OCR Settlement Announced for Hybrid Entity HIPAA Breach

Posted on December 5, 2016 in Health Law News

Published by: Hall Render

On November 22, 2016, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) reported its thirteenth settlement for 2016. The settlement related to a malware infection at a workstation that spread through the entire system of a covered entity that had elected to be a hybrid entity, resulting in the impermissible disclosure of electronic protected health information. The workstation was in an area of the covered entity that had, incorrectly, not been designated as a “health care component.” This means that there were no HIPAA Privacy and Security policies and procedures in place that could have prevented this breach. The settlement includes a corrective action plan and a monetary payment of $650,000.00. The corrective action plan requires the covered entity to conduct an enterprise-wide risk analysis, develop and implement a risk management plan, revise its policies and procedures and train its staff on appropriate policies and procedures. This serves as yet another reminder from OCR to covered entities and business associates that implementing privacy and security measures to safeguard protected health information should be an ongoing process.

Hybrid Entity Designation

This settlement also highlights the ability of covered entities to designate their organization as a “hybrid entity” and emphasizes the importance of properly identifying which of the entity’s functions are health care components. Under HIPAA, a hybrid entity is a single legal entity that is also a covered entity, whose business activities include both covered functions and non-covered functions (regardless of whether the non-covered functions represent that entity’s primary function, a substantial function or even a small portion of that entity’s activities). Covered functions are those functions of a covered entity that make the entity a health plan, health care provider or a health care clearinghouse. Entities that perform covered and non-covered functions have found the hybrid entity designation useful in helping to focus their HIPAA compliance efforts, reduce the risk of non-compliance and reduce compliance costs.

Covered entities may elect the hybrid entity designation by identifying the business activities within the organization that are considered health care components. A health care component is simply the component or combination of components of the entity that engage in covered functions or support those covered functions (e.g., those functions that relate to the entity’s operation as a health plan, health care provider or health care clearinghouse). It is important to note that a hybrid entity must include in its health care component(s) any component that would meet the definition of a covered entity, including the definition’s requirement that the entity conduct standard electronic transactions if it were a separate legal entity.

For covered entities that have elected the hybrid designation or are considering electing the hybrid designation, it is critical that the entity perform an organization-wide assessment of its business activities to properly designate those activities that are health care components. Covered entities must also implement policies and procedures that establish a “firewall” between the health care component(s) and the other components of the entity to prevent impermissible access to protected health information by the parts of the organization that are not designated as health care component(s).

While only the health care component(s) of a hybrid entity are required to comply with the privacy and security regulations, the covered entity remains responsible for the entire organization’s compliance with HIPAA; thus, it must ensure that staff understands the hybrid designation and is properly trained.

Practical Takeaways

  • Hybrid entities should regularly assess the organization’s business activities to ensure all health care components have been properly designated and are in compliance with HIPAA.
  • Hybrid entities should ensure that proper firewalls are in place between health care components and non-health care components of the organization.
  • Hybrid entities should review policies and procedures related to the hybrid designation and ensure all staff are properly trained.
  • Covered entities that perform covered and non-covered functions that have not elected the hybrid entity designation should consider whether the designation is appropriate for the organization. The designation may help focus its HIPAA compliance efforts and reduce HIPAA compliance costs.
