KUMC Designation as a Hybrid Entity under HIPAA
The University of Kansas Medical Center (KUMC), a part of the University of Kansas, is designated a “Hybrid Entity” pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) and all regulations promulgated thereunder (hereinafter collectively referred to as “HIPAA”).
The purpose of this policy is to define, in accordance with HIPAA, how KUMC will identify departments, clinics, programs, and functions determined to be Health Care Components of KUMC. The term Health Care Components includes components that meet the definition of a Covered Entity if it were a separate legal entity, KUMC departments that conduct Covered Functions and those that perform activities that would make the component a Business Associate of the entity if it were legally separate.
This policy applies to all departments, clinics, programs, and functions determined to be Health Care Components of KUMC.
As a health care provider that transmits health information in electronic form in connection with the conduct of Covered Transactions, the University of Kansas (“KU”) is a Covered Entity subject to the requirements of the Health Insurance Portability and Accountability Act (“HIPAA”), Standards for Privacy of Individually Identifiable Health Information (the “Privacy Rule”), as amended. As a Covered Entity, KU conducts business activities that include both Covered Functions and non-Covered Functions. Accordingly, KU is permitted under the Privacy Rule to comply with the requirements of the Privacy Rule as a Hybrid Entity. As such, KUMC must designate the Health Care Components that will be required to comply with standards of the Privacy Rule and Security Rule.
Health Care Component Designation
- The HIPAA Privacy Program, in consultation with the appropriate administrators, will identify the schools, departments, programs, and functions determined to be “Health Care Components”, which are required to comply with the standards set forth in the Privacy and Security Rule.
- The HIPAA Privacy Program will, not less than annually, review the activities of KUMC schools, departments, programs, and functions to determine whether any modifications to the designated Health Care Components should be made. Such determinations will be based on whether the unit reviewed meets the definition of a “Health Care Component” as outlined herein. The results of the review will be documented by the HIPAA Privacy Program.
- The HIPAA Privacy Program will communicate the results of the review and designation of the Health Care Components to the KUMC Vice Chancellor for Administration and to the heads of the designated Health Care Components.
- All components of KUMC that perform Business Associate functions for Health Care Components within KUMC shall be designated Health Care Components of KUMC.
- A Health Care Component of KUMC that performs a Covered Function but does not conduct certain standard electronic transactions may, but is not required to, be included in the Health Care Component(s) Hybrid Entity designation. Such exceptions shall be set forth in Exhibit B. Health Care Components of KUMC listed in Exhibit B shall not in any way transmit health information in electronic form in connection with a Covered Transaction. If any such component transmits health information in electronic form in connection with a Covered Transaction, that component shall be considered a Health Care Component, and its employees and workforce will be required to comply with the standards set forth in the Privacy and Security Rule and KUMC’s HIPAA Privacy and Security policies and procedures.
General Safeguard Requirements
- KUMC’s Health Care Components shall not disclose PHI to any non-Health Care Components if such disclosure would be prohibited to an entity that is separate from KUMC under the Privacy Rule and KUMC’s HIPAA policies and procedures.
- A member of KUMC’s workforce who performs duties for both a Health Care Component and a non-Health Care Component of KUMC shall not use or disclose PHI created or received in the course of the member’s duties for the Health Care Component while performing duties for the non-Health Care Component if such use or disclosure would be prohibited by the Privacy Rule and KUMC’s HIPAA policies and procedures to an entity that is separate from KUMC.
- KUMC shall only permit the use and disclosure of PHI between Health Care Components and non-Health Care Components of KUMC to the same extent, and in the same manner, as KUMC is permitted to use or disclose PHI to individuals and entities that are separate from KUMC.
- KUMC shall implement procedures and technical safeguards to limit access to KUMC’s PHI by members of its workforce who perform duties for the non-Health Care Components. These procedures and safeguards shall include, but not be limited to, access control and validation procedures to limit access to electronic records containing PHI.
- Where connectivity exists, KUMC shall maintain technical safeguards between its Health Care Components and non-Health Care Components such that the non-Health Care Components are unable to access PHI maintained electronically by the Health Care Components.
For each designation by KUMC of a Health Care Component, KUMC shall maintain a written or electronic record of such designation for six (6) years from the date of the designation or the date when such designation was last in effect, whichever is later.
- KUMC’s Privacy Official (the “PO”) is responsible for facilitating compliance with this Policy and for all questions that arise concerning the designation of Health Care Components and non-Health Care Components of KUMC, or the disclosure of PHI from a Health Care Component to a non-Health Care Component. The PO, in consultation with the Office of General Counsel, shall have the authority to make final determinations regarding the designation of Health Care Components and non-Health Care Components of KUMC, or the disclosure of PHI from a Health Care Component to a non-Health Care Component.
- All Workforce members of KUMC are responsible for completing ongoing education on HIPAA Privacy and Security as directed by the KUMC Office of Compliance.
- All Workforce members of KUMC are responsible for compliance with this policy.
Faculty, staff and student employees who violate this Policy may be subject to disciplinary action for misconduct and/or performance based on the administrative process appropriate to their employment or other status.
KUMC Privacy Official: 913-588-0940
Business Associate is a person who is not a Workforce member of a Covered Entity but creates, receives, maintains, or transmits PHI for or on behalf of a Covered Entity. A Covered Entity may be a Business Associate of another Covered Entity. 45 C.F.R. § 160.103.
Covered Entity means:
- A health plan.
- A health care clearinghouse.
- A health care provider who transmits any health information in electronic form in connection with a Covered Transaction. 45 C.F.R. § 160.103.
Covered Functions means those functions of KU, the performance of which makes KU a health care provider, health plan or health care clearinghouse. 45 C.F.R. § 164.103.
Covered Transactions means the transmission of information by KU to carry out financial or administrative activities related to health care, including transmission of the following types of information:
- Health care claims or equivalent encounter information;
- Health care payment and remittance advice;
- Coordination of benefits;
- Health care claim status;
- Enrollment and disenrollment in a health plan;
- Eligibility for a health plan;
- Health plan premium payments;
- Referral certification and authorization;
- First report of injury;
- Health claims attachments;
- Health care electronic fund transfers (EFT) and remittance advice; and
- Other transactions that the Secretary of DHHS may prescribe by regulation. 45 C.F.R. Part 162.
Hybrid Entity means a single legal entity:
- That is a covered entity;
- Whose business activities include both Covered and non-Covered Functions; and
- That designates Health Care Components in accordance with the Privacy Regulations. 45 C.F.R. § 164.105; 45 C.F.R. § 164.103.
Individually identifiable health information is information that is a subset of health information, including demographic information collected from an individual, and:
- Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
- Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and
  i. That identifies the individual; or
  ii. With respect to which there is a reasonable basis to believe the information can be used to identify the individual. 45 C.F.R. § 160.103.
Protected health information (“PHI”) means individually identifiable health information:
- Except as provided in paragraph (2) of this definition, that is:
  i. Transmitted by electronic media;
  ii. Maintained in electronic media; or
  iii. Transmitted or maintained in any other form or medium.
- Protected health information excludes individually identifiable health information:
  i. In education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g;
  ii. In records described at 20 U.S.C. 1232g(a)(4)(B)(iv);
  iii. In employment records held by a covered entity in its role as employer; and
  iv. Regarding a person who has been deceased for more than 50 years. 45 C.F.R. § 160.103.
Workforce means employees, volunteers, trainees, and other persons whose conduct, in the performance of work for KU, is under the direct control of KU, whether or not they are paid by KU. 45 C.F.R. § 160.103.
05/06/2016: Removed Date Last Reviewed
12/14/2015: Revised to reflect changes in regulations.
04/11/2003: Original issue date