This executive order is issued under the authority of Sections 1 and 2 of Chapter III of
the Standing Orders of the Board of Trustees and is effective as of April 14,
2003.
- Purpose
This executive order is established to govern the California State University's compliance
obligations with respect to the Administrative Simplification Rules promulgated under the
Health Care Portability and Accountability Act of 1996 (HIPAA). These rules mandate
significant changes in the legal and regulatory landscape governing the provision of health
benefits, the delivery of and payment for health care services, and the privacy and
security of individually identifiable health information.
The Administrative Simplification Rules are comprised of several sets of regulations, the
most important of which are the Privacy Rule, the Transactions Rule, and the Security Rule.
The Privacy Rule, with a compliance date of April 14, 2003, governs the privacy of an
individual's health information. The Transactions Rule sets specifications for the
electronic transmission of data relating to certain health-related financial and
administrative transactions. Compliance is required on or before October 16, 2003. The
Security Rule provides for security of an individual's health information that is
transmitted or stored in electronic form. The compliance date for the Security Rule is
April 21, 2005.
The HIPAA regulations apply to health care providers who transmit health information in
electronic form in connection with specific types of transactions (discussed below). The
regulations also apply to health plans and health care clearinghouses. Although the
California State University is a higher education institution, it performs some of these
covered functions and therefore must comply with HIPAA.
CSU may limit the scope of its compliance obligations, however, by taking on "hybrid
entity" status under HIPAA. This is accomplished by formally designating CSU
"health care components," i.e., those parts of the CSU that actually engage in
covered functions. As a hybrid entity, only the designated CSU health care components
— and not the entire institution — will be required to comply fully with HIPAA,
while the CSU system will be responsible for the following:
- Ensuring that each designated CSU health care component (and any CSU components that
provide certain financial or administrative services to it) comply with the Privacy
Rule's restrictions on the use and disclosure of protected health information when
dealing with the rest of the CSU.
- Complying with the enforcement and compliance provisions of the regulations,
including:
  - Keeping records and submitting compliance reports in response to a request by the
    Secretary of the U.S. Department of Health and Human Services;
  - Cooperating with complaint investigations and compliance reviews; and
  - Permitting access by the Secretary during normal business hours (unless exigent
    circumstances exist) to CSU facilities, books, records, accounts and other sources of
    information, including protected health information, that are pertinent to
    ascertaining compliance with HIPAA regulations;
- Implementing policies and procedures for protected health information that are designed
to comply with HIPAA; and
- Designating health care components.
The purpose of this executive order is to formalize the designation of CSU health care
components, to assign responsibility for reporting additional CSU health care components
that may need to be formally designated, and to ensure that CSU and its designated health
care components comply with HIPAA to the extent applicable.
- Designated CSU Health Care Components
CSU, as a hybrid entity for purposes of HIPAA, has designated the health care components
listed on Attachment 1. The Assistant Vice Chancellor, Student Academic Support shall be
responsible for promptly updating Attachment 1 to reflect all newly designated or
de-designated CSU health care components, and shall append each revised version of the
attachment to this executive order. Each revised version of Attachment 1 shall show the
effective date of the revision. A copy of each version of Attachment 1 shall be maintained
for at least six years after the date it was last in effect.
- Responsibility for Additional Covered Health Plans, If Any
The Vice Chancellor, Human Resources shall be responsible for ensuring that the formal
designation of CSU health care components is at all times accurate with respect to
covered health plans offered by CSU or any of its campuses. Additional health care
components shall be reported promptly to the Assistant Vice Chancellor, Student
Academic Support.
- Responsibility for Additional Covered Health Care Providers, If Any
The President of each CSU campus shall be responsible for ensuring that the formal
designation of CSU health care components is at all times accurate with respect to
covered health care providers on his/her respective campus. Additional health care
components shall be reported promptly to the Assistant Vice Chancellor, Student
Academic Support.
Covered health care providers are those who meet the following requirements:
- The health care provider (directly or indirectly) transmits health information in
electronic form; and
- The transmission is in connection with a covered transaction between two parties
to carry out financial or administrative activities related to health care. This
includes the following types of information transmissions:
  - Health care claims or equivalent information about patient visits submitted for
    payment purposes;
  - Health care payment and remittance advice;
  - Coordination of benefits;
  - Health care claim status;
  - Enrollment and disenrollment in a health plan;
  - Eligibility for a health plan;
  - Health plan premium payments;
  - Referral certification and authorization;
  - First report of injury;
  - Health claims attachments; and
  - Other transactions that the Secretary of the U.S. Department of Health &
    Human Services may prescribe by regulation.
- Obligations of Designated CSU Health Care Components
Each designated CSU health care component shall comply with HIPAA regulations to the
full extent applicable. Guidance is available through the CSU Office of General
Counsel.
Student health centers, in particular, must be mindful of the obligation to comply with
the Family Educational Rights and Privacy Act (FERPA) with respect to patients who are
CSU students. The HIPAA Privacy and Security Rules do not apply to student records of
any kind, regardless of whether they contain health information.
Each designated CSU health care component shall adopt policies and procedures to
implement the HIPAA Privacy Rule to the extent required. Standard policies and
procedures are available through the CSU Office of General Counsel.
In addition to other applicable requirements of the HIPAA regulations, each designated
CSU health care component shall comply with the following:
- Designated CSU health care components shall not disclose protected health
information to other parts of the CSU or to other designated CSU health care
components if such disclosure would violate the HIPAA Privacy Rule;
- If a CSU employee, office or department performs activities that would make it a
"business associate" [1] of a designated CSU health care
component if the two components were separate legal entities, the CSU
"business associate" component must not use or disclose protected health
information that it creates or receives from or on behalf of the designated CSU
health care component in a manner that violates HIPAA.
- If a CSU employee, contractor, or volunteer performs duties for a designated CSU
health care component as well as for another component of the university, that
person must not use or disclose protected health information that was created or
received in the course of his/her work for the health care component in a manner
that violates HIPAA.

[1] A "business associate" is one who performs a function or
activity on behalf of the designated health care component that involves the use or disclosure
of individually identifiable health information, including: claims processing or
administration; data analysis, processing or administration; utilization review; quality
assurance; billing; benefit management; practice management; and repricing.