
HIPAAdvisor: Q & A with Steve Fox

Can Your Organization Qualify as an “Affiliated Covered Entity”?

QUESTION: Our company owns a large national chain of outpatient and residential mental health facilities. Is each of these facilities individually responsible for the notifications and consents required under the privacy rule? With the exception of an on-site clinic for employees, no protected health information is created, used or disclosed at our corporate headquarters. Is there a way to implement an enterprise-wide HIPAA compliance initiative? Each of our facilities is a separate and distinct corporate entity. Does that make a difference?

ANSWER: Legally separate and distinct covered entities may designate themselves as a single covered entity for the purpose of complying with the privacy rule (the “rule”) as long as the entities are “affiliated,” meaning they share common ownership or control. “Common ownership” is defined as an ownership or equity interest of five percent (5%) or more. “Common control” exists if an entity has the power, directly or indirectly, to significantly influence or direct the actions or policies of another entity. The covered entities that together make up an “affiliated covered entity” are subject to separate liability under the rule.

Affiliated organizations don't have to share similar functions or activities in order to designate themselves as a single covered entity. If your company decided to designate all of its facilities as a single affiliated covered entity for the purpose of HIPAA compliance, the on-site clinic at the company’s headquarters could be included as part of that affiliated covered entity.

Perhaps the biggest advantage of this designation is the potential cost savings for larger organizations. Affiliated covered entities may utilize a single shared notice of privacy practices for the entire enterprise, promulgate one consent form, designate one privacy official, and implement one set of privacy policies and procedures. However, it's important to remember that this consolidation does not extend to the restrictions on the use and disclosure of protected health information (PHI) under the rule. If an affiliated covered entity performs more than one type of covered function, each individual component of the affiliated covered entity must still comply with those provisions of the rule that are specifically applicable to its covered functions. For example, if one of the components of an affiliated covered entity is a health care provider with a direct treatment relationship, that component entity would still be required to obtain a consent prior to using or disclosing PHI, even if such use or disclosure was with another component of the affiliated covered entity.

In situations where a covered entity (such as the on-site health clinic in the example above) is part of a larger organization that is not itself regulated by HIPAA, only the health care component of the larger organization must comply with HIPAA. The organization as a whole is referred to as a “hybrid entity” under the rule, since only part of it must be HIPAA compliant. Any use or disclosure of PHI by the health care component of the hybrid entity is subject to the privacy standards even when such use or disclosure is made internally within the hybrid entity. Moreover, the health care components of hybrid entities are required to implement firewalls or safeguards between themselves and the larger hybrid entity in order to ensure meaningful privacy protection.

Steve Fox, Esq., is a partner in the Washington, D.C. office of Pepper Hamilton LLP. Pepper Hamilton LLP is a multi-practice law firm with more than 400 lawyers in ten offices. A specialist in healthcare, Steve is a frequent writer and speaker on healthcare information management and technology issues. www.pepperlaw.com/

This article was co-authored by Rachel H. Wilson, Esq., an associate at Pepper Hamilton.

Disclaimer: Steve's responses offer information that is general in nature and should not be relied upon as legal advice. Only your attorney is qualified to evaluate your specific situation and provide you with customized advice.

Have a question you'd like Steve to discuss in HIPAAlert? Send it to and he'll be glad to consider using it in a future column, with or without attribution.