Approved
10 Nov 2025
Prior Version
N/A
Applicability
This policy applies to all designated university Health Care Components.
Policy Owner
Student Life Vice President
Responsible Office
Student Health Center
Implementing Procedures
Disclaimer

The policies on this website (including any university procedures, processes, benefits, courses of conduct, or oral or written statements arising from or related to these policies) do not constitute any legally enforceable contract, obligation, or liability on the part of the university, except to the extent that they are incorporated by reference into a written agreement signed by an authorized university official. These policies do not alter the “at-will” employment status of any university employee hired on an “at-will” basis. The university reserves the right to interpret, revise, or withdraw these policies at any time and at its sole discretion.

HIPAA Policy

Brigham Young University (BYU) is committed to complying with the requirements of the Health Insurance Portability and Accountability Act of 1996, as amended, and its accompanying regulations at 45 C.F.R. Parts 160, 162, and 164 (HIPAA) where applicable. HIPAA is a federal law designed to ensure the privacy of certain health information and to safeguard access to and disclosure of certain health information.

Most university operations are not subject to HIPAA; however, the university has designated certain university units as Health Care Components (defined below) that must comply with HIPAA.


Definitions

For purposes of this policy, key terms are defined as follows:

Business Associate means an entity or person that performs functions on behalf of, or services for, a Covered Entity that involve the use or disclosure of Protected Health Information.

Covered Entity means an entity or person covered by HIPAA because it is (1) a health plan; (2) a health care clearinghouse; or (3) a health care provider that transmits health information in electronic form in connection with a transaction listed in 45 C.F.R. § 160.103.

Health Care Component means a campus unit that (1) would meet the definition of Covered Entity if it were a separate legal entity; (2) would meet the definition of a Business Associate if it were a separate legal entity; or (3) performs a covered function regulated by HIPAA. Merely handling personal medical information is not enough to make a campus unit a Health Care Component.

Hybrid Entity means a single legal entity whose business activities include both HIPAA-covered and non-HIPAA-covered functions.

Protected Health Information (PHI) means any information that identifies, or can be used to identify, an individual and that relates to (1) that individual’s past, present, or future physical or mental health, (2) the provision of health care to that individual, or (3) the payment for that individual’s past, present, or future health care. PHI does not include the following:

  • education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. § 1232g (FERPA);
  • student provision-of-treatment records described at 20 U.S.C. § 1232g(a)(4)(B)(iv);
  • employment records held by a Covered Entity in its role as an employer.

Hybrid Entity Election and Health Care Components

BYU elects to be a Hybrid Entity and, as required by 45 C.F.R. § 164.103 & § 164.105(a)(2)(iii)(D), designates certain campus units as Health Care Components. These Health Care Components are listed in the HIPAA Procedures. BYU segregates its Health Care Components from its non-health care components so that PHI is not shared between the two.


HIPAA Compliance Officer and HIPAA Committee

The Assistant Director of the Student Health Center serves as the BYU HIPAA Compliance Officer and is responsible for the development and implementation of the university’s HIPAA policies and procedures. See 45 C.F.R. § 164.308; 45 C.F.R. § 164.530. The HIPAA Compliance Officer chairs the HIPAA Committee, tracks completion of mandatory training, and tracks incidents involving potential HIPAA violations. See HIPAA Procedures.

The HIPAA Committee supports the HIPAA Compliance Officer and is responsible for periodically monitoring the university’s compliance with HIPAA, this policy, and the HIPAA Procedures.

The HIPAA Committee is also responsible for providing HIPAA-related guidance to the university’s Health Care Components. Under the leadership of the HIPAA Compliance Officer, the HIPAA Committee reviews the HIPAA Procedures at least annually to update the list of Health Care Components and to make other amendments as necessary to comply with HIPAA.


Health Care Components

Health Care Components must implement measures to comply with HIPAA, this policy, and the HIPAA Procedures, including training their personnel, maintaining the privacy and security of PHI, and fulfilling any required compliance reporting. To accomplish this, each Health Care Component adopts HIPAA procedures specific to its operations in consultation with the Office of General Counsel and reviews those procedures annually.

Health Care Components must also comply with the following safeguards:

  • A Health Care Component must not disclose PHI to another campus unit in a manner that would be prohibited under the HIPAA Privacy Rule (45 C.F.R. Part 164, Subpart E) if the Health Care Component and the other campus unit were separate legal entities;
  • Health Care Components must protect electronic PHI with respect to other campus units to the same extent that they would be required to protect such information under the HIPAA Security Rule (45 C.F.R. Part 164, Subpart C) if the Health Care Component and the other campus unit were separate and distinct legal entities;
  • If a university workforce member performs duties for both a Health Care Component and for another campus unit, the workforce member must not use or disclose PHI created or received in the course of or incident to the member's work for the Health Care Component in a way prohibited by the HIPAA Privacy Rule (45 C.F.R. Part 164, Subpart E).

See 45 C.F.R. § 164.105(a)(2)(ii).


Consequence of Failing to Follow HIPAA Policies and Procedures

Any individual who fails to comply with the university’s HIPAA policies and procedures may be subject to sanctions up to and including employment termination, dismissal from the university, and/or legal action.


Business Associate Agreements

Any campus unit, whether or not designated as a Health Care Component, must obtain permission from the HIPAA Compliance Officer before entering into any agreements to act as a Business Associate for an external Covered Entity.