HIPAA Hybrid Toolkit

October 11, 2019


The Hybrid Toolkit includes legal, policy and practical guidance to understand and implement HIPAA’s hybrid entity option, including:

HIPAA coverage overview

Guidance on whether becoming a hybrid entity is the right choice

FAQs on becoming a hybrid entity

Discussion of the legal issues involved

Guidance on developing a hybrid entity policy and a policy template

Information on how state health departments classify themselves and how that classification has changed since 2004

Most health departments have programs that are covered by the Health Insurance Portability and Accountability Act, Public Law 104-191 (“HIPAA”), such as health care providers who bill electronically, clinics or health plans. Health departments may also provide traditional public health services that are not covered by HIPAA, such as surveillance, inspections, outbreak investigation and injury prevention programs.

Becoming a Hybrid Entity is Important for Data Sharing

To improve important data sharing, health departments that elected to be fully covered by HIPAA should now re-evaluate the option to generally restrict HIPAA to only those programs that are required under law to comply with HIPAA. This is known as becoming a hybrid entity.

Periodically Re-assessing Hybrid Status is Critical for Compliance

Health departments should periodically re-evaluate HIPAA coverage. Changes in organizational structure, function or technology may cause changes in HIPAA classification. Failure to ensure that all components are currently and properly assessed for HIPAA coverage may result in significant regulatory exposure to enforcement action, including civil monetary penalties. Additionally, health departments’ re-assessment of HIPAA coverage may result in cost savings through reduced compliance burden and regulatory exposure.