HIPAA Hybrid Entity Designation Policy

Policy Number: 1.11.3.6
Category: HIPAA Hybrid Entity Designation Policy
Effective: July 1, 2022
Revision History: Originally effective July 1, 2019; minor revision July 1, 2022
Review Date: June 30, 2025

1. PURPOSE AND SCOPE

   1. The purpose of this Policy is to designate West Virginia University, West Virginia University Institute of Technology, and Potomac State College of West Virginia University (collectively the “University) as a Hybrid Entity under HIPAA.
   2. This Policy applies to all schools, departments, clinics, programs, and functions designated as a University Health Care Component.

2. THE UNIVERSITY AS A HYBRID ENTITY:

   1. The University is a single legal entity, comprised of multiple and distinguishable schools, departments, clinics, programs, and functions, some of which may conduct both Covered Functions and non-covered functions under HIPAA.
   2. The University has determined that there are a number of its components that either do or do not use or disclose PHI; accordingly, to effectively and efficiently safeguard the use and disclosure of PHI and to focus its HIPAA compliance efforts on University Health Care Components, the University hereby elects to designate itself as a Hybrid Entity.
   3. Under Exhibit A, the University has designated the schools, departments, clinics, programs, or functions that either meet the definition of a Covered Entity, if each were a separate legal entity, or perform Covered Functions as a University Health Care Component.
   4. Under Exhibit A, the University has designated all schools, departments, clinics, programs, or functions that perform certain functions on behalf of a University Health Care Component that involves the use or disclosure of PHI as a University Business Component.
   5. The University will conduct periodic reviews to add or remove one or more University Health Care Component or University Business Component designation(s).

3. UNIVERSITY HEALTH CARE COMPONENT RESPONSIBILITIES:

   1. All University Health Care Components are subject to and must ensure compliance with applicable HIPAA requirements, including, without limitation, the requirements of the HIPAA privacy and security rules.
   2. University Health Care Components may only use and disclose PHI to a University non-health care component to the same extent, and in the same manner, as it is permitted to use or disclose PHI to individuals or entities that are legally separate from the University.
   3. University Health Care Components shall provide compliance reports to the Health Sciences Center Privacy Officer on a periodic basis. Such compliance reports will be facilitated via annual risk assessment conducted by the University.

4. UNIVERSITY BUSINESS COMPONENT RESPONSIBILITIES:

   1. All University Business Components are subject to and must ensure compliance with the same HIPAA requirements that are applicable to the designated University Health Care Component to which it is providing services. In that respect, and to avoid confusion, University Business Components shall be considered to be and are hereby designated as University Health Care Components.
   2. The University shall only permit the use and disclosure of PHI between a University Business Component and a University non-health care components to the same extent, and in the same manner, as the University is permitted to use or disclose PHI to individuals or entities that are legally separate from it.
   3. Each University Business Component shall provide compliance reports to the Health Sciences Center Privacy Officer on a periodic basis.

5. Definitions

   1. "Covered Entity" means any health plan, health care clearinghouse, or health care provider that transmits PHI in electronic form in connection with a Covered Transaction.
   2. "Covered Function" means functions that a Covered Entity performs which makes it a health plan, health care provider, or health care clearinghouse.
   3. "Covered Transaction" means the transmission of information between two parties to carry out financial or administrative activities related to health care and includes: health care claims or equivalent encounter information; health care payment and remittance advice; coordination of benefits; health care claim status; enrollment and disenrollment in a health plan; eligibility for a health plan; health plan premium payments; referral certification and authorization; first report of injury; health claims attachments; health care electronic funds transfers (EFT) and remittance advice; or other transactions that the Secretary of the Department of Health and Human Services may prescribe by regulation.
   4. "HIPAA" means the Health Insurance Portability and Accountability Act of 1996, as amended, the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH), and all other regulations promulgated thereunder.
   5. "Hybrid Entity" means a single legal entity that conducts both covered and non-covered functions and designates health care components in accordance with HIPAA.
   6. "PHI" means individually identifiable protected health information transmitted by or maintained in electronic media or any other form of medium, excluding education records covered by the Family Education Rights and Privacy Act, as amended, employment recorded held by the Covered Entity as an employer, and information about a person who has been deceased for more than 50 years.
   7. "University Business Component" means a University school, department, program, clinic, or function that creates, receives, maintains, or transmits PHI to perform certain functions or activities on behalf of a University Health Care Component or provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services for a University Health Care Component and the provision of the service involves the disclosure of PHI.
   8. "University Health Care Component" means any University school, department, program, clinic, or function that (1) meets the definition of a HIPAA Covered Entity, if it were a separate legal entity; (2) performs Covered Functions; or (3) for purposes of this Policy, is a University Business Component.

6. ENFORCEMENT AND INTERPRETATION:

   1. Any employee, workforce member, or agent who violates this Policy shall be subject to appropriate disciplinary action.
   2. Any student who violates this Policy shall be subject to appropriate disciplinary action in accordance with the Student Code of Conduct.
   3. Any other individual who violates this Policy shall be subject to appropriate corrective action, including, but not limited to, termination of their relationship with the University
   4. The University’s Chief Information Officer, supported by the Chief Information Security Officer, will coordinate with appropriate University entities on the implementation and enforcement of this Policy.
   5. Responsibility for interpretation of this Policy rests with the Chief Information Officer.

7. Authority and References:

   1. BOG Rule 1.11 – Information Technology Resources and Governance
   2. All other University policies may also apply to the protection and privacy of PHI, and such policies remain in full force and effect. Relevant institutional policies include, but are not limited to:
      1. Information Privacy Policy
      2. Sensitive Data Protection Policy
      3. Protected Health Information Privacy Policy
      4. PHI Disclosure Standard
      5. PHI De-Identification Standard
      6. PHI Protection Standard