HIPAA Hybrid Entity and Covered Component Designation Policy

To designate the University of North Carolina at Chapel Hill (the “UNC-Chapel Hill”) as a HIPAA Hybrid Entity in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH), and all regulations promulgated thereunder (hereinafter collectively referred to as “HIPAA”).

University Policy

Title

University of North Carolina at Chapel Hill Policy on HIPAA Hybrid Entity and Covered Component Designation

Introduction

Purpose

To designate the University of North Carolina at Chapel Hill (the “UNC-Chapel Hill”) as a HIPAA Hybrid Entity in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH), and all regulations promulgated thereunder (hereinafter collectively referred to as “HIPAA”).

Scope

UNC-Chapel Hill faculty, staff, students, fellows, volunteers, trainees, agents, contractors, and/or other affiliates, whether paid or unpaid, who work, train, or support UNC-Chapel Hill’s HIPAA Covered Components.

Policy

Policy Statement

A. Designation of UNC-Chapel Hill as a HIPAA Hybrid Entity

Under HIPAA, a single legal entity that is a Covered Entity, whose business activities include both covered and non-covered functions, may designate its individual components that are covered by the HIPAA Rules. UNC-Chapel Hill has designated itself as a HIPAA Hybrid Entity. By designating itself as a HIPAA Hybrid Entity, only the parts of UNC-Chapel Hill performing covered functions, each a Covered Component, are subject to HIPAA.

B. Roles and Responsibilities

1. It is the responsibility of UNC-Chapel Hill’s HIPAA Privacy Official to periodically assess which units, departments, clinics, or programs are included as Covered Components in UNC-Chapel Hill’s HIPAA Hybrid Entity designation.
2. The UNC-Chapel Hill HIPAA Privacy Official will establish criteria to determine which UNC-Chapel Hill units, departments, clinics, programs, and functions meet the definition of a Covered Component, the following criteria are considered:
   1. The extent a component meets the definition of a covered entity under HIPAA if it were a separate legal entity;
   2. The extent a component performs HIPAA covered functions (e.g., treatment); and
   3. The extent a component performs activities that would make it a business associate under HIPAA if it were a separate legal entity.
3. The UNC-Chapel Hill Institutional Privacy Office, under the direction of UNC-Chapel Hill’s HIPAA Privacy Official, will maintain the written and electronic record of UNC-Chapel Hill’s HIPAA Hybrid Entity Designation.
4. All Workforce Members within Covered Components must comply with all UNC-Chapel Hill policies, procedures, and standards related to the HIPAA Rules.
5. The UNC-Chapel Hill HIPAA Privacy Official may use their discretion to modify or require the criteria that are used to determine which UNC-Chapel Hill units, departments, clinics, programs, and functions meet the definition of a Covered Component.

Definitions

1. Covered Components. All units, departments, divisions, clinics, and programs that have been designated under UNC-Chapel Hill’s HIPAA Hybrid Entity Designation to which the HIPAA Rules apply.
2. Covered Entity. A health plan, health care clearinghouse, or healthcare provider who transmits any health information in electronic form in connection with a transaction covered under the HIPAA regulations.
3. HIPAA Hybrid Entity. A single legal entity that is a Covered Entity, whose business activities include both covered and non-covered functions, and designates components covered by the HIPAA Rules. UNC-Chapel Hill has designated itself as a HIPAA Hybrid Entity.
4. HIPAA Privacy Official. The University’s Chief Privacy Officer who, pursuant to 45 CFR 164 Subpart E, is responsible for overseeing the development and implementation of the policies, procedures, and standards for the University required by the HIPAA Privacy Rule.
5. HIPAA Rules. The HIPAA Breach Notification, Privacy, and Security Rules. 45 CFR 164 Subpart D, 45 CFR Part 160 and Subparts A and E of Part 164, and 45 CFR Part 160 and Subparts A and C of Part 164 respectively.
6. Workforce Member. UNC-Chapel Hill faculty, staff, students, fellows, volunteers, trainees, agents, contractors, and/or other affiliates, whether paid or unpaid, who work, train, or support UNC-Chapel Hill’s HIPAA Covered Components.

Related Requirements

External Regulations

• 45 CFR 164 Subpart A: General Provisions

University Policies, Standards, and Procedures

• UNC-Chapel Hill’s HIPAA Hybrid Entity Designation

Contact Information

Primary Contact

Name: Katherine Georger

Title: Associate Vice Chancellor, Chief Privacy Officer, Chief Digital Risk Officer, and Special Counsel

Unit: Institutional Privacy Office

Email: privacy@unc.edu

Other Contacts 

Name: Paul Rivers

Title: Assistant Vice Chancellor and Chief Information Security Officer

Unit: Information Security Office

Email: security@unc.edu