Tribal HIPAA Hybrid Entity FAQs
March 13, 2020
While the U.S. Department of Health and Human Services did not intend the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 (HIPAA) to cover core public health activities, HIPAA likely covers many tribal health departments and regulates the provision of certain services that they might provide.
For example, a tribal health department may provide HIPAA-covered health care services because it operates a hospital or a health clinic and electronically submits claims for services. It may also operate a HIPAA-covered health plan. For instance, where a tribe operates under an Indian Self-Determination and Education Assistance Act (ISDEAA) agreement, its health care program may constitute a health plan if its individual or group plan provides or pays the cost of medical care. Medical care is the diagnosis, treatment and prevention of disease.
When a tribal health department provides HIPAA-covered services, it is a covered entity and must ensure HIPAA compliance. A covered entity may restrict the application of HIPAA to those organizational components that are regulated by HIPAA. This is known as becoming a hybrid entity.
Becoming a hybrid entity enables a tribal health department to carve out its core public health activities – disease or injury registry functions, vital events record functions, and conducting public health surveillance, investigations, or interventions – from HIPAA coverage. This election requires the covered entity to assess itself against HIPAA and to document the results in a written hybrid entity policy.