Are You a Hybrid Entity Under HIPAA?

March 12, 2018

By Alexandra Ableitner
For The Legal Intelligencer

Reprinted with permission from the February 17, 2018 edition of The Legal Intelligencer © 2018 ALM Media Properties, LLC. Further duplication without permission is prohibited. All rights reserved.


The Health Insurance Portability and Accountability Act of 1996 (HIPAA) mandates privacy and security safeguards for medical information about a person’s health status, care or payment for care, all of which are considered protected health information (PHI). Companies that utilize PHI in electronic communications, such as submission of health care claims, querying eligibility for a health plan or coordinating benefits, are subject to the requirements promulgated under HIPAA to protect PHI.

If only some of your company’s business components use PHI, however, you may be eligible to self-identify as a hybrid entity and designate which business units need to comply with HIPAA and, more importantly, which do not.

This article will help you understand exactly what a hybrid entity is, who should take advantage of being one, how to successfully become one and some pitfalls to avoid.

What Is It?

A hybrid entity under HIPAA is a single legal entity that is a covered entity whose business activities include both covered and non-covered functions and that designates certain units as health care components. So much for the legal definition; let’s break that down a little. A covered entity means a company that offers some health care-related services and some non-health care-related services. A covered function means anything that would render the performer a health plan, health care provider, or health care clearing house (for more information on these terms, see

Normally, if any activities performed by a company are covered under HIPAA, then the entire organization must comply with HIPAA regulations as to privacy and security (see 45 C.F.R. Part 160 and Subparts A and E of Part 164, the “privacy rule,” and 45 C.F.R. Part 160 and Subparts A and C of Part 164, the “security rule”; together, the HIPAA rules). A properly drafted and enforced hybrid entity policy can help you avoid global application of the HIPAA rules. Instead, you will be able to draw invisible lines throughout your organization. Only the “designated components” will be required to comply with the HIPAA rules, and only they will have the right to use, maintain, access or transmit PHI.

Who Should Use It?

There are several types of entities that can take advantage of hybridity: post-secondary institutions, IT companies, research centers, counties and municipalities, to name a few.

Information technology companies that offer software as a service are now entering the health care field. Those entities must comply with HIPAA but may not need to do so for all operations. A local government with a self-funded health plan may qualify as a HIPAA covered entity. A county that operates a health clinic would fall under HIPAA. Similarly, a university health clinic run by doctoral candidates may be bound by HIPAA. (Note, university records on students will be excluded from HIPAA but instead covered under the Family Educational Rights and Privacy Act, aka FERPA.) A municipality with police or firemen will offer emergency services that may be covered by HIPAA. Research centers that conduct clinical studies may need to comply with HIPAA.

The threshold for determining whether your organization could hybridize is whether it—or one or more of its departments—conducts any of the following transactions electronically:

  • Health plan enrollment (or disenrollment)
  • Health plan eligibility determinations
  • Health plan premium payments
  • Referral certification and/or authorization
  • Claim submissions (encounter info)
  • Coordination of health plan benefits
  • Claim status inquiries
  • Payment and remittance advice
  • First report of injury
  • Health claim attachments

How to Go About It

The first step to becoming a hybrid entity is to assess which of the components or business units comprising your entity could be considered health care components. A health care component is any unit that would meet the definition of a covered entity or a business associate if it were a separate legal entity (see above link for more information about business associates). It is critical to properly identify which units are health care components. Remember that departments like legal and accounting may need access to PHI for certain circumstances and could be considered business associate-type units.

Document your designations in writing by adopting a hybrid entity policy. This policy should:

  • Declare the company’s status as a hybrid entity;
  • Clearly designate the business units that are health care components; and
  • Resolve that those units will comply with the HIPAA rules.

Next, ensure that your designated health care components securely segregate PHI from access by or disclosure to non-health care components (meaning, the rest of the organization). Limiting which workforce members have access to PHI can help with this effort. The designated units should adopt and implement adequate policies and procedures to comply with the HIPAA Rules, as well as maintain all records for at least six years.

Things to Watch Out For

There are two major umbrellas of risk associated with hybrids: not capturing the designated components correctly and failure to protect PHI.

November 2016 marked the first hybrid entity settlement with the Office for Civil Rights (OCR), the agency charged with the enforcement of HIPAA. The University of Massachusetts Amherst agreed to pay $650,000 after an OCR investigation revealed that UMass did not properly “hybridize” itself. The university had failed to designate its Center for Language, Speech and Hearing as one of its health care components and likewise neglected to ensure the Center adhered to HIPAA.

This is a cautionary tale for other entities. Precise documentation and routine updating are crucial to avoiding the UMass outcome.

Another area of risk is compliance with the security rule. If your company shares data across a single network, the PHI data traffic must be separated from non-PHI data traffic. This could be accomplished by using a different IP addressing scheme or through virtual local area networks, or VLANs. Without this delineation within the network, the entire organization may be subject to HIPAA, despite its declaration of hybrid entity status.
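As an added illustration of the separation described above (example code, not from the article or its author): a small Python audit that takes a constructed list of subnets assigned to the designated health care components and flags flow records that cross between those subnets and the rest of the network. All addresses, ports, the shared-service exception and the flow lines are hypothetical.

```python
import ipaddress

# Hypothetical policy: subnets (VLANs) assigned to the designated health
# care components. Any address outside these ranges is treated as belonging
# to a non-health care component.
PHI_SEGMENTS = [
    ipaddress.ip_network("10.20.0.0/24"),   # clinic VLAN (constructed)
    ipaddress.ip_network("10.20.1.0/24"),   # billing / claims VLAN (constructed)
]

# Hypothetical shared services that every segment may reach, e.g. DNS.
# A crossing to one of these (dst_ip, dst_port) pairs is not a violation.
SHARED_SERVICES = {("10.0.0.53", 53)}

# Constructed flow records in the form "src_ip,dst_ip,dst_port".
SAMPLE_FLOWS = """\
10.20.0.15,10.20.1.7,443
10.20.0.15,10.0.0.53,53
10.50.3.9,10.20.0.15,445
10.50.3.9,10.50.3.10,80
10.20.1.7,10.50.4.2,1433
not a flow record
"""


def is_phi(addr: str) -> bool:
    """True if the address sits inside a designated health care component segment."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PHI_SEGMENTS)


def find_violations(flow_text: str) -> list:
    """Return (src, dst, port) for each flow that crosses the PHI boundary
    in either direction and is not an explicitly permitted shared service.
    Malformed lines are skipped rather than treated as violations."""
    violations = []
    for line in flow_text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 3:
            continue
        try:
            src, dst, port = parts[0], parts[1], int(parts[2])
            crosses = is_phi(src) != is_phi(dst)
        except ValueError:  # bad IP or port
            continue
        if crosses and (dst, port) not in SHARED_SERVICES:
            violations.append((src, dst, port))
    return violations
```

A flow inside the PHI segments or entirely outside them passes; only traffic that bridges the two, other than the listed shared service, is reported.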

Strong policies, dedicated segregation and regular review will be the keys to your success as a hybrid entity.

Alexandra Ableitner, an associate at McNees Wallace & Nurick, focuses her practice on contracts and regulatory guidance. She works with companies to reach their goals by managing governance documents, assisting with mergers and acquisitions, and staying up-to-date on ever-changing health care and food law regulations. Contact her at