HIPAA Hybrid Entity Designation
Drexel University HIPAA Privacy Program
Policies and Procedures
Policy Title: HIPAA Hybrid Entity Designation
Policy Number: IM-01A
Effective Date: April 14, 2003; September 23, 2013
Last Revised: October 10, 2018
Responsible Officer: Vice President, Chief Compliance, Privacy and Internal Audit Officer
This policy applies to all of Drexel University (Drexel).
I. Policy Statement
As a comprehensive research-intensive institution with a mission of education, research and patient care, Drexel recognizes the applicability of the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH Act), and its regulations (HIPAA) to certain sectors of the University.
Under HIPAA, Drexel can elect to be a Hybrid Entity with identified Health Care Components which are subject to HIPAA and non-covered components which are not. The Policy identifies the Health Care Components subject to HIPAA's privacy, security, breach notification and enforcement provisions and Drexel's Privacy Program.
This Policy designates Drexel University as a Hybrid Entity under HIPAA.
Business Associate: A person or entity that creates, receives, maintains or transmits protected health information on behalf of a HIPAA Covered Entity or another Business Associate.
Covered Entity: (1) A health plan; (2) a health care clearinghouse; and (3) a health care provider who transmits protected health information in electronic form in connection with a HIPAA covered transaction.
Covered Transaction: The transmission of information between two parties to carry out financial or administrative activities related to health care. It includes the following types of information transmissions:
- Health care claims or equivalent encounter information.
- Health care payment and remittance advice.
- Coordination of benefits.
- Health care claim status.
- Enrollment and disenrollment in a health plan.
- Eligibility for a health plan.
- Health plan premium payments.
- Referral certification and authorization.
- First report of injury.
- Health claims attachments.
- Health care electronic funds transfers (EFT) and remittance advice.
- Other transactions that the Secretary may prescribe by regulation.
Health Care Component: Any component (College, School, Institute, Center, Department, Office or Unit) which would meet the definition of Covered Entity or Business Associate if it were a separate legal entity.
Hybrid Entity: A single legal entity that is a Covered Entity under HIPAA and whose business activities include both covered and non-covered functions and that designates specific Health Care Components under HIPAA.
Protected Health Information (PHI): Information, including genetic information, created or received by a Covered Entity which relates to: (1) the individual's past, present, or future physical or mental health or condition; or (2) the provision of health care to the individual; or (3) the past, present, or future payment for the provision of health care to the individual. And as to any such information, the information identifies the individual or there is a reasonable basis to believe can be used to identify the individual.
Research: A systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalizable knowledge.
Workforce: Employees, volunteers, trainees and other persons whose conduct, in the performance of work for Drexel is under the direct control of Drexel whether or not they are paid by Drexel.
Drexel designates the Health Care Components (the areas subject to HIPAA) as set forth on the attached Exhibit A.
If another Drexel College, School, Institute, Center, Department, Office or Unit not listed in Exhibit A initiates performance of Covered Entity functions, such as beginning to bill insurance companies for care delivery, they would be reclassified as a Health Care Component.
When other Drexel Colleges, Schools, Institutes, Centers, Departments, Offices or Units not listed in Exhibit A perform Business Associate functions for a Covered Entity (or another Business Associate), within Drexel or outside, they would be a Health Care Component to the extent of that activity.
HIPAA also establishes conditions under which protected health information may be used or disclosed by Covered Entities for research purposes. These include the following: (1) preparatory to research; (2) authorization; (3) waiver of authorization; (4) limited data set with a data use agreement; (5) decedents; and (6) fully de-identified. For further information as to these conditions and their definitions, and doing research with protected health information of a Covered Entity, see HIPAA Omnibus Policy IM-13 on the Corporate Compliance and Privacy website and the HIPAA/Privacy & Research section of the Office of Research website.
Any Drexel workforce member who undertakes a new activity that would make that member a health care provider under HIPAA or a Business Associate is obligated to notify the Chief Privacy Officer before engaging in the activity.
Drexel will continue to evaluate its Hybrid Entity Designation as its Colleges, Schools, Institutes, Centers, Departments, Units, Offices and workforce change in roles and responsibilities. Any questions as to the applicability of this Policy should be addressed to the Chief Privacy Officer.
45 CFR Part 160 and 164; Section 164.105; and Section 164.504.
Attachment: Exhibit A – Designated Health Care Components
Drexel University Designated HIPAA Health Care Components
October 10, 2018
I. Covered Entity Components
All workforce of Covered Entity Components are subject to HIPAA.
- Drexel University Group Health Plans
- College of Medicine, including Drexel Medicine
- College of Nursing and Health Professions, including its clinical practices and Stephen and Sandra Sheller 11th Street Family Health Services
- Student Health Center
Note: Drexel Medicine is a member of a HIPAA Organized Health Care Arrangement with American Academic Health System with respect to Hahnemann University Hospital and St. Christopher's Hospital.
II. Business Associate Components
Professional Staff departments of Drexel, including those listed below, are Business Associate Components to the extent they provide Business Associate services (using or disclosing protected health information) to those Drexel Covered Entity Components listed above, in the course of the Covered Entities' health care provider treatment, payment and operations or health plan actions under HIPAA.
- Accounts Payable Office
- Office of the Athletic Director
- Office of Business Services
- Office of Compliance, Privacy and Internal Audit
- Office of the Comptroller
- Office of the General Counsel
- Office of Human Resources
- Office of Information Technology
- Office of Institutional Advancement
- Office of Research
- Office of Risk Management
- Office of University Communications
- Treasury Office
Back to Top