and conducts both covered and non-covered functions may elect to be a hybrid entity. To be a hybrid entity, the covered entity must identify its components that perform covered functions and designate these components as health care components.  The HIPAA compliance obligations apply only to the designated health care components. A covered entity that does not make this designation is subject to HIPAA in its entirety. The university conducts both covered and non-covered functions and elects to be a hybrid entity.  This policy identifies the university as a hybrid entity and documents the university’s designated health care components that must comply with HIPAA requirements. 

II. Policy Statement

  1. Hybrid Entity. The university conducts both covered and non-covered functions and elects to be a hybrid entity under HIPAA as provided by 45 C.F.R. § 164.103 and 45 C.F.R. § 164.105.
     
  2. Designated Health Care Components. As a hybrid entity, the applicable HIPAA compliance obligations only apply to the university’s designated health care components. 
    1. The designated health care components include:
      1. Any component that meets the definition of covered entity if it were a separate legal entity;
      2. Components only to the extent that they perform covered functions; and
      3. Components that provide business associate services to components that perform covered functions.
    2. The designated health care components are listed in Exhibit A, University of Colorado Designated Health Care Components.
    3. Employee and Information Services and the Office of University Counsel shall review and amend Exhibit A as needed, but no less frequently than annually.
       
  3. University Responsibility.  The university shall ensure that the designated health care components comply with the applicable HIPAA requirements. 45 C.F.R. § 164.105.
     
  4. Health Care Components Responsibility. Each designated health care component shall ensure its compliance with the applicable HIPAA requirements. The designated health care components which provide business associate services shall follow the compliance rules of the designated health care component for which it is providing business associate services.  Each designated health care component, or its designee, shall provide compliance reports to the Vice President Employee and Information Services at least annually.

III. Definitions

Business Associate:  a person or entity that creates, receives, maintains or transmits protected health information to perform certain functions or activities on behalf of a covered entity or provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services for a covered entity and the provision of the service involves the disclosure of protected health information. 45 C.F.R. § 160.103.

Covered Entity: a health plan, a health care clearinghouse or a health care provider who transmits any health information in electronic form in connection with a covered transaction . 45 C.F.R. § 160.103

Covered Function: functions of a covered entity the performance of which makes the entity a health plan, health care provider, or health care clearinghouse. 45 C.F.R. § 164.103

Covered Transaction:  the transmission of information between two parties to carry out financial or administrative activities related to health care and includes the following transmissions:

    1. Health care claims or equivalent encounter information.
    2. Health care payment and remittance advice.
    3. Coordination of benefits.
    4. Health care claim status.
    5. Enrollment and disenrollment in a health plan.
    6. Eligibility for a health plan.
    7. Health plan premium payments.
    8. Referral certification and authorization.
    9. First report of injury.
    10. Health claims attachments.
    11. Health care electronic funds transfers (EFT) and remittance advice.
    12. Other transactions that the Secretary may prescribe by regulation.  45 C.F.R. § 160.103

Hybrid Entity: a single legal entity that conducts both covered and non-covered functions and designates health care components in accordance with 45 C.F.R. § 164.105(a)(2)(iii)(D). 45 C.F.R. § 164.103

IV. History

Initial Policy Effective:  July 1, 2014

V. Keywords

HIPAA, HITECH,  Hybrid Entity, Health Care Component, Privacy Rule, Security Rule, Business Associate, Individually Identifiable Health Information, Protected Health Information

Exhibit A - University of Colorado Designated Health Care Components

System

    • University of Colorado Health and Welfare Plan
    • CU Health Plan Administration to the extent it provides business associate services to the University of Colorado Health and Welfare Plan
    • Employee Services to the extent it provides business associate services to the University of Colorado Health and Welfare Plan
    • Office of University Counsel to the extent it provides business associate services to health care components
    • Office of Information Security to the extent it provides business associate services to health care components
    • University Information Systems to the extent it provides business associate services to health care components
    • Internal Audit to the extent it provides business associate services to health care components
    • Professional Risk Management to the extent it provides business associate services to health care components
    • University Risk Management to the extent it provides business associate services to health care components
    • Office of Advancement to the extent it provides business associate services to health care components
    • Technology Transfer Office to the extent it provides business associate services to health care components.

University of Colorado Denver

    • Positive Early Learning Experiences (PELE) Center

University of Colorado Anschutz Medical Campus

All Departments except for:

    • Physiology and Biophysics
    • Pharmacology
    • Microbiology
    • Immunology
    • Biochemistry and Molecular Genetics
    • Institutional Animal Care and Use Committee (ICAUC)
    • Facilities Operations 
    • Office of Finance and Administration
    • Center for Lab Animal Care  (CLAC)
    • Continuing Medical Education (CME)
    • Cellular and Structural Biology
    • Alumni Relations Office

University of Colorado Boulder

    • Wardenburg Health Services to the extent it performs covered functions
    • Office of Information Technology to the extent it provides business associate services to covered entities

University of Colorado Colorado Springs

    • Health Circle Clinic to the extent it performs covered functions
    • Helen and Arthur E. Johnson Beth-El College of Nursing and Health Sciences, Nurse-Family Partnership® Program
    • Office of Information Technology to the extent it provides business associate services to covered entities
    • Office of Strategic Planning and Initiatives to the extend it provides business associate services to covered entities
    • Campus Controller to the extent it provides business associate services to covered entities