Indiana University's Designation as a "Hybrid Covered Entity"
The Health Insurance Portability and Accountability Act of 1996 ("HIPAA") is a law intended to protect individually identifiable information relating to the physical or mental health of an individual, the provision of health care to the individual, or the payment for the provision of health care to the individual ("Protected Health Information" or "PHI"). HIPAA applies to "Covered Entities", which include health plans, health care clearinghouses and health care providers that conduct specified transactions electronically ("Covered Entities" or each a "Covered Entity") and their business associates.
Indiana University is engaged in activities covered under HIPAA as well as activities that are not covered. HIPAA allows organizations such as Indiana University to choose hybrid status or to be designated as a "Hybrid Covered Entity". With that designation, the HIPAA regulations do not apply to the non-covered functions.
Covered entities that have selected hybrid status, such as Indiana University, must designate those schools, departments, divisions or units (areas) of the university that would meet the definition of a covered entity or a business associate if they were separate legal entities. Although IU as a hybrid covered entity remains responsible for oversight, compliance, and enforcement obligations, the HIPAA requirements apply only to the covered components or IU’s HIPAA Affected Areas.
Designation of Covered Components
Indiana University has designated certain areas as constituting its covered components or IU HIPAA Affected Areas based on one or more of the following criteria:
- An area that would meet the definition of a covered entity if it were a separate legal entity or many of the workforce members are part of another covered entity (e.g. healthcare providers, health plan);
- An area that performs activities that would make it a business associate if it were a separate legal entity;
- An area that is a business associate of an external covered entity; and/or
- An area that accesses PHI for research and/or education purposes.
See the HIPAA Affected Areas section of this website
Areas are grouped by:
- Covered healthcare component
- Internal/External business associate
- Access to PHI for education or research purposes
All other areas of Indiana University will be considered non-covered components. The University HIPAA Privacy and Security Officers will periodically verify the status of the covered and non-covered components.
Each IU HIPAA Affected Area will designate a HIPAA Liaison or Privacy Officer who will represent the area on the HIPAA Liaison Committee.
Each area designated as an IU HIPAA Affected Area will be subject to the HIPAA Privacy and Security policies, standards and procedures established by Indiana University.
Each area designated as an IU HIPAA Affected Area must implement appropriate policies and procedures to allow the area to comply with the HIPAA Privacy and Security Rules, the IU HIPAA Privacy and Security Compliance Plan, and related policies, standards and procedures.