�������ϲʹ���ֱ��

HIPAA Hybrid Entity Designation

Purpose

�������ϲʹ���ֱ�� (�������ϲʹ���ֱ��) is designated as a single covered entity for purposes of the Healthcare Information Portability and Accountability Act (HIPAA).  Only certain components of �������ϲʹ���ֱ�� are involved in providing health care services that are subject to HIPAA.  Thus, �������ϲʹ���ֱ�� is a Hybrid Entity.  This policy designates the components within �������ϲʹ���ֱ�� that are part of the Hybrid Entity subject to the HIPAA Administrative Simplification regulations

Stakeholders Most Impacted

Individuals working for or with �������ϲʹ���ֱ��’s covered components.

Key Definitions

The terms used in this policy have the same meaning as those terms in the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 and the regulations at 45 CFR Parts 160, 162, and 164.  The Hybrid Entity designation includes any component that would meet the definition of a covered entity or business associate if it were a separate entity.

Details

�������ϲʹ���ֱ�� hereby designates the following services as the health care components included in the Hybrid Entity:

1. Sindecuse Health Center
2. Unified Clinics
3. Kalamazoo Autism Center
4. Department of Athletics, Medical Services
5. Department of Human Resources
6. Institutional Research
7. Office of Information Technology members assigned to work for health care components
8. Center for Disability Services

Whenever �������ϲʹ���ֱ��’s policies, procedures or guidelines refer to �������ϲʹ���ֱ�� as a “covered entity” under HIPAA, they are referring to the services listed above. The requirements of HIPAA apply only to �������ϲʹ���ֱ��’s services included within the Hybrid Entity.

Those involved in performing the services listed above may not use or disclose protected health information (PHI) that they create or receive in a way prohibited by HIPAA.  One component may not share PHI with another component unless permitted under the HIPAA regulations and �������ϲʹ���ֱ��’s HIPAA policies and procedures.

Although workforce members of the Hybrid Entity perform duties for both the health care components and for other components of �������ϲʹ���ֱ��, they must not use or disclose PHI created or received in the course of or incident to the members’ work for the health care component in a way prohibited by HIPAA.

Other programs and services will use and disclose information as required under HIPAA if they are business associates of another entity and therefore subject to HIPAA standards.

Related Procedures and Guidelines

HIPAA Breach Notification Procedures

Related Policies:

HIPA Breach Notification Policy

References:

45 C.F.R. Parts 160, 162 & 164

History:

1. Effective date of current version: March 11, 2021
2. Date first adopted: March 11, 2021
3. Revision history: N/A
4. Proposed date of next review: March 11, 2024