Forms, Policies & Procedures

HIPAA Hybrid Statement

1. Introduction
   As with some other research-intensive institutions¹ , the University of Delaware (“UD”) recognizes that the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) is a consumer protection law intended to protect individually identifiable information relating to the physical or mental health of an individual, the provision of health care to the individual, or the payment for the provision of health care to the individual. HIPAA applies to “Covered Entities,” which include health care providers, health plans and health care clearinghouses that conduct specified transactions electronically (“Covered Entities” or each a “Covered Entity”)² . UD is engaged in both Covered Entity and non-Covered Entity activities. HIPAA allows entities that are engaged in both Covered Entity functions and other activities that are not Covered Entity functions to designate themselves as “Hybrid Entities,” with the result that the HIPAA regulations do not apply to the non-covered functions.

   ¹For Example, Vanderbilt University (https://ww2.mc.vanderbilt.edu/osp/51235).

   ²https://www.hhs.gov/hipaa/for-professionals/covered-entities/index.html.

2. Hybrid Entity Status Assessment
   Based upon an assessment of UD units and a review of HIPAA standards, UD designates itself as a Hybrid Entity under HIPAA. Identification of individuals and entities that are part of the UD Covered Entity (“UDCE”) is complicated by the fact that UD is engaged in multiple covered functions and non-covered functions with a mission that includes education, health care, and research. Workforce members often have multiple roles, both covered and non-covered. Therefore, determination of those entities and individuals who are included in the UDCE is a dynamic and ongoing process that is based upon the data used and/or being disclosed, not based upon any particular overall department mission or activity.

   The UDCE includes health-related research centers, interdisciplinary programs, and University-wide programs. Whether a UD function or individual’s activity on behalf of UD is included in the UDCE is hereafter determined based not upon any particular department or unit, but instead upon the data being used and/or disclosed.

3. Categories of Data
   The following defined categories of data are critical to the determination of covered functions and activities:

   A. Individually identifiable health information (IIHI) is information collected from an individual that is created or received by a health care provider, employer, plan or clearinghouse and relates to the past, present, or future physical or mental health or condition of an individual; the provision of health

   care to an individual; or the past, present, or future payment for the provision of health care to an individual and identifies the individual, or can reasonably be used to identify the individual.

   B. Protected Health information (PHI) is IIHI that is transmitted or maintained in any form or medium by a covered function within the UDCE. This specifically excludes education records, which are protected by other privacy regulations, and employment records held by UD in its role as an employer. This also excludes research health information (see definition below), which is protected by other regulatory requirements.

   C. Research Health Information (RHI) is IIHI that is used for research purposes but that is not PHI, and thus is NOT subject to the requirements of HIPAA. RHI is IIHI that is created in connection with research activity and is not created in connection with patient care activity. When a researcher is not also functioning as a health care provider, and creates IIHI in connection with pure research activities (no patient care involved) the IIHI is not PHI and is not subject to the privacy and security rules of HIPAA. If a researcher is also a health care provider and IIHI is created in connection with the researcher’s health care provider activities, then the IIHI is PHI subject to HIPAA. IIHI that is created as PHI and is needed for research purposes may be disclosed to a researcher (the same individual healthcare provider who is also a researcher may disclose PHI to herself in her research role) pursuant to the IRB approval process, which includes proper patient authorization or IRB waiver of authorization. After the PHI is properly disclosed to the research setting, the IIHI transferred to the research setting becomes RHI, which is no longer subject to the requirements of HIPAA. In certain cases such as interventional clinical trials it is expected there will be two copies of some IIHI: a copy kept in the patient’s medical record which is PHI and subject to HIPAA, and a copy of the same data kept in the research record which is RHI and not subject to HIPAA.

   D. Key Determinants: The key determinants as to whether or not information is IIHI and not protected by the Privacy Rule or PHI and protected are: 1) the function being performed by the provider or health plan; and 2) the purpose for which an entity or workforce member has received, created or maintained the medical information (e.g., treatment, payment, operations). Record keeping practices are not the determinant. For example, an assessment of fitness for duty generates PHI when the UDCE administers or oversees a test of a UD employee. When the employee authorizes UD, the health care provider, to turn over the information to UD, the employer, it is a part of the employee’s employment record and no longer PHI. It is important to note that in most circumstances (exceptions include workplace injury, illness or medical surveillance) the employee must provide a signed authorization to the UD health care provider to release the information to UD, the employer.

4. Determining Covered Functions Criteria
   The following criteria are used to determine whether a function or individual workforce member is included in the UDCE:

   A. Health care or health plan use or disclosure: When the use or disclosure of IIHI is carried out in connection with a health care provider or health plan function by UD workforce members, the individual’s health information is defined as PHI, and HIPAA privacy and security regulations apply to those functions and to the workforce members who carry out those functions;

   B. Functions that support health care or health plan: When the use or disclosure of IIHI is carried out by business, financial, legal or administrative functions on behalf of UD’s health care provider and health plan activities, the individual’s information is PHI and the HIPAA privacy and security regulations apply to those functions and to the workforce members who carry out those functions;

   C. Employer and education functions: When the use and disclosure of IIHI is carried out by UD in its capacity as an employer or an educational institution, the information is not PHI and those UD functions are not subject to the privacy or security regulations of HIPAA, but the confidentiality of the individual’s health information is protected by other state and federal law, as well as by UD policy; and

   D. IRB functions: PHI may only be disclosed to a researcher for use in connection with an IRB-approved or exempt protocol and pursuant to a waiver or authorization. When a researcher requests access to PHI that has been created, received or maintained by the UDCE, the Privacy Rule requires that the UDCE receive specific assurances that the PHI will be protected once disclosed to the researcher for use as RHI, and UD must account for certain disclosures as required by the HIPAA regulations. UD’s IRB will function as the Privacy Board as defined by HIPAA.

   E. Examples of UD workforce members who may provide services to covered functions: Workforce members of the following components of UD may provide administrative functions on behalf of the UDCE (use of PHI subject to the requirements of HIPAA) and on behalf of non-covered components of UD (IIHI not subject to the requirements of HIPAA):

   • Alumni Relations (https://www.udconnection.com/)
   • Development (https://www1.udel.edu/giving/)
   • Economic Innovation & Partnerships (http://www.oeip.udel.edu/)
   • Environmental Health & Safety (https://www1.udel.edu/ehs/)
   • Finance and Administration (https://sites.udel.edu/vpfinance/)
   • General Counsel (https://sites.udel.edu/generalcounsel/)
   • Institutional Research & Effectiveness (https://ire.udel.edu/)
   • Institutional Review Board (https://www1.udel.edu/research/preparing/humansub.html)
   • Internal Audit (https://www1.udel.edu/Treasurer/internalaudit.html)
   • Public Safety (https://www1.udel.edu/police/)
   • Research & Research Compliance (https://www1.udel.edu/research/about/index.html)
   • Risk Management (https://sites.udel.edu/vpfinance/departments/risk-management/)
   • Other UD entities that perform covered functions within the UDCE, such as:
     1. Applicable Academic Programs
        • College of Agriculture and Natural Resources (https://canr.udel.edu/)
        • College of Arts and Sciences (https://www.cas.udel.edu/Pages/default.aspx)
        • Alfred Lerner College of Business and Economics (https://lerner.udel.edu//)
        • College of Earth, Ocean, and Environment (https://www.ceoe.udel.edu/)
        • College of Engineering (https://www.engr.udel.edu/)
        • College of Health Sciences (https://chs.udel.edu/)
        • College of Education and Human Development (https://www.cehd.udel.edu/)
        • Biomechanics & Movement Science  (https://sites.udel.edu/bioms/)
        • Cognitive Science (https://www.lingcogsci.udel.edu/)
     2. Research Centers/Institutes
        • Applied Science & Engineering Laboratories (http://www.asel.udel.edu/)
        • Center for Bioinformatics & Computational Biology (http://bioinformatics.udel.edu/)
        • Center for Biomedical Engineering Research (http://www.cber.udel.edu/)
        • Center for Environmental Genomics (http://www.ceoe.udel.edu/ceg/index.shtml)
        • Center for Science, Ethics & Public Policy (http://www.sepp.udel.edu/)
        • Center for Spintronics and Biodetection (https://wiki.physics.udel.edu/csb/Main_Page)
        • Center for Translational Cancer Research (https://www1.udel.edu/ctcr/)
        • Delaware Biotechnology Institute (http://www.dbi.udel.edu/)
        • Delaware Design Institute (http://ddi.udel.edu/)
        • Delaware Physical Therapy Clinic (http://sites.udel.edu/ptclinic/)
        • Delaware Rehabilitation Institute (http://www1.udel.edu/dri/)
        • Institute for Global Studies (http://www1.udel.edu/global/)
        • Institute for Transforming Undergraduate Education (http://www1.udel.edu/inst/)
        • Small Business & Technology Development Center (http://delawaresbdc.org/)
     3. University-wide Units
        • Academic Enrichment Center (https://www1.udel.edu/AEC-workshop/resource.html)
        • Counseling & Student Development (http://sites.udel.edu/counseling/)
        • Student Health Service (http://www1.udel.edu/studenthealth/)
        • Student Services for Athletes (http://www.bluehens.com/SportSelect.dbml?DB_OEM_ID=29100&SPID=176008&SPSID=1036210)
5. Protected Health Information transfer between covered and non-covered componentsA. Patient authorization required: When workforce members who provide services to the UDCE perform services on behalf of non-covered components of UD, these non-covered functions are not part of the UDCE. Workforce members must not disclose PHI to non-covered UD components without the individual or patient’s authorization, or waiver of authorization by the IRB in the case of disclosures for research purposes, as required by the Privacy Rule.

   B. Disclosure between Health Plan and Providers: Workforce members who provide business and finance services to both UDCE providers and UDCE health plans cannot use or disclose PHI between those entities unless it is allowed in the Privacy Rule.

Direct Inquiries to:

Sean Hayes, J.D., Ph.D.
Research Advisor
Institutional Privacy Officer
Email: hayes@udel.edu
Phone: 302-831-7445

OR

Cordell Overby, Sc.D.
Associate Vice President for Research & Regulatory Affairs
Email: overbyc@udel.edu
Phone: 302-831-2383

The complete policy and more can be found on the UD Research Office’s web site.