HIPAA and the Use of Information Technology Systems at UMD

This guide about the Health Insurance Portability and Accountability Act (HIPAA) is for informational purposes only and is not intended as legal advice. If you have questions, please contact the UMD Office of General Counsel.

General Important Statements

What is HIPAA?

HIPAA is the acronym for the Health Insurance Portability and Accountability Act that was passed by Congress in 1996. The U.S. Department of Health and Human Services offers a summary of the HIPAA security rule should you wish to learn more about this.

In which circumstances does HIPAA apply to my work at UMD?

HIPAA only applies if you are (1) providing health care services, (2) to non-students, AND (3) engaging in HIPAA-covered electronic transactions as set forth in the statute/regulations (e.g., billing insurance companies). If you still have questions about how HIPAA applies to your work at UMD, please refer to the HIPAA decision flow chart.

If my work isn’t covered by HIPAA, do I have a legal obligation to protect data containing personal health information?

Yes! FERPA, the Maryland Confidentiality of Medical Records Act, and other laws and regulations require UMD to protect PHI and personally identifiable information (PII).

What do I need to do if my work at UMD meets all of the three circumstances listed above?

If a UMD unit believes it is (1) offering health care services, (2) to non-students, and (3) engaging in HIPAA-covered electronic transactions, the unit should contact the Office of General Counsel for specific guidance. Should any UMD unit desire to become HIPAA compliant, it must go through a lengthy review process, which includes approval by the UMD president and be added to UMD's HIPAA hybrid policy. Only after approval and inclusion in the policy can any UMD unit claim to be HIPAA compliant. HIPAA Covered Entities are required by law to have contracts, known as a Business Associate Agreements (BAAs), with any service provider with access to Protected Health Information; such service providers are known as business associates. The BAA must be signed by UMD (on behalf of the unit who wishes to become a HIPAA Covered Entity) and the business associate (ex., IT service provider).

Which units at UMD are currently a HIPAA covered entities?

At UMD, only the Health Center and the Hearing and Speech Sciences (HESP) clinics are HIPAA Covered Entities, and then only when providing health care services to non-students. Student information is covered by FERPA, not HIPAA. When it comes to remote communication, these two units must have in place a HIPAA compliant system. For example, HESP clinics use a compliant teletherapy system.

What about the athletic department?

Athletics, which only deals with students, is not required to comply with HIPAA.

What about the Counseling Center?

The Counseling Center in Student Affairs does not engage in any covered electronic transactions and does not provide service to non-students, therefore it is not required to comply with HIPAA.

What about other campus clinics that are not covered by HIPAA but want to provide teletherapy for clients?

The Office of General Counsel has prepared an acknowledgment (for non-HIPAA units) that should be signed by all UMD personnel, including student-practitioners, prior to offering services via teletherapy. An acknowledgment of HIPAA-covered units is also available. You should obtain written consent from patients who agree to participate in teletherapy.

What about research that uses Personal Health Information (PHI)?

Please refer people to the HIPAA decision flow chart designed by UMD’s Office of General Counsel to elucidate questions and concerns that you may have. If a researcher is using PHI in research, they are not subject to HIPAA (other data protection restrictions may apply). This will be a different case if a researcher is performing a clinical trial.