Business Procedures Manual

Fiscal Affairs Division

Current Date: Sep 16, 2024


Section 26.0: HIPAA: University System Health Care Component (HCC)


Last modified: November 14, 2019

The University System is a Hybrid Entity under HIPAA, the Health Insurance Portability and Accountability Act of 1996. Under HIPAA, a hybrid entity is required to identify which portions of the entity handle confidential information protected by HIPAA. The University System’s Health Care Component consists of those identified portions of each Institution and the University System Office that handle confidential HIPAA information.

This section provides additional information regarding the steps each Institution must take to ensure that the University System’s Health Care Component is fully identified as required by HIPAA.

26.1 Definitions

Last modified: November 14, 2019

Definitions relevant to the HCC as defined by the HIPAA regulations:

Business Associate (BA) means a person, contractor, vendor, institution, or other entity that, on behalf of the HCC, but other than in the capacity of a member of the HCC workforce, performs, or assists in the performance of:

  • A function or activity involving the use or disclosure of individually identifiable health information, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and re-pricing; or
  • Legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for the HCC, or to or for an organized health care arrangement in which the HCC participates, where the provision of the service involves the disclosure of individually identifiable health information from the HCC or arrangement, or from another business associate of the HCC or arrangement, to the person.

Covered Entity (CE) means a health plan, a health care clearinghouse, or a health care provider who transmits any health information in electronic form in connection with furnishing, billing, or receiving payment for health care.

Covered Functions means those functions of a covered entity the performance of which makes the entity a health plan, health care provider or a health care clearinghouse.

Disclosure means the release, transfer, provision of access to, or divulging in any manner of information outside the entity holding the information.

Health Care means care, services, or supplies related to the health of an individual. Health care includes, but is not limited to, the following:

  • Preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition, or functional status, of an individual, or that affects the structure or function of the body; and
  • The sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription.

Health Information means any information, including genetic information, whether oral or recorded in any form or medium, that:

  • Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and
  • Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.

Hybrid Entity means a single legal entity that is a covered entity, whose business activities include both covered and non-covered functions; and that designates health care components. The University System is a Hybrid Entity.

Individually Identifiable Health Information (IIHI) means health information, including demographic information collected from an individual, that identifies the individual or with respect to which there is a reasonable basis to believe the information can be used to identify the individual.

Protected Health Information (PHI) means individually identifiable health information that is transmitted by or maintained in or by electronic media; or transmitted or maintained in any other form or medium; except for individually identifiable health information in:

  • Education records covered by the Family Educational Rights and Privacy Act (FERPA);
  • Student health records made or maintained by a physician or other health care professional which are used only in connection with the provision of treatment to the student and which are not available to anyone other than persons providing such treatment or other health care professional who has been asked to review such records by the student; and
  • Employment records held by the University System in its role as employer.

Use means, with respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within the entity that maintains such information.

Workforce means employees, including temporary agency or contract employees, health care professionals, including medical students and interns, volunteers, trainees, and other persons whose conduct, in the performance of work for the HCC, or a component of the HCC, is under the direct control of the University System, whether or not they are paid by the University System.

26.2 Covered Components in the University System HCC

Last modified: November 14, 2019

Covered Components of the University System HCC include any portion of the University System Office (USO) or any University System Institution that:

  • Engages in Covered Functions; or
  • Performs Business Associate activities for another component of the University System engaged in covered functions activities.

(Please see definitions of covered functions and business associate in Section 26.1.)

Components of the University System that could be engaged in covered functions may include:

  • Medical centers and clinics;
  • Clinical operations that, as individual organizational units, perform covered functions (i.e., engage in covered transactions as health care providers);
  • Student Health/Counseling Centers to the extent they engage in non-exempt covered functions for healthcare services to non-students;
  • Internal Employee Assistance programs that are staffed by University System employees and operated using University System resources;
  • Occupational Health Centers that provide clinical services; and
  • Any other University System entity that engages in covered functions with Protected Health Information.

26.3 Designation of HCC Workforce Members

Last modified: November 14, 2019

Those employed in the following areas of the USO or any University System Institution shall be considered HCC Workforce Members and part of the HCC when performing business, legal, financial, administrative or other functions that require the use of and/or disclosure of PHI:

  • Business Operations;
  • Legal Affairs;
  • Institutional Review Boards (IRBs);
  • Any Health Sciences colleges or programs of study and associated services;
  • Information Resources and Communications;
  • Human Resources;
  • Technology Support; and
  • Any other University System employee that performs functions on behalf of entities within the HCC that require creating, receiving, maintaining, transmitting or storing PHI as defined under HIPAA.

When the same Workforce Members perform functions on behalf of non-covered entities within the University System, these functions are not performed on behalf of the HCC and are not covered by HIPAA. Workforce Members must never disclose PHI outside the HCC without the patient’s authorization or as otherwise allowed or required by applicable laws, regulations, and policies.

26.4 Identification and Documentation of the HCC and Business Associate Relationships

Last modified: November 14, 2019

The USO and each Institution are expected to have a document that either:

  • Identifies the portions of that Institution that are part of the University System’s HCC; or
  • Identifies business associate activities or services provided to another component of the University System that engages in covered functions as those terms are defined by HIPAA.

If the USO or a University System Institution does contain a portion of the HCC, those HCC components shall be specifically described and identified in this documentation. Documentation should be maintained in the Legal Office of the USO and in an appropriate designated office at each University System Institution. This documentation shall be reviewed and updated in January of each year.

26.5 Designation of Privacy Officers

Last modified: November 14, 2019

The USO and every University System Institution shall make certain a privacy officer is identified for HIPAA purposes. Such privacy officer will be responsible for the development and implementation of privacy policies and procedures regarding the handling of protected health information in compliance with HIPAA regulations.

26.6 Policies and Procedures related to the HCC

Last modified: November 14, 2019

Any portion of the USO or University System Institution that contains an identified portion of the HCC shall be required to implement appropriate policies and procedures to allow that portion of the HCC to comply with HIPAA privacy and security requirements.

© 2024 Board of Regents of the University System
270 Washington Street, S.W.,
Atlanta, Georgia  30334
