The Health Insurance Portability and Accountability Act of 1996 (HIPAA) allows certain organizations to designate themselves as “hybrid entities.” In a hybrid entity structure, organizations are permitted to segregate their activities into both covered and non-covered functions regarding the handling of protected health information (PHI).
The covered functions of an organization are fully subject to HIPAA requirements, while the non-covered components of the organization are exempt from some HIPAA requirements. By forming a hybrid entity, organizations can segregate their operations, focusing HIPAA compliance efforts on the components that handle PHI, while the non-covered components have more flexibility in their operations and are subject to fewer regulatory obligations under HIPAA.
In a health care provider organization that is a hybrid entity, the organization’s non-covered components are not considered to be a “provider” for the purposes of HIPAA. Therefore, health information received or created by non-covered components does not constitute “protected health information” under HIPAA.
This is important because, under the My Health, My Data Act, protected health information is exempt from the requirements of the Act. Therefore, if a non-covered component receives or creates information that meets the definition of consumer health data under the My Health, My Data Act, the non-covered component could be subject to the Act’s requirements.
In other words, a HIPAA hybrid entity may need to ensure that its HIPAA-covered components comply with HIPAA, and also ensure that its non-covered components comply with the My Health, My Data Act. It is critical for HIPAA hybrid entities to take a close look at any health information that their non-covered components create or receive and to take steps to comply with the Act if necessary.