The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and Title XIII, Subtitle D of the Health Information Technology for Economic and Clinical Health Act (HITECH), hereafter collectively referred to as HIPAA, and associated regulations (see Code of Federal Regulations (CFR) 45 Parts 160, 162 and 164) were enacted in part to establish rights for patients and responsibilities for Covered Entities and Business Associates of Covered Entities with regard to the confidentiality, availability, and integrity of Protected Health Information (PHI).
Pursuant to the statute and regulations, organizations that are Hybrid Entities must designate certain segments of their organizations as Health Care Components and take all reasonable steps to assure compliance within the Health Care Component with all applicable HIPAA Privacy, Security, and Breach Notification Rules and regulations promulgated under HIPAA.
The University is a Hybrid Entity, as defined by HIPAA (see 45 CFR § 164.103). For the purpose of this Policy, University Health Care Components consist of those programs that meet the definitions of “Covered Entity” or “Business Associate,” as defined by 45 CFR § 160.103, and as determined by the University HIPAA Privacy Program Director, in consultation with appropriate parties.
Additionally, organizations performing work for or on behalf of Covered Entities, and which meet the definition of a Business Associate, must establish Business Associate Agreements and comply with the applicable HIPAA Rules.
The purpose of this policy is to:
- Designate the University of Arizona (University) as a Hybrid Entity;
- Acknowledge that the University performs certain activities that meet the definitions of a “Covered Entity” and “Business Associate”;
- Establish the University's commitment to maintaining a broad operational framework for the Privacy, Security, and Breach Notification Rules found in HIPAA; and
- Ensure all members of the University community understand their rights and obligations with regard to the privacy, security, and integrity of PHI.