Under the HIPAA Privacy Rule, any entity that meets the definition of a covered entity, regardless of size or complexity, generally will be subject in its entirety to the Privacy Rule – that is, the entire entity will be subject to all of the rule. However, the HIPAA Privacy Rule provides a means for covered entities to partially exempt themselves from this general rule, by designating themselves as a HIPAA hybrid entity.
A HIPAA hybrid entity is a single legal entity that performs some business functions that are “covered functions” (activities that make the entity a healthcare provider, a health plan, or a healthcare clearinghouse) and also performs business functions that a covered entity does not perform. The latter are referred to as “non-covered functions” or “non-healthcare functions.”
If an entity properly designates, per the HIPAA regulations, which of its business activities are healthcare components subject to HIPAA regulation, and properly designates those business activities that are not healthcare components, the entity has the legal status of a HIPAA hybrid entity.
Having valid HIPAA hybrid entity status offers entities a certain regulatory relief: As a general matter, only the designated healthcare components of the entity must comply with the full scope of the HIPAA Privacy Rule; the non-healthcare components need not. The legal entity as a whole, however, remains the covered entity and remains responsible for ensuring that its healthcare components comply and that PHI does not flow to its non-healthcare components.
How Does an Entity Become a HIPAA Hybrid Entity?
To become a HIPAA hybrid entity, an entity should take the following actions:
- First, assess which of its components or business units might be considered healthcare components.
- A healthcare component is any unit of the entity that would meet the definition of a covered entity or a business associate if it were a separate legal entity; such units must be designated. The entity may also choose to designate a unit that performs covered functions without itself being a covered entity (for example, a healthcare provider that does not conduct standard electronic transactions), or a unit that performs activities that would make it a business associate of the entity’s healthcare components if it were legally separate.
- Next, document the designations in writing. This can be done by creating a hybrid entity policy that declares the company’s status as a hybrid entity and clearly designates the business units that are healthcare components.
- Ensure that the designated healthcare components segregate protected health information (PHI) from access by, or disclosure to, non-healthcare components. In practice this means the separation must be enforced technically (access controls, separate systems or network segments, and logging of access), not merely declared on paper.
- Limit which workforce members have access to PHI, and document those limitations in the hybrid entity policy. Workforce members who perform duties for both a healthcare component and a non-healthcare component may not use or disclose PHI obtained through the healthcare component in their non-healthcare role.
- Designated units should adopt and implement adequate policies and procedures to comply with the HIPAA regulations.
Are there Specific HIPAA Security Rule Measures Hybrid Entities Must Take?
Hybrid entities should be mindful of their obligations under the HIPAA Security Rule, which applies to the electronic PHI held by the designated healthcare components. Companies whose healthcare and non-healthcare components share a single network or set of systems should take measures to separate PHI from non-PHI systems and data flows, so that a non-healthcare component cannot access or receive PHI. The hybrid designation does not shrink the organization’s responsibility for that boundary: if PHI leaks across it, the covered entity as a whole, not just the healthcare component, is answerable for the impermissible disclosure, and the partial relief that hybrid status was meant to provide is lost in practice because the non-healthcare components are now handling PHI.