The HIPAA Privacy Rule 15th Anniversary - Blast from the Past & Hybrid Entities

In April 2003, sports drama ‘42’ was a hit at the box office, hip hop hit ‘In da Club’ by 50 Cent topped the Billboard charts, and the Human Genome Project was completed with 99% of the human genome sequenced to an accuracy of 99.99%. The date also marked the end of years of preparation for healthcare providers and most payers to comply with the HIPAA Privacy Rule.

Fifteenth anniversaries are traditionally symbolized with roses, rubies, or crystal. Throughout the month of April, VantagePoint is highlighting the 15th anniversary of the compliance date for the HIPAA Privacy Rule with special informational posts regarding HIPAA compliance and some of the lesser known (or understood) provisions.

An example of provisions that cause confusion include how HIPAA works for entities that have healthcare and non-healthcare related components. An example of an organization type that often experiences confusion regarding compliance with HIPAA is a college or university that offers on-site health services for students.  The Family Educational Rights and Privacy Act of 1974 (FERPA) applies to the health records maintained on students at the campus health clinics of postsecondary schools.  Entities subject to FERPA classify records as either education or treatment records, both of which are excluded from coverage under the HIPAA Privacy Rule (with some exceptions) even if the school is a HIPAA covered entity.  A school becomes a hybrid entity, subject to HIPAA, by segregating healthcare related activities into a separate component of operations.