HIPAA stands for the Health Insurance Portability and Accountability Act. This act, passed by Congress in 1996, is an expansive set of rules that includes, among other items, establishment of national standards for the privacy and security of electronic health care transactions and records. The regulations were updated in 2013 to include clearer requirements for action, and set penalties, in the event that such covered health care information is breached.
The combined text of the HIPAA Privacy and Security regulations can be found here.
So-called “covered entities” and their “business associates” must comply with HIPAA regulations, as well as applicable state privacy and security statutes. Under HIPAA, health care providers or business associates that create, receive, maintain or transmit health information in electronic form for treatment, payment or operations purposes, health care clearinghouses, and health plans are considered covered entities.
UNH is considered a "hybrid entity" for HIPAA compliance purposes. This means that only certain identified components of the University are subject to the HIPAA regulations. UNH's HIPAA policy is here.
UNH has identified the following components as subject to the HIPAA regulations, due to the nature of the services offered at these departments:
- Health & Wellness (Employee clinic)
Additional components may be added from time to time.
UNH departments that have signed Business Associate Agreements with other entities (for example, as part of sponsored projects or service contracts) are subject to the HIPAA regulations, as well. If there is a question about whether certain activities or projects are covered by HIPAA, please contact the Compliance Officer.
UNH may be a Business Associate through a direct relationship with a covered entity, or as a lower-tier sponsored project awardee or contractor. UNH also may have contractors or subawardees that act as business associates of the University.
A Business Associate is a person or entity who:
(i) On behalf of a covered entity (or another business associate of a covered entity), but other than in the capacity of a member of the workforce of such covered entity, creates, receives, maintains, or transmits protected health information for a function or activity regulated by HIPAA, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities, billing, benefit management, practice management, and repricing; or
(ii) Provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for such covered entity (or another business associate of a covered entity), where the provision of the service involves the disclosure of protected health information from such covered entity, or from another business associate of such covered entity, to the person or entity.
A Business Associate Agreement (BAA) is a contractual arrangement that formalizes the terms and obligations of the relationship between the covered entity and the business associate relative to the handling of protected health information. A BAA may be an exhibit to a project agreement, an addendum, or a wholly separate agreement between the parties. See the UNH Research Blog post, "Have you been asked to sign a BAA?"
PHI is any individually identifiable health information - such as health status, diagnosis, treatment, or payment for care - that is transmitted or maintained in electronic or other form/medium by a covered entity or business associate.
Individually identifiable health information is information, including demographic information, that:
- Is created, maintained, transmitted, or received by a health care provider, health plan, employer, or health care clearinghouse, or by UNH on behalf of such an entity; and
- Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and
- That identifies the individual; or
- With respect to which there is a reasonable basis to believe the information can be used to identify the individual (e.g., by putting two or more data points together, such as date of service and diagnosis).
Examples of ways covered components are permitted to use or disclose PHI include: (i) to facilitate treatment, payment or health care operations; (ii) as may be required by state or federal law; or (iii) for other purposes if authorized to do so by the individual. UNH staff must make an effort, when disclosing PHI in accordance with the HIPAA regulations and state privacy laws, to disclose the minimum information necessary to achieve the purpose of the disclosure.
The covered components of UNH each provide a "Notice of Privacy Practices" to the individuals to whom they provide health care or other covered services. These notices describe how UNH may use or disclose PHI within these covered components, and describe individual rights regarding access and amendment.
FERPA (Family Educational Rights and Privacy Act) governs the privacy of student records, including UNH student health information. Information in records covered by FERPA is not considered to be protected health information, and therefore is not also subject to the HIPAA regulations.
Researchers who work with PHI are required to follow the HIPAA regulations applicable to the organization that owns the PHI, or, if acting as a business associate, according to the terms of the applicable Business Associate Agreement. The UNH Institutional Review Board, which oversees research involving human subjects, has additional information regarding the use of PHI for research purposes.
UNH must flow down similar privacy and security terms to any of our subawardees or subcontractors that perform covered activities on the project. Contact your Grant/Contract Administrator to discuss when and how this must be done.
Training and education are important components of UNH’s HIPAA compliance. Both in-person training and an online training module are available. The online training module provides a general overview of the HIPAA regulations, and is designed to assist faculty, staff and students with acquiring a basic level of understanding of HIPAA. The module takes approximately 30 minutes, and includes a brief series of quiz questions. Individuals who certify their completion of the module at the end will receive an email as documentation of their review of the training. In-person training is also available for any individual or group of faculty, staff or students who would like more specific guidance regarding the application of HIPAA at UNH. Please contact the UNH HIPAA Privacy Officer to schedule a training session.
UNH HIPAA Privacy Officer (for general HIPAA inquiries, and inquiries related to this page)
Melissa McGee, Compliance Officer
Research Integrity Services
UNH Health & Wellness Privacy Coordinator (for HIPAA inquiries related to records maintained at UNH Health & Wellness)
Cindy McGahey, MBA
USNH IT Security Officer (for IT-related HIPAA inquiries)
Brian Dennis Gaon
Last modified February 27, 2018.