Skip to main content

Cornell University Hybrid Entity Designation for HIPAA

Reason for Document

To comply with the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act and the 2013 HIPAA Omnibus Rule, and its implementing federal regulations (collectively, “HIPAA”).

Introduction and Policy Statement

Cornell University (“CU”) is a private education institution of higher learning providing academic programs and degrees through the doctoral level. Certain CU colleges and departments are involved in healthcare-related activities subject to compliance with healthcare regulations, including HIPAA.

HIPAA applies to individuals and entities that are healthcare providers, healthcare clearinghouses, and health plans (“covered entities”). Under HIPAA, a covered entity that is a single legal entity that conducts both covered and non-covered functions may elect to be a hybrid entity. To be a hybrid entity, the covered entity must identify its components that perform covered functions and designate these components as healthcare components. The HIPAA compliance obligations apply only to the designated healthcare components, and those units that perform support functions on behalf of the healthcare components. A covered entity that does not make this designation is subject to HIPAA in its entirety.

CU conducts both covered and non-covered functions and elects to be a hybrid entity as defined in 45 C.F.R. §§ 164.103 and 164.105. This policy documents CU’s designated healthcare components that must comply with HIPAA requirements in Exhibit A. This list shall be reviewed and updated as necessary by the Office of General Counsel and the privacy offices of CU at its Ithaca and Weill Cornell Medicine (“WCM”) campuses. CU shall segregate its healthcare components from its non-healthcare components and require the identified healthcare components to comply with HIPAA. Protected health information shall not be shared between the healthcare and the non-healthcare components except as permitted under HIPAA.

Exhibit A

CU designates the following components as healthcare components covered under HIPAA:

  1. Weill Cornell Medicine (“WCM”), excluding the WCM Employee Assistance Program.
  2. The WCM self-funded employee health, dental, and prescription drug plans, and the health and dental portion of the flexible benefits plan in Manhattan, NY.
  3. The clinical care components of Cornell Health, the student health center in Ithaca, NY.
  4. The Cornell University endowed employee health plans, including all active and retiree medical, vision, and dental plans, prescription drug programs, health flexible spending accounts, and health savings accounts in Ithaca, NY.
  5. The Cornell University Student Health Plan. 

Administrative Services (to the extent necessary when providing support services to one or more of the healthcare components covered under HIPAA listed above):

  1. Office of General Counsel
  2. Privacy and Compliance
  3. Risk Management & Insurance
  4. Internal Audit
  5. Institutional Review Board (IRB)
  6. Information Technology
  7. Offices of Human Resources
  8. Student Health Benefits
  9. Research Administration & Export Control
  10. Research Informatics
  11. Export Control
  12. University Tax Office

Footnotes

1 - WCM entered into an Organized Health Care Arrangement ("OHCA") with New York-Presbyterian Hospital, Columbia University, Weill Cornell Imaging at New York-Presbyterian, and certain affiliated entities.

Review, Approval, History

  • April 21, 2025: Added various administrative support offices related to research, updated office names, deleted the Covid-19 Testing Laboratory, and added the University Tax Office.
  • July 15, 2020: Added the Cornell COVID-19 Testing Laboratory
  • September 27, 2017: Revisions throughout Hybrid Entity Designation to reflect changes in federal regulations and CU's current organization and practices
  • April 13, 2003: Original issue date

Approved: Cornell University, Christopher J. Cowen, Executive Vice President and Chief Financial Officer - Date: April 21, 2025