Fact Sheet

How to Create a Hybrid Entity Policy

February 27, 2019


The following Hybrid Entity Policy Template documents the hybrid entity and its required components. Because this policy is a useful reference for a variety of HIPAA compliance activities, such as contracting, it is also recommended that the policy document non-covered services.

If an independent health department, or the legal entity within which the health department resides, chooses to be a hybrid entity, it must designate its components in compliance with the Health Insurance Portability and Accountability Act, Public Law 104-191 (“HIPAA”) Privacy Rule. Absent this designation, the HIPAA Privacy Rule requirements apply to the entire legal entity. The HIPAA Privacy Rule requires identification of components that would meet the definition of a covered entity or business associate if they were separate legal entities. Covered entities have the option of including health care providers that do not bill electronically or engage in other standard electronic transactions. Guidance regarding the hybrid entity assessment is available on this Fact Sheet.

This designation must be in writing or recorded electronically. Electronic recordation, i.e., saving a copy of the policy in Word or another word processing program, provides for ease of revision and is generally preferred. Typically, this designation takes the form of a hybrid entity policy.
