FAQ For Health Care Services | Division of Student Affairs

Any UMD activity that provides mental or physical health care services to non-students and electronically transmits certain health information is required to be compliant with HIPAA.

In post-secondary education, the privacy of protected health information (PHI) for students is governed by the Family Educational Rights and Privacy Act (FERPA). If you want to know more about FERPA contact the Office of General Counsel (https://www.president.umd.edu/office-general-counsel).

The use of protected health information by itself does not trigger HIPAA compliance. However, if you are acquiring protected health information from a covered entity as defined by HIPAA (e.g., a health care provider), then certain compliance requirements may apply. You should consult with the source of your protected health information, and UMD’s Office of General Counsel (https://www.president.umd.edu/office-general-counsel).

It is likely you do not need to comply with HIPAA. However, the HIPAA criteria that define electronic transmissions are complex and so if you provide health care services to non-students it is safest to discuss it with the HIPAA Privacy Officer (HIPAA-Privacy@umd.edu).

Charging for services can involve electronic transmission of information that might trigger HIPAA. Generally, if only cash or checks are accepted this does not trigger HIPAA. However, if you directly bill insurance plans (private and/or Medicaid/Medicare) for payment, this will require the electronic transmission of health information governed by HIPAA and compliance is required. If you charge for health care services to non-students, in any form, you should contact the HIPAA Privacy Officer (HIPAA-Privacy@umd.edu).

The University of Maryland is a Hybrid Entity under the HIPAA Privacy Rule. This means we are allowed to have covered and non-covered functions. The University Health Center is a covered entity under HIPAA. The Health Center must work with other units on campus where it might be necessary to disclose PHI to these units in order to carry out its health care function. These units are defined as business associates under HIPAA and must comply with requirements to ensure the safeguarding of protected health information. General Counsel, Chief Information Security Officer, and the HIPAA Privacy Officer are considered business associates.