Are You a Hybrid Entity Under HIPAA?
February 17, 2018 at 03:54 PM
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) mandates privacy and security safeguards for medical information about a person's health status, care or payment for care, all of which are considered protected health information (PHI). Companies that utilize PHI in electronic communications, such as submission of health care claims, querying eligibility for a health plan or coordinating benefits, are subject to the requirements promulgated under HIPAA to protect PHI.
If only some of your company's business components use PHI, however, you may be eligible to self-identify as a hybrid entity and designate which business units need to comply with HIPAA and, more importantly, which do not.
This article will help you understand exactly what a hybrid entity is, who should take advantage of being one, how to successfully become one and some pitfalls to avoid.
What Is It?
A hybrid entity under HIPAA is a single legal entity that is a covered entity whose business activities include both covered and non-covered functions and that designates certain units as health care components. So much for the legal definition; let's break that down a little. A covered entity means a company that offers some health care-related services and some non-health care-related services. A covered function means anything that would render the performer a health plan, health care provider, or health care clearing house (for more information on these terms, see https://www.hhs.gov/hipaa/for-professionals/covered-entities/index.html).
Normally, if any activities performed by a company are covered under HIPAA, then the entire organization must comply with HIPAA regulations as to privacy and security (see 45 C.F.R. Part 160 and Subparts A and E of Part 164, the “privacy rule,” and 45 C.F.R. Part 160 and Subparts A and C of Part 164, the “security rule;” together, the HIPAA rules). A properly drafted and enforced hybrid entity policy can help you avoid global application of the HIPAA rules. Instead, you will be able to draw invisible lines throughout your organization. Only the “designated components” will be required to comply with the HIPAA rules, and only they will have the right to use, maintain, access or transmit PHI.
Who Should Use It?
There are several types of entities that can take advantage of hybridity: post-secondary institutions, IT companies, research centers, counties and municipalities, to name a few.
Information technology companies that offer software as a service are now entering the health care field. Those entities must comply with HIPAA but may not need to do so for all operations. A local government with a self-funded health plan may qualify as a HIPAA covered entity. A county that operates a health clinic would fall under HIPAA. Similarly, a university health clinic run by doctoral candidates may be bound by HIPAA. (Note, university records on students will be excluded from HIPAA but instead covered under the Family Educational Rights and Privacy Act, aka FERPA.) A municipality with police or firemen will offer emergency services that may be covered by HIPAA. Research centers that conduct clinical studies may need to comply with HIPAA.
The threshold for determining whether or not your organization could hybridize is whether it, or one or more of its departments, conducts any of the following transactions electronically:
- Health plan enrollment (or disenrollment)
- Health plan eligibility determinations
- Health plan premium payments
- Referral certification and/or authorization
- Claim submissions (encounter info)
- Coordination of health plan benefits
- Claim status inquiries
- Payment and remittance advice
- First report of injury
- Health claim attachments
How to Go About It
The first step to becoming a hybrid entity is to assess which of the components or business units comprising your entity could be considered health care components. A health care component is any unit that would meet the definition of a covered entity or a business associate if it were a separate legal entity (see above link for more information about business associates). It is critical to properly identify which units are health care components. Remember that departments like legal and accounting may need access to PHI for certain circumstances and could be considered business associate-type units.
Document your designations in writing by adopting a hybrid entity policy. This policy should:
- Declare the company's status as a hybrid entity;
- Clearly designate the business units that are health care components; and
- Resolve that those units will comply with the HIPAA rules.
Next, ensure that your designated health care components securely segregate PHI from access by or disclosure to non-health care components (meaning, the rest of the organization). Limiting which workforce members have access to PHI can help with this effort. The designated units should adopt and implement adequate policies and procedures to comply with the HIPAA rules, as well as maintain all records for at least six years.
Things to Watch Out For
There are two major umbrellas of risk associated with hybrids: not capturing the designated components correctly and failure to protect PHI.
November 2016 marked the first hybrid entity settlement with the Office of Civil Rights (OCR), the agency charged with the enforcement of HIPAA. The University of Massachusetts Amherst agreed to pay $650,000 after an OCR investigation revealed that UMass did not properly “hybridize” itself. The university had failed to designate its Center for Language, Speech and Hearing as one of its health care components and likewise neglected to ensure the Center adhered to HIPAA.
This is a cautionary tale for other entities. Precise documentation and routine updating are crucial to avoiding the UMass outcome.
Another area of risk is compliance with the security rule. If your company shares data across a single network, the PHI data traffic must be separated from non-PHI data traffic. This could be accomplished by using a different IP addressing scheme or through virtual local area networks, or VLANs. Without this delineation within the network, the entire organization may be subject to HIPAA, despite its declaration of hybrid entity status.
Strong policies, dedicated segregation and regular review will be the keys to your success as a hybrid entity.
Alexandra Ableitner, an associate at McNees Wallace & Nurick, focuses her practice on contracts and regulatory guidance. She works with companies to reach their goals by managing governance documents, assisting with mergers and acquisitions, and staying up-to-date on ever-changing health care and food law regulations. Contact her at [email protected].
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.