Yes.  The University is a covered entity and HIPAA applies to all covered entities— Healthcare providers, Health plans, and healthcare clearinghouses.

Often, contractors, subcontractors, third party service providers (vendors) and other outside persons that are not employees of the covered entity will need to have access to patients’ health information when providing services to the covered entity.  These entities are called “Business Associates” and are required to comply with HIPAA.