This guide about the Health Insurance Portability and Accountability Act (HIPAA) is for informational purposes only and is not intended as legal advice. If you have questions, please contact the UMD Office of General Counsel.
HIPAA is the acronym for the Health Insurance Portability and Accountability Act that was passed by Congress in 1996. The U.S. Department of Health and Human Services offers a summary of the HIPAA security rule should you wish to learn more about this.
HIPAA only applies if you are (1) providing health care services, (2) to non-students, AND (3) engaging in HIPAA-covered electronic transactions as set forth in the statute/regulations (e.g., billing insurance companies). If you still have questions about how HIPAA applies to your work at UMD, please refer to the HIPAA decision flow chart.
Yes! FERPA, the Maryland Confidentiality of Medical Records Act, and other laws and regulations require UMD to protect PHI and personally identifiable information (PII).
If a UMD unit believes it is (1) offering health care services, (2) to non-students, and (3) engaging in HIPAA-covered electronic transactions, the unit should contact the Office of General Counsel for specific guidance. Should any UMD unit desire to become HIPAA compliant, it must go through a lengthy review process, which includes approval by the UMD president and be added to UMD's HIPAA hybrid policy. Only after approval and inclusion in the policy can any UMD unit claim to be HIPAA compliant. HIPAA Covered Entities are required by law to have contracts, known as a Business Associate Agreements (BAAs), with any service provider with access to Protected Health Information; such service providers are known as business associates. The BAA must be signed by UMD (on behalf of the unit who wishes to become a HIPAA Covered Entity) and the business associate (ex., IT service provider).
At UMD, only the Health Center and the Hearing and Speech Sciences (HESP) clinics are HIPAA Covered Entities, and then only when providing health care services to non-students. Student information is covered by FERPA, not HIPAA. When it comes to remote communication, these two units must have in place a HIPAA compliant system. For example, HESP clinics use a compliant teletherapy system.
Athletics, which only deals with students, is not required to comply with HIPAA.
The Counseling Center in Student Affairs does not engage in any covered electronic transactions and does not provide service to non-students, therefore it is not required to comply with HIPAA.
The Office of General Counsel has prepared an acknowledgement (for non-HIPAA units) that should be signed by all UMD personnel, including student-practitioners, prior to offering services via teletherapy. An acknowledgment of HIPAA-covered units is also available. You should obtain written consent from patients who agree to participate in teletherapy.
Please refer people to the HIPAA decision flow chart designed by UMD’s Office of General Counsel to elucidate questions and concerns that you may have. If a researcher is using PHI in research, they are not subject to HIPAA (other data protection restrictions may apply). This will be a different case if a researcher is performing a clinical trial.