Executive Policy: HIPAA Hybrid Entity
Executive Policy 40: HIPAA Hybrid Entity Designation Policy
This policy identifies Washington State University (WSU) as a hybrid entity and designates its covered health care components, which include business associate functions (collectively “Health Care Components” or “HCC”), in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act.
Protected Health Care Information (PHI) Incident Response Guide
If you are unsure if an incident has occurred please fill out our PHI Incident Response Form.
- Incident Response Guide for Employees
- Incident Response Guide for Supervisors and Managers
- Incident Response Guide for Privacy Officers
Building Security Reminders
Use the building security reminders checklist as needed to review building security.
Health Sciences Training
Required Trainings
Professionals working in healthcare components and applicable business units are required to take these WSU trainings:
- HIPAA Privacy Overview and Protected Health Information
- Discrimination, Sexual Harassment, and Sexual Misconduct Prevention (DSHP)
- Ethics in Public Service
- Cyber Security Awareness Training
For new employees, additional trainings are required. Please see the HRS required trainings list. To access these trainings log on to Percipio with your WSU credentials.
Finding the Required Trainings
Follow these steps after logging into Percipio:
- The assignments that your Learning Manager has assigned to you will be on the main Percipio page under Assignments. We ask that the Learning Manager at each healthcare component or applicable business unit assigns the required trainings to the applicable workforce member for convenience and tracking.
- To find the HIPAA Training: If you are not assigned the training, but still would like to take it, type “Regulatory Compliance” in the search bar. This will bring up the Regulatory Compliance Channel.
- Scroll through the channel to find:
- HIPAA Privacy Overview
- Protected Health Information
- Click the card to begin the training and complete the required courses.
- For other required trainings, use the search function in Percipio or check with your Learning Manager.
If you have questions about Percipio please visit the Percipio FAQ page.
Having issues accessing any of these trainings? Please contact us at smakamson@wsu.edu.
Policy Templates
These templates are for WSU Departmental use as the groundwork for departmental policies regarding HIPAA and Protected Health Information – Departments needing assistance or that have questions are encouraged to reach out.
Notice of Privacy Practice – Template
Risk Assessment
Multiple Risk Assessments are available for use ranging from isolated incidents to yearly departmental review.
The Security Risk Assessment Tool provided by the Office of the National Coordinator for Health Information Technology is available for WSU Health Care Components when completing their annual departmental risk assessment.
The SRA tool must be downloaded and installed to use; departments may need to work with their IT contacts for setup.
Business Associate Agreements
WSU Departments who are considered covered entities must ensure that HIPAA Business Associate Agreements (BAA’s) are in place and up to date with partners regarding Protected Health Information (PHI) security as well as HIPAA compliance.
BAA’s need to go through the WSU Contracts process and procedure as outlined in BPPM 10.11