Skip to Content
Fact Sheet

How to Perform a Hybrid Entity Assessment

February 27, 2019


Health departments may choose whether to be completely covered by HIPAA, or to only apply HIPAA where legally required to do so, which is known as becoming a hybrid entity. Understanding where the health department has covered entity components is key to informing this decision.

Determination of Health Insurance Portability and Accountability Act, Public Law 104-191 (“HIPAA”) coverage is an essential and important component of a health department’s compliance activities. Health departments may provide HIPAA covered health care services because they operate a hospital or a health clinic, or electronically bill for testing services provided by the state public health laboratory. Health departments may also operate a HIPAA covered health plan, such as Medicaid or a State Children’s Health Insurance Plan.

HIPAA does not apply to traditional public health activities including disease or injury registry functions, vital event reporting and conducting surveillance, interventions, and outbreak investigations. However, absent adoption of a hybrid entity policy, HIPAA applies to the entire health department, including traditional public health activities.