The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) permits an organization that engages in both HIPAA covered and non-covered functions to designate itself as a hybrid covered entity. As a hybrid covered entity, the organization is permitted to place areas which engage in activities regulated under HIPAA into a health care component. The areas inside the health care component must follow HIPAA regulations; however, the areas which are outside the health care component are not bound by HIPAA regulations.
The University of Louisville has designated itself as a hybrid covered entity. The following areas have been designated to be within the University of Louisville health care component.
* Department of Athletics - subdivision which processes the level-funded insurance plan offered to student athletes
* Department of Audit Services
* Department of Environmental Health & Safety
* Department of Risk Management
* Department of University Advancement/Development – subdivision which performs fundraising activities
* Human Resources - subdivisions which process employee health plan (e.g. Benefits; includes the Get Healthy Now program until its’ expiration on 12/31/20 )
* Information Security Office
* Information Technology Department
* Office of Communications & Marketing
* Office of Finance/Controller – subdivisions of the Controller’s Office which process health care related payments
* Office of University Counsel
* School of Dentistry and affiliated Institutes and Centers
* School of Medicine and affiliated Institutes and Centers (includes Campus Health and the Prevention, Education, and Advocacy on Campus and in the Community (PEACC) Program; excludes all research activities; NOTE: Student data is governed by FERPA regulations)
* School of Nursing
* University Archives & Records – the subdivision which handles and/or stores protected health information
* University Integrity & Compliance Office
* University Privacy Office.
Revised/Reviewed November 18, 2020