What is HIPAA?

HIPAA stands for the Health Insurance Portability and Accountability Act. This act, passed by Congress in 1996, is an expansive set of rules that includes the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers.

What organizations must comply with HIPAA?

Covered entities must comply with HIPAA rules.  Under HIPAA, health care providers that transmit health information in electronic form for treatment, payment or operations purposes, health care clearinghouses, and health plans are considered covered entities.

Is UVM considered a covered entity under HIPAA?

The University is considered a "hybrid entity" for HIPAA compliance purposes. This means that only certain identified components of the University are subject to the HIPAA Privacy rules. The University is able to designate some components that are medical components or group health plans that are separate and distinct from non-medical components.  Only those components that the University has identified as medical components or group health plans are subject to the privacy requirements of HIPAA.

What components has UVM identified as covered?

The University has identified the following components as subject to the HIPAA Privacy Rule:

  • As health care providers:
    • Eleanor M. Luse Center for Communication: Speech, Language and Hearing
  • Employee Group Health Plans
  • University departments that have signed Business Associate Agreements with other entities are subject to the use and disclosure provisions of the Privacy Rule.

Is the University of Vermont Medical Center part of UVM?

No. The University of Vermont Medical Center (formerly Fletcher Allen Health Care) and its parent organization the University of Vermont Health Network are separate and distinct organizations from the University of Vermont (UVM). A copy of the University of Vermont Medical Center's notice of privacy practices may be found on their website.

What is the Privacy Rule?

The HIPAA Privacy Rule establishes regulations for the use and disclosure of Protected Health Information (PHI).

What is Protected Health Information (PHI)?

PHI is any information about the health status, provision of health care, or payment for healthcare that can be linked to an individual.  This is interpreted to include any part of a patient's medical record or payment history.

How can PHI be used by UVM's covered components?

The covered components identified by UVM may disclose PHI to facilitate treatment, payment or health care operations, or for other purposes if authorized to do so by the individual. When disclosing PHI in accordance with the rule, these components must make an effort to disclose the minimum amount necessary to achieve the purpose.

What is UVM's Privacy Notice?

The covered components of UVM provide a notice of privacy to individuals for whom they provide health care or who participate in the identified group health plans.

Privacy Notice examples:

Please note:  While student health records are covered under FERPA and not HIPAA, if you are looking for the Center for Health and Wellbeing’s Privacy Notice, please go to CHWB Notice of Privacy Practices (PDF).

What is the difference between FERPA and HIPAA?

FERPA (Family Educational Rights and Privacy Act) governs the privacy of student records, including UVM student health information. As a result, the HIPAA Privacy Rule governs UVM's medical treatment of non-students.

What about Medical Research?

Researchers who work with Protected Health Information (PHI) are required to follow the Privacy Rule of the organization that owns the PHI. Since College of Medicine physicians that provide health care services do so as University of Vermont Medical Center physicians, the University of Vermont Medical Center is the covered entity for HIPAA purposes for research using its PHI. The College of Medicine, the University of Vermont Medical Center and the Institutional Review Board that oversees research involving human subjects have defined policies and procedures governing use of PHI for research purposes. See the Research Protections Office's HIPAA guidance page for further information.

Who can I contact regarding the HIPAA privacy rule?

You may contact the relevant Coordinator at the provider of service:

  • HIPAA Coordinator - UVM Benefit Plans (802) 656-3433
  • HIPAA Coordinator - UVM Luse Center (802) 656-3861