Designation of Indiana Univeristy as a Hybrid Entity
About This Policy
- Effective Date:
- Date of Last Review/Update:
- Responsible University Office:
- HIPAA Privacy and Security Compliance Office
- Responsible University Administrator:
- Vice President for University Clinical Affairs
- Policy Contact:
- University HIPAA Privacy Officer
University HIPAA Security Officer
- Policy Feedback:
- If you have comments or questions about this policy, let us know with the policy feedback form.
- Print or view a PDF of this policy
- Many policies are quite lengthy. Please check the page count before deciding whether to print.
Covered Entity with Hybrid Status
Organizations such as Indiana University that have both covered components and non-covered components may choose to be designated as hybrid entities. In this case, Indiana University must designate and include in its HIPAA "covered component" those schools, departments, divisions or units (areas) of the university that would meet the definition of a covered entity or a business associate if they were separate legal entities. Although IU as a hybrid entity remains responsible for oversight, compliance, and enforcement obligations, the HIPAA requirements apply only to the covered components or IU’s HIPAA Affected Areas.
Designation of Health Care Components
Indiana University has designated certain areas as constituting its covered components or IU HIPAA Affected Areas based on one or more of the following criteria:
- An area that would meet the definition of a covered entity if it were a separate legal entity or many of the workforce members are part of another covered entity;
- An area that performs activities that would make it a business associate if it were a separate legal entity;
- An area that is a business associate of another covered entity; and/or
- An area that accesses PHI for research and/or education purposes.
See the list of IU HIPAA Affected Areas.
Areas are grouped by:
- Covered healthcare component
- Internal/External business associate
- Access to PHI for education or research purposes
All other areas of Indiana University will be considered non-covered components. The University HIPAA Privacy and Security Officers will periodically verify the status of the covered and non-covered components.
Each IU HIPAA Affected Area will designate a HIPAA Liaison or Privacy Officer who will represent the area on the HIPAA Liaison Committee.
Each area designated as an IU HIPAA Affected Area will be subject to the HIPAA Privacy and Security policies established by Indiana University.
Each area designated as an IU HIPAA Affected Area must implement appropriate policies and procedures to allow the area to comply with the HIPAA Privacy and Security Rules, the IU HIPAA Privacy and Security Compliance Plan, and related policies and procedures.
Reason for Policy
The Health Insurance Portability and Accountability Act of 1996 ("HIPAA") is a law intended to protect individually identifiable information relating to the physical or mental health of an individual, the provision of health care to the individual, or the payment for the provision of health care to the individual ("Protected Health Information" or "PHI"). HIPAA applies to "Covered Entities, which include health care providers, health plans and health care clearinghouses that conduct specified transactions electronically ("Covered Entities" or each a "Covered Entity") and their business associates. Indiana University is engaged in activities covered under HIPAA as well as activities that are not covered. HIPAA allows entities that are engaged in both types of activities to designate themselves as "Hybrid Entities," with the result that the HIPAA regulations do not apply to the non-covered functions.