Visit
Apply
Give

Institutional Compliance

Designated Components of the Covered Entity

Designated Components of The University of Toledo & The University of Toledo Physicians, LLC

HIPAA Affiliated Covered Entities & HIPAA Privacy and Security Rule

Pursuant to University Policy 3364-15-01, the Privacy and Security Committee determines, reviews and updates the HIPAA designated components of both entities.   The organization is structured as a hybrid entity with designated components and “affiliated covered entities.”

Hybrid Structure and Designated Components:  The University of Toledo is a “hybrid entity” for purposes of HIPAA, because it performs both HIPAA covered functions and HIPAA non-covered functions in different departments across its various locations, and it has documented which components are covered, i.e., the “designated components.”  HIPAA covered functions include the activities performed by the University that make the entity a covered entity under HIPAA such as health plan or health care provider activities.  In a hybrid entity, HIPAA Rules, policies, and training requirements, as well as permission to access, receive, use and store protected health information (“PHI”) are limited to the entity’s designated components.  Designated components of a hybrid entity must include any component that would meet the definition of a HIPAA covered entity or business associate if the component were a separate legal entity.

Service Departments within The University of Toledo: In addition to the traditional designated components, any department of the University that creates, receives, maintains or transmits PHI for a University designated component, including claims processing, billing, quality assurance, legal, accounting, administrative services, or financial services, etc. must be included as a designated component.  These “service” departments within the University that create, maintain or transmit protected health information for a HIPAA designated component would be considered “business associates” of the University if they were separate legal entities.

Affiliated Covered Entities – The University of Toledo Physicians, LLC:  Legally separate covered entities that are under common ownership or common control may designate themselves as a single covered entity known as “Affiliated Covered Entities” or “ACE”, which permits the entities to act jointly with respect to HIPAA administration and compliance.  UT and UTP have elected the ACE structure under HIPAA, which consists of (1) the designated components of The University of Toledo, and (2) The University of Toledo Physicians LLC, including administrative offices and all UTP clinics.

As an ACE the two entities will maintain:

  • one Joint Notice of Privacy Practices for its patients;
  • one set of HIPAA policies and procedures;
  • the same HIPAA training (including institution-specific policies);
  • a single privacy officer;
  • a single security officer;
  • a joint security risk analysis;
  • and implement a joint risk management plan.

List of Designated Components: the following departments are the units that perform covered functions and are therefore designated components of The University of Toledo.  These units are required to comply with HIPAA privacy and security rules and policies.

  1. The University of Toledo Medical Center (UTMC)

  2. All departments located at the Health Science Campus (HSC) that:

(1) are involved in Treatment, Payment, or Health Care Operations; and

(2) any department that creates, receives, maintains or transmits PHI for a University designated component, including claims processing, billing, quality assurance, legal, accounting, administrative services, or financial services, etc., to the extent that department’s activities relate to the departments in group (1) of this paragraph are a designated component of the Hybrid. 

Departments located on the HSC that are not involved in groups (1) or (2) of this paragraph are not designated components of the hybrid.  However, due to their location and close proximity to areas with Patient Health Information, they will be required to take HIPAA training to minimize risk of incidental disclosures.

C. The University of Toledo

  1. Office of the President and the President’s Cabinet
  2. Board of Trustees
  3. UToledo Health Board
  4. Office of Legal Affairs
  5. Office of Risk Management
  6. Internal Audit
  7. Finance and Administration
  8. Privacy Office
  9. Healthcare Compliance Office
  10. Patient Financial Services
  11. Hospital Finance Research and Sponsored Programs, Administration only
  12. Human Resources
  13. Division of Technology and Advanced Solutions
  14. Safety and Health
  15. Diversity and Inclusion
  16. Disability Services
  17. Self-Insurance Plan, Flexible Spending Account, and employees designated by these plans to administer the plans.
  18. Supply Chain
  19. Controller/Grants Accounting
  20. Accounting
  21. University Marketing and Communications
  22. Main Campus Student Health Services*
  23. Psychology Department
  24. Speech Language Pathology Department
  25. Sports Medicine – Department of Athletics
  26. Pharmacy – Inpatient and Outpatient
  27. Student Insurance Management
  28. Health Sciences Colleges
  29. Student Affairs for Title IX matters only
  30. Academic Affairs for Title IX matters only

*Faculty, staff, in addition to students may receive health care services at MCSHS

 

Note:  Reviewed by the UToledo Healthcare Privacy and Security Committee on 1/15/2020; revised 6/9/2023

Last Updated: 7/15/24