The Health Insurance Portability and Accountability Act of 1996 (HIPAA) provides the first national standards for protecting the privacy and security of health information and gives new rights to individuals with respect to their health information. The HIPAA Privacy Rule regulates how covered entities may use and disclose certain individually identifiable health information called protected health information (PHI), whether communicated on paper, electronically, or orally. A covered entity is defined as a health plan, a health care clearinghouse, or a health care provider who transmits health information in electronic form in connection with a transaction for which the Department of Health and Human Services has adopted a standard. Only individually identifiable health information that is created or received by a covered entity qualifies as PHI and is covered by HIPAA.
Johns Hopkins University is a single legal entity that performs both covered and non-covered functions. Therefore, the University has elected to be a hybrid entity under HIPAA.
The Johns Hopkins Bloomberg School of Public Health is not a covered entity. This is because JHSPH is not a healthcare component of JHU that transmits health information in electronic form, as contemplated by HIPAA.
To view the JHSPH HIPAA policy, click here.