The colleges, schools, departments, and administrative business units of the University that have been designated to be within the Health Care Component of the University of Louisville’s Hybrid Covered Entity are responsible for complying with the requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Such compliance promotes a culture that adheres to the requirements of the regulations and values and protects the privacy of the Protected Health Information within its possession.  

The colleges, schools, departments, and administrative business units of the University that have been designated to be within the Health Care Component of the University’s Hybrid Covered Entity are required to comply with the requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) by:

1. Adhering to the University of Louisville Privacy Office HIPAA Policy Manual (available on the Privacy Office website). Members of the Health Care Component may develop HIPAA privacy policies and procedures specific to the University area involved, provided that the policies and procedures are at least as stringent as the University of Louisville Privacy Office HIPAA Policy Manual.  
2. Ensuring that all Workforce members of the Health Care Component know and understand the University of Louisville Privacy Office HIPAA Policy Manual, as well as the Health Care Component’s policies and procedures, as applicable, and where to access them.
3. Ensuring that appropriate online and area-specific training are provided to all Workforce members who may have access to Protected Health Information.

• HIPAA Privacy Regulations and Guidance, U.S. Department of Health and Human Services website: http://www.hhs.gov/ocr/privacy/index.html.
• Privacy Office website: http://louisville.edu/privacy.
• University Policy and Procedure Templates: http://louisville.edu/policies/policy-resources.

Covered Entity means:

1. A health plan.
2. A health care clearinghouse.
3. A health care provider who transmits any health information in electronic form in connection with a transaction covered by HIPAA.

Hybrid Covered Entity means: 

A single legal entity that is a Covered Entity whose business activities include both HIPAA covered and non-covered functions. The entity is permitted to place areas which engage in activities regulated under HIPAA into a health care component. The areas inside the health care component must follow HIPAA regulations; however, the areas which are outside the health care component are not bound by HIPAA regulations. The current designated health care component can be found on the Privacy Office website at http://louisville.edu/privacy. 

Protected Health Information means:

All "individually identifiable health information" held or transmitted by a Covered Entity or its business associate, in any form or media, whether electronic, paper, or oral. 

“Individually identifiable health information” is information, including demographic data, that relates to:

•The individual’s past, present or future physical or mental health or condition;

•The provision of health care to the individual; or

•The past, present, or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. 

Protected Health Information excludes individually identifiable health information:

1. Covered by the Family Educational Rights and Privacy Act, as amended (20 U.S.C. l 232g);
2. In employment records held by a Covered Entity in its role as employer; and 
3. Regarding a person who has been deceased for more than 50 years.

Workforce means:

Employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a Covered Entity or Business Associate, is under the direct control of such Covered Entity or Business Associate, whether or not they are paid by the Covered Entity or Business Associate. For purposes of this definition, the University includes students as part of its Workforce.

The colleges, schools, departments, and administrative business units of the University that have been designated to be within the Health Care Component of the University of Louisville’s Hybrid Covered Entity are expected to:

1. Review the University of Louisville Privacy Office HIPAA Policy Manual available on the Privacy Office website.
2. If desired, develop official policies specific to their college, school, department, or administrative business unit. Policies and Procedures within the Health Care Components must be at least as stringent as the University of Louisville Privacy Office HIPAA Policy Manual. 
3. Develop area-specific procedures to delineate the steps to be performed to implement the University and area policies in a compliant manner.
4. Train all Workforce members who may have access to Protected Health Information regarding HIPAA policies and procedures.
5. Ensure all Workforce members know how to access University and area-specific HIPAA policies and procedures.