Executive Policy Manual

EP40 – HIPAA Hybrid Entity Designation Policy

Approved December 14, 2020

Summary

This policy identifies Washington State University (WSU) as a hybrid entity and designates its covered health care components, which include business associate functions (collectively “Health Care Components” or “HCC”), in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act.

Policy Statement

It is WSU’s policy to comply with HIPAA as it relates to safeguarding and using protected health information (PHI) and Washington’s Uniform Health Care Information Act (UHCIA), RCW 70.02, as it pertains to health care information. Equally important, it is WSU’s policy to comply with the Family Education Rights and Privacy Act as it applies to safeguarding and using treatment records or education records. To the extent business units or programs (collectively “Business Units”) in the designated HCC maintains PHI, health care information, education records, and/or treatment records in the same WSU information systems (i.e., electronic medical record) or Business Units, the HCC implements the most stringent safeguards required under the law for ensuring the confidentiality, availability, and integrity of this data. Use, access, and/or disclosure of the relevant information or record is governed by the applicable law(s) to the specific information or record.¹ WSU follows the most stringent applicable law for using, accessing and/or disclosing the relevant information or record where more than one statute applies to the data (i.e., HIPAA and UHCIA, or UHCIA and FERPA). WSU expressly disclaims the obligation to comply with HIPAA unless the information or record qualifies as PHI and WSU is legally required to comply with HIPAA.

Hybrid Entity

WSU conducts both HIPAA covered and non-covered functions and elects to be a hybrid entity under HIPAA. See 45 C.F.R. § 164.103 and 45 C.F.R. § 164.105. HIPAA covered functions only occur through WSU’s HCC as further stated below.

Designated Health Care Components (HCC)

As a hybrid entity, the applicable HIPAA compliance obligations only apply to WSU’s designated HCC as stated herein.

WSU’s criteria for designating Business Units as part of the HCC is as follows:

• Business Units that meet the definition of a HIPAA covered entity or business associate if they were each a separate legal entity;
• Business Units only to the extent that they perform activities of a HIPAA covered entity (health care provider engaging in HIPAA transactions, health plan, or clearinghouse); and
• WSU Business Units that provide business associate services to other WSU Business Units that qualify as a HIPAA covered entity.

WSU’s HCC is listed in Appendix A, WSU Hybrid Entity Designated Health Care Components.

Policy Oversight

WSU’s HIPAA Privacy and Security Officer, the Assistant Vice President and CISO at Information Technology Services, in consultation with WSU’s Chief Compliance and Risk Officer, reviews and amends Appendix A as needed, but no less frequently than annually. Where appropriate, the Attorney General’s Office should be consulted. Questions regarding compliance with this policy or whether Business Units qualify as a HIPAA covered entity or business associate are submitted to WSU’s Privacy and Security Officer.

University Responsibility

WSU retains oversight of the HCC and ensures that the designated HCC complies with the applicable HIPAA requirements. See 45 C.F.R. § 164.105(a)(2)(iii). Oversight, implementation and enforcement of this policy are through the HIPAA Privacy and Security Officer, and the Chief Compliance and Risk Officer. The HIPAA Privacy and Security Officer and the Chief Compliance and Risk Officer collectively implement reasonable and appropriate policies and procedures to comply with HIPAA.

Health Care Component and Business Unit Responsibility

Each designated Business Unit ensures it complies with all applicable HIPAA rules, and WSU’s system-wide HIPAA policies including any required compliance reporting. Subject to the system-wide policies, each Business Unit may adopt HIPAA policies and procedures specific to their operations. Each Business Unit must also comply with the following safeguards:

• Business Units designated as the HCC must not disclose PHI to other Business Units within the HCC in a manner prohibited by the HIPAA Privacy Rule. Business Units of the HCC should generally be treated as a separate and distinct legal entity in this respect.
• Protect electronic PHI with respect to WSU Business Units of the HCC to the same extent that it would be required under the HIPAA Security Rule if the other HCC Business Units were a separate and distinct legal entity.
• If a WSU workforce member performs duties or activities for both the HCC and for other WSU business units (may include business units not part of WSU’s HCC) such workforce member must comply with the HIPAA Privacy Rule and WSU HIPAA policies with respect to PHI created or received in the course of or incident to being part of the HCC’s workforce. All legal and WSU HCC’s HIPAA policy requirements must be performed for ensuring a person qualifies for being part of the Business Unit’s workforce.²

Applicability

This policy applies to all of WSU including its designated HCC.

References

• HIPAA: 45 C.F.R. Part 160, 162, and 164; see also, HIPAA Administrative Simplification, Regulation Text.
• U.S. Department of Health and Human Services, HIPAA for Professionals Guidance.
• HealthIT.gov, Health IT Privacy and Security Resources for Providers.
• Washington Uniform Health Care Information Act, RCW 70.02 et. seq., (governing access, use and/or disclosure of health care information created, received, and/or maintained by a licensed health care provider and/or those working with health care providers); RCW 70.02.010(19)(defining “health care provider” to mean a person licensed, certified, registered or otherwise authorized by WA law to provide health care in the ordinary course of business or practice of a profession).

¹ See U.S. Dept. of Education and U.S. Dept. of Health and Human Services, Joint Guidance on the Application of the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) To Student Records (December 2019 update); see also, 45 C.F.R. § 160.103(2)(i), (ii)(excluding from the definition of PHI is an education record covered by FERPA).

² See 45 C.F.R. § 160.103 (defining workforce as employees, volunteers, trainees and other persons whose conduct, in the performance of work for a covered entity or business associate is under the direct control of the covered entity or business associate, whether they are paid by the covered entity or business associate); 78 Fed. Reg. 5574, 5582 (January 25, 2013) (permitting a contractor who has a duty station onsite to be either a member of the covered entity’s workforce or as a business associate).

Appendix A

WSU Hybrid Entity Designation Covered Components – October 2020

For additional information, please review or contact:

• Data Security Requirements: Executive Policy 8 and Executive Policy 37
• Compliance and Civil Rights
• Washington State University Division of the Office of the Attorney General

_______________________
Revisions:  Dec. 2020 – new policy (Rev. 96)