03.001: General Policy on Health Insurance Portability and Accountability Act (HIPAA) Compliance




October 26, 2017

Initiated by:

John J. Biancamano, General Counsel

Endorsed by:

Deborah Shaffer, Vice President for Finance & Administration

Approved by:

M. Duane Nellis, President


Signatures and dates on archival copy
  1. Ohio university's commitment to HIPAA compliance as a hybrid entity

    Ohio university strives to protect the confidentiality, integrity, and availability of protected health information (PHI) by taking reasonable and appropriate steps to address the requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HIPAA regulates covered entities, which are health plans, health care clearinghouses and health care providers who transmit any health information in electronic form in connection with a covered transaction. HIPAA requires that each covered entity maintain reasonable and appropriate administrative, technical and physical safeguards for privacy and security. HIPAA also requires that entities or individuals who contract to perform services for a covered entity with access to PHI (referred to as “business associates”) comply with the HIPAA privacy and security standards.

    Ohio university is a HIPAA hybrid entity as that term is defined by HIPAA at 45 C.F.R. § 164.105. As such, its health care components, which are identified in Ohio university’s standards and procedures, are subject to and must comply with HIPAA.

    This general policy reflects Ohio university’s commitment to comply with HIPAA as more fully set forth in the Ohio university HIPAA standards (the “standards”), herein incorporated by reference to this general policy. The standards represent the general operating procedures of Ohio university’s health care components and apply to PHI used or disclosed by or on behalf of Ohio university’s health care components. To the extent the standards express requirements and obligations above and beyond those required by the HIPAA regulations, the standards will be treated as goals but will not be binding on Ohio university. The standards do not address the requirements of any laws other than the HIPAA privacy regulations. No third party rights (including, but not limited to, rights of individuals or business associates) are intended to be created by the standards.

    Any questions regarding this general policy or the standards may be directed toward Ohio university’s privacy and/or security officer, as may be appropriate. Ohio university reserves the right to change these standards at any time without notice.


Proposed revisions of this policy should be reviewed by:

  1. Vice President for Research and Creative Activity

  2. Faculty Senate

  3. Deans Council

  4. Chairs

  5. Directors

  6. Chief Human Resource Officer