HIPAA - The Privacy Rule

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) went into effect on April 14, 2003 to:

  • ensure the portability of insurance coverage as employees moved from job to job;
  • increase accountability and decrease fraud and abuse in healthcare; and
  • improve the efficiency of the health care payment process, while at the same time protecting a patient's privacy.

HIPAA applies to "Covered Entities," defined by the Privacy Rule as:

  • a healthcare provider that conducts certain transactions in electronic form,
  • a healthcare clearinghouse,
  • a health plan, or
  • a business associate (person or organization) performing a function on behalf of the Covered Entity for which access to protected health information is needed.

Because Case Western Reserve University (CWRU) has at least one department that provides healthcare services and electronically transmits health information, it is considered a Covered Entity.

CWRU As A "Hybrid Entity"

Since the primary function of CWRU is not to provide healthcare, CWRU is permitted to designate itself as a "hybrid entity," which allows it to apply the Privacy Rule only to those parts of CWRU that, if standing alone, would be a Covered Entity. As a hybrid entity, CWRU must designate its "healthcare components," which include departments that provide support for healthcare components.

Healthcare components at CWRU are:

  • CWRU School of Dental Medicine
  • CWRU School of Dental Medicine Faculty Practice
  • CWRU Student Self-Insured Health Plan and Optional Dependent Medical Plan
  • CWRU Employee Health Plan

CWRU Policies and Procedures for HIPAA

For more information about how CWRU meets HIPAA requirements, go to the University Policies and Procedures for HIPAA. Navigate the PDF document by clicking on the "Bookmarks" tab on the left to view the table of contents. You can also contact Lisa Palazzo, Director of Export Controls & Privacy Management, at lisa.palazzo@case.edu or 216-368-5791.

HIPAA and Research

A researcher who obtains protected health information (PHI) from a Covered Entity (whether at CWRU, University Hospitals of Cleveland, the MetroHealth System, the Louis Stokes Cleveland Veterans Affairs Medical Center, the Cleveland Clinic or from some other Covered Entity) or creates new PHI through the Covered Entity will need to comply with the Privacy Rule. CWRU and its affiliated hospitals empower their IRBs to act as Privacy Boards on behalf of each Covered Entity. For example, the MetroHealth IRB also acts as MetroHealth's Privacy Board for research purposes.

For more information on how to meet each institution's HIPAA requirements, please click on the link for the appropriate IRB below:

  • CWRU Social and Behavioral IRB
  • Case Cancer IRB
  • MetroHealth Medical System
  • University Hospitals Case Medical Center
  • Louis Stokes Cleveland VA Medical Center
  • The Cleveland Clinic

Other Resources on HIPAA

  • Definition of PHI and the 18 identifiers considered to be PHI under HIPAA
  • NIH Privacy Rule and Research
  • DHHS Office for Civil Rights: Government HIPAA Office
  • Office for Civil Rights HIPAA Guidance: Research Section (provides good FAQs)
  • CWRU Informational HIPAA Presentation -- Please note that viewing this presentation WILL NOT satisfy your HIPAA training requirement. It is for informational purposes only. Please see above contacts for information on completing mandatory HIPAA training.


Mark Herron
Chief Information Security Officer
Office of the Vice President for Information Technology Services
Lisa Palazzo
Director of Export Control & Privacy Management