HIPAA safeguards the privacy and security of protected health information (PHI) in the healthcare industry. But what if healthcare is only part of what your organization does? You may be a hybrid entity, and you need to know how to determine that in order to understand how HIPAA applies to your organization.
A hybrid entity is a single legal entity that performs both covered and noncovered functions. The designation lets the organization apply the HIPAA Privacy and Security Rules to the components that perform covered functions (its health care components) while the components that perform only noncovered functions fall outside those rules. It is a mechanism that provides flexibility for organizations with diverse operations.
According to the HHS, "A covered entity that qualifies as a hybrid entity, meaning that the entity is a single legal entity that performs both covered and noncovered functions, may choose whether it wants to be a hybrid entity. If such a covered entity decides not to be a hybrid entity then it, and all of its components, are subject to the Privacy Rule in its entirety."
To determine whether your organization qualifies as a hybrid entity, first conduct a comprehensive inventory of its functions. Do some divisions perform covered functions, meaning the functions of a health plan, a healthcare clearinghouse, or a healthcare provider that transmits health information electronically in connection with a HIPAA standard transaction (for example, submitting claims)? Note that patient care by itself is not enough; a provider that never conducts standard electronic transactions is not a covered entity. Do other segments of your organization perform functions unrelated to healthcare? If both are true within one legal entity, you may qualify for hybrid entity status.
Once you have distinguished covered from noncovered functions, pinpoint the components of your organization that perform the covered functions and handle PHI. These components make up the health care component and are subject to HIPAA. What they are varies by organization type: for a healthcare provider it may be the clinical and patient records departments; for a health plan, the claims processing and enrollment divisions; for a healthcare clearinghouse, the units that process health information. Remember to include any component that would be a business associate of the health care component if it were a separate legal entity, such as an internal IT, legal, or billing group that accesses PHI to support the covered functions; the Privacy Rule requires those components to be part of the health care component as well.
Formally designating your organization as a hybrid entity is the next step. The designation must be documented in writing and retained, and it should clearly specify which components of your organization are in the health care component and which are not. That written designation is paired with policies and procedures for protecting PHI within the health care component. Precise, current documentation is what allows you to demonstrate which parts of the organization are held to HIPAA and which are not.
One of the fundamental responsibilities of a hybrid entity is to ensure that PHI does not flow from the health care component to noncovered components in ways the rules would not permit. In practice, the health care component may not disclose PHI to another component of the same entity in any circumstance in which the Privacy Rule would prohibit disclosing it to a separate legal entity, and a workforce member who works in both a covered and a noncovered component may not use or disclose PHI obtained through the covered work for the noncovered work. Meeting this obligation requires robust safeguards and ongoing monitoring, not a one-time designation.
Hybrid entities must therefore establish controls that enforce the boundary between the health care component and the rest of the organization. This typically means access controls that restrict PHI systems and records to workforce members in the health care component, training so that staff understand which side of the line their role sits on and what that means for PHI, and auditing procedures that verify access and disclosures stay within the designated component. Done well, these controls keep the organization compliant with HIPAA without getting in the way of the noncovered operations.
Hybrid entities can, and should, reassess their designation when their organizational structure or functions change. If covered or noncovered activities are added, dropped, or moved between components, for example through an acquisition, a reorganization, or a new line of business, the hybrid entity must reevaluate which components belong in the health care component and update the written designation accordingly to remain compliant with HIPAA.
Hybrid entities remain responsible for the third-party vendors that handle PHI on behalf of their health care component; those vendors are business associates under HIPAA. This involves vetting vendors before engaging them, executing business associate agreements (BAAs) that bind them to the applicable privacy and security requirements, and maintaining oversight to monitor how they handle PHI. A noncovered component contracting with an outside vendor for its own, non-PHI work does not need a BAA, which is one more reason the boundary between components must be clearly drawn.