HIPAA Compliance

Kent State University is committed to providing quality health care which includes respecting patients’ and clinical research subjects’ rights to maintain the privacy of their health information and ensuring appropriate security of all protected health information.  The standards for protecting patient health information are described in the federal law known as the Health Insurance Portability and Accountability Act (HIPAA).  This website provides information on the policies and procedures related to HIPAA compliance at Kent State.  A core purpose of HIPAA is to protect the privacy and security of health information.  HIPAA applies to “Covered Entities” such as health care providers and health plans.

The university is a hybrid entity, meaning it is a single legal entity with components that are covered and non-covered under HIPAA.  Only those designated as covered components are subject to HIPAA requirements. 

University Policy for Privacy for Protected Health Information

University Covered Entities:
Business Associates:

Business Associates are contracted third parties who provide covered components of the university with services that use or involve health information.  In accordance with university policy 5-20, all Business Associates must sign a business associate agreement approved by the Office of General Counsel.  In some cases, Kent State may serve as a Business Associate of another Covered Entity.  The university may only execute a business associate agreement for the receipt of health information pursuant to an approved business associate agreement.


All personnel in a university HIPAA-affected area or students in programs in certain health science schools are required to obtain training related to the regulatory obligations under the HIPAA Privacy and Security Rules.  The training requirements must be met on an annual basis.  Individuals can meet the annual HIPAA training requirement through a training program offered through the Human Resources Training and Development office.

Use of PHI in Research:

The HIPAA Privacy Rule affects research and researchers when the research requires access to and/or use of Protected Health Information (PHI) that is created or maintained by covered entities, or when a covered entity component of the university performs research that creates or generates PHI.  University researchers who access, use and/or disclose PHI for research purposes must comply with Institutional Review Board (IRB) policies.  The IRB PHI policy applies to all research involving PHI, regardless of funding, and such research must be reviewed and approved in advance by the KSU IRB.  Research activities may not begin until the IRB has granted final approval of the research protocol.  For further information, please contact the office of Research Compliance in Research and Sponsored Programs.

HIPAA Compliance Committee Chart