St. Ambrose University Statement on its Designation as a Hybrid Entity Under HIPAA (Health Insurance Portability and Accountability Act)
The Health Insurance Portability and Accountability Act of 1996 ("HIPAA") is a consumer protection law intended to protect individually identifiable information relating to the physical or mental health of an individual, the provision of health care to the individual, or the payment for the provision of health care to the individual ("Protected Health Information" or "PHI"). HIPAA applies to "Covered Entities," which include health care providers, health plans and health care clearinghouses that conduct specified transactions electronically ("Covered Entities" or each a "Covered Entity"). St. Ambrose University is engaged in both Covered Entity activities and activities that are not Covered Entity functions. HIPAA allows entities that are engaged in Covered Entity functions and other activities that are not Covered Entity functions to designate themselves as "Hybrid Entities," with the result that the HIPAA regulations do not apply to the non-covered functions.
Assessment of Hybrid Entity Status
A Task Force comprised of representatives from St. Ambrose administrative offices such as Information Technology, College of Health and Human Services, Human Resources, and external resources including legal counsel was assembled to ascertain which St. Ambrose departments engage in activities to which the HIPAA privacy standards apply. Based on this guidance and review of HIPAA standards, St. Ambrose formally designates itself as a hybrid entity under HIPAA.
In determining which departments to include in the St. Ambrose Covered Entity (hereinafter "SACE"), St. Ambrose has been guided by the Department of Health and Human Services' amendments to the HIPAA regulations. Whether a St. Ambrose function or individual's activity on behalf of St. Ambrose is included in the SACE is determined based upon the data used and/or being disclosed, not based upon any particular overall departmental mission or activity. The following defined categories of data are critical to the determination of covered functions and activities:
1. IIHI: Individually Identifiable Health Information is information collected from an individual that is created or received by a health care provider, employer, plan or clearinghouse and relates to the past, present or future physical or mental health condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual and identifies the individual, or can reasonably be used to identify the individual.
2. PHI: Protected Health Information is IIHI that is transmitted or maintained in any form or medium by a covered function within the SACE. This specifically excludes education records, which are protected by other privacy regulations, and employment records held by St. Ambrose in its role as the employer. This also excludes research health information (see definition below), which is protected by other regulatory requirements.
3. RHI: Research Health Information is a term used by St. Ambrose to identify IIHI used for research purposes that is not PHI, and thus is not subject to the requirements of HIPAA. RHI is IIHI that is created in connection with research activity and is not created in connection with patient care activity. When a researcher is not also functioning as a health care provider, and creates IIHI in connection with pure research activities (no patient care involved) the IIHI is not PHI and is not subject to the privacy and security rules of HIPAA. If a researcher is also a health care provider and IIHI is created in connection with the researcher's health care provider activities, then the IIHI is PHI subject to HIPAA. IIHI that is created as PHI and is needed for research purposes may be disclosed to the researcher (the same individual healthcare provider who is also a researcher may disclose PHI to himself or herself in the research role) pursuant to the IRB approval process, which includes proper patient authorization or IRB waiver of authorization. After the PHI is properly disclosed in the research setting, the IIHI transferred to the research setting becomes RHI, which is no longer subject to the requirements of HIPAA. In certain cases such as interventional clinical trials it is expected there will be two copies of some IIHI; a copy kept in the patient's medical record which is PHI and subject to HIPAA and a copy of the same data kept in the research record which is RHI and not subject to HIPAA.
4. Key Determinants: The key determinants as to whether information is IIHI and not protected by the Privacy Rule, or PHI and protected, are: 1) the function being performed by the provider or health plan and 2) the purpose for which an entity or workforce member has received, created or maintained the medical information (treatment, payment, operations, other). Record keeping practices are not the determinant. For example, the results of a fitness for duty exam are PHI when SAU, as a provider and part of the SACE, administers the test to a SAU employee. When the employee authorizes SAU, the health care provider, to turn over the information to SAU, the employer, it is a part of the employee's employment record and no longer PHI. It is important to note that in most circumstances (exceptions include workplace injury, illness or medical surveillance) the employee must provide a signed Authorization to the SAU health care provider to release the information to SAU, the employer.
SAU determined which of its departments are health care components (covered units) pursuant to the following criteria per the Privacy Rule, amendments and HHS guidance:
1. Health care or health plan use or disclosure: A component that would meet the definition of a "covered entity," if it were a separate legal entity, must be included in the health care component. When the use or disclosure of individually identifiable health information (IIHI) is carried out in connection with a health care provider or health plan function by SAU workforce members, the individual's health information is defined as PHI, and HIPAA privacy and security regulations apply to those functions and to the workforce members who carry out those functions;
2. Functions that support health care or health plan: Another component of the covered entity, the activities of which would make it a business associate of the component that performs covered functions if the two were separate legal entities, may be included. If these business associate-like functions are not designated as part of the health care component, the exchange of health care information probably would require an authorization because the covered entity cannot have a business associate contract with itself. When the use or disclosure of IIHI is carried out by business, financial, legal or administrative functions on behalf of SAU's health care provider and health plan activities, the individual's information is PHI and the HIPAA privacy and security regulations apply to those functions and to the workforce members who carry out those functions;
3. Employer and education functions: When the use and disclosure of IIHI is carried out by SAU in its capacity as an employer or an educational institution, the information is not PHI and those SAU functions are not subject to the privacy or security regulations of HIPAA, but the confidentiality of the individual's health information is protected by other state and federal law, as well as by SAU policy; and
4. IRB functions: PHI may only be disclosed to a researcher for use in connection with an IRB-approved or exempt protocol and pursuant to a waiver or authorization. When a researcher requests access to PHI that has been created, received or maintained by the SACE, the Privacy Rule requires that the SACE receive specific assurances that the PHI will be protected once disclosed to the researcher for use as RHI, and SAU must account for certain disclosures as required by the HIPAA regulations. SAU's IRB will function as the Privacy Board as defined by HIPAA.
5. Examples of workforce members who may provide business, finance, legal or other services to covered functions: Workforce members of the following departments of SAU may provide administrative functions on behalf of the SACE (use of PHI subject to requirements of HIPAA) and on behalf of non-covered components of SAU (IIHI not subject to the requirements of HIPAA):
b. Information Technology;
c. Communication and Marketing;
d. Alumni Affairs;
g. Compliance Office;
h. IRB and individual SAU researchers;
i. Other departments as determined by the HIPAA Committee/Task Force.
The following departments are officially designated as health care components required to comply with HIPAA's privacy rules and standards:
- Speech and Language Pathology - health care provider
- Assistive Technology Lab - health care provider
- Student Health Services - health care provider subject to HIPAA privacy standards only to the extent that Student Health Services provides treatment to non-students
- Interprofessional Health Clinic
Transfer of PHI Between Covered and Non-Covered Components
When workforce members who provide services to the SACE perform services on behalf of non-covered components of SAU, these non-covered functions are not part of the SACE. Workforce members must not disclose PHI to non-covered SAU components without the individual's or patient's authorization, or waiver of authorization by the IRB in cases of disclosures for research purposes, as required by the Privacy Rule.
Workforce members who provide business and finance services to both the SACE providers and SAU health plans cannot use or disclose PHI between those entities unless such disclosure is allowed by the Privacy Rule.