Privacy Policy

HIPAA Privacy Policy

Effective:        September, 2023


Responsible Leader:          Chief Compliance Officer

Applicability:                        Peak Health, LLC

Review By:                            September, 2024

Peak Health, LLC, (“Peak”) pursuant to 45 C.F.R. §§ 164.103 and 164.105 and other guidance under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), elects to be a “hybrid entity” and designates certain entities as covered health care components.


HIPAA and related regulations protect individually identifiable information regarding an individual’s health and the provision of health care to that individual. Such information is referred to as “Protected Health Information” or “PHI.” HIPAA applies to entities that perform health-care related functions, including entities that provide health care services (“Covered Entities”).

Peak and West Virginia University Health System (the “University”) are comprised of multi-disciplinary entities and divisions which perform a wide array of functions and activities, some of which involve the provision of health care services that are subject to HIPAA. HIPAA regulates the use and disclosure of PHI by Covered Entities and imposes administrative, technical, and physical standards, including implementation specifications, to ensure that PHI is kept secure. To implement these requirements, all University health care providers, along with any Peak personnel that handle PHI on behalf of the University, must follow written procedures to maintain the confidentiality, accessibility and integrity of PHI.

Under HIPAA, an organization with both HIPAA-covered and non-covered functions may elect to be a hybrid entity. With that designation, HIPAA requirements apply only to the entity’s health care components, which are engaged in covered functions, and do not apply to non-covered functions. If a Covered Entity chooses to designate its health care components in this manner, it must include any component that would meet the definition of a covered entity or a business associate if such component were a separate legal entity.  Examples of non-covered functions can include the provision of legal, accounting, data aggregation, or administrative services for internal health care components where such services involve the sharing of PHI. 45 C.F.R. § 160.103 (definition of Business Associate). Peak provides many of these services to the University pursuant to various agreements, including a third party administrative services agreement and a business associate agreement.


Health care components also may include a component only to the extent that it performs covered functions. 45 C.F.R.§164.105(a)(2)(iii)(D). By adopting this policy, the University designates itself to be a hybrid entity under 45 C.F.R. §§ 164.103 and 164.105.  The University further designates its health care components, whose functions are subject to HIPAA, as those identified in Section II below. The University may designate other health care components by amendment to this policy.

Notwithstanding this designation, the University remains responsible for the HIPAA compliance of its health care components. Therefore, all designated health care components must cooperate with the Compliance and Privacy and other University offices, in collaboration with those same those offices with Peak Health, LLC,  in maintaining HIPAA compliance.


The University designates the following as health care components subject to HIPAA:

  • West Virginia University Health System (we can insert list of all WVU entities as on the other policies).
  • Any other offices or divisions or units that might access PHI for legitimate business purposes.

Additionally, the University designates the following as health care components, which are subject to HIPAA only to the extent they perform the functions of a Covered Entity or business associate (e.g., functions that involve the use and/or disclosure of PHI):

  • Peak Health Plan, LLC
  • Peak Health, LLC and subordinate entities
  • Any other offices or divisions or units that might access PHI for billing, research or other legitimate business purposes.


Covered Entity: A covered entity means:

  • A health plan;
  • A health care clearing house; and
  • A health care provider who transmits any health information in electronic form in connection with a transaction covered by this chapter. (45 C.F.R. § 160.103 (Definitions).)

HIPAA: The Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act.

PHI: Protected Health Information is individually identifiable health information held or transmitted by a covered entity; and relates to:

  • The individual’s past, present, or future physical or mental health condition;
  • The provision of health care to the individual; or
  • The past, present, or future payment for the provision of health care to the individual. (45 C.F.R. § 160.103 (Definitions).)