{"id":68432,"date":"2025-10-29T15:25:32","date_gmt":"2025-10-29T22:25:32","guid":{"rendered":"https:\/\/policies.wsu.edu\/prf\/?page_id=68432"},"modified":"2025-11-07T15:40:56","modified_gmt":"2025-11-07T23:40:56","slug":"bppm-88-25","status":"publish","type":"page","link":"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-88-25\/","title":{"rendered":"88.25 HIPAA Hybrid Entity Designation Policy"},"content":{"rendered":"\n<h1 class=\"wp-block-heading wsu-font-size--xxmedium\">University Policies and Procedures Manual&nbsp;(previously Business Policies and Procedures Manual)<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">HIPAA Hybrid Entity Designation Policy<\/h2>\n\n\n<div class=\"wsu-row wsu-row--single\" >\r\n    \n<div class=\"wsu-column\"  style=\"\">\r\n\t\n\n<p><strong>UPPM 88.25<\/strong><\/p>\n<p><strong>For more information contact:<\/strong><br>&nbsp; &nbsp;Compliance and Civil Rights<br>&nbsp; &nbsp;509-335-8864 \/ <a href=\"mailto:ccr@wsu.edu\">ccr@wsu.edu<\/a><\/p>\n<hr>\n<div id=\"toc_container\">\n<h3>Contents<\/h3>\n<ul class=\"toc_list\">\n<li><a href=\"#One_0\">1.0&nbsp;&nbsp; Purpose<\/a><\/li>\n<li><a href=\"#Two_0\">2.0&nbsp;&nbsp; Applicability<\/a><\/li>\n<li><a href=\"#Three_0\">3.0&nbsp;&nbsp; Policy Statement<\/a>\n<ul class=\"toc_list\">\n<li><a href=\"#Three_1\">3.1&nbsp;&nbsp; Hybrid Entity<\/a><\/li>\n<li><a href=\"#Three_2\">3.2&nbsp;&nbsp; Designated Health Care Components (HCC)<\/a><\/li>\n<\/ul>\n<\/li>\n<li><a href=\"#Four_0\">4.0&nbsp;&nbsp; Policy Oversight<\/a>\n<ul class=\"toc_list\">\n<li><a href=\"#Four_1\">4.1&nbsp;&nbsp; University Responsibility<\/a><\/li>\n<li><a href=\"#Four_2\">4.2&nbsp;&nbsp; Health Care Component and Business Unit Responsibility<\/a><\/li>\n<\/ul>\n<\/li>\n<li><a href=\"#Five_0\">5.0&nbsp;&nbsp; References<\/a><\/li>\n<li><a href=\"#appendix_A\">Appendix A: WSU Hybrid Entity Designation Health Care Components<\/a><\/li>\n<\/ul>\n<\/div>\n<h3 id=\"One_0\">1.0&nbsp; &nbsp;Purpose<\/h3>\n<p>This policy identifies Washington State University (WSU) as a hybrid entity and designates its covered health care components, which include business associate functions (collectively \u201cHealth Care Components\u201d or \u201cHCC\u201d), in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act.<\/p>\n<h3 id=\"Two_0\">2.0&nbsp; &nbsp;Applicability<\/h3>\n<p>This policy applies to all of WSU including its designated HCC.<\/p>\n<h3 id=\"Three_0\">3.0&nbsp; &nbsp;Policy Statement<\/h3>\n<p>It is WSU\u2019s policy to comply with HIPAA as it relates to safeguarding and using protected health information (PHI) and Washington\u2019s Uniform Health Care Information Act (UHCIA), <a href=\"https:\/\/apps.leg.wa.gov\/rcw\/default.aspx?cite=70.02&amp;full=true\">RCW 70.02<\/a>, as it pertains to health care information. Equally important, it is WSU\u2019s policy to comply with the Family Education Rights and Privacy Act (FERPA) as it applies to safeguarding education or treatment records.<\/p>\n<p>To the extent business units or programs (collectively \u201cbusiness units\u201d) in the designated HCC maintain PHI, health care information, education records, and\/or treatment records in the same WSU information systems (i.e., electronic medical record) or business units, the HCC implements the most stringent safeguards required under the law for ensuring the confidentiality, availability, and integrity of this data.<\/p>\n<p>Use, access, and\/or disclosure of the relevant information or record is governed by the applicable law(s) to the specific information or record.<a href=\"#footnote_1\"><sup>1<\/sup><\/a><\/p>\n<p>WSU follows the most stringent applicable law for using, accessing and\/or disclosing the relevant information or record where more than one statute applies to the data (i.e., HIPAA and UHCIA, or UHCIA and FERPA). WSU expressly disclaims the obligation to comply with HIPAA unless the information or record qualifies as PHI and WSU is legally required to comply with HIPAA.<\/p>\n<h4 id=\"Three_1\">3.1&nbsp; &nbsp;Hybrid Entity<\/h4>\n<p>WSU conducts both HIPAA covered and non-covered functions and elects to be a hybrid entity under HIPAA. See <a href=\"https:\/\/www.govregs.com\/regulations\/expand\/title45_chapterA_part164_subpartA_section164.103\">45 C.F.R. \u00a7 164.103<\/a> and <a href=\"https:\/\/www.govregs.com\/regulations\/expand\/title45_chapterA_part164_subpartA_section164.105\">45 C.F.R. \u00a7 164.105<\/a>. HIPAA covered functions only occur through WSU\u2019s HCC as further stated below.<\/p>\n<h4 id=\"Three_2\">3.2&nbsp; &nbsp;Designated Health Care Components (HCC)<\/h4>\n<p>As a hybrid entity, the applicable HIPAA compliance obligations only apply to WSU\u2019s designated HCC as stated herein.<\/p>\n<p>WSU\u2019s criteria for designating business units as part of the HCC is as follows:<\/p>\n<ul>\n<li>Business units that meet the definition of a HIPAA covered entity or business associate if they were each a separate legal entity;<\/li>\n<li>Business units only to the extent that they perform activities of a HIPAA covered entity (health care provider engaging in HIPAA transactions, health plan, or clearinghouse); and<\/li>\n<li>WSU business units that provide business associate services to other WSU business units that qualify as a HIPAA covered entity.<\/li>\n<\/ul>\n<p>WSU\u2019s HCC is listed in <a href=\"#appendix_a\">Appendix A<\/a>, WSU Hybrid Entity Designated Health Care Components.<\/p>\n<h3 id=\"Four_0\">4.0&nbsp; &nbsp;Policy Oversight<\/h3>\n<p>The WSU System Privacy Officer and the Chief Information Security Officer, in consultation with WSU\u2019s Chief Compliance and Risk Officer, review and amend <a href=\"#appendix_a\">Appendix A<\/a> as needed, but no less frequently than annually. Where appropriate, the Attorney General\u2019s Office should be consulted.<\/p>\n<p>Questions regarding compliance with this policy or whether business units qualify as a HIPAA covered entity or business associate are submitted to the WSU System Privacy Officer.<\/p>\n<h4 id=\"Four_1\">4.1&nbsp; &nbsp;University Responsibility<\/h4>\n<p>WSU retains oversight of the HCC and ensures that the designated HCC complies with the applicable HIPAA requirements. See <a href=\"https:\/\/www.govregs.com\/regulations\/expand\/title45_chapterA_part164_subpartA_section164.105\">45 C.F.R. \u00a7 164.105(a)(2)<\/a>(iii).<\/p>\n<p>The WSU System Privacy Officer, the Chief Information Security Officer, and the Chief Compliance and Risk Officer are collectively responsible for:<\/p>\n<ul>\n<li>Oversight, implementation, and enforcement of this policy; and<\/li>\n<li>Implementing reasonable and appropriate policies and procedures to comply with HIPAA.<\/li>\n<\/ul>\n<h4 id=\"Four_2\">4.2&nbsp; &nbsp;Health Care Component and Business Unit Responsibility<\/h4>\n<p>Each designated business unit ensures it complies with all applicable HIPAA rules, and WSU\u2019s system-wide HIPAA policies including any required compliance reporting. Subject to the system-wide policies, each business unit may adopt HIPAA policies and procedures specific to their operations. Each business unit must also comply with the following safeguards:<\/p>\n<ul>\n<li>Business units designated as the HCC must not disclose PHI to other business units within the HCC in a manner prohibited by the HIPAA Privacy Rule. Business units of the HCC should generally be treated as a separate and distinct legal entity in this respect.<\/li>\n<li>Protect electronic PHI with respect to WSU business units of the HCC to the same extent that it would be required under the HIPAA Security Rule if the other HCC business units were a separate and distinct legal entity.<\/li>\n<li>If a WSU workforce member performs duties or activities for both the HCC and for other WSU business units (may include business units not part of WSU\u2019s HCC) such workforce member must comply with the HIPAA Privacy Rule and WSU HIPAA policies with respect to PHI created or received in the course of or incident to being part of the HCC\u2019s workforce. All legal and WSU HCC\u2019s HIPAA policy requirements must be met for ensuring a person qualifies for being part of the business unit\u2019s workforce.<sup><a href=\"#footnote_2\">2<\/a><\/sup><\/li>\n<\/ul>\n<h3 id=\"Five_0\">5.0&nbsp; &nbsp;References<\/h3>\n<ul>\n<li><a href=\"https:\/\/www.hhs.gov\/hipaa\/for-professionals\/privacy\/laws-regulations\/combined-regulation-text\/index.html\">HIPAA: 45 C.F.R. Part 160, 162, and 164<\/a>; see also, <a href=\"https:\/\/www.hhs.gov\/sites\/default\/files\/ocr\/privacy\/hipaa\/administrative\/combined\/hipaa-simplification-201303.pdf?language=en\">HIPAA Administrative Simplification, Regulation Text<\/a>.<\/li>\n<li>U.S. Department of Health and Human Services, <a href=\"https:\/\/www.hhs.gov\/hipaa\/for-professionals\/index.html\">HIPAA for Professionals Guidance<\/a>.<\/li>\n<li>HealthIT.gov, <a href=\"https:\/\/www.healthit.gov\/topic\/privacy-security-and-hipaa\">Health IT Privacy and Security Resources for Providers<\/a>.<\/li>\n<li>Washington Uniform Health Care Information Act, <a href=\"https:\/\/apps.leg.wa.gov\/RCW\/default.aspx?cite=70.02\">RCW 70.02<\/a> et. seq., (governing access, use and\/or disclosure of health care information created, received, and\/or maintained by a licensed health care provider and\/or those working with health care providers); <a href=\"https:\/\/app.leg.wa.gov\/RCW\/default.aspx?cite=70.02.010\">RCW 70.02.010(19)<\/a>(defining \u201chealth care provider\u201d to mean a person licensed, certified, registered or otherwise authorized by WA law to provide health care in the ordinary course of business or practice of a profession).<\/li>\n<\/ul>\n<p><sup><a name=\"footnote_1\"><\/a>1<\/sup> See U.S. Dept. of Education and U.S. Dept. of Health and Human Services,<a href=\"https:\/\/www.hhs.gov\/hipaa\/for-professionals\/special-topics\/ferpa-hipaa\/index.html\"> Joint Guidance on the Application of the Family Educational Rights and Privacy Act (FERPA)<\/a> and the <a href=\"https:\/\/www.hhs.gov\/hipaa\/for-professionals\/special-topics\/ferpa-hipaa\/index.html\">Health Insurance Portability and Accountability Act of 1996 (HIPAA) To Student Records<\/a> (December 2019 update); see also, <a href=\"https:\/\/www.govregs.com\/regulations\/expand\/title45_chapterA_part164_subpartA_section164.103\">45 C.F.R. \u00a7 160.103(2)(i), (ii)<\/a>(excluding from the definition of PHI is an education record covered by FERPA).<\/p>\n<p><sup><a name=\"footnote_2\"><\/a>2<\/sup> See <a href=\"https:\/\/www.govregs.com\/regulations\/expand\/title45_chapterA_part164_subpartA_section164.103\">45 C.F.R. \u00a7 160.103<\/a> (defining workforce as employees, volunteers, trainees and other persons whose conduct, in the performance of work for a covered entity or business associate is under the direct control of the covered entity or business associate, whether they are paid by the covered entity or business associate); 78 Fed. Reg. 5574, 5582 (January 25, 2013) (permitting a contractor who has a duty station onsite to be either a member of the covered entity\u2019s workforce or as a business associate).<\/p>\n<h3 id=\"appendix_A\">Appendix A<\/h3>\n<h4>WSU Hybrid Entity Designation Health Care Components &#8211; May 2024<\/h4>\n<p><a href=\"https:\/\/wpcdn.web.wsu.edu\/wp-fais\/uploads\/sites\/2980\/2025\/05\/EP40_fig1.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter wp-image-66202 size-large\" src=\"https:\/\/wpcdn.web.wsu.edu\/wp-fais\/uploads\/sites\/2980\/2025\/05\/EP40_fig1-792x343.png\" alt=\"Org chart of WSU Healthcare Components\" width=\"792\" height=\"343\" srcset=\"https:\/\/wpcdn.web.wsu.edu\/wp-fais\/uploads\/sites\/2980\/2025\/05\/EP40_fig1-792x343.png 792w, https:\/\/wpcdn.web.wsu.edu\/wp-fais\/uploads\/sites\/2980\/2025\/05\/EP40_fig1-396x172.png 396w, https:\/\/wpcdn.web.wsu.edu\/wp-fais\/uploads\/sites\/2980\/2025\/05\/EP40_fig1-768x333.png 768w, https:\/\/wpcdn.web.wsu.edu\/wp-fais\/uploads\/sites\/2980\/2025\/05\/EP40_fig1-1536x666.png 1536w, https:\/\/wpcdn.web.wsu.edu\/wp-fais\/uploads\/sites\/2980\/2025\/05\/EP40_fig1-198x86.png 198w, https:\/\/wpcdn.web.wsu.edu\/wp-fais\/uploads\/sites\/2980\/2025\/05\/EP40_fig1.png 1949w\" sizes=\"(max-width: 792px) 100vw, 792px\" \/><\/a><\/p>\n<p>For additional information, please review or contact:<\/p>\n<ul>\n<li>Data Security Requirements: <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-53\/\">UPPM 87.53<\/a> and <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-06\/\">UPPM 87.06<\/a><\/li>\n<li><a href=\"https:\/\/ccr.wsu.edu\/\">Compliance and Civil Rights<\/a><\/li>\n<li><a href=\"https:\/\/atg.wsu.edu\/\">Washington State University Division of the Of\ufb01ce of the Attorney General<\/a><\/li>\n<\/ul>\n<p style=\"font-size: .8rem\">_______________________<br><strong>Revisions:<\/strong>&nbsp; May 2025 &#8211; editorial change; May 2024 (Rev. <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/revisions\/epm-revisions\/epm-revision-119\/\">119<\/a>); Dec. 2020 &#8211; new policy (Rev. <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/revisions\/epm-revisions\/epm-revision-96\/\">96<\/a>)<\/p>\n\n\n\n<p><\/p>\n\n<\/div>\r\n\n<\/div>","protected":false},"excerpt":{"rendered":"<p>University Policies and Procedures Manual&nbsp;(previously Business Policies and Procedures Manual) HIPAA Hybrid Entity Designation Policy<\/p>\n","protected":false},"author":49281,"featured_media":0,"parent":50633,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":[],"wsuwp_university_location":[],"wsuwp_university_org":[],"_links":{"self":[{"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/pages\/68432"}],"collection":[{"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/users\/49281"}],"replies":[{"embeddable":true,"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/comments?post=68432"}],"version-history":[{"count":2,"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/pages\/68432\/revisions"}],"predecessor-version":[{"id":68826,"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/pages\/68432\/revisions\/68826"}],"up":[{"embeddable":true,"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/pages\/50633"}],"wp:attachment":[{"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/media?parent=68432"}],"wp:term":[{"taxonomy":"wsuwp_university_location","embeddable":true,"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/wsuwp_university_location?post=68432"},{"taxonomy":"wsuwp_university_org","embeddable":true,"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/wsuwp_university_org?post=68432"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}