About HIPAA Compliance at the University of Minnesota

What is HIPAA?

The Health Insurance Portability and Accountability Act of 1996 is desgined to protect an individual's health information (referred to as "Protected Health Information" or PHI), and to restrict how PHI may be used and disclosed by health care providers, health plans and those accessing PHI to support the providers and plans.  The federal oversight agency for HIPAA is Health and Human Services, and the enforcement agency is the Office of Civil Rights.

What areas of the University are subject to HIPAA?

HIPAA applies to "covered entities," "hybrid entities," and "business associates."  The University is considered a "hybrid entity" under HIPAA, which means that some parts of the University are subject to HIPAA and others are not.  The University's health plans, its health care provider services, and those that may access PHI to support the plans or health care provider services are subject to HIPAA.  The areas that make us the University's hybrid entity are sometimes referred to as the University's "health care components."  Areas outside of the University's health care components may also be subject to HIPAA if they act as a "business associate" of an organization that is subject to HIPAA.

The University's health care components include:

  • AHC Administrative Shared Services
  • AHC Centers
  • AHC Information Services (AHC-IS)
  • Athletic Training Twin Cities
  • Boynton Health Service
  • College of Pharmacy
  • Community-University Health Care Center
  • Disability Resource Center
  • Internal Audit
  • Julia M. Davis Speech Language Hearing Center
  • Medical School (Twin Cities and Duluth campuses)
  • Minnesota Research Data Center
  • Office of General Counsel (OGC)
  • Office of Institutional Compliance (OIC)
  • Office of Information Technology - Security (OIT-Security)
  • Office of Measurement Services (OMS)
  • School of Dentistry and Dental Clinics
  • School of Nursing
  • UPlan
  • UMD Health Services

What is a Business Associate?

Business Associates are third parties who create, receive maintain or transmit "protected health information" (PHI) on behalf of a health care provider or health plan, or who provide other services that involve the use or disclosure of PHI. Business Associates of the University are required to enter into our form of Business Associate Agreement.

At times the University may act as a Business Associate for another health care provider or health plan.  When the University is acting as a Business Associate for another entity, the unit acting as the Business Associate is subject to HIPAA.  Contact the Health Information Privacy & Compliance Office if another entity has informed you that it considers your unit its Business Associate and has asked you to sign a Business Associate Agreement.

What about M Health?

The University of Minnesota, Fairview, and the University of Minnesota Physicians have worked together for many years to provide patient care, conduct research and train the next generation of health care professionals. They operate together under the banner M Health.  

Under HIPAA, these three organizations make up an Organized Health Care Arrangement (OHCA). As members of an OHCA, these organizations are allowed to share PHI with one another in order to manage their joint operations.