Carnegie Mellon University

Health Insurance Portability and Accountability Act (HIPAA)

POLICY TITLE: Health Insurance Portability and Accountability Act Policy (HIPAA)
DATE OF ISSUANCE: March 16, 2010; Revised October 15, 2021
ACCOUNTABLE DEPARTMENT/UNIT: Office of the Vice President for Student Affairs. Questions about Policy content should be directed to Health Services, 412-268-2157.
ABSTRACT: Policy regarding compliance with the Health Insurance Portability and Accountability Act of 1996 and subsequent federal regulations.


In compliance with the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191 as amended) ("HIPAA"), Carnegie Mellon University ("University") has adopted the following Health Insurance Portability and Accountability Act Policy ("Policy") to protect Protected Health Information ("PHI"), as defined by the Code of Federal Regulations 45 C.F.R. 160.103. It is the intent of this Policy to act as a supplement to, not a replacement for, other University Policies.

Declaration of Hybrid Entity Status

The University is a Covered Entity under the HIPAA statute and regulations, however, the business activities of the University include both covered and non-covered functions. The University hereby designates itself a hybrid entity for purposes of HIPAA compliance.

The University’s Health Care Component (“HCC”), which may be revised and updated by the Privacy Officer from time to time, is hereby designated as including the following: HCC Provider Functions

  • University Health Services (“UHS”), limited to standard health care services provided to students; and
  • Counseling and Psychological Services (“CaPS”), limited to psychiatry services provided to students.
    • Internal Business Associates Currently, the university does not have any internal business associate functions as the Primary Components listed above provide covered services only to students and, thus, does not create or maintain any PHI. Accordingly, there are no internal functions or departments that engage in the creation, receipt, maintenance or transmission of PHI for or on behalf of the HCC.


Carnegie Mellon University's designated HCC shall maintain the privacy of PHI in accordance with the requirements of the HIPAA statute and regulations.

The President of the University shall appoint a University HIPAA Privacy Officer responsible for coordinating compliance with the HIPAA Privacy Rule. The specific roles and responsibilities of this officer shall be set forth in supplemental documentation developed by the University.

The University HIPAA Privacy Officer and Primary Components shall coordinate to develop supplemental procedures to implement this Policy.


This Policy shall be reviewed by the Office of the General Counsel and University HIPAA Privacy Officer as deemed necessary based on changes in the law and changes in functions or activities that affect HIPAA compliance and this Policy. All iterations of this Policy shall be maintained for a period specified by applicable federal regulations.


Violations of this Policy may result in suspension or loss of the violator's use privileges with respect to University Information Systems, and/or discipline up to and including termination of employment with the University. Additional civil, criminal and equitable remedies may apply.


Exceptions to this Policy must be approved by the University HIPAA Privacy Officer in consultation with the Office of the General Counsel and relevant individuals in the HCC. All exceptions must be formally documented. Exceptions will be reviewed on a periodic basis for appropriateness.


Health Information is defined as any information, whether oral or recorded in any form or medium, that is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or healthcare clearinghouse; and that is related to the past, present or future physical or mental health condition of an individual, the provision of health care of an individual, or the past, present or future payment for the provision of healthcare to an individual. 

Individually Identifiable Health Information is defined as any heath information, as defined above, that identifies an individual or where there is reasonable basis to believe that the information can be used to identify an individual.

Protected Health Information ("PHI") is defined as Individually Identifiable Health Information transmitted by electronic media, maintained in electronic media or transmitted or maintained in any other form or medium. Protected Health Information does not include education records covered by, or treatment records excluded from, the Family Educational Rights and Privacy Act (20 U.S.C. 1232g) or employment records held by the University in its role as an employer.

Workforce member means employees, volunteers, trainees, and other persons whose conduct, in the performance of work for the Health Care Component, is under the direct control of the Health Care Component, whether or not they are paid by the Health Care Component.