Summary - June 2017
- The following information was compiled by members of the HIPAA Privacy and Security Compliance Council (HPSCC) to document outstanding questions relating to HIPAA Governance and Covered Entity status. It will be used as a reference document for the HPSCC for creating university policies and processes in support of HIPAA.
Covered Entity Status & Business Associates Agreements
- Loyola University Chicago (LUC) is currently not a HIPAA Covered Entity and currently engages in no activities that would make it one.
HIPAA Privacy Protection for Loyola University Chicago
- Because LUC has signed Business Associate Agreements with LUHS and/or other HIPAA covered entities, and as a best practice to protect its own PHI as a Non-Covered Entity under HIPAA, LUC will utilize and comply with the HIPAA Privacy Rule. Should the University ever adopt HIPAA Covered Entity status for itself, the HIPAA Security Rule would also be required.
- If covered entity status or hybrid covered entity status is ever adopted by the university, the university must be in compliance with the HIPAA Privacy and HIPAA Security Rules before it engages in activities that would trigger covered entity status. There are many operational and financial decisions the university would need to make prior to declaring covered entity status or undertaking any of the activities that would make it a HIPAA Covered Entity.
- LUC would become a “Covered Entity” under HIPAA if it electronically transmits health information in order to carry out financial or administrative activities related to health care, such as:
- payment or remittance advice;
- coordination of benefits (relates to health insurance plans);
- claims status (relates to health insurance plans);
- enrollment status in a health plan (relates to health insurance plans);
- eligibility for a health plan (relates to health insurance plans);
- premiums (relates to health insurance plans);
- referral certification and authorization;
- first report of injury;
- health claims attachments (relates to health insurance plans); and
- health care electronic fund transfers.
- Note: The decision about whether the University would adopt HIPAA Covered Entity status in order to “bill for health related services” will require a comprehensive cost-benefit analysis to determine whether the additional regulatory, financial, compliance, training and insurance costs the institution would have to undertake are worth the benefits to the programs or projects that are seeking this additional revenue.
- LUC is required to obtain a Business Associate Agreement (BAA) from a third-party service provider only if LUC is a Covered Entity under HIPAA. If LUC is not a Covered Entity, then no BAA is needed from its own service providers. Note, however, that where LUC has itself signed a BAA as a business associate of LUHS or another covered entity (see above), it takes on the obligations in that agreement, and since the 2013 HIPAA Omnibus Rule business associates are directly subject to the HIPAA Security Rule for the e-PHI they handle. If LUC ever adopts HIPAA Covered Entity Status, BAAs with its service providers are needed, and there are a number of other financial, technical, training, compliance, risk and other issues for LUC to address.
Definitions from HHS.gov (https://www.hhs.gov/hipaa/for-professionals)
HIPAA Privacy Rule
- Protects the privacy of individually identifiable health information, called protected health information (PHI). A major goal of the Privacy Rule is to assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public's health and well-being.
HIPAA Security Rule
- Protects a subset of information covered by the Privacy Rule, which is all individually identifiable health information a covered entity creates, receives, maintains or transmits in electronic form. The Security Rule calls this information “electronic protected health information” (e-PHI). The Security Rule does not apply to PHI transmitted orally or in writing.
Protected Health Information
(Definition from https://www.hhs.gov/)
- The HIPAA Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information "protected health information (PHI)." “Individually identifiable health information” is information, including demographic data, that relates to:
- the individual’s past, present or future physical or mental health or condition,
- the provision of health care to the individual, or
- the past, present, or future payment for the provision of health care to the individual,
- and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number). The HIPAA Privacy Rule excludes from protected health information employment records that a covered entity maintains in its capacity as an employer, and education and certain other records subject to, or defined in, the Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. §1232g. Although records covered by FERPA are excepted from the HIPAA Privacy Rule, FERPA itself requires the university to protect that same information.
- The following are the 18 HIPAA identifiers that are considered personally identifiable information. This information can be used to identify, contact, or locate a single person, or can be combined with other sources to identify a single individual. When personally identifiable information is used in conjunction with one’s physical or mental health or condition, health care, or one’s payment for that health care, it becomes PHI.
- Names
- All geographical subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code, if according to the current publicly available data from the Bureau of the Census: (1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
- All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older.
- Phone numbers
- Fax numbers
- Electronic mail addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web Universal Resource Locators (URLs)
- Internet Protocol (IP) address numbers
- Biometric identifiers, including finger and voice prints
- Full face photographic images and any comparable images
- Any other unique identifying number, characteristic, or code
- There are also additional standards and criteria to protect an individual's privacy from re-identification. Any code used to replace the identifiers in a dataset must not be derived from any information related to the individual, and neither the master code list (the mapping from codes back to individuals) nor the method used to derive the codes may be disclosed. For example, a subject's initials cannot be used to code their data because the initials are derived from their name. In other words, the information would still be considered identifiable if there were a way to identify the individual even though all of the 18 identifiers were removed.
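The Safe Harbor rules in the identifier list above (ZIP codes cut to three digits with the 20,000-person threshold, dates reduced to years, ages over 89 collapsed into a single 90-or-older bucket) and the re-identification-code rule in the preceding paragraph, applied to one record in working code. This is an added example, not text or code from the HPSCC document or from HHS; the restricted ZIP-prefix set, the field names and the sample record are constructed for illustration, and the real prefix set must be built from the current Census data the rule refers to.

```python
import re
import secrets
from datetime import date

# Constructed for this example: three-digit ZIP prefixes whose combined
# population is 20,000 or fewer. In practice this set is built from the
# current publicly available Census data referenced in the identifier list.
RESTRICTED_ZIP3 = {"036", "059", "102"}

# Direct identifiers that Safe Harbor removes outright (no generalization).
DIRECT_IDENTIFIERS = {
    "name", "street_address", "city", "county", "zip", "phone", "fax", "email",
    "ssn", "mrn", "beneficiary_id", "account_number", "license_number",
    "vehicle_id", "device_id", "url", "ip_address", "biometric", "photo",
}
DATE_FIELDS = ("birth_date", "admission_date", "discharge_date", "death_date")


def _as_date(value):
    """Accept date objects or ISO strings; return None for missing values."""
    if value is None or isinstance(value, date):
        return value
    return date.fromisoformat(value)


def safe_harbor_zip(zip_code, restricted=RESTRICTED_ZIP3):
    """Keep the first three digits, or '000' when that prefix area holds 20,000 people or fewer."""
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 5:
        return "000"            # unparseable input: take the conservative branch
    prefix = digits[:3]
    return "000" if prefix in restricted else prefix


def safe_harbor_age(birth, as_of):
    """Age in whole years, with every age over 89 collapsed into the single '90+' bucket."""
    birth, as_of = _as_date(birth), _as_date(as_of)
    years = as_of.year - birth.year - ((as_of.month, as_of.day) < (birth.month, birth.day))
    return "90+" if years > 89 else str(years)


def safe_harbor_dates(record, as_of):
    """Reduce every date to its year; drop the birth year too when it would reveal an age over 89."""
    age = safe_harbor_age(record["birth_date"], as_of)
    out = {"age": age, "birth_year": None if age == "90+" else _as_date(record["birth_date"]).year}
    for field in DATE_FIELDS[1:]:
        d = _as_date(record.get(field))
        out[field.replace("_date", "_year")] = d.year if d else None
    return out


class Pseudonymizer:
    """Issues subject codes that are random, so they cannot be derived from the
    individual's name, MRN or anything else about them. The master code list is
    kept here, with the covered entity, and never shipped with the dataset."""

    def __init__(self):
        self._by_subject = {}   # original identifier -> code
        self._master = {}       # code -> original identifier (the master code list)

    def code_for(self, subject_id):
        if subject_id not in self._by_subject:
            code = secrets.token_hex(8)
            self._by_subject[subject_id] = code
            self._master[code] = subject_id
        return self._by_subject[subject_id]


def deidentify(record, pseudonymizer, as_of):
    """Apply the Safe Harbor rules above to one record and return the de-identified copy."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS and k not in DATE_FIELDS}
    out["subject_code"] = pseudonymizer.code_for(record["mrn"])
    out["zip3"] = safe_harbor_zip(record.get("zip"))
    out.update(safe_harbor_dates(record, as_of))
    return out


# Constructed sample record; none of these values belong to a real person.
SAMPLE_RECORD = {
    "name": "Jane Doe", "mrn": "MRN-000123", "ssn": "000-00-0000",
    "email": "jane@example.org", "ip_address": "203.0.113.7",
    "street_address": "1 Main St", "city": "Example City", "state": "NH", "zip": "03601",
    "birth_date": "1925-03-15", "admission_date": "2017-06-02", "discharge_date": "2017-06-09",
    "diagnosis_code": "E11.9",
}
AS_OF = "2017-06-30"


def deidentify_sample():
    """De-identify the constructed sample record as of AS_OF."""
    return deidentify(SAMPLE_RECORD, Pseudonymizer(), AS_OF)


if __name__ == "__main__":
    print(deidentify_sample())
```

The state survives because only subdivisions smaller than a state are restricted; the sample subject is over 89, so the birth year is dropped along with the birth date while admission and discharge years remain. The subject code comes from a random generator rather than from the name or MRN, which is what keeps it from being "derived from" the individual, and the mapping back to the MRN lives only in the Pseudonymizer's master list.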
Frequently asked questions and corresponding guidance can be found via the links below.
General FAQ Search
HIPAA FAQs for Professionals Search - https://www.hhs.gov/hipaa/for-professionals/faq
Covered Entities - https://www.hhs.gov/hipaa/for-professionals/faq/covered-entities
Research Uses & Disclosures - https://www.hhs.gov/hipaa/for-professionals/faq/research-uses-and-disclosures