Hybrid Entity FAQ
February 27, 2019
Becoming a hybrid entity enables a health department to carve out its traditional public health activities – disease or injury registry functions, vital events record functions, and conducting public health surveillance, investigations, or interventions – from HIPAA coverage. This election requires the covered entity to assess itself against HIPAA and to document the results in a written hybrid entity policy.
While the U.S. Department of Health and Human Services did not intend the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 (HIPAA) to cover traditional public health activities, HIPAA does regulate the provision of certain services that health departments might provide. For example, a health department may provide HIPAA covered health care services because it operates a hospital or a health clinic or electronically bills for testing services provided by the state public health laboratory. It may also operate a HIPAA covered health plan such as Medicaid or a State Children’s Health Insurance Plan.
When a health department provides HIPAA covered services, it is a covered entity and must ensure HIPAA compliance. A covered entity may limit HIPAA to those organizational components that are regulated by HIPAA. This is known as becoming a hybrid entity.