Executive Policy Manual

EP40 – HIPAA Hybrid Entity Designation Policy

Approved May 6, 2024

1.0   Purpose

This policy identifies Washington State University (WSU) as a hybrid entity and designates its covered health care components, which include business associate functions (collectively “Health Care Components” or “HCC”), in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act.

2.0   Applicability

This policy applies to all of WSU including its designated HCC.

3.0   Policy Statement

It is WSU’s policy to comply with HIPAA as it relates to safeguarding and using protected health information (PHI) and Washington’s Uniform Health Care Information Act (UHCIA), RCW 70.02, as it pertains to health care information. Equally important, it is WSU’s policy to comply with the Family Education Rights and Privacy Act (FERPA) as it applies to safeguarding education or treatment records.

To the extent business units or programs (collectively “business units”) in the designated HCC maintain PHI, health care information, education records, and/or treatment records in the same WSU information systems (i.e., electronic medical record) or business units, the HCC implements the most stringent safeguards required under the law for ensuring the confidentiality, availability, and integrity of this data.

Use, access, and/or disclosure of the relevant information or record is governed by the applicable law(s) to the specific information or record.1

WSU follows the most stringent applicable law for using, accessing and/or disclosing the relevant information or record where more than one statute applies to the data (i.e., HIPAA and UHCIA, or UHCIA and FERPA). WSU expressly disclaims the obligation to comply with HIPAA unless the information or record qualifies as PHI and WSU is legally required to comply with HIPAA.

3.1   Hybrid Entity

WSU conducts both HIPAA covered and non-covered functions and elects to be a hybrid entity under HIPAA. See 45 C.F.R. § 164.103 and 45 C.F.R. § 164.105. HIPAA covered functions only occur through WSU’s HCC as further stated below.

3.2   Designated Health Care Components (HCC)

As a hybrid entity, the applicable HIPAA compliance obligations only apply to WSU’s designated HCC as stated herein.

WSU’s criteria for designating business units as part of the HCC is as follows:

  • Business units that meet the definition of a HIPAA covered entity or business associate if they were each a separate legal entity;
  • Business units only to the extent that they perform activities of a HIPAA covered entity (health care provider engaging in HIPAA transactions, health plan, or clearinghouse); and
  • WSU business units that provide business associate services to other WSU business units that qualify as a HIPAA covered entity.

WSU’s HCC is listed in Appendix A, WSU Hybrid Entity Designated Health Care Components.

4.0   Policy Oversight

The WSU System Privacy Officer and the Chief Information Security Officer, in consultation with WSU’s Chief Compliance and Risk Officer, review and amend Appendix A as needed, but no less frequently than annually. Where appropriate, the Attorney General’s Office should be consulted.

Questions regarding compliance with this policy or whether business units qualify as a HIPAA covered entity or business associate are submitted to the WSU System Privacy Officer.

4.1   University Responsibility

WSU retains oversight of the HCC and ensures that the designated HCC complies with the applicable HIPAA requirements. See 45 C.F.R. § 164.105(a)(2)(iii).

The WSU System Privacy Officer, the Chief Information Security Officer, and the Chief Compliance and Risk Officer are collectively responsible for:

  • Oversight, implementation, and enforcement of this policy; and
  • Implementing reasonable and appropriate policies and procedures to comply with HIPAA.

4.2   Health Care Component and Business Unit Responsibility

Each designated business unit ensures it complies with all applicable HIPAA rules, and WSU’s system-wide HIPAA policies including any required compliance reporting. Subject to the system-wide policies, each business unit may adopt HIPAA policies and procedures specific to their operations. Each business unit must also comply with the following safeguards:

  • Business units designated as the HCC must not disclose PHI to other business units within the HCC in a manner prohibited by the HIPAA Privacy Rule. Business units of the HCC should generally be treated as a separate and distinct legal entity in this respect.
  • Protect electronic PHI with respect to WSU business units of the HCC to the same extent that it would be required under the HIPAA Security Rule if the other HCC business units were a separate and distinct legal entity.
  • If a WSU workforce member performs duties or activities for both the HCC and for other WSU business units (may include business units not part of WSU’s HCC) such workforce member must comply with the HIPAA Privacy Rule and WSU HIPAA policies with respect to PHI created or received in the course of or incident to being part of the HCC’s workforce. All legal and WSU HCC’s HIPAA policy requirements must be met for ensuring a person qualifies for being part of the business unit’s workforce.2

5.0   References

1 See U.S. Dept. of Education and U.S. Dept. of Health and Human Services, Joint Guidance on the Application of the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) To Student Records (December 2019 update); see also, 45 C.F.R. § 160.103(2)(i), (ii)(excluding from the definition of PHI is an education record covered by FERPA).

2 See 45 C.F.R. § 160.103 (defining workforce as employees, volunteers, trainees and other persons whose conduct, in the performance of work for a covered entity or business associate is under the direct control of the covered entity or business associate, whether they are paid by the covered entity or business associate); 78 Fed. Reg. 5574, 5582 (January 25, 2013) (permitting a contractor who has a duty station onsite to be either a member of the covered entity’s workforce or as a business associate).

Appendix A

WSU Hybrid Entity Designation Health Care Components – May 2024

Org chart of WSU Healthcare Components

For additional information, please review or contact:

Revisions:  May 2024 (Rev. 119); Dec. 2020 – new policy (Rev. 96)