12-2 HIPAA: Hybrid Entity Defined
About CMU's "HIPAA hybrid entity defined policy"
This policy establishes that CMU will operate as a hybrid entity as outlined by the Health Insurance Portability and Accountability Act of 1996.
NOTE ABOUT PDF VERSION: The PDF is the official text of the policy. If there are any incongruities between the text of the HTML version and the text within the PDF file, the PDF will be considered accurate and overriding.
- Attachments are included in the PDF file.
- Effective date of this revision: November 9, 2018
- Contact for more information: Office of HIPAA Compliance, 989-774-2829, hipaa@cmich.edu
BACKGROUND
Central Michigan University (CMU) is a covered entity under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) law and regulations. Its business activities include both covered and non-covered functions. CMU has decided to designate itself as a Hybrid Entity. The CMU covered functions that make CMU a covered entity are its operations as a self-funded health plan and as a healthcare provider.
PURPOSE
This policy designates and defines, in accordance with HIPAA, how CMU will identify departments, clinics, programs, and functions determined to be a designated unit within Central Michigan University’s Hybrid Entity, subject to CMU policies and HIPAA regulations.
DEFINITIONS
The terms used in this policy have the same meaning as those terms in the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 and the regulations at 45 CFR Parts 160, 162, and 164.
Individually Identifiable Health Information (IIHI). A subset of health information, including demographic information collected from a patient/client/employee, that is created or received by a health care provider, health plan or employer and relates to the past, present, or future physical or mental health or condition of a patient/client/employee, the provision of health care to a patient/client/employee, or the past, present or future payment for the provision of health care to a patient/client/employee, and which identifies the patient/client/employee, or with respect to which there is a reasonable basis to believe that the information can be used to identify the patient/client/employee.
Protected Health Information (PHI). Individually Identifiable Health Information held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral.
Workforce Member. A “Workforce Member” includes employees (and student employees), volunteers, trainees, and other persons whose conduct, in the performance of work for a unit in the CMU Hybrid entity, is under the direct control of such entity, whether or not they are paid by the entity. This includes students at a CMU work-site who have access to PHI in order to satisfy a clinical experience requirement for a program of study.
POLICY
1.0 The HIPAA Privacy Officer, in consultation with the appropriate administrators and HIPAA Executive Steering Committee, will identify the departments, clinics, programs, and functions determined to be designated in the Hybrid entity. The Privacy Officer, in collaboration with the Office of General Counsel and the Vice President of Health Affairs, shall have the authority to make final determinations regarding designation of Hybrid entities and update Exhibit A as needed.
2.0 The HIPAA Privacy Officer will, not less than annually, review the activities of CMU departments, clinics, programs, and functions to determine whether any modifications to the designated Hybrid entity should be made.
3.0 Hybrid: Covered Entity Units: All CMU units with workforce members who use or disclose PHI in connection with (1) carrying out the functions of the CMU self-funded health plan, or (2) carrying out the functions of a healthcare provider that conducts HIPAA covered electronic transactions or uses another entity to conduct the HIPAA covered electronic transactions, are designated as a covered entity of the CMU Hybrid Entity. These units are subject to all CMU HIPAA policies and HIPAA regulations and will be listed on Exhibit A.
4.0 Hybrid: Business Associate Units: All CMU units that perform activities that, if they were separate entities, would make them business associates of CMU HIPAA covered entities, are designated as a unit of the Hybrid Entity. These Business Associate units are subject to all CMU HIPAA policies and HIPAA regulations and will be listed on Exhibit A.
5.0 Hybrid: Other Units: A CMU unit that performs a HIPAA covered function that is a healthcare provider but does not conduct HIPAA covered electronic transactions, or use another entity to do so, may, but is not required to, be included in the CMU Hybrid Entity designation. If CMU determines that it will designate such units as a part of the CMU Hybrid Entity, those units will be required to adhere to CMU HIPAA policies and HIPAA regulations.
6.0 Non-Hybrid Units: Those health care units that perform a covered function but do not conduct HIPAA covered electronic transactions, and that CMU has determined will be exempt from the Hybrid Entity designation, but for which the security and confidentiality of the IIHI are protected by other state and federal law, and/or by CMU policy. In addition:
a. These units may not in any way transmit health information in electronic form, or use another entity to do so, in relation with a HIPAA covered electronic transaction.
b. If these units want to conduct HIPAA covered electronic transactions, they must first obtain consultation with and approval from the Vice President for Health Affairs and the HIPAA Privacy Officer.
c. These units are required to report breach of IIHI to the HIPAA Privacy Officer for further review and applicable follow up.
7.0 Non-Hybrid Units: When the use and disclosure of IIHI is carried out by CMU in its capacity as an employer or an educational institution, and not in the role of a self-insured health plan or a health care provider, the information is not PHI and those functions are not subject to the HIPAA regulations. These units are exempt from the CMU Hybrid entity designation, but the security and confidentiality of the IIHI are protected by other state and federal law, and/or by CMU policy.
8.0 For the purpose of Research functions:
a. A researcher that functions as a health care provider and engages in standard electronic transactions must be included in the hybrid entity's health care component(s), and be subject to HIPAA regulations and CMU HIPAA policies.
b. PHI may only be disclosed to a researcher for use in connection with an Institutional Review Board (IRB)-approved or exempt protocol and waiver or authorization. When a researcher requests access to PHI that has been created, received or maintained by the CMU Hybrid entity, the hybrid entity must receive specific assurances that the PHI will be protected once disclosed to the researcher. CMU must account for certain disclosures as required by the HIPAA regulations. CMU’s IRB will function as the Privacy Board as defined by HIPAA and CMU IRB policies.
9.0 A CMU college, unit, or department that would like to pursue a healthcare service must first consult with and obtain approval from the Vice President of Health Affairs and HIPAA Privacy Officer.
10.0 A CMU college, unit, or department that would like to pursue an information system to use and/or house electronic health information, must first consult with and obtain approval from the Vice President of Information Technology, the Vice President for Health Affairs and the HIPAA Privacy Officer.
11.0 Before the University begins to offer a new self-insured employee benefit health program to its employees, the Associate Vice President of Human Resource will consult with the HIPAA Privacy Officer to ensure that the new program complies with HIPAA.
12.0 Separation Controls:
a. The Hybrid Entity is required to ensure that it does not disclose protected health information to any other component of the University in circumstances in which HIPAA regulations would prohibit such disclosure if the health care component and the other component were separate and distinct legal entities.
b. CMU workforce members who provide business services to both the CMU Health Care Components and CMU Health Plans cannot use or disclose PHI between those entities unless it is allowed in HIPAA regulations.
Central Michigan University reserves the right to make exceptions to, modify or eliminate this policy and/or its content. This document supersedes all previous policies, procedures or guidelines relative to this subject.