HIPAA Hybrid Entity Designation

The Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH Act), is a federal law designed to improve the portability and continuity of healthcare coverage, standardize healthcare transactions and implement requirements surrounding health information privacy and security.

In general, HIPAA addresses Protected Health Information (PHI) that is maintained or transmitted by a covered entity. 

Covered entities are:

• health plans,
• healthcare clearinghouses, and
• healthcare providers that conduct certain types of transactions in electronic form.

A covered entity that is a single legal entity and conducts both covered and non-covered functions may elect to be a hybrid entity. To be a hybrid entity, the covered entity must identify its components that perform covered functions and designate these components as healthcare components.  The HIPAA compliance obligations apply only to the designated healthcare components. A covered entity that does not make this designation is subject to HIPAA in its entirety. The university conducts both covered and non-covered functions and elects to be a hybrid entity.  This policy identifies the university as a hybrid entity and documents the university’s designated healthcare components that must comply with HIPAA requirements.

1. Hybrid Entity. The university conducts both covered and non-covered functions and elects to be a hybrid entity under HIPAA as provided by 45 C.F.R. § 164.103 and 45 C.F.R. § 164.105.
    
2. Designated Health Care Components. As a hybrid entity, the applicable HIPAA compliance obligations only apply to the university’s designated healthcare components. 
   1. The designated healthcare components include:
      1. any component that meets the definition of covered entity if it were a separate legal entity;
      2. components only to the extent that they perform covered functions; and
      3. components that provide business associate services to components that perform covered functions.
   2. The designated healthcare components are listed in Exhibit A, University of Colorado Designated Healthcare Components.
       
   3. Employee Services in consultation with the Office of University Counsel shall review and amend Exhibit A as needed, but no less frequently than annually.
       
3. University Responsibility.  The university shall ensure that the designated healthcare components comply with the applicable HIPAA requirements. 45 C.F.R. § 164.105.
    
4. Healthcare Components Responsibility. Each designated healthcare component shall ensure its compliance with the applicable HIPAA requirements. The designated healthcare components which provide business associate services shall follow the compliance rules of the designated healthcare component for which it is providing business associate services.

1. Business Associate:  a person or entity that creates, receives, maintains or transmits protected health information to perform certain functions or activities on behalf of a covered entity or provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services for a covered entity and the provision of the service involves the disclosure of protected health information. 45 C.F.R. § 160.103.
    
2. Covered Entity: a health plan, a healthcare clearinghouse or a healthcare provider who transmits any health information in electronic form in connection with a covered transaction. 45 C.F.R. § 160.103
    
3. Covered Function: functions of a covered entity the performance of which makes the entity a health plan, healthcare provider, or healthcare clearinghouse. 45 C.F.R. § 164.103
    
4. Covered Transaction:  the transmission of information between two parties to carry out financial or administrative activities related to healthcare and includes the following transmissions:
   1. Healthcare claims or equivalent encounter information.
   2. Healthcare payment and remittance advice.
   3. Coordination of benefits.
   4. Healthcare claim status.
   5. Enrollment and disenrollment in a health plan.
   6. Eligibility for a health plan.
   7. Health plan premium payments.
   8. Referral certification and authorization.
   9. First report of injury.
   10. Health claims attachments.
   11. Healthcare electronic funds transfers (EFT) and remittance advice.
   12. Other transactions that the Secretary may prescribe by regulation.  45 C.F.R. § 160.103​​
5. ​Hybrid Entity: a single legal entity that conducts both covered and non-covered functions and designates healthcare components in accordance with 45 C.F.R. § 164.105(a)(2)(iii)(D). 45 C.F.R. § 164.103

System

• • University of Colorado Health and Welfare Plan
  • CU Health Plan Administration to the extent it provides business associate services to the University of Colorado Health and Welfare Plan
  • Employee Services to the extent it provides business associate services to the University of Colorado Health and Welfare Plan
  • Office of University Counsel to the extent it provides business associate services to health care components
  • Office of Information Security to the extent it provides business associate services to health care components
  • University Information Systems to the extent it provides business associate services to health care components
  • Internal Audit to the extent it provides business associate services to health care components
  • Professional Risk Management to the extent it provides business associate services to health care components
  • University Risk Management to the extent it provides business associate services to health care components
  • Office of Advancement to the extent it provides business associate services to health care components
  • Technology Transfer Office to the extent it provides business associate services to health care components.

University of Colorado Anschutz Medical Campus

All Departments except for:

• • Physiology and Biophysics
  • Pharmacology
  • Microbiology
  • Immunology
  • Biochemistry and Molecular Genetics
  • Institutional Animal Care and Use Committee (IACUC)
  • Facilities Operations 
  • Office of Finance and Administration
  • Center for Lab Animal Care  (CLAC)
  • Continuing Medical Education (CME)
  • Cellular and Structural Biology
  • Alumni Relations Office

University of Colorado Boulder

• • Health and Wellness Services to the extent it performs covered functions
  • Office of Information Technology to the extent it provides business associate services to covered entities

University of Colorado Colorado Springs

• • UCCS HealthCircle Clinics at the Lane Center for Academic Health Sciences to the extent they perform covered functions
  • Helen and Arthur E. Johnson Beth-El College of Nursing and Health Sciences, Nurse-Family Partnership® Program
  • Office of Information Technology to the extent it provides business associate services to covered entities
  • Campus Controller to the extent it provides business associate services to covered entities