Statement on Designation as a Hybrid Entity under HIPAA Regulations

Introduction

The Health Insurance Portability and Accountability Act (HIPAA) and its implementing regulations apply to individuals and organizations designated in the law/regulations as covered entities. These covered entities include: (1) group health plans; (2) health care providers who conduct certain transactions electronically, including but not limited to transmission of health care claims, health care payments, enrollment in a health plan, and referral authorizations; and (3) health care clearinghouses. Although Washington and Lee University (W&L) does not primarily engage in any of these activities, some units within the University may perform functions that bring them within the definition of a covered health care provider under HIPAA.

Organizations such as W&L that have both covered entity departments and non-covered entity departments may choose to be designated as hybrid entities. In this case, W&L must designate and include in its HIPAA "health care component" those departments of the University that would meet the definition of a covered entity if they were separate legal entities. In this case, although W&L as a hybrid entity remains responsible for oversight, compliance, and enforcement obligations, the HIPAA requirements apply only to the health care component.

Designation of Health Care Components

Washington and Lee University has designated certain units as constituting its healthcare components based on one or more of the following criteria:

  1. A department that would meet the definition of a covered entity if it were a separate legal entity.
  2. A department that performs covered functions or transactions under HIPAA.
  3. A department that performs activities that would make it a business associate if it were a separate legal entity.

Note: A business associate is a person or organization that performs or assists a covered entity in the performance of a function that involves the use or disclosure of protected health information on behalf of a covered entity.
Note: Protected Health Information (PHI) specifically excludes student health care treatment records and student education records maintained by Washington and Lee University, as defined and covered under the Family Education Rights and Privacy Act of 1974 (FERPA) and any employment records, including employee health records, maintained by a covered entity, including a hybrid entity, in its capacity as an employer.

The following departments of W&L has been designated as its health care components and are required to comply with any applicable1 HIPAA regulations:

  • Student Health Center, if its health care providers conduct any standard HIPAA transactions electronically, directly or through a vendor
  • Counseling Center, if its health care providers conduct any standard HIPAA transactions electronically, directly or through a vendor
  • Athletic Training Staff, if its health care providers conduct any standard HIPAA transactions electronically, directly or through a vendor
  • Information Technology Services, to the extent any personnel use and disclose individually identifiable health information in providing administrative and support services to the Student Health Center, the Counseling Center, and/or the Athletic Training staff, and would constitute a business associate if the department was a separate legal entity.
  • Business Office, to the extent any personnel use and disclose individually identifiable health information in providing administrative and support services to the Student Health Center, the Counseling Center, and/or the Athletic Training staff, and would constitute a business associate if the department was a separate legal entity.
  • Office of General Counsel, to the extent any personnel use and disclose individually identifiable health information in providing administrative and support services to the Student Health Center, the Counseling Center, and/or the Athletic Training staff, and would constitute a business associate if the department was a separate legal entity.

Washington and Lee University, through its Office of Human Resources, maintains employee health records in its capacity as an employer, which are excluded from the definitions of PHI under HIPAA. Further, W&L's Office of Human Resources maintains various employee health insurance records in its capacity as employer sponsor of the university's group health plans. The Office of Human Resources is not one of the university's health care components. The group health plans offered to university employees and retirees are separate legal entities covered by HIPAA, independent of the university. These plans currently include medical and dental care, prescription drug benefits, flexible spending accounts, an employee assistance program, and health advocate. The plans have HIPAA compliance obligations separate and apart from the university and they are not health care components of W&L.

Designation of Privacy and Security Officers

W&L designates the Vice President for Student Affairs and Dean of Students as the Privacy Officer for its health care components: Sidney Evans; (540) 458-8751; sevans@wlu.edu. W&L has previously designated Executive Director of Human Resources as the Privacy Officer for the University's Group Health Plans: Jodi Williams; (540) 458-8318; jwilliams@wlu.edu. The Security Officer for W&L's health care components and for the University's Group Health Plans is the Director of Enterprise Applications and ITS Security: Dean Tallman; (540) 458-8089; dtallman@wlu.edu. For any questions about W&L's compliance with applicable HIPAA, FERPA, or state privacy and security laws and regulations regarding individually identifiable health information, please contact one of these officers.

Non-Retaliation Policy

The University, its health care components and personnel shall not intimidate, threaten, coerce, discrimination against, or take other retaliatory action against anyone for exercising his/her right under the privacy regulations or participating in any process established by the privacy regulations; nor for filing a complaint, participating in an investigation or audit or review proceeding conducted by the university or a government agency under the privacy regulations, or opposing any act or practice made unlawful by the privacy regulations. Any individual who believes that some form of retaliation under the privacy regulations has occurred or is occurring should report such concern to the relevant privacy officer designated above. The privacy officer will then conduct an investigation and, if the retaliation is substantiated, will impose sanctions in accordance with W&L's confidentiality and information security policies.

Acknowledged this 3rd day of September, 2012 by:

Steven G. McAllister, Treasurer/Vice President for Finance and Administration

1Note: Any individually identifiable health information maintained by any W&L department on a W&L student is specifically excluded from coverage as PHI under HIPAA. W&L's health care components maintain no PHI and no e-PHI; the student health information maintained by those health care components is governed by compliance obligations under FERPA, and/or state medical records privacy laws and regulations. Business Associate agreements are maintained with any vendor whose services on behalf of the W&L health care components require access to individually identifiable student health information.