As an employee of the Academic Health Center, it is important to know the definitions of a few terms related to the Health Information Portability and Accountability Act (HIPAA).
Health Information Portability and Accountability Act (HIPAA)
HIPAA is actually a very broad law that addresses a number of different health issues. Most of the time when people refer to HIPAA, they are referring to the portions of the law that require certain privacy standards for individual health information. Those standards require that individual health information be handled in a certain way to maintain the confidentiality of that information.
Protected Health Information (PHI)
Protected Health Information (PHI) is the term used in HIPAA for individual health information. PHI is generally defined as individually identifiable information created or received by a health plan or a health care provider that relates to (a) an individual’s past, present or future physical or mental condition, (b) the providing of health care to an individual, or (c) the past, present or future payment for the providing of health care to an individual.
Visit the Health Information Privacy & Compliance Office website to learn how to access HIPAA training.
Covered Entity
A covered entity is an organization that is subject to HIPAA. Generally, covered entities include health plans as well as health care providers who are providing care and receiving payment for that care.
Hybrid Entity/Health Care Components
HIPAA permits certain complex organizations to elect to be treated as a “hybrid entity” instead of a covered entity. A hybrid entity is an organization that includes components that function as a covered entity and components that perform some other function. The University is a hybrid entity. The components that make up the hybrid entity are often referred to as the “health care components.” The major health care components of the University include Boynton Health Services, UMD Health Services, CUHCC, the Medical School, the Dental School, the School of Nursing, the College of Pharmacy, UPlan, and areas that support those components and may need access to PHI to provide that support, such as AHC-IS, AHC Shared Services and certain other select areas.
Business Associates and Business Associate Agreement
Business Associates are vendors who provide support to a covered entity and either require access to PHI or have access to PHI in order to provide that support. Many technology vendors and consultants are Business Associates. Business Associates must sign a Business Associate Agreement (BAA), in which they acknowledge that they (a) will treat PHI appropriately, and (b) are subject to certain HIPAA requirements.