HIPAA Hybrid Entity Toolkit

This toolkit is intended for privacy officers, public health practitioners and their attorneys. It includes: 

  • A review of the legal issues involved in becoming a hybrid entity and the importance of HIPAA coverage re-assessment
  • FAQs on becoming a hybrid entity, supported by a more detailed regulatory reference table, including commentary
  • Information on the impact HIPAA coverage has on data sharing
  • Information on how becoming a hybrid entity reduces risk and compliance burden
  • Guidance on how to determine whether becoming a hybrid entity is the right choice
  • Guidance on developing a hybrid entity policy, including a policy template

Issue Brief: HIPAA Hybrid Entity Coverage Assessments

The Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 (HIPAA), covers most health departments at the state and local levels. This issue brief helps public health practitioners and their attorneys better understand how HIPAA applies to services a health department may provide, options for coverage under HIPAA, and how these decisions directly impact data sharing, compliance burden and risk. This issue brief highlights changes in law and regulatory enforcement action that provide compelling reasons for health departments to update their HIPAA coverage assessments, even if they are already hybrid entities.

Hybrid Entity FAQ

Becoming a hybrid entity enables a health department to carve out its traditional public health activities – disease or injury registry functions, vital events record functions, and conducting public health surveillance, investigations, or interventions – from HIPAA coverage. This election requires the covered entity to assess itself against HIPAA and to document the results in a written hybrid entity policy.

Fact Sheet: How to Perform a Hybrid Entity Assignment

Health departments may choose whether to be completely covered by HIPAA, or to only apply HIPAA where legally required to do so, which is known as becoming a hybrid entity. Understanding where the health department has covered entity components is key to informing this decision.

Fact Sheet: How to Create a Hybrid Entity Policy

The following Hybrid Entity Policy Template documents the hybrid entity and its required components. Because this policy is a useful reference for a variety of HIPAA compliance activities, such as contracting, it is also recommended that the policy document non-covered services.

HIPAA Privacy Rule: Hybrid Entity Regulatory Reference Table

Congress passed the Health Insurance Portability and Accountability Act (“HIPAA”), Public Law 104-191 in 1996, which required the Department of Health and Human Services (“HHS”) to adopt national standards for electronic health care transactions and code sets, privacy, security and unique health identifiers. The HIPAA Privacy Rule defines the hybrid entity and sets forth the organizational requirements, including standards and implementation specifications. 45 CFR §§ 164.103 and 164.105(a) and (c). The rule provides that the legal entity that is a hybrid entity must implement safeguards and undertake certain responsibilities with respect to its covered entity and business associate components.

Resources for Understanding, Evaluating and Becoming a Hybrid Entity

This resource summarizes tools for understanding, evaluating and becoming a Hybrid Entity. The U.S. Department of Health and Human Services, Office for Civil Rights (OCR), also hosts a comprehensive website regarding the HIPAA Privacy Rule that includes many useful guidance documents, tools and training materials regarding HIPAA privacy and security regulations. 

