DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.
What is a HIPAA Hybrid Entity?
One persistent misconception about HIPAA is that a HIPAA “hybrid” is an entity that is “both a CE and a BA” (both a covered entity and a business associate). This is not the definition of “hybrid entity,” however. Rather, a hybrid is an entity that performs various services, some of which are “covered functions” and some of which are “non-covered functions.” Covered functions are regulated by HIPAA, while non-covered functions are not regulated by HIPAA.
The definition of a hybrid entity is found in the HIPAA Privacy Rule. A HIPAA “hybrid entity” means a single legal entity:
(1) That is a covered entity;
(2) Whose business activities include both covered and non-covered functions; and
(3) That designates health care components.
What are Covered and Non-Covered Functions?
“Covered functions” are the functions that a covered entity performs that make it a health plan, healthcare provider, or healthcare clearinghouse. “Non-covered functions” are those functions a covered entity performs that HIPAA does not regulate.
Example: A hospital that also runs a cafeteria. The cafeteria service is a non-covered function. Or, a big-box store that has a pharmacy. Here, the pharmacy service is a covered function, while the grocery part of the store is not a covered function.
How Does an Entity Go About Becoming a Hybrid Entity?
The first step for an entity to become a hybrid entity is to assess which of its components or business units can be considered healthcare components. A healthcare component is any unit that would meet the definition of a covered entity or a business associate if it were a separate legal entity. An example of a unit that would meet the definition of a business associate if it were a separate legal entity is a legal or accounting department that needs access to PHI.
Entities should document their assessments in a written hybrid entity policy that should:
1. Declare the company’s status as a hybrid entity;
2. Clearly designate the business units that are healthcare components; and
3. Declare that these units will comply with all applicable HIPAA rules.
Once an entity has taken these steps, it must ensure that its designated healthcare components securely segregate PHI from access by, or disclosure to, the entity's non-healthcare components. To do this, the entity must limit which workforce members may access PHI. All designated units should adopt and implement adequate policies and procedures to comply with the HIPAA Rules, and must maintain all required records for at least six years.
Entities may be able to form other HIPAA-compliant structures besides a “hybrid entity” structure. The Privacy Rule defines and describes two other such structures: “affiliated covered entities” and “organized healthcare arrangements (OHCAs).” Each of these has its own HIPAA requirements.