About HIPAA Compliance at the University of Minnesota

What is HIPAA?

The Health Insurance Portability and Accountability Act of 1996 is desgined to protect an individual's health information (referred to as "Protected Health Information" or PHI), and to restrict how PHI may be used and disclosed by health care providers, health plans and those accessing PHI to support the providers and plans.  The federal oversight agency for HIPAA is U.S. The Department of Health and Human Services (DHHS), and the enforcement agency is the Office of Civil Rights (OCR).

What areas of the University are subject to HIPAA?

HIPAA applies to "covered entities," "hybrid entities," and "business associates." Covered entities are defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standard. A hybrid entity is any single legal entity that performs both covered and noncovered functions as part of its business operations. A covered function is any function the performance of which makes the performer a health plan, a health care provider, or a health care clearinghouse. The University is considered a "hybrid entity" under HIPAA, which means that some parts of the University are subject to HIPAA and others are not.  The University's health plans, its health care provider services, and those that may access PHI to support the plans or health care provider services are subject to HIPAA.  The areas that make us the University's hybrid entity are sometimes referred to as the University's "health care components."  Areas outside of the University's health care components may also be subject to HIPAA if they act as a "business associate" of an organization that is subject to HIPAA.

The University's health care components include:

  • Addressing and Mailing Services
  • Athletic Training Twin Cities
  • Boynton Health
  • Center for Allied Health Programs
  • College of Pharmacy
  • Community-University Health Care Center
  • Disability Resource Center
  • Genomics Center
  • Health Sciences Administration
  • Health Sciences Technology
  • Internal Audit
  • Medical School (Twin Cities and Duluth campuses)
  • Minnesota Research Data Center
  • Morris Health Service
  • Office of Academic Clinical Affairs
  • Office of General Counsel (OGC)
  • Office of Institutional Compliance (OIC)
  • Office of Information Technology - University Information Security (UIS)
  • Office of Measurement Services (OMS)
  • School of Dentistry and Dental Clinics
  • School of Nursing
  • Speech-Language-Hearing Sciences (including the Julia M. Davis Speech Language Hearing Center)
  • UMD Health Services
  • University Services - Radiation Safety and Regulated Waste
  • UPlan

What is a Business Associate?

Business Associates are third parties who create, receive maintain or transmit "protected health information" (PHI) on behalf of a health care provider or health plan, or who provide other services that involve the use or disclosure of PHI. Business Associates of the University are required to enter into our form of Business Associate Agreement.

At times the University may act as a Business Associate for another health care provider or health plan.  When the University is acting as a Business Associate for another entity, the unit acting as the Business Associate is subject to HIPAA.  Contact the Health Information Privacy & Compliance Office if another entity has informed you that it considers your unit its Business Associate and has asked you to sign a Business Associate Agreement.

What about M Health?

The University of Minnesota, Fairview, and the University of Minnesota Physicians have worked together for many years to provide patient care, conduct research and train the next generation of health care professionals. They operate together under the banner M Health.  

Under HIPAA, these three organizations make up an Organized Health Care Arrangement (OHCA). As members of an OHCA, these organizations are allowed to share PHI with one another in order to manage their joint operations.