Skip to Content
Resource Collection HIPAA Hybrid Entity Status

HIPAA Hybrid Entity Toolkit

February 28, 2019


This toolkit is intended for privacy officers, public health practitioners and their attorneys. It includes legal, policy and practical guidance to understand and implement HIPAA’s hybrid entity option. It includes:

»     A review of the legal issues involved in becoming a hybrid entity and the importance of HIPAA coverage re-assessment
»     FAQs on becoming a hybrid entity, supported by a more detailed regulatory reference table, including commentary
»     Information on the impact HIPAA coverage has on data sharing
»     Information on how becoming a hybrid entity reduces risk and compliance burden
»     Guidance on how to determine whether becoming a hybrid entity is the right choice
»     Guidance on developing a hybrid entity policy, including a policy template

For background on HIPAA, including definitions, view/download Read Me First.

Most health departments have programs that are covered by the Health Insurance Portability and Accountability Act, Public Law 104-191 (“HIPAA”), such as health care providers who bill electronically, clinics or health plans. Health departments may also provide traditional public health services that are not covered by HIPAA, such as surveillance, inspections, outbreak investigation and injury prevention programs. 

Evaluating HIPAA Coverage

Three use cases illustrate the resulting real-world impact HIPAA classification has on public health operations. These use cases also provide insight into why HIPAA coverage re-assessment is a public health priority.