Hybrid Entity Designation
Although the primary purpose of West Virginia University is education, it does have departments and programs that provide functions subject to the Health Insurance Portability and Affordability Act (HIPAA). As permitted under HIPAA, in 2019, the University officially designated itself as a Hybrid Entity that conducts activities which are both covered and not-covered under the federal regulation.
Through its HIPAA Hybrid Entity Designation Policy, the University identifies all colleges, departments, and/or programs that conduct HIPAA-covered functions as University Health Care Components. The policy also identifies all University departments and programs that do not conduct the functions of a covered component, however, do access PHI through business operations, as University Business Associates.
All University Health Care Components and University Business Associates must comply with applicable HIPAA Privacy and Security Rules. The University will ensure compliance by conducting annual risk assessments to confirm reasonable and appropriate administrative, technical, and physical safeguards are in place protecting the integrity, confidentiality, and availability of protected health information (PHI). Periodically, the University will review the list of University Health Care Components and University Business Associates to determine if any entities need added or removed from the policy.
For more information about individuals' rights afforded under HIPAA, visit the Department of Health and Human Services website.