HIPAA Hybrid Entity Toolkit
February 28, 2019
This toolkit is intended for privacy officers, public health practitioners and their attorneys. It provides legal, policy and practical guidance for understanding and implementing HIPAA’s hybrid entity option, including:
» A review of the legal issues involved in becoming a hybrid entity and the importance of HIPAA coverage re-assessment
» FAQs on becoming a hybrid entity, supported by a more detailed regulatory reference table, including commentary
» Information on the impact HIPAA coverage has on data sharing
» Information on how becoming a hybrid entity reduces risk and compliance burden
» Guidance on how to determine whether becoming a hybrid entity is the right choice
» Guidance on developing a hybrid entity policy, including a policy template
For background on HIPAA, including definitions, view/download Read Me First.
Read Me First
HIPAA Hybrid Entity Coverage Assessments
Hybrid Entity FAQ
How to Perform a Hybrid Entity Assessment
How to Create a Hybrid Entity Policy
HIPAA Privacy Rule: Hybrid Entity Regulatory Reference Table
Resources for Understanding, Evaluating and Becoming a Hybrid Entity
Most health departments have programs that are covered by the Health Insurance Portability and Accountability Act, Public Law 104-191 (“HIPAA”), such as health care providers who bill electronically, clinics or health plans. Health departments may also provide traditional public health services that are not covered by HIPAA, such as surveillance, inspections, outbreak investigation and injury prevention programs.
Evaluating HIPAA Coverage
Three use cases illustrate the real-world impact that HIPAA classification has on public health operations. These use cases also provide insight into why HIPAA coverage re-assessment is a public health priority.
- Case 1: What does hybrid entity look like?
- Case 2: We are a hybrid entity. It’s only been three years since we’ve done a HIPAA assessment. Do we really need to do this again?
- Case 3: We are a hybrid entity. It’s been ten years since we’ve done a HIPAA assessment, but we have had absolutely no changes in our organization. Do we really have to do this again?