4-OP-H-30.01 Designation of University Health Care Components

Responsible Executive: Information Security and Privacy Office

Approving Official: Vice President for Finance and Administration

Effective Date: March 1, 2024

Revision History: No revisions at this time.

  1. OVERVIEW

    Florida State University (“university” or “FSU”) has elected to operate as a hybrid entity in accordance with the Health Insurance Portability and Accountability Act (“HIPAA”) laws and regulations and the 4-OP-H-30 Health Insurance Portability and Accountability Act (HIPAA) Policy and the 4-OP-H-31 HIPAA Authorization for Use and Disclosure of Protected Health Information Policy.

    Generally, HIPAA requires hybrid entities to identify every Health Care Component (“HCC”) that would meet the definition of a covered entity or a business associate if they were separate legal entities. HCCs are required to comply with HIPAA to the extent each component is performing a covered function, or responsible for use or disclosure of protected health information.

    Protected Health Information (“PHI”) is defined to have the same meaning as the term “protected health information” in 45 C.F.R. § 160.103. PHI includes any individually identifiable health information, including payment, genetic, or demographic information, collected from an individual, whether oral or recorded in any form or medium that is created or received by or on behalf of a covered entity. PHI excludes student education and student treatment records regulated by FERPA, employment records held by a covered entity in its role as an employer, and records regarding a person who has been deceased for 50 years.

    Please refer to the 4-OP-H-30 Health Insurance Portability and Accountability Act (HIPAA) Policy for definitions of additional HIPAA terms referenced herein.
     

  2. RESPONSIBILITIES OF UNIVERSITY HEALTH CARE COMPONENTS

    This Designation of University Health Care Components (“Designation”) identifies the university’s health care components to include the centers, colleges, departments, divisions, institutes, laboratories, and their respective offices, programs, and schools, that would meet the definition of a covered entity or business associate in accordance with the FSU HIPAA Policy.

    Any University Health Care Component designated herein is subject to the HIPAA requirements.  University workforce members in a University Health Care Component are required to comply with their respective unit’s applicable HIPAA policies and procedures. University centers, colleges, departments, divisions, institutes, laboratories, or their respective offices, programs, and schools that are not designated herein are not considered HCCs and generally are not subject to HIPAA requirements.

    If a unit is not identified in this Designation and is required to comply with HIPAA requirements established for covered entities or business associates, it is the responsibility of the unit head or the unit’s HIPAA Privacy Officer to contact the university information security and privacy office at hipaa@fsu.edu to determine whether updates to the Designation that are needed.   Further, if changes to a University Health Care Component’s HIPAA compliance requirements are necessary, the unit shall contact the information security and privacy office to consult on the requested changes. 
     

  3. FSU RESEARCHERS AND WORKFORCE MEMBERS IN UNITS NOT DESIGNATED AS UNIVERSITY HCC

    University workforce members and researchers affiliated with units not designated as University Health Care Components who are performing HIPAA-regulated health care functions for research purposes are determined to be functioning in a capacity as part of the University Health Care Component and are responsible for complying with the university and unit-specific HIPAA policies and procedures.  
    For example, FSU faculty, staff, research scientists, or student researchers who collaborate on HIPAA regulated research activities conducted by the University Health Care Component, are determined to be functioning in a capacity as workforce members of the Component for the purpose of compliance with the FSU HIPAA policies and are responsible for complying with unit specific HIPAA requirements established for the research activities being conducted.

  4. University Health Care Components

    University Internal Covered Entities

    1. Intercollegiate Department of Athletics

      Note Pending Confirmation: Included only if/to the extent Athletics’ departments are performing a HIPAA regulated function or handling PHI regulated by HIPAA.

      • Sports Medicine

    2. College of Arts and Sciences

      Note Pending Confirmation: Included only if/to the extent A&S departments are performing a HIPAA regulated function or handling PHI regulated by HIPAA.

      • Psychology Clinic
      • Psychology Department

    3. College of Communication and Information Components

      Note Pending Confirmation: Included only if/to the extent CCI units are performing a HIPAA regulated function or handling PHI regulated by HIPAA.

      • Speech and Hearing Clinic
      • School of Communication Science & Disorders

    4. College of Education, Health, and Human Sciences Components

      Note Pending Confirmation: Included only if/to the extent CEHHS is performing a HIPAA regulated function or handling PHI regulated by HIPAA.

      • Adult Learning Evaluation Center (ALEC)  [Previously COE]
      • College Autism Network (CAN) [Previously COE]
      • ISSM (Institute for Sports Science & Medicine)  [Previously COE]
      • Center for Couple and Family Therapy (CCFT) [Previously CHHS]
      • Nutrition and Physiology Lab [Previously CHHS]

    5. College of Medicine

      Note Pending Confirmation: Included only if/to the extent Medicine as a whole or Medicine departments or programs identified herein are performing a HIPAA regulated function or handling PHI regulated by HIPAA.

      • College of Medicine main and regional campuses providing health treatment and/or conducting HIPAA regulated research.
      • Center for Translational Behavioral Science
      • FSU Primary Health?
      • Network for Clinical Research, Training, and Community Engagement

    6. College of Music Components

      Note Pending Confirmation: Included only if/to the extent Music departments or programs identified herein are performing a HIPAA regulated function or handling PHI regulated by HIPAA.

      • Music Therapy Program (BA Supporting Florida Department of Corrections)

    7. College of Nursing

      Note Pending Confirmation: Included only if/to the extent Nursing departments or programs identified herein are performing a HIPAA regulated function or handling PHI regulated by HIPAA.

      • Institute on Digital Health and Innovation
      • College of Nursing programs providing health treatment and/or conducting HIPAA regulated research

    8. College of Social Work Components

      Note Pending Confirmation: Included only if/to the extent CSW identified departments herein are performing a HIPAA regulated function or handling PHI regulated by HIPAA.

      • Multidisciplinary Center

    9. International Programs

      Noted Pending Confirmation: Included only if/to the extent International Programs departments are performing a HIPAA regulated function or handling PHI regulated by HIPAA. If only FERPA regulated student education or student treatment records are accessed, there is no HIPAA compliance obligation.

    10. Panama City Campus Components [Bay County]

      Note Pending Confirmation: Included only if/to the extent PC campus departments identified herein are performing a HIPAA regulated function or handling PHI regulated by HIPAA. If only FERPA regulated student education or student treatment records are accessed, there is no HIPAA compliance obligation.

      1. Panama City Health Services (Ex. PanCare partnership – students, staff, & walk-ins)
      2. Early Childhood Autism Program (In-home & In-Clinic services)
      3. Mental Health Counseling Center

    11. Student Affairs Components

      Note Pending Confirmation: Included only if/to the extent SA departments identified herein are performing a HIPAA regulated function or handling PHI regulated by HIPAA. If only FERPA regulated student education or student treatment records are accessed, and services are not open to or provided to non-students, there is no HIPAA compliance obligation.

      1. Counseling & Psychological Services at Florida State University
      2. University Health Services

    University Internal Business Associates

    1. Academic Affairs

      Note Pending Confirmation: Included only if/to the extent AA departments or programs are performing a HIPAA regulated function or handling PHI regulated by HIPAA. If only FERPA regulated student education or student treatment records are accessed, there is no HIPAA compliance obligation.

      1. Office of the Provost

    2. College of Arts and Sciences

      Note Pending Confirmation: Included only if/to the extent A&S departments and programs identified herein are performing a HIPAA regulated function or handling PHI regulated by HIPAA. If only FERPA regulated student education or student treatment records are accessed, there is no HIPAA compliance obligation.

    3. Enrollment Management

      Note Pending Confirmation: Included only if/to the extent EM departments identified herein are performing a HIPAA regulated function or handling PHI regulated by HIPAA. If only FERPA regulated student education or student treatment records are accessed, there is no HIPAA compliance obligation.

      1. Office of the Registrar

    4. Finance and Administration

      Note Pending Confirmation: Included only if/to the extent F&A departments identified herein are performing a HIPAA regulated function or handling PHI regulated by HIPAA. If only employment records or FERPA regulated student education or student treatment records are accessed, there is no HIPAA compliance obligation.

      1. Controller's Office
      2. Human Resources Employee Assistance Program

    5. Information Technology Services (HIPAA affected areas)

      Note Pending Confirmation: Included only if/to the extent ITS units or ITS personnel are performing or supporting a HIPAA regulated function or handling PHI regulated by HIPAA.

      1. Application Development and Analytics
      2. Community Technology Services
      3. Enterprise Application Services
      4. Information Security and Privacy Office
      5. Shared Infrastructure Services

    6. National High Magnetic Field Library (NHMFL)

      Included only if/to the extent NHMFL units identified herein are performing a HIPAA regulated function or handling PHI regulated by HIPAA.

      1. Magnetic Resonance Imaging Facility

    7. Office of Compliance and Ethics

      Note Pending Confirmation: Included only if/to the extent OCE is performing a HIPAA regulated function or handling PHI regulated by HIPAA.

    8. Office of the General Counsel

      Note Pending Confirmation: Included only if/to the extent OGC is performing a HIPAA regulated function or handling PHI regulated by HIPAA.

    9. Office of Inspector General Services

      Note Pending Confirmation: Included only if/to the extent OIGS is performing a HIPAA regulated function or handling PHI regulated by HIPAA.

    10. Office of the Vice President for Research

      Note Pending Confirmation: Included only if/to the extent Research departments identified herein are performing a HIPAA regulated function or handling PHI regulated by HIPAA.

      1. Office for Clinical Research Advancement, Office of Clinical Trials
      2. Office of Human Subjects Protection
      3. Office of Research Compliance
      4. Sponsored Research Administration

 

  1. SPECIFIC AUTHORITY AND JUSTIFICATION

    BOG Regulation 3.0075 - Security of Data Related Information Technology Resources

    Chapter 501.171, Florida Statutes – Security of Confidential Personal Information, Florida Information Protection Act 2014 (FIPA)

    Health Insurance Portability and Accountability Act Regulations - 45 C.F.R. Part 160 – General Administrative Requirements

    Health Insurance Portability and Accountability Act Regulations - 45 C.F.R. Part 164 – HIPAA Security and Privacy 

    Health Insurance Portability and Accountability Act Regulations - 45 C.F.R. Parts 164.400-414 – Notification in the Case of Breach of Unsecured Protected Health Information

    HHS Covered Entities and Business Associates

  2. MAINTENANCE AND REVIEW
    This Designation shall be reviewed by the Chief Information Security Officer (CISO) at least three (3) years from the date of initial establishment.  The CISO, or designee of the CISO, is authorized to make any necessary changes to the Designation based on changes in federal or state laws, rules, or regulations or changes to the HIPAA compliance status of a University Health Care Component included herein.