April 1, 2003Newsletter

MB&F University Spring Mini-Mester, 2003

Course: HIPAA and Universities – The Crash Course

Course Description
This course will address the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 and its impact on colleges and universities.

In 1996, Congress passed the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). HIPAA addressed a number of health related topics, including the costs associated with administering the provision of health care in the United States. In an effort to reduce those costs, HIPAA mandates the use of uniform standards and code sets for certain types of electronic transactions between “covered entities” (the “Transaction Standards”). HIPAA also requires covered entities to safeguard the privacy of “individually identifiable health information” which they maintain (the “Privacy Rule”).

  1. Lesson 1 - Are You a Covered Entity?

    The first step in assessing the impact of HIPAA is to ascertain whether you are a covered entity. There are three types of covered entities – health plans, health care clearinghouses, and health care providers who transmit health information in electronic form in connection with a transaction for which there are transaction standards and code sets. Neither the Privacy Rule nor the Transaction Standards apply if you are not a covered entity.

    Many colleges and universities will be covered entities because of their status as providers of health care services. For instance, a university may operate a hospital or community mental health clinic. If those health care providers electronically engage in a transaction for which there are standards or code sets, then the college or university is a covered entity. Colleges and universities may also be covered entities because they operate health plans for the benefit of their students.


  2. Lesson 2 – Managing the Impact

    If a university or college determines that it is a covered entity, then the entire university or college would be required to comply with the Privacy Rule. This would be administratively burdensome. For example, the Privacy Rule requires a covered entity to train its workforce on its privacy policies and procedures. To minimize these and other administrative burdens, the university or college may elect to designate itself as a “hybrid entity.” A hybrid entity is a covered entity with business activities that include both covered and non-covered (e.g., teaching) functions. With a hybrid entity, only those units that perform covered functions need to comply with the Privacy Rule. A covered entity that wishes to take the hybrid entity approach to HIPAA compliance must designate those parts of the entity that will constitute the entity’s “health care component.”


  3. Lesson 3 - Defining “Protected Health Information”

    A covered entity is prohibited from using or disclosing “protected health information” except as permitted or required by the Privacy Rule. Protected health information is broadly defined as any individually identifiable health information transmitted or maintained, in any form or medium, by the covered entity. But, protected health information excludes “educational records” protected by the Family Educational Rights and Privacy Act (“FERPA”) as well as the records of students held by post-secondary educational institutions (or records of students at least 18 years of age) that are utilized exclusively for health care treatment and which have not been disclosed other than to health care providers involved in the student’s care (so-called “FERPA treatment records”). The exclusion of FERPA education and treatment records from the definition of protected health information is significant for many student health centers.


  4. Lesson 4 – Even if You are not a Covered Entity, You may still be Affected by HIPAA

    Only covered entities are directly regulated by HIPAA. A college or university which is not a covered entity may nevertheless be affected by HIPAA. For instance, colleges and universities may require students in allied health, nursing and other health programs to complete clinical rotations or internships at hospitals and other health care providers. If those hospitals and health care providers are covered entities and they are unwilling to treat those students as members of their workforce, they may require the college or university to execute a “business associate” agreement as a condition of continuing those clinical programs. This is because covered entities are required by the Privacy Rule to obtain written satisfactory assurances from their business associates before they may disclose protected health information to those business associates.

    Colleges and universities, like many employers, may also sponsor group health plans for their employees. Employers and other sponsors of group health plans are not subject to the Privacy Rule. Indeed, the Employee Retirement Income Security Act of 1974 (“ERISA”) makes the group health plan legally separate and distinct from its sponsor. Still, the Privacy Rule affects the employer or other sponsor of a group health plan because it restricts the flow of information that the group health plan may provide to the sponsor.


  5. Lesson 5 – Case Study – Assessing the Impact on Student Health Services

    Student health records maintained by a college or university that receives federal funding are not affected by the Privacy Rule. Student health records are either: (1) FERPA treatment records, for so long as they are made or maintained by a professional or paraprofessional and are not available to anyone other than persons providing such treatment; or (2) FERPA education records once they are disclosed to anyone other than such professional, including but not limited to a health insurer.

    It is significant to emphasize that if the student health center provides health care services to individuals other than students (e.g., faculty, administration, staff) and engages electronically in a transaction for which there are established standards (i.e., the student health center is a covered health care provider), those records would be subject to the Privacy Rule. Moreover, even if the health records of students are FERPA education or treatment records and, therefore, are not protected health information, if the student health center engages electronically in standard transactions, it is a covered entity. If it is a covered entity, it must comport with the Transaction Standards.

    Many colleges and universities also operate student health plans whereby students pay a pre-determined fee per quarter or semester in exchange for the provision of basic health care services. In that capacity, colleges and universities may also be operating a health plan subject to HIPAA and the Privacy Rule.


  6. Lesson 6 – The Review

    HIPAA and the Privacy Rule can significantly affect colleges and universities. The first step is to ascertain whether you are a covered entity and, if so, how you can manage the impact on your institution. You may qualify as a hybrid entity. You may also be able to avoid the Privacy Rule’s obligations in regard to student health records that you maintain. Even if you are not a covered entity, you may be affected by HIPAA if you do business with covered entities or sponsor a health plan for your employees or students.


  7. The Final Exam

    To be administered on a pass/fail basis by the Office for Civil Rights for the U.S. Department of Health Services beginning April 14, 2003.

back to top