Texas A&M University | Technology Services

HIPAA and Health Information Protection

Understanding the regulations surrounding health information can sometimes feel complex, especially within a large university setting like Texas A&M. One of the key federal laws in this area is the Health Insurance Portability and Accountability Act of 1996, commonly known as HIPAA. Its main goal is to protect sensitive health information, known as Protected Health Information (PHI), from being disclosed without a patient's consent or knowledge, while still allowing necessary information flow for quality healthcare.

HIPAA vs. FERPA at Texas A&M

A common question is how HIPAA interacts with another important privacy law relevant to education: the Family Educational Rights and Privacy Act (FERPA). Generally, FERPA protects the privacy of student education records. At universities, student health records maintained by campus health clinics or counseling services are usually considered part of these "education records," or fall under FERPA's related category of "treatment records." Because these records are already protected by FERPA, HIPAA's Privacy Rule excludes them from its definition of Protected Health Information.

When Does HIPAA Apply Here?

While FERPA covers many student health records, HIPAA does apply at Texas A&M in specific situations. The university is considered a "hybrid entity," meaning only the parts of the university that perform specific healthcare functions must comply with HIPAA. These designated units are known as TAMU HIPAA Health Care Components (TAMU HIPAA HCCs), and they are the parts of the university that carry the obligations of a HIPAA covered entity. The university Privacy Officer is ultimately responsible for determining whether particular data or systems are covered by HIPAA.

Business Associate Agreements (BAAs) are another way that data can fall under HIPAA governance. When the university receives PHI from a HIPAA covered entity in order to perform work on that entity's behalf, it acts as a business associate, and the Security Rule and Breach Notification Rule apply to the university directly with respect to that data. BAAs are typically found as part of a grant contract or data use agreement when a researcher receives a dataset from another institution or federal agency.

Texas A&M is committed to safeguarding all health information, whether it falls under HIPAA, FERPA, or other state and federal requirements. Typically, health records are subject to the same security controls regardless of whether they fall under HIPAA. Knowing whether data or systems are regulated by HIPAA is still important, because it can change how the university is obligated to respond when there is a cybersecurity incident.

Key Aspects of HIPAA Compliance at Texas A&M

For the parts of the university where HIPAA applies, compliance involves several key areas:

  • Privacy Rule: This sets the standards for how PHI can be used and disclosed, outlining patient rights to access, correct, and control their health information.
  • Security Rule: This focuses specifically on protecting electronic PHI (ePHI), requiring technical, physical, and administrative safeguards to ensure its confidentiality, integrity, and availability.
  • Breach Notification Rule: This requires notifying affected individuals and the U.S. Department of Health and Human Services (and, for large breaches, the media) when unsecured PHI is acquired, accessed, used, or disclosed in a way the Privacy Rule does not permit.
  • Policies and Training: Texas A&M has specific Standard Administrative Procedures (SAPs) related to HIPAA. Personnel who handle HIPAA-regulated data as part of their job duties receive mandatory training on these policies and practices to ensure they understand their responsibilities.
  • Designated Roles: The university has a designated Privacy Officer responsible for overseeing HIPAA compliance, developing policies, and handling complaints or investigations.

Your Role and Resources

Protecting health information is a shared responsibility. Understanding when and how HIPAA applies helps ensure the privacy and security of sensitive data. If you handle health information as part of your role at Texas A&M, especially within a designated health care component, be sure to complete required training and familiarize yourself with relevant university policies.

  • If you are an IT Professional and have questions about specific security controls that are required to comply with HIPAA, contact the IT Risk Management team at it-policy@tamu.edu.
  • If you have questions about HIPAA or need to report a potential privacy concern, you can contact the Texas A&M Privacy Officer.

Last Modified: August 18, 2025