Are You a Hybrid Entity Under HIPAA?
February 17, 2018 at 03:54 PM
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) mandates privacy and security safeguards for medical information about a person's health status, care or payment for care, all of which are considered protected health information (PHI). Companies that utilize PHI in electronic communications, such as submission of health care claims, querying eligibility for a health plan or coordinating benefits, are subject to the requirements promulgated under HIPAA to protect PHI.
If only some of your company's business components use PHI, however, you may be eligible to self-identify as a hybrid entity and designate which business units need to comply with HIPAA and, more importantly, which do not.
This article will help you understand exactly what a hybrid entity is, who should take advantage of being one, how to successfully become one and some pitfalls to avoid.
What Is It?
A hybrid entity under HIPAA is a single legal entity that is a covered entity whose business activities include both covered and non-covered functions and that designates certain units as health care components. So much for the legal definition; let's break that down a little. A covered entity means a company that offers some health care-related services and some non-health care-related services. A covered function means anything that would render the performer a health plan, health care provider, or health care clearing house (for more information on these terms, see https://www.hhs.gov/hipaa/for-professionals/covered-entities/index.html).
Normally, if any activities performed by a company are covered under HIPAA, then the entire organization must comply with HIPAA regulations as to privacy and security (see 45 C.F.R. Part 160 and Subparts A and E of Part 164, the “privacy rule,” and 45 C.F.R. Part 160 and Subparts A and C of Part 164, the “security rule;” together, the HIPAA rules). A properly drafted and enforced hybrid entity policy can help you avoid global application of the HIPAA rules. Instead, you will be able to draw invisible lines throughout your organization. Only the “designated components” will be required to comply with the HIPAA rules, and only they will have the right to use, maintain, access or transmit PHI.
Who Should Use It?
There are several types of entities that can take advantage of hybridity: post-secondary institutions, IT companies, research centers, counties and municipalities, to name a few.
Information technology companies that offer software as a service are now entering the health care field. Those entities must comply with HIPAA but may not need to do so for all operations. A local government with a self-funded health plan may qualify as a HIPAA covered entity. A county that operates a health clinic would fall under HIPAA. Similarly, a university health clinic run by doctoral candidates may be bound by HIPAA. (Note, university records on students will be excluded from HIPAA but instead covered under the Family Educational Rights and Privacy Act, aka FERPA.) A municipality with police or firemen will offer emergency services that may be covered by HIPAA. Research centers that conduct clinical studies may need to comply with HIPAA.
The threshold for determining whether your organization could hybridize is whether it, or one or more of its departments, conducts any of the following transactions electronically:
- Health plan enrollment (or disenrollment)
- Health plan eligibility determinations
- Health plan premium payments
- Referral certification and/or authorization
- Claim submissions (encounter info)
- Coordination of health plan benefits
- Claim status inquiries
- Payment and remittance advice
- First report of injury
- Health claim attachments
How to Go About It
The first step to becoming a hybrid entity is to assess which of the components or business units comprising your entity could be considered health care components. A health care component is any unit that would meet the definition of a covered entity or a business associate if it were a separate legal entity (see above link for more information about business associates). It is critical to properly identify which units are health care components. Remember that departments like legal and accounting may need access to PHI for certain circumstances and could be considered business associate-type units.
Document your designations in writing by adopting a hybrid entity policy. This policy should:
- Declare the company's status as a hybrid entity;
- Clearly designate the business units that are health care components; and
- Resolve that those units will comply with the HIPAA rules.
Next, ensure that your designated health care components securely segregate PHI from access by or disclosure to non-health care components (meaning, the rest of the organization). Limiting which workforce members have access to PHI can help with this effort. The designated units should adopt and implement adequate policies and procedures to comply with the HIPAA Rules, as well as maintain all records for at least six years.
Things to Watch Out For
There are two major umbrellas of risk associated with hybrids: not capturing the designated components correctly and failure to protect PHI.
November 2016 marked the first hybrid entity settlement with the Office of Civil Rights (OCR), the agency charged with the enforcement of HIPAA. The University of Massachusetts Amherst agreed to pay $650,000 after an OCR investigation revealed that UMass did not properly “hybridize” itself. The university had failed to designate its Center for Language, Speech and Hearing as one of its health care components and likewise neglected to ensure the Center adhered to HIPAA.
This is a cautionary tale for other entities. Precise documentation and routine updating are crucial to avoiding the UMass outcome.
Another area of risk is compliance with the Security rule. If your company shares data across a single network, the PHI data traffic must be separated from non-PHI data traffic. This could be accomplished by using a different IP addressing scheme or through virtual local area networks, or VLANs. Without this delineation within the network, the entire organization may be subject to HIPAA, despite its declaration of hybrid entity status.
Strong policies, dedicated segregation and regular review will be the keys to your success as a hybrid entity.
Alexandra Ableitner, an associate at McNees Wallace & Nurick, focuses her practice on contracts and regulatory guidance. She works with companies to reach their goals by managing governance documents, assisting with mergers and acquisitions, and staying up-to-date on ever-changing health care and food law regulations.