HIPAA Compliance Program

The Health Insurance Portability and Accountability Act (HIPAA) Compliance Program is meant to provide guidance and resources to those who have responsibilities outlined in University Policy CS 30 (HIPAA).

Who has HIPAA compliance responsibilities?

The University is a hybrid entity, which means that only certain components (schools/departments/units) have operations to which HIPAA applies. A HIPAA Covered Component is an area of the University that serves as a health care provider, health plan, or health care clearinghouse that transmits health information electronically in connection with financial or administrative activities. These operations prompt compliance obligations under HIPAA. The University has identified four Covered Components:

  • The Office of Human Resources - Administration of Group Health Plan
  • Student Health Services and Pharmacy - Oakland Campus
  • The School of Dental Medicine
  • University Dental Health Services 

University schools/departments/units that are not identified as a Covered Component may encounter personal health information (PHI) in their job functions, but they are not subject to HIPAA requirements. Employees and others within these schools/departments/units are called PHI Workforce Members. Though not subject to the same requirements as Covered Components, PHI Workforce Members are required to practice safe handling and use of PHI. 

University of Pittsburgh Notice of Privacy Practices

Covered Components must provide the Notice of the University's Privacy Practices, which informs patients, faculty, staff, and other covered dependents how information about individuals may be used and disclosed, how individuals can obtain access to this information, and what rights an individual has under HIPAA.

Resources