Skip to main content

Cornell University Hybrid Entity Designation for HIPAA

Reason for Document

To comply with the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act and the 2013 HIPAA Omnibus Rule, and its implementing federal regulations (collectively, “HIPAA”).

Introduction and Policy Statement

Cornell University (“CU”) is a private education institution of higher learning providing academic programs and degrees through the doctoral level. Certain CU colleges and departments are involved in healthcare-related activities subject to compliance with healthcare regulations, including HIPAA.

HIPAA applies to individuals and entities that are healthcare providers, healthcare clearinghouses, and health plans (“covered entities”). Under HIPAA, a covered entity that is a single legal entity that conducts both covered and non-covered functions may elect to be a hybrid entity. To be a hybrid entity, the covered entity must identify its components that perform covered functions and designate these components as healthcare components. The HIPAA compliance obligations apply only to the designated healthcare components, and those units that perform support functions on behalf of the healthcare components. A covered entity that does not make this designation is subject to HIPAA in its entirety.

CU conducts both covered and non-covered functions and elects to be a hybrid entity as defined in 45 C.F.R. §§ 164.103 and 164.105. This policy documents CU’s designated healthcare components that must comply with HIPAA requirements in Exhibit A. This list shall be reviewed and updated as necessary by the Office of University Counsel and Weill Cornell Medicine (“WCM”) Privacy Office. CU shall segregate its healthcare components from its non-healthcare components and require the identified healthcare components to comply with HIPAA. Protected health information shall not be shared between the healthcare and the non-healthcare components.

Exhibit A

CU designates the following components as healthcare components covered under HIPAA:

  1. Weill Cornell Medicine (“WCM”), excluding the WCM Employee Assistance Program. (WCM entered into an Organized Health Care Arrangement ("OHCA") with New York-Presbyterian Hospital, Columbia University, Weill Cornell Imaging at New York-Presbyterian, and certain affiliated entities.)
  2. The WCM self-funded employee health, dental, and prescription drug plans, and the health and dental portion of the flexible benefits plan.
  3. Cornell Health, the student health center in Ithaca, NY, excluding the Faculty Staff Assistance Program and Student Disability Services.
  4. The Cornell University self-funded employee health plan, and the health and dental portion of the flexible benefits plan in Ithaca, NY.
  5. The Cornell University health plan in Ithaca, NY, which consists of the self- funded student health plan. 
  6. The Cornell COVID-19 Testing Laboratory (CCTL) in Ithaca, NY.

Administrative Services (to the extent necessary when providing support services to one or more of the healthcare components covered under HIPAA listed above):

  1. Office of University Counsel
  2. Privacy Office
  3. Risk Management
  4. Internal Audit
  5. Cornell Information Technologies (CIT)
  6. Infrastructure, Properties, and Planning (IPP)
  7. Student Services Information Technologies (SSIT)
  8. Office of Human Resources, Health Plan Benefits Managers and Staff

Review, Approval, History

  • July 15, 2020: Added the Cornell COVID-19 Testing Laboratory
  • September 27, 2020: Revisions throughout Hybrid Entity Designation to reflect changes in federal regulations and CU's current organization and practices
  • April 13, 2003: Original issue date

Approved: Cornell University, Ithaca Campus by Joanne DeStefano, Executive Vice President and Chief Financial Officer - Date: July 20, 2020

Approved: Weill Cornell Medicine by Stephen Cohen, Executive Vice Provost, Administration and Finance - Date: July 27, 2020