This toolkit is intended for privacy officers, public health practitioners and their attorneys. It includes:
The Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 (HIPAA), covers most health departments at the state and local levels. This issue brief helps public health practitioners and their attorneys understand how HIPAA applies to the services a health department may provide, the options for coverage under HIPAA, and how these decisions directly affect data sharing, compliance burden and risk. It also highlights changes in law and in regulatory enforcement that give health departments compelling reasons to update their HIPAA coverage assessments, even if they are already hybrid entities.
Becoming a hybrid entity enables a health department to carve out its traditional public health activities – disease or injury registry functions, vital events record functions, and conducting public health surveillance, investigations, or interventions – from HIPAA coverage. This election requires the covered entity to assess itself against HIPAA and to document the results in a written hybrid entity policy.
Health departments may choose whether to be completely covered by HIPAA, or to only apply HIPAA where legally required to do so, which is known as becoming a hybrid entity. Understanding where the health department has covered entity components is key to informing this decision.
The following Hybrid Entity Policy Template documents the hybrid entity and its required components. Because this policy is a useful reference for a variety of HIPAA compliance activities, such as contracting, it is also recommended that the policy document non-covered services.
Congress passed the Health Insurance Portability and Accountability Act (“HIPAA”), Public Law 104-191, in 1996. It required the Department of Health and Human Services (“HHS”) to adopt national standards for electronic health care transactions and code sets, privacy, security and unique health identifiers. The HIPAA Privacy Rule defines the hybrid entity and sets forth the organizational requirements, including standards and implementation specifications (45 CFR §§ 164.103 and 164.105(a) and (c)). The rule provides that the legal entity that is a hybrid entity must implement safeguards and undertake certain responsibilities with respect to its covered entity and business associate components.
This resource summarizes tools for understanding, evaluating and becoming a Hybrid Entity. The U.S. Department of Health and Human Services, Office for Civil Rights (OCR), also hosts a comprehensive website regarding the HIPAA Privacy Rule that includes many useful guidance documents, tools and training materials regarding HIPAA privacy and security regulations.