HIPAA at SLU

Saint Louis University’s Health Information Privacy compliance program is implemented to support sound health care practices, protect the privacy of health information, and fulfill the University’s legal obligations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), including its implementing regulations at 45 CFR Parts 160 and 164 (“Privacy Rule”), as amended, and Missouri state laws.

As a designated hybrid entity, the University applies HIPAA requirements to its defined health care components, which operate as covered entities under the law. SLU takes reasonable steps to ensure the confidentiality, integrity and availability of protected health information (PHI), in accordance with HIPAA and any applicable state laws that provide greater protections.

At SLU, health data is categorized as either PHI (clinical) or RHI (research). The rules that apply depend on where the data is stored and how it was collected. Use the decision tree below to determine your data's status and your compliance obligations.

Please note: As of July 1, 2022, SSM Health handles SLUCare-specific HIPAA issues. For patient privacy concerns related to SLUCare, please contact the SSM Ethics and Compliance Helpline at 877-427-7275.

Student Health Privacy at SLU

Student health information at Saint Louis University is governed by the Family Educational Rights and Privacy Act (FERPA) and Missouri state law, not HIPAA. This is due to a required exception in HIPAA’s privacy rule. The University complies with FERPA and applicable state laws to protect student health information, which may differ in scope and requirements from HIPAA.

HIPAA Hybrid Entity Designation

As part of the University’s education mission, SLU has components whose activities include health care provider functions covered by HIPAA as well as many functions unrelated to the provision of health care. To focus its compliance efforts, the University is designated as a hybrid entity. This means HIPAA applies only to certain clinical components of the university that function as "health care components."

SLU’s health care components are:

For a current list of these components, please refer to the official HIPAA hybrid policy.

Research and Health Privacy

As a designated HIPAA hybrid entity, Saint Louis University generally does not use protected health information (PHI) for research purposes. As a result, research health information that is released through a participant's authorization and is not associated with a health care service in a SLU health care component is not subject to the HIPAA privacy and security rules. More specifically, health-related information (research health information) generated during research conducted outside SLU’s patient care areas or in a dedicated research setting is not subject to HIPAA.

However, in limited cases where PHI is involved because it originates from or is part of a SLU health care component’s patient care, its use must comply with applicable HIPAA privacy and security regulations. In all cases, research data, including research health information (RHI), must follow Institutional Review Board (IRB) protocols and university policies, which may require de-identification or explicit authorization to ensure participant privacy.

HIPAA and Research: Understanding the Hybrid Entity

As a Carnegie R1-research institution, Saint Louis University thrives on global collaboration. Our hybrid entity structure is designed to facilitate these high-level partnerships by providing a clear framework for data sharing. This ensures that while our research mission expands, our clinical data remains protected under the highest regulatory standards.

  • Clinical care (covered): Within a covered component, as defined above (in the HIPAA hybrid policy), the data is protected health information (PHI) and governed by HIPAA.
  • Research (non-covered): Most university research happens in "non-covered components." When a researcher receives health data from a clinical provider under a valid authorization or waiver, that data is no longer PHI protected by HIPAA and becomes RHI. Although RHI is not subject to the HIPAA privacy rule, it is strictly confidential. It is protected by:
    • The Common Rule
    • IRB Protocols
    • SLU data security standards
    • Contractual agreements (data use agreements)
  • Administrative and academic functions (non-covered): Most routine university operations (including teaching, advising, human resources, student services, general administration and academic programs, etc.) are not HIPAA covered functions. These activities operate outside the HIPAA framework but remain subject to SLU policies, FERPA (where applicable), and SLU’s data security standards.

Mishandling RHI

While not a HIPAA violation, losing or disclosing RHI outside approved protocol is a serious "protocol non-compliance" and may result in IRB suspension or loss of research privileges. Please report any mishandling of RHI to the HIPAA privacy office.

Training

The University provides comprehensive HIPAA training for all workforce members who handle PHI. To request training, please contact the Compliance Office at compliance@slu.edu.

Health Privacy Policies and Forms

All other health privacy policies are available to the SLU community on PolicyStat.

Health Privacy and HIPAA Resources and Support

For questions, comments or concerns about health privacy-related policies and procedures at SLU, please email compliance@slu.edu or hipaa@health.slu.edu.