HIPAA Hybrid Entity Designation
Western Michigan University (WMU) is designated as a single covered entity for purposes of the Healthcare Information Portability and Accountability Act (HIPAA). Only certain components of WMU are involved in providing health care services that are subject to HIPAA. Thus, WMU is a Hybrid Entity. This policy designates the components within WMU that are part of the Hybrid Entity subject to the HIPAA Administrative Simplification regulations
Stakeholders Most Impacted
Individuals working for or with WMU’s covered components.
The terms used in this policy have the same meaning as those terms in the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 and the regulations at 45 CFR Parts 160, 162, and 164. The Hybrid Entity designation includes any component that would meet the definition of a covered entity or business associate if it were a separate entity.
WMU hereby designates the following services as the health care components included in the Hybrid Entity:
- Sindecuse Health Center
- Unified Clinics
- Kalamazoo Autism Center
- Department of Athletics, Medical Services
- Department of Human Resources
- Institutional Research
- Office of Information Technology members assigned to work for health care components
- Center for Disability Services
Whenever WMU’s policies, procedures or guidelines refer to WMU as a “covered entity” under HIPAA, they are referring to the services listed above. The requirements of HIPAA apply only to WMU’s services included within the Hybrid Entity.
Those involved in performing the services listed above may not use or disclose protected health information (PHI) that they create or receive in a way prohibited by HIPAA. One component may not share PHI with another component unless permitted under the HIPAA regulations and WMU’s HIPAA policies and procedures.
Although workforce members of the Hybrid Entity perform duties for both the health care components and for other components of WMU, they must not use or disclose PHI created or received in the course of or incident to the members’ work for the health care component in a way prohibited by HIPAA.
Other programs and services will use and disclose information as required under HIPAA if they are business associates of another entity and therefore subject to HIPAA standards.
Related Procedures and Guidelines
45 C.F.R. Parts 160, 162 & 164
- Effective date of current version: March 11, 2021
- Date first adopted: March 11, 2021
- Revision history: N/A
- Proposed date of next review: March 11, 2024
Responsible Enforcement Official
Jessica M. Swartz
HIPAA Compliance Officer
March 11, 2021