Are You a Hybrid Entity Under HIPAA?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) mandates privacy and security safeguards for medical information about a person’s health status, care or payment for care, all of which is considered protected health information (PHI). Companies that use PHI in electronic communications, such as submitting health care claims, querying eligibility for a health plan or coordinating benefits, are subject to the requirements promulgated under HIPAA to protect PHI. If only some of your company’s business components use PHI, however, you may be eligible to self-identify as a hybrid entity and designate which business units need to comply with HIPAA and, more importantly, which do not. This article will help you understand exactly what a hybrid entity is, who should take advantage of being one, how to successfully become one and some pitfalls to avoid.

What Is It?

A hybrid entity under HIPAA is a single legal entity that is a covered entity whose business activities include both covered and non-covered functions and that designates certain units as health care components. So much for the legal definition; let’s break that down a little. A covered entity means a company that offers some health care-related services and some non-health care-related services. A covered function means anything that would render the performer a health plan, health care provider or health care clearinghouse (for more information on these terms, see https://www.hhs.gov/hipaa/for-professionals/covered-entities/index.html). Normally, if any activities performed by a company are covered under HIPAA, then the entire organization must comply with HIPAA regulations as to privacy and security (see 45 C.F.R. Part 160 and Subparts A and E of Part 164, the “privacy rule,” and 45 C.F.R. Part 160 and Subparts A and C of Part 164, the “security rule”; together, the HIPAA rules). A properly drafted and enforced hybrid entity policy can help you avoid global application of the HIPAA rules. Instead, you will be able to draw invisible lines throughout your organization. Only the “designated components” will be required to comply with the HIPAA rules, and only they will have the right to use, maintain, access or transmit PHI.

Who Should Use It?

There are several types of entities that can take advantage of hybridity: post-secondary institutions, IT companies, research centers, counties and municipalities, to name a few. Information technology companies that offer software as a service are now entering the health care field. Those entities must comply with HIPAA but may not need to do so for all of their operations. A local government with a self-funded health plan may qualify as a HIPAA covered entity. A county that operates a health clinic would fall under HIPAA. Similarly, a university health clinic run by doctoral candidates may be bound by HIPAA. (Note that university records on students are excluded from HIPAA and are instead covered under the Family Educational Rights and Privacy Act, aka FERPA.) A municipality with police or firefighters will offer emergency services that may be covered by HIPAA. Research centers that conduct clinical studies may need to comply with HIPAA. The threshold for determining whether your organization could hybridize is whether it—or one or more of its departments—conducts any of the following transactions electronically: