What qualifies as a HIPAA Covered Component?
To determine if your department or unit should be a HIPAA covered component within the U of A hybrid designation, please review the follow questions.
Does the unit perform a HIPAA-covered function?
- Do you offer health care services?
- Do you operate a health plan?
- Do you handle or process health information?
Does the unit transmit health information electronically in connection with any of the standard HIPAA functions noted above?
- Does the unit submit electronic claims to health plans for payment?
- Does the unit conduct eligibility or referral transactions electronically?
- Does the unit exchange electronic health information for treatment, payment, or operations using HIPAA transaction standards?
If your unit performs any of the functions above, it may qualify as a HIPAA covered component. However, because the U of A operates as a hybrid-entity, there are some functions that may appear to HIPAA related actions, but may not qualify. Some functions are covered by other regulations including FERPA or HSPP and do not need to adhere to all the HIPAA regulations. If you have questions and would like to know if your unit or department should be considered a HIPAA covered component, please contact University Privacy. Additionally, there may be units or departments at the U of A that perform actions that support a HIPAA-covered component, these units may be required to obtain a Business Associate Agreement in order to receive, handle, transmit, or store PHI.