In the ways businesses operate today, it is quite common for an entity to comply with multiple regulations and laws. HIPAA allows single legal entities that perform both covered functions and non-covered functions under HIPAA to designate themselves as “Hybrid Entities.” So how do you make sense of the terminology? In this article, we outline both the nature and importance of these terms for hybrid entities.
Generally speaking, covered functions are functions that OCR can regulate based on an entity’s status as a Covered Entity. That is, functions that relate to the entity’s operation of a health plan, health care provider, or health care clearinghouse are considered covered functions. Non-covered functions are best described as functions that are not covered entity functions. The hybrid entity provisions of HIPAA permit an entity to limit the application of HIPAA only to its healthcare components.
Don’t cross-contaminate your compliance
The covered entity that designates themselves as a hybrid entity must ensure that the health care component of the entity complies with HIPAA. To assist in clarifying, imagine that the health care component, with its covered functions, and the non-health care component, with its non-covered functions, are separate businesses. As such, the entity’s health care component is the only part of the entity that has the right to use, maintain, access or transmit the PHI. The covered component may not impermissibly use or disclose PHI to the non-covered component unless allowed under HIPAA.
The covered component must also protect electronic PHI (ePHI) as required by the Security Rule. This can prove challenging to organizations that share data across one network. It is crucial that the covered health care component segment its ePHI data traffic from non-ePHI data traffic within the network. This is usually achieved either through the use of a different IP addressing scheme or Virtual LANs (VLAN). By segmenting the organizations ePHI traffic within the network, the compliance focus can be placed in the areas that contain ePHI, thus limiting HIPAA’s scope to the covered health care component. Without segmenting the network and allowing ePHI to reside on the entire network, the entire organization would be in scope, despite its designation as a hybrid entity.
Limit access to PHI
Segmentation can also be achieved by limiting which workforce members have access to protected health information. HIPAA requires that workforce members that work for the covered health care component will not use and disclose PHI in a manner that violates HIPAA. Similarly, workforce members that work solely for the non-covered component shall not access PHI.
Covered entities that perform both covered functions and non-covered functions likely interact with each other as a necessary means to conduct business. For example, the covered entity may need to disclose PHI to the entity’s legal or accounting division. However, any disclosure of PHI from the covered component to a non-covered component, including a business associate division, is treated the same as a disclosure outside the organization. An entity with both covered and non-covered functions typically cannot have a business associate agreement with itself, a disclosure from the covered to the non-covered would require an authorization. Because business associates are now directly liable to OCR for HIPAA violations, by not including the business associate function within the health care component, the business associate component could avoid direct liability and compliance obligations. As such, covered healthcare components of a hybrid entity must include all business associate functions within the entity so that those components are directly subject to HIPAA.
The bottom line
Keep in mind that the covered entity as a whole, must ensure that the health care component of the entity complies with HIPAA. In its official comments, OCR suggests that hybrid entities may need to execute legal contracts and conduct other organizational matters at the level of the legal entity rather than at the level of the health care component.