POL-U1000.14 Designating WWU As A HIPAA Hybrid Entity (Interim)

Dates and Approval

Effective Date:

January 27, 2026

Approval Date:

January 26, 2026

Approved by:

President Sabah Randhawa

Who does this policy apply to?

This policy applies to all WWU academic and administrative units; all employees, contractors, volunteers, and students who may access PHI and covered components as defined in this policy.

Overview

The Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH Act), is a federal law intended to strengthen the privacy and security of individuals' health information. HIPAA applies to "covered entities," as defined under the privacy, security, breach notification, and enforcement rules at 45 C.F.R. Part 160 and Part 164 ("HIPAA Rules"). HIPAA covered entities include health plans, health plan clearinghouses, and Health Care Providers that transmit health information electronically in certain types of transactions. A single legal entity that conducts both HIPAA-covered and non-covered functions may designate itself as a Hybrid Entity for HIPAA compliance purposes.  

Definitions

Business Associate

As defined in 45 CFR § 160.103.

Covered Entity

A health plan, a health care clearinghouse, or a Health Care Provider who transmits any health information in electronic form in connection with a transaction covered under HIPAA (45 CFR § 160.103).

Covered Functions

Those functions of a Covered Entity, the performance of which makes the entity a health plan, Health Care Provider, or health care clearinghouse (45 CFR § 164.103).

Health Care Component

A component or combination of components of a Hybrid Entity designated by the Hybrid Entity in accordance with 45 CFR § 164.105(a)(2)(iii)(D) (45 CFR § 164.103).  

Health Care Provider

Includes a provider of medical or health services, as defined by law, and any other person or organization that furnishes, bills, or is paid for health care in the normal course of business (45 CFR § 160.103).

Hybrid Entity

A single legal entity (1) that is a Covered Entity; (2) whose business activities include both covered and non-covered functions; and (3) that designates Health Care Components in accordance with 45 CFR § 164.105(a)(2)(iii)(D) (45 CFR § 164.103).

Individually Identifiable Health Information

As defined in 45 CFR § 160.103.

Protected Health Information (“PHI”)

Individually Identifiable Health Information transmitted or maintained electronically or in any other form or medium, except as otherwise excluded by regulation (45 CFR § 160.103). See the excluded records in Section 4.

Policy Statements

1. University Invokes HIPAA Hybrid Entity Status

Some components within the University perform activities or functions that bring them within the definition of a Covered Entity for HIPAA purposes. The University therefore chooses to invoke Hybrid Entity status and must designate and document as its "Health Care Component(s)" each component within the University that would meet the definition of a Covered Entity or a Business Associate if it were a single legal entity. This HIPAA Hybrid Entity Policy specifically addresses the requirements of 45 C.F.R. Sections 164.103 and 164.105, which set out the organizational requirements for hybrid entities under HIPAA, among other issues.

Although the University is responsible for HIPAA oversight, compliance, and enforcement requirements, as applicable, the HIPAA Rules apply only to the University's designated Health Care Components. The University is also responsible for compliance with additional federal and state requirements and remains committed to ensuring that personal health information accessed by any University unit or component is handled in accordance with applicable state and federal regulations.

2. Specific University Components are Designated as Health Care Components

The University has designated certain of its components as its Health Care Components based on one or more of the following factors:

  1. The component would meet the definition of a Covered Entity if it were a separate legal entity,

  2. The component would meet the definition of a Business Associate if it were a separate legal entity, and/or

  3. The component performs Covered Functions.

The following components of the University are designated as its Health Care Components and must comply with the requirements of HIPAA, as applicable:

  1. Student Health Center,

  2. Counseling and Wellness Center,

  3. Those elements of Western's Information Technology Department not housed within a designated Health Care Component, but which have access to the Electronic Medical Records system, and

  4. Risk Management.

3. Health Care Components Must Comply with Required Safeguards

The University shall ensure that its Health Care Components comply with the HIPAA Rules regarding health records, as applicable, subject to the exclusions in section 4 below. In particular, the University shall ensure that:

  1. Its Health Care Components do not disclose Protected Health Information to another component of the University in a manner that would be prohibited under the HIPAA Privacy Rule (45 C.F.R. Part 164, Subpart E) if the Health Care Component and other component were separate legal entities;
  2. Its Health Care Components protect electronic Protected Health Information regarding another component of the University to the same extent that they would be required to protect this information under the HIPAA Security Rule (45 C.F.R. Part 164, Subpart C) if the Health Care Components and other component were separate legal entities; and
  3. If a person performs duties as a workforce member for both a Health Care Component and a non-Health Care Component of the University, the person does not use or disclose Protected Health Information created or received in the course of (or incident to) the person's work for the Health Care Component in a way that is prohibited under the HIPAA Privacy Rule (45 C.F.R. Part 164, Subpart E).

The University shall comply with HIPAA's requirements concerning compliance and enforcement (45 C.F.R. Part 160, Subpart C).

The University shall comply with requirements under the HIPAA Privacy Rule and Security Rule regarding implementation of compliance policies and procedures (45 C.F.R. §§ 164.316(a) and 164.530(i)), including the safeguards addressed above. Although excluded from the HIPAA Privacy Rule, the University has elected to model its security policies regarding excluded health records, when handled by designated Health Care Components, on the HIPAA Security rule.

The University shall ensure compliance with requirements under the HIPAA Privacy Rule and Security Rule regarding Business Associate arrangements and other organizational requirements (45 C.F.R. §§ 164.314 and 164.504).

4. Certain Health Records are not Protected Health Information Under HIPAA

  1. Employee Health Records: 
    Through its Human Resources and Environmental Health and Safety offices, the University maintains employee health records in its capacity as an employer. Employee health records are expressly excluded from the definition of Protected Health Information under the HIPAA Rules, and the University’s human resources office is not one of the University’s designated Health Care Components.
  2. Educational Records: 
    The University maintains student health records which are defined as education records under the Family Educational Rights and Privacy Act (FERPA). Education records covered by FERPA are expressly excluded from the definition of Protected Health Information under the HIPAA Rules. However, student health records are subject to the HIPAA Administrative Simplification Requirements for the insurance billing process.
  3. Treatment records of a student over the age of 18: 
    Such records, as described under 20 U.S.C. 1232g(a)(4)(B)(iv), are expressly excluded from the definition of Protected Health Information under the HIPAA Rules. However, such records are subject to the HIPAA Administrative Simplification Requirements for the insurance billing process.

5. The University Must Maintain Specific Records

The University shall retain documentation evidencing its Health Care Component designation for at least six years following the date of a decision to remove a component's designation as a Health Care Component. Otherwise, the University shall retain documentation evidencing Health Care Component designations indefinitely.

6. The University Appoints HIPAA Privacy and Security Officers

The University Provost is responsible for identifying the University's HIPAA Privacy Officer and HIPAA Security Officer for its Health Care Components.

  1. The HIPAA Privacy Officer oversees the development, implementation and management of the University’s privacy policies and procedures and oversees HIPAA training and compliance investigations.
  2. The HIPAA Security Officer oversees the development, implementation and management of the University’s security and breach notification policies and procedures, including management of technical safeguards and risk assessments.
  3. The HIPAA Privacy Officer and HIPAA Security Officer oversee and retain ultimate responsibility for their respective functions but may delegate certain responsibilities to Health Care Component directors, who ensure compliance with HIPAA and federal and state privacy laws within their respective University units. These delegated responsibilities may include developing and enforcing standards and procedures to safeguard PHI.

The University has appointed the Director of Risk Management and Compliance as its HIPAA Privacy Officer and the Senior Director of Enterprise Infrastructure Services as its HIPAA Security Officer for its Health Care Components.

For any questions regarding the University’s compliance with the HIPAA Rules and their implementing regulations concerning the Health Care Components, please contact the HIPAA Privacy or Security Officer.

7. Violations are Subject to Disciplinary Action

University departments that are not within designated Health Care Components but that, contrary to this policy, engage in Covered Functions put the University at risk of financial penalties and reputational harm, and responsible employees will be subject to disciplinary action, including termination.

8. The University’s Hybrid Status will be Reviewed Regularly

The HIPAA Privacy Officer will review this policy regularly, no more than every two years, and following any significant emergency, audit, or regulatory or operational change.

Policy Information