The Health Information Portability and Accountability Act of 1996, as amended (“HIPAA”), establishes federal protections for the use or disclosure of protected health information (PHI). HIPAA is complex and not particularly intuitive. For example, most medical information provided in the course of employment, including workers' compensation information, is excluded from the protection of HIPAA.
HIPAA allows the University, as an entity with a primary purpose other than providing health care or facilitating health care claims, to designate which portions of the University must comply with HIPAA. These components form the University’s Hybrid Entity. As of October 25, 2023, the components of the University’s Hybrid Entity are:
- MSU Health Plans
- Student Health Services
- The Early Learning Institute (all locations) for their Behavioral Health Activities
- MSU Extension – The health education function providing diabetes and behavioral health education, currently limited to counties engaged in receiving third-party payments and those counties receiving individually identifiable health information from Great Lakes Health Connect or other health information exchanges
- Clinical and Translational Sciences Institute, including its Biomedical Research Informatics Core – Performing services such as de-identifying protected health information, performing research feasibility studies, identifying cohorts, and contacting patients regarding their possible interest in participating in IRB-approved research studies
- Information Technology Services – The functions within ITS that comprise the Health Information Technology Services and those servicing other components of the hybrid entity having access to protected health information
- Institute for Health Policy – The functions within IHP analyzing protected health information
- MSU Human Resources – Benefits – The function providing assistance to Health Plan enrollees and managing the Health Plans
- Office of Audit, Risk and Compliance – Auditing within MSU which requires access to protected health information
- Office of the General Counsel – Advising on legal matters which involve protected health information
- Office of Institutional Equity – The investigatory function which may need access to protected health information
While these components must comply with HIPAA because they generate or work with protected health information, other units in the university may provide services as a business associate, as defined in the regulations, to external entities and, therefore, additionally need to comply with certain aspects of HIPAA because of those relationships. Any business associate agreements should be reviewed by the Office of the General Counsel.
It is recommended that all individuals take the HIPAA training available through MSU’s Ability Training Compliance website at https://orrs.msu.edu/train. If the training has not been assigned to you, you can find the training by searching the catalog in the “Extra Courses” tab.
Please contact the Office of the General Counsel if you have questions.