The Health Information Privacy & Compliance Office is responsible for ensuring that individually identifiable health information is handled appropriately across the entire University.

What is HIPAA?

The Health Insurance Portability and Accountability Act of 1996 is designed to protect an individual's health information (referred to as "Protected Health Information" or PHI), and to restrict how PHI may be used and disclosed by health care providers, health plans and those accessing PHI to support the providers and plans.  The federal oversight agency for HIPAA is Health and Human Services, and the enforcement agency is the Office of Civil Rights.

Who is Subject to HIPAA?

HIPAA applies to "covered entities," "hybrid entities," and "business associates."  The University is considered a "hybrid entity" under HIPAA, which means that some parts of the University are subject to HIPAA and others are not.  The University's health plans, its health care provider services, and those that may access PHI to support the plans or health care provider services are subject to HIPAA.  The areas that make up the University's hybrid entity are sometimes referred to as the University's "health care components."  Areas outside of the University's health care components may also be subject to HIPAA if they act as a "business associate" of an organization that is subject to HIPAA.

What is a Business Associate?

Business Associates are third parties who create, receive, maintain or transmit "protected health information" (PHI) on behalf of a health care provider or health plan, or who provide other services that involve the use or disclosure of PHI. Business Associates of the University are required to enter into our form of Business Associate Agreement.

At times the University may act as a Business Associate for another health care provider or health plan.  When the University is acting as a Business Associate for another entity, the unit acting as the Business Associate is subject to HIPAA.  Contact the Health Information Privacy & Compliance Office if another entity has informed you that it considers your unit its Business Associate and has asked you to sign a Business Associate Agreement.

What about M Health? 

The University of Minnesota, Fairview, and the University of Minnesota Physicians have worked together for many years to provide patient care, conduct research and train the next generation of health care professionals. They operate together under the banner M Health.   

Under HIPAA, these three organizations make up an Organized Health Care Arrangement (OHCA). As members of an OHCA, these organizations are allowed to share PHI with one another in order to manage their joint operations.