The Catholic University of America

Summary of Federal Laws


Compliance Partners

Manager of Benefits and Compensation

Chief Information Officer

Director of Information Security

Benefits Specialists

AVP for Human Resources

Related Policy

Information Security and Assurance

Omnibus Plan Document

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

Pub. L. No. 104-191, 110 Stat. 1936 (1996)

Codified at 42 U.S.C. § 300gg and 29 U.S.C § 1181 et seq. and 42 USC 1320d et seq.

This law is intended to improve health insurance availability for those persons who lose coverage as a result of job change or loss, and also imposes certain privacy and efficiency standards on covered entities.

45 CFR § 160.103 contains definitions, including Business Associate and Workforce.

Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule, 78 Fed. Reg. 5565, Jan. 25, 2013.

This final rule is effective on March 26, 2013. Compliance date: Covered entities and business associates must comply with the applicable requirements of this final rule by September 23, 2013. The Final Rule makes business associates of covered entities directly liable for compliance with certain HIPAA Privacy and Security Rule requirements; increases limits on the use or disclosure of protected health information (PHI) for marketing or fundraising purposes; expands individuals’ rights to receive electronic copies of their health information; requires modifications to, and redistribution of a covered entity’s notice of privacy practices; and adopts changes to the HIPAA Enforcement Rule to implement increased and tiered civil monetary penalties enacted by the HITECH Act.

Dangerous Patient: Guidance Letter January 2013

Letter issued by the U.S. Department of Health and Human Services (HHS) on January 15. The letter, citing 45 CFR § 164.512(j), states that the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule does not prevent the disclosure by a health care provider of necessary information about a patient to law enforcement, family members of the patient, or other persons, when the health care provider believes that the patient presents a serious danger to himself or to other people.

OCR HIPAA Audit Protocol (updated April 2016)

The audit protocol covers various aspects of the Privacy, Security and Breach Notification Rules. The protocol addresses 165 performance criteria, 77 of which focus exclusively on compliance with the Security Rule, and 88 in combination that deal with Breach Notification and Privacy Rule requirements.


HIPAA Privacy Rule, Accounting of Disclosures Under the Health Information Technology For Economic and Clinical Health Act (HITECH Act), 76 Fed. Reg. 31426 (May 31, 2011)

The purpose of these modifications is, in part, to implement the statutory requirement under the Health Information Technology for Economic and Clinical Health Act to require covered entities and business associates to account for disclosures of protected health information to carry out treatment, payment, and health care operations if such disclosures are through an electronic health record. Two separate rights would be created for individuals: a right to an accounting of disclosures, and a right to an access report. The access report would provide information on who has accessed electronic PHI in a designated record set (including access for purposes of treatment, payment and health care operations), while the accounting of disclosures would provide additional information about the disclosure of designated record set information (whether electronic or hard copy) to persons outside the covered entity and its business associates for certain purposes.


Title I of HIPAA is the Health Insurance Reform section and does the following:

  • Restricts an employer's or insurer's ability to use pre-existing condition exclusions or limitations. Pre-existing condition limitations may not exceed 12 months, except for late enrollments, in which case the limitation may not exceed 18 months. No pre-existing condition limitation may be applied to an individual who was continuously covered for 12 months or more under the prior employer's health plan. In addition, no pre-existing condition limitation can be applied to children who become covered under "creditable coverage" within 30 days of birth, adoption or placement for adoption. Pre-existing condition limitation periods have to be reduced by the length of the aggregate period of the employee's prior creditable coverage. "Creditable coverage" is coverage of the individual under a group health plan, health insurance coverage (either group or individual), Medicare, Medicaid, military sponsored health care, or certain other government sponsored medical plans. A break in coverage that extends beyond 63 days disqualifies the opportunity to have the prior coverage count towards limiting the pre-existing condition limitation period. Pre-existing condition is defined as "a condition, mental or physical, present on the enrollment date, for which any medical advice, diagnosis, care or treatment was recommended or received within six months before the enrollment date." Pregnancy may not be identified as a pre-existing condition under any pre-existing condition exclusion. An employer or the employer's insurer must provide notification to each individual about any pre-existing condition limitations. The notice must include the basis of the determination, the source and substance of any information on which the plan relied in making the determination, and an explanation of the plan's appeal procedures, and notification of the individual's right to present additional evidence.

  • Requires almost all employers and insurers to comply with certification requirements. Insurers and health plan sponsors are required to maintain coverage records and to issue certifications of coverage for periods of coverage occurring after July 1, 1996. Written certification of the participant's period of creditable coverage must be provided by the employer or their insurer: a) at the time the individual ceases to be covered under COBRA continuation coverage; b) at the time a qualified beneficiary under COBRA ceases that coverage; or c) upon a covered individual's request if such a request is made within 24 months after termination of coverage. The employer or its insurer should retain coverage information for 24 months after individuals lose group health coverage; and maintain data and issue certificates based on categories of coverage, such as prescription drugs, mental health, or substance abuse. For copies of the model notice, model certificate, and model form, see 62 Fed. Reg. 16,894 (Apr. 8, 1997).

  • Imposes special enrollment period rules on group health plans. In general, group health plans and health insurance issuers offering group health insurance coverage are required to permit late enrollment for individuals who originally declined coverage due to alternative coverage if they lose such other coverage and request enrollment within 30 days.

  • Restricts group health plans from discrimination on the basis of health status. Limitations on conditions covered by the plan can last no longer than 12 months. All medical plans will be guaranteed renewable. Group plans cannot use health status to deny or drop coverage.

Title II contains the Administrative Simplification Provisions of HIPAA

Title II addresses the security and privacy of health data. When Congress adopted HIPAA in 1996, the law included a provision mandating the Department of Health and Human Services to promulgate standards to ensure the privacy of personally identifiable health information if Congress had failed to act by 1999. Congress did not act, and thus HHS issued proposed rules on privacy and several other standards. While much of the focus has been on the privacy standards, there are actually four sets of standards:

  • Privacy
  • Electronic Transactions
  • Security
  • Unique Identifiers 

What entities are covered by these standards?

Before getting involved in all of the deadlines imposed by the HIPAA Standards, the first question is whether the university is covered by the standards at all; in other words, are you a covered entity? In general, the standards apply to all health care providers that conduct certain transactions in electronic form, health care clearinghouses, and health care plans. Unfortunately, there is no quick and easy way to determine if you are indeed a covered entity. This decision requires either some heavy reading or consultation with an outside attorney. However, the key questions are: (1) Are health care services provided? and (2) Do you engage in standard electronic transactions with third party payors?

If a student health center posts a bill to a student's online account, which will ultimately be paid by the student or his/her parent, this is not a standard electronic transaction with a third party payor.

Once you have determined you are a covered entity, or a hybrid entity (this is a special designation for those whose primary business is not health care, see 45 CFR § 164.504(a)) then you must decide what your obligations are under the law. Final regulations have been issued for the privacy and transaction standard sections of the law. The final privacy regulations can be found at 67 Fed. Reg. 53181, Aug. 14, 2002. Compliance with the privacy regulations must occur by April 14, 2003.

The final transaction standards are online at 65 Fed. Reg. 50312, Aug. 17, 2000, and final modifications to the Electronic Data Transaction Standards and Code Sets are published at 68 Fed. Reg. 8381 (Feb. 20, 2003). Compliance with the transaction standards was set for Oct. 16, 2002, but covered entities may delay compliance until Oct. 16, 2003 if they have filed for an extension by Oct. 16, 2002 (Public Law 107-105). See 67 Fed. Reg. 18216 (April 15, 2002) for further information on filing for an extension, and a sample model compliance plan.

Security Regs

Final rules for the Security Standards are published at 68 Fed. Reg. 8333 (Feb. 20, 2003). The FERPA exception to the definition of protected health information was added to this rule. Page 8342 of the rule states the following:

1. Scope of Health Information Covered by the Rule [Sec. 164.306(a)]. We proposed to cover health information maintained or transmitted by a covered entity in electronic form. We have modified, by narrowing, the scope of health information to be safeguarded under this rule from that which was proposed. The statute requires the privacy standards to cover individually identifiable health information. The Privacy Rule covers all individually identifiable information except for: (1) Education records covered by the Family and Educational Rights and Privacy Act (FERPA); (2) records described in 20 U.S.C. 1232g(a)(4)(B)(iv); and (3) employment records. The scope of information covered in the Privacy Rule is referred to as "protected health information." Based upon the comments we received, we align the requirements of the Security and Privacy Rules with regard to the scope of information covered, in order to eliminate confusion and ease implementation. Thus, this final rule requires protection of the same scope of information as that covered by the Privacy Rule, except that it only covers that information if it is in electronic form. We note that standards for the security of all health information or protected health information in nonelectronic form may be proposed at a later date.

The final security rule states that covered entities, with the exception of small health plans, must comply with the requirements of this final rule by April 21, 2005. Small health plans must comply with the requirements of the final rule by April 21, 2006. The security regs designate certain implementation specifications as required, and otherwise set forth implementation specifications and standards to be addressed by each covered entity, allowing flexibility in the means and methods by which covered entities address that latter category of specifications.

The security rule applies to electronic PHI, i.e. PHI that is transmitted by or maintained in electronic media. This definition includes storage media such as hard drives, magnetic tape or disks, and digital memory cards, and it also includes transmission media such as the Internet, extranets, leased lines, dial-up lines, private networks, and the physical movement of electronic storage media. Certain transmissions, including of paper via facsimile and of voice via telephone, are not considered to be transmissions via electronic media, because the information being exchanged did not exist in electronic form before the transmission.

Electronic PHI may be shared with a business associate only if a business associate contract exists that specifically addresses the security rule. This can be done by a new contract or amending an existing contract.

The general requirements of the security rule require covered entities to do the following:
(1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits.
(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
(3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of the rule.
(4) Ensure compliance with this subpart by its workforce.

Electronic PHI may be disclosed to the plan sponsor without further conditions only when the electronic protected health information disclosed is summary health information or enrollment or disenrollment information as provided for by Sec. 164.504(f). If more than the above is disclosed, then the plan documents of the group health plan must be amended to incorporate provisions to require the plan sponsor to--
(i) Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of the group health plan;
(ii) Ensure that the adequate separation required by Sec. 164.504(f)(2)(iii) is supported by reasonable and appropriate security measures;
(iii) Ensure that any agent, including a subcontractor, to whom it provides this information agrees to implement reasonable and appropriate security measures to protect the information; and
(iv) Report to the group health plan any security incident of which it becomes aware.

Security incident means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.

Implementation of the rule at colleges and universities

Universities with hospitals and academic medical centers are subject to the rules as health care providers. Research institutions are allowed to disclose protected health information to researchers without patient authorization if an Institutional Review Board approves a waiver or alteration of authorization. Universities, if they are self-insured employers, must amend plan documents to limit the employer's ability to obtain health information, must appoint a privacy official, set up firewalls within the institution, and comply with other requirements under the rule.

What about schools that simply operate a student health center? Whether or not the HIPAA privacy rules will apply to the school may hinge on whether or not the university health center engages in electronic transmission of personally identifiable health information. Under the regulations, a health care provider is a covered entity if it transmits health information in electronic form in connection with transactions listed in 45 CFR § 160.103. For example, if the student health center bills a student's health insurer electronically, then the rule comes into play. If the health center does not engage in electronic transmission of personally identifiable health information in a covered "HIPAA transaction," then the HIPAA privacy law will most likely be inapplicable.

If the university receives federal funds, students already have privacy protection under the Family Educational Rights and Privacy Act (FERPA). Under FERPA, medical records are defined as records:

  • of students who are 18 years or older or are attending post-secondary educational institutions,
  • maintained by a physician, psychiatrist, psychologist, or recognized professional or paraprofessional acting or assisting in that capacity,
  • that are made, maintained, or used only in connection with the provision of treatment to the student, and
  • that are not available to anyone, except a physician or appropriate professional reviewing the record as designated by the student.

FERPA excludes the above records from its protections only to the extent they are not available to anyone other than persons providing treatment to students. Any use or disclosure of the record for other purposes, including providing access to the individual student who is the subject of the information, would turn the record into an education record protected by FERPA. The Department of Health and Human Services decided there was no need for another layer of federal privacy protection for these records, and thus student medical records as described above are excluded from the definition of protected health information under HIPAA. It is important to remember that HIPAA does not preempt FERPA.


Guidance on HIPAA and Cloud Computing: Issued October 2016

When a covered entity engages the services of a CSP to create, receive, maintain, or transmit ePHI (such as to process and/or store ePHI) on its behalf, the CSP is a business associate under HIPAA. Further, when a business associate subcontracts with a CSP to create, receive, maintain, or transmit ePHI on its behalf, the CSP subcontractor itself is a business associate. This is true even if the CSP processes or stores only encrypted ePHI and lacks an encryption key for the data. Lacking an encryption key does not exempt a CSP from business associate status and obligations under the HIPAA Rules. As a result, the covered entity (or business associate) and the CSP must enter into a HIPAA-compliant business associate agreement (BAA), and the CSP is both contractually liable for meeting the terms of the BAA and directly liable for compliance with the applicable requirements of the HIPAA Rules.

For more on what this means see the October 8, 2016 HealthBlawg on the new Guidance.

HIPAA Standard Transactions: 45 CFR Part 162

HIPAA Security Risk Assessment Tool


Joint Guidance on the Application of the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act (HIPAA) to Student Health Records, issued November 2008. The guidance addresses the interplay between FERPA and the HIPAA Privacy Rule at the elementary and secondary levels, as well as at the postsecondary level, and addresses many of the questions raised by school officials, health care professionals, and others regarding the applicability of these two laws to records maintained on students. It also addresses certain disclosures that are allowed without consent or authorization under both laws, especially those related to health and safety emergency situations.


Washington & Lee University: HIPAA: Understanding the Basics
by Jennifer Kirkland & Leanne Shank

Idaho State University Resolution Agreement with HHS: This page contains a link to the $400,000 resolution agreement dated 5.13.13 between Idaho State University and HHS, as well as an HHS press release. ISU has agreed to pay $400,000 to HHS and comply with a two-year Corrective Action Plan (Appendix A) that includes submitting a risk management plan to HHS for approval, conducting a compliance gap analysis, and submitting an annual status report, among other requirements. The HHS Office for Civil Rights (OCR) opened an investigation after ISU notified HHS of the breach, in which the ePHI of approximately 17,500 patients was unsecured for at least 10 months due to the disabling of firewall protections at servers maintained by ISU.

HITECH Act: New Law Requires Significant Investment in Health Information Privacy and Security: NACUANOTES July 17, 2009 by Barbara Bennett and Alexander Dreier, Hogan and Hartson

Protecting Personal Health Information in Research: A booklet discussing how the Privacy Rule may affect research posted on the NIH web site.

HIPAA Privacy Rule (HHS web page)

HIPAA Security Rule: NACUANOTES June 13, 2007

HR's role in HIPAA Security Compliance by Philip L. Gordon, Littler Mendelson

This is an excellent summary of the steps Human Resources departments need to take to work with IT professionals to ensure that PHI stored or transmitted electronically is protected.

See for an ongoing commentary on HIPAA.

updated 1-5-18 mlo