Oregon State University HIPAA Hybrid Entity Designation
Oregon State University is a covered entity under the Administrative Simplification subtitle of the Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. §§ 1320d to 1320d-9, as amended, and its implementing regulations at 45 C.F.R. parts 160 to 164 (collectively, “HIPAA”). Specifically, Oregon State University is a covered entity because: (1) it is a health care provider because it furnishes, bills, or is paid for health care in the normal course of business; and (2) through its Student Health Services Center, it transmits health information in electronic form in connection with a transaction covered by HIPAA’s regulations.
Oregon State University is a “hybrid entity” in accordance with 45 C.F.R. § 164.103 by hereby designating the following health care components in accordance with 45 C.F.R. § 164.105(a)(2)(iii)(D):
- Oregon State University Student Health Services
To the extent that Oregon State University’s designated health care component provides health care to students and maintains education records or treatment records that are excluded from the definition of “protected health information” at 45 C.F.R. § 160.103, nothing in this designation is intended to suggest that the designated health care component has compliance obligations with respect to such records under the HIPAA privacy, security, or breach notification regulations.
For the avoidance of doubt, Oregon State University’s designated health care component does not include the following component(s) that provide health care but do not transmit health information in electronic form in connection with a transaction covered by HIPAA’s regulations:
- Oregon State University-Cascades Counseling Clinic.
- Oregon State University Counseling & Psychological Services
- Oregon State University Occupational Health Services
- Oregon State University Athletics Sports Medicine
This designation became effective on March 25, 2025.