UPPS 01.04.33 - HIPAA Hybrid Designation

POLICY STATEMENT

Texas State University is committed to maintaining and enforcing Health Insurance Portability and Accountability Act (HIPAA) regulations.

1. SCOPE

   1. This policy designates Texas State University as a hybrid entity under the Health Insurance Portability and Accountability Act (HIPAA).

      1. Texas State designates itself as a hybrid entity for purposes of Title II of the HIPAA of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act, and the privacy and security regulations found in 45 C.F.R. §§ 160 et. seq. (collectively referred as HIPAA herein).

      2. Texas State recognizes the applicability of HIPAA to certain sectors of the university.

      3. Under HIPAA, Texas State can elect to be a hybrid entity with identified health care components (HCC) that are subject to HIPAA, and non-covered components which are not. The policy identifies the HCCs subject to HIPAA’s privacy, security, breach notification, and enforcement provisions.

2. RELATED DOCUMENTS

   1. 45 CFR Part 160 and 164; Section 164.105; and Section 164.504

   2. UPPS No. 01.04.34, HIPAA Privacy Compliance Program

3. DEFINITIONS

   1. Definitions related to HIPAA can be found in Section 02. of UPPS No. 01.04.34, HIPAA Privacy Compliance Program.

4. DESIGNATION AND COMPLIANCE

   1. Texas State designates HCCs (the areas subject to HIPAA) as set forth on the university HCC list.

   2. If another component of Texas State not listed in the university HCC list initiates performance of covered entity functions, such as beginning to bill insurance companies for care delivery, they shall be reclassified as a HCC and must notify the HIPAA Privacy Officer of this change.

   3. When other component of Texas State not listed in the university HCC List performs business associate functions for a HCC (or another business associate) within Texas State or for an outside covered entity, they would be a HCC to the extent of that activity.

   4. Any Texas State workforce member who undertakes a new activity that would make that member a health care provider under HIPAA, or a business associate, is obligated to notify the HIPAA Privacy Officer and Chief Information Security Officer before engaging in the activity to assess if the member is a covered entity and HCC.

   5. Texas State shall retain its HCC designation for at least six years from the date of a decision to remove an HCC’s designation as an HCC. Otherwise, Texas State shall retain HCC designations indefinitely, as per 45 C.F.R. 164.316(b)(2)(i).

5. RESPONSIBILITIES OF A HYBRID ENTITY

   1. A hybrid entity must implement institution wide policies and procedures to ensure compliance with applicable requirements. These requirements can be found in UPPS No. 01.04.34, HIPAA Privacy Compliance Program.

6. REVIEWERS OF THIS UPPS

   1. Reviewers of this UPPS include the following:

      Position	Date
      Associate Vice President for Institutional Compliance and Chief Compliance Officer	April 1 E5Y
      Associate Director, Student Health Center	April 1 E5Y
      Chief Information Security Officer and HIPAA Security Officer	April 1 E5Y
      HIPAA Privacy Officer	April 1 E5Y

7. CERTIFICATION STATEMENT

   This UPPS has been approved by the following individuals in their official capacities and represents Texas State policy and procedure from the date of this document until superseded.

   Chief Information Security Officer and HIPPA Security Officer; senior reviewer of this UPPS

   Vice President for Information Technology

   President