HIPAA applies to "covered entities".
What is a "covered entity"?
Covered Entities are defined in HIPAA as (1) health plans, (2) health care providers and (3) health care clearinghouses (entities that process nonstandard information they receive from another entity into a standard format or data content, or vice versa) who electronically transmit any health information in connection with transactions for which HHS has adopted standards.
- The University Hospital is a covered entity because it provides health care.
- UPI is a covered entity because is processes patient information in order to bill for services.
The University is a "hybrid entity".
What is a "hybrid entity"?
A single legal entity that conducts both covered and non-covered functions and designates certain health care components as covered functions – resulting in those functions of the entity being subject to HIPAA. The University of Colorado Denver | Anschutz Medical Campus is a Hybrid Entity.
- The Physiology and Biophysics Department is a NON-HIPAA unit (as are most of the basic science departments as well as the Schools and Colleges on the downtown campus).
- The Department of Medicine, with all its divisions, is a clinical science unit, and is under HIPAA as a "covered entity" due to seeing patients and providing health care.
See University of Colorado’s Administrative Policy Statement #5055: "HIPAA Hybrid Entity Designation"