
Standards for Privacy of Individually Identifiable Health Information

C. Section 164.504--Uses and Disclosures: Organizational Requirements

1. Hybrid Entities

December 2000 Privacy Rule

The Privacy Rule, as published in December 2000, defined covered entities that primarily engage in activities that are not "covered functions," that is, functions that relate to the entity's operation as a health plan, health care provider, or health care clearinghouse, as hybrid entities. See 45 CFR 164.504(a). Examples of hybrid entities were: (1) corporations that are not in the health care industry, but that operate on-site health clinics that conduct the HIPAA standard transactions electronically; and (2) insurance carriers that have multiple lines of business that include both health insurance and other insurance lines, such as general liability or property and casualty insurance.

Under the December 2000 Privacy Rule, a hybrid entity was required to define and designate those parts of the entity that engage in covered functions as one or more health care component(s). A hybrid entity also was required to include in the health care component(s) any other components of the entity that support the covered functions in the same way such support may be provided by a business associate (e.g., an auditing component). The health care component was to include such "business associate" functions for two reasons: (1) It is impracticable for the entity to contract with itself; and (2) having to obtain an authorization for disclosures to such support components would limit the ability of the hybrid entity to engage in necessary health care operations functions. In order to limit the burden on hybrid entities, most of the requirements of the Privacy Rule only applied to the health care component(s) of the entity and not to the parts of the entity that do not engage in covered functions.

The hybrid entity was required to create adequate separation, in the form of firewalls, between the health care component(s) and other components of the entity. Transfer of protected health information held by the health care component to other components of the hybrid entity was a disclosure under the Privacy Rule and was allowed only to the same extent such a disclosure was permitted to a separate entity.

In the preamble to the December 2000 Privacy Rule, the Department explained that the use of the term "primary" in the definition of a "hybrid entity" was not intended to operate with mathematical precision. The Department further explained that it intended a common sense evaluation of whether the covered entity mostly operates as a health plan, health care provider, or health care clearinghouse. If an entity's primary activity was a covered function, then the whole entity would have been a covered entity and the hybrid entity provisions would not have applied. However, if the covered entity primarily conducted non-health activities, it would have qualified as a hybrid entity and would have been required to comply with the Privacy Rule with respect to its health care component(s). See 65 FR 82502.

March 2002 NPRM

Since the publication of the final Rule, concerns were raised that the policy guidance in the preamble was insufficient so long as the Privacy Rule itself limited the hybrid entity provisions to entities that primarily conducted non-health related activities. In particular, concerns were raised about whether entities that have the health plan line of business as the primary business and an excepted benefits line, such as workers' compensation insurance, as a small portion of the business qualified as hybrid entities. There were also concerns about how "primary" was to be defined, if it was not a mathematical calculation, and how an entity would know whether or not it was a hybrid entity based on the guidance in the preamble.

As a result of these comments, the Department proposed to delete the term "primary" from the definition of "hybrid entity" in Sec. 164.504(a) and permit any covered entity that is a single legal entity and that performs both covered and non-covered functions to choose whether or not to be a hybrid entity for purposes of the Privacy Rule. Under the proposal, any covered entity could be a hybrid entity regardless of whether the non-covered functions represent the entity's primary functions, a substantial function, or even a small portion of the entity's activities. In order to be a hybrid entity under the proposal, a covered entity would have to designate its health care component(s). If the covered entity did not designate any health care component(s), the entire entity would be a covered entity and, therefore, subject to the Privacy Rule. Since the entire entity would be the covered entity, Sec. 164.504(c)(2) requiring firewalls between covered and non-covered portions of hybrid entities would not apply.

The Department explained in the preamble to the proposal that there are advantages and disadvantages to being a hybrid entity. Whether or not the advantages outweigh the disadvantages would be a decision for each covered entity that qualified as a hybrid entity, taking into account factors such as how the entity was organized and the proportion of the entity that must be included in the health care component.

The Department also proposed to simplify the definition of "health care component" in Sec. 164.504(a) to make clear that a health care component is whatever the covered entity designates as the health care component, consistent with the provisions regarding designation in proposed Sec. 164.504(c)(3)(iii). The Department proposed to move the specific language regarding which components make up a health care component to the implementation specification that addresses designation of health care components at Sec. 164.504(c)(3)(iii). At Sec. 164.504(c)(3)(iii), the Department proposed that a health care component could include: (1) Components of the covered entity that engage in covered functions, and (2) any component that engages in activities that would make such component a business associate of a component that performs covered functions, if the two components were separate legal entities. In addition, the Department proposed to make clear at Sec. 164.504(c)(3)(iii) that a hybrid entity must designate as a health care component(s) any component that would meet the definition of "covered entity" if it were a separate legal entity.

There was some ambiguity in the December 2000 Privacy Rule as to whether a health care provider that does not conduct electronic transactions for which the Secretary has adopted standards (i.e., a non-covered health care provider) and which is part of a larger covered entity was required to be included in the health care component. To clarify this issue, the proposal also would allow a hybrid entity the discretion to include in its health care component a non-covered health care provider component. Including a non-covered health care provider in the health care component would subject the non-covered provider to the Privacy Rule. Accordingly, the Department proposed a conforming change in Sec. 164.504(c)(1)(ii) to make clear that a reference to a "covered health care provider" in the Privacy Rule could include the functions of a health care provider who does not engage in electronic transactions, if the covered entity chooses to include such functions in the health care component.

The proposal also would permit a hybrid entity to designate otherwise non-covered portions of its operations that provide services to the covered functions, such as parts of the legal or accounting divisions of the entity, as part of the health care component, so that protected health information could be shared with such functions of the entity without business associate agreements or individual authorizations. The proposal would not require that the covered entity designate entire divisions as in or out of the covered component. Rather, it would permit the covered entity to designate functions within such divisions, such as the functions of the accounting division that support health insurance activities, without including those functions that support life insurance activities. The Department proposed to delete as unnecessary and redundant the related language in paragraph (2)(ii) of the definition of "health care component" in the Privacy Rule that requires the "business associate" functions include the use of protected health information.

Overview of Public Comments

The following discussion provides an overview of the public comment received on this proposal. Additional comments received on this issue are discussed below in the section entitled, "Response to Other Public Comments."

The Department received relatively few comments on its proposal regarding hybrid entities. A number of comments supported the proposal, appreciative of the added flexibility it would afford covered entities in their compliance efforts. For example, some drug stores stated that the proposal would provide them with the flexibility to designate health care components, whereas under the December 2000 Rule, these entities would have been required to subject their entire business, including the "front end" of the store which is not associated with dispensing prescription drugs, to the Privacy Rule's requirements.

Some health plans and other insurers also expressed strong support for the proposal. These comments, however, seemed to be based on a misinterpretation of the uses and disclosures the proposal actually would permit. These commenters appear to assume that the proposal would allow information to flow freely between non-covered and covered functions in the same entity, if that entity chose not to be a hybrid entity. For example, commenters explained that they interpreted the proposal to mean that a multi-line insurer which does not elect hybrid entity status would be permitted to share protected health information between its covered lines and its otherwise non-covered lines. It was stated that such latitude would greatly enhance multi-line insurers' ability to detect and prevent fraudulent activities and eliminate barriers to sharing claims information between covered and non-covered lines of insurance where necessary to process a claim.

Some commenters opposed the Department's hybrid entity proposal, stating that the proposal would reduce the protections afforded under the Privacy Rule and would be subject to abuse. Commenters expressed concerns that the proposal would allow a covered entity with only a small health care component to avoid the extra protections of creating firewalls between the health care component and the rest of the organization. Moreover, one of the commenters stated that the proposal could allow a covered entity that is primarily performing health care functions to circumvent the requirements of the Rule for a large part of its operations by designating itself a hybrid and excluding from the health care component a non-covered health care provider function, such as a free nurse advice line that does not bill electronically. In addition, it was stated that the ambiguous language in the proposal could potentially be construed as allowing a hybrid entity to designate only the business associate-like functions as the health care component, and exclude covered functions. The commenter urged the Department to clarify that a hybrid entity must, at a minimum, designate a component that performs covered functions as a health care component, and that a health care provider cannot avoid having its treatment component considered a health care component by relying on a billing department to conduct its standard electronic transactions. These commenters urged the Department to retain the existing policy by requiring those organizations whose primary functions are not health care to be hybrid entities and to institute firewall protections between their health care and other components.

Final Modifications

After consideration of the comments, the Department adopts in the final Rule the proposed approach to provide covered entities that otherwise qualify the discretion to decide whether to be a hybrid entity. To do so, the Department eliminates the term "primary" from the definition of "hybrid entity" at Sec. 164.504(a). Any covered entity that otherwise qualifies (i.e., is a single legal entity that performs both covered and non-covered functions) and that designates health care component(s) in accordance with Sec. 164.504(c)(3)(iii) is a hybrid entity. A hybrid entity is required to create adequate separation, in the form of firewalls, between the health care component(s) and other components of the entity. Transfer of protected health information held by the health care component to other components of the hybrid entity continues to be a disclosure under the Privacy Rule, and, thus, allowed only to the same extent such a disclosure is permitted to a separate entity.

Most of the requirements of the Privacy Rule continue to apply only to the health care component(s) of a hybrid entity. Covered entities that choose not to designate health care component(s) are subject to the Privacy Rule in their entirety.

The final Rule regarding hybrid entities is intended to provide a covered entity with the flexibility to apply the Privacy Rule as best suited to the structure of its organization, while maintaining privacy protections for protected health information within the organization. In addition, the policy in the final Rule simplifies the Privacy Rule and makes moot any questions about what "primary" means for purposes of determining whether an entity is a hybrid entity.

The final Rule adopts the proposal's simplified definition of "health care component," which makes clear that a health care component is what the covered entity designates as the health care component. The Department makes a conforming change in Sec. 164.504(c)(2)(ii) to reflect the changes to the definition of "health care component." The final Rule at Sec. 164.504(c)(3)(iii) requires a health care component to include a component that would meet the definition of a "covered entity" if it were a separate legal entity. The Department also modifies the language of the final Rule at Sec. 164.504(c)(3)(iii) to clarify that only a component that performs covered functions, and a component to the extent that it performs covered functions or activities that would make such component a business associate of a component that performs covered functions if the two components were separate legal entities, may be included in the health care component. "Covered functions" are defined at Sec. 164.501 as "those functions of a covered entity the performance of which makes the entity a health plan, health care provider, or health care clearinghouse."

As in the proposal, the Department provides a hybrid entity with some discretion as to what functions may be included in the health care component in two ways. First, the final Rule clarifies that a hybrid entity may include in its health care component a non-covered health care provider component. Accordingly, the Department adopts the proposed conforming change to Sec. 164.504(c)(1)(ii) to make clear that a reference to a "covered health care provider" in the Privacy Rule may include the functions of a health care provider who does not engage in electronic transactions for which the Secretary has adopted standards, if the covered entity chooses to include such functions in the health care component. A hybrid entity that chooses to include a non-covered health care provider in its health care component is required to ensure that the non-covered health care provider, as well as the rest of the health care component, is in compliance with the Privacy Rule.

Second, the final Rule retains the proposed policy to provide hybrid entities with discretion as to whether or not to include business associate-like divisions within the health care component. It is not a violation of the Privacy Rule to exclude such divisions from the health care component. However, a disclosure of protected health information from the health care component to such other division that is not part of the health care component is the same as a disclosure outside the covered entity. Because an entity cannot have a business associate contract with itself, such a disclosure likely will require individual authorization.

The Department clarifies, in response to comments, that a health care provider cannot avoid being a covered entity and, therefore, part of a health care component of a hybrid entity just by relying on a billing department to conduct standard transactions on its behalf. A health care provider is a covered entity if standard transactions are conducted on his behalf, regardless of whether the provider or a business associate (or billing department within a hybrid entity) actually conducts the transactions. In such a situation, however, designating relevant parts of the business associate division as part of the health care component would facilitate the conduct of health care operations and payment.

Also in response to comments, the Department clarifies that even if a covered entity does not choose to be a hybrid entity, and therefore is not required to erect firewalls around its health care functions, the entity still only is allowed to use protected health information as permitted by the Privacy Rule, for example, for treatment, payment, and health care operations. Additionally, the covered entity is still subject to minimum necessary restrictions under Secs. 164.502 and 164.514(d), and, thus, must have policies and procedures that describe who within the entity may have access to the protected health information. Under these provisions, workforce members may be permitted access to protected health information only as necessary to carry out their duties with respect to the entity's covered functions. For example, the health insurance line of a multi-line insurer is not permitted to share protected health information with the life insurance line for purposes of determining eligibility for life insurance benefits or any other life insurance purposes absent an individual's written authorization. However, the health insurance line of a multi-line insurer may share protected health information with another line of business pursuant to Sec. 164.512(a), if, for example, State law requires an insurer that receives a claim under one policy to share that information with other lines of insurance to determine if the event also may be payable under another insurance policy. Furthermore, the health plan may share information with another line of business if necessary for the health plan's coordination of benefits activities, which would be a payment activity of the health plan.

Given the above restrictions on information flows within the covered entity, the Department disagrees with those commenters who raised concerns that the proposed policy would weaken the Rule by eliminating the formal requirement for "firewalls." Even if a covered entity does not designate health care component(s) and, therefore, does not have to establish firewalls to separate its health care function(s) from the non-covered functions, the Privacy Rule continues to restrict how protected health information may be used and shared within the entity and who gets access to the information.

Further, the Department does not believe that allowing a covered entity to exclude a non-covered health care provider component from its health care component will be subject to abuse. Excluding health care functions from the health care component has significant implications under the Rule. Specifically, the Privacy Rule treats the sharing of protected health information from a health care component to a non-covered component as a disclosure, subject to the same restrictions as a disclosure between two legally separate entities. For example, if a covered entity decides to exclude from its health care component a non-covered provider, the health care component is then restricted from disclosing protected health information to that provider for any of the non-covered provider's health care operations, absent an individual's authorization. See Sec. 164.506(c). If, however, the non-covered health care provider function is not excluded, it would be part of the health care component and that information could be used for its operations without the individual's authorization.

Response to Other Public Comments

Comment: A number of academic medical centers expressed concern that the Privacy Rule prevents them from organizing for compliance in a manner that reflects the integration of operations between the medical school and affiliated faculty practice plans and teaching hospitals. These commenters stated that neither the proposal nor the existing Rule would permit many academic medical centers to designate themselves as either a hybrid or affiliated entity, since the components of each must belong to a single legal entity or share common ownership or control. These commenters also explained that a typical medical school would not appear to qualify as an organized health care arrangement (OHCA) because it does not engage in any of the requisite joint activities, for example, quality assessment and improvement activities, on behalf of the covered entity. It was stated that it is essential that there not be impediments to the flow of information within an academic medical center. These commenters, therefore, urged that the Department add a definition of "academic medical center" to the Privacy Rule and modify the definition of "common control" to explicitly apply to the components of an academic medical center, so as to ensure that academic medical centers qualify as affiliated entities for purposes of the Rule.

Response: The Department does not believe that a modification to include a special rule for academic medical centers is warranted. The Privacy Rule's organizational requirements at Sec. 164.504 for hybrid entities and affiliated entities, as well as the definition of "organized health care arrangement" in Sec. 164.501, provide covered entities with much flexibility to apply the Rule's requirements as best suited to the structure of their businesses. However, in order to maintain privacy protections, the Privacy Rule places appropriate conditions on who may qualify for such organizational options, as well as how information may flow within such constructs. Additionally, if the commenter is suggesting that information should flow freely between the covered and non-covered functions within an academic medical center, the Department clarifies that the Privacy Rule restricts the sharing of protected health information between covered and non-covered functions, regardless of whether the information is shared within a single covered entity or a hybrid entity, or among affiliated covered entities or covered entities participating in an OHCA. Such uses and disclosures may only be made as permitted by the Rule.

Comment: A few commenters expressed concern with respect to governmental hybrid entities having to include business associate-like divisions within the health care component or else being required to obtain an individual's authorization for disclosures to such division. It was stated that this concept does not take into account the organizational structures of local governments and effectively forces such governmental hybrid entities to bring those components that perform business associate type functions into their covered component. Additionally, a commenter stated that this places an undue burden on local government by essentially requiring that functions, such as auditor/controller or county counsel, be treated as fully covered by the Privacy Rule in order to minimize otherwise considerable risk. Commenters, therefore, urged that the Department allow a health care component to enter into a memorandum of understanding (MOU) or other agreement with the business associate division within the hybrid entity. Alternatively, it was suggested that a governmental hybrid entity be permitted to include in its notice of privacy practices the possibility that information may be shared with other divisions within the same government entity for specific purposes.

Response: The Department clarifies that a covered entity which chooses to include its business associate division within the health care component may only do so to the extent such division performs activities on behalf of, or provides services to, the health care component. That same division's activities with respect to non-covered activities may not be included. To clarify this point, the Department modified the proposed language in Sec. 164.504(c)(3)(iii) to provide that a health care component may only include a component to the extent that it performs covered functions or activities that would make such component a business associate of a component that performs covered functions if the two components were separate legal entities. For example, employees within an accounting division may be included within the health care component to the extent that they provide services to such component. However, where these same employees also provide services to non-covered components of the entity, their activities with respect to the health care component must be adequately separated from their other non-covered functions.

While the Department does not believe that a MOU between governmental divisions within a hybrid entity may be necessary given the above clarification, the Department notes that a governmental hybrid entity may elect to have its health care component enter into a MOU with its business associate division, provided that such agreement is legally binding and meets the relevant requirements of Sec. 164.504(e)(3) and (e)(4). Such agreement would eliminate the need for the health care component to include the business associate division or for obtaining the individual's authorization to disclose to such division.

Additionally, the Department encourages covered entities to develop a notice of privacy practices that is as specific as possible, which may include, for a government hybrid entity, a statement that information may be shared with other divisions within the government entity as permitted by the Rule. However, the notice of privacy practices is not an adequate substitute for, as appropriate, a memorandum of understanding; designation of business associate functions as part of a health care component; or alternatively, conditioning disclosures to such business associate functions on individuals' authorizations.

Comment: One commenter requested a clarification that a pharmacy-convenience store, where the pharmacy itself is a separate enclosure under supervision of a licensed pharmacist, is not a hybrid entity.

Response: The Department clarifies that a pharmacy-convenience store, if a single legal entity, is permitted, but not required, to be a hybrid entity and designate the pharmacy as the health care component. Alternatively, such an entity may choose to be a covered entity in its entirety. However, if the pharmacy and the convenience store are separate legal entities, the convenience store is not a covered entity simply by virtue of sharing retail space with the covered pharmacy.

Comment: Another commenter stated that the Rule implies that individual providers, once covered, are covered for all circumstances even if they are employed by more than one entity--one sending transactions electronically but not the other--or if the individual provider changes functions or employment and no longer electronically transmits standard transactions. This commenter asked that either the Rule permit an individual provider to be a hybrid entity (recognizing that there are times when an individual provider may be engaging in standard transactions, and other times when he is not), or that the definition of a "covered entity" should be modified so that individual providers are themselves classified as covered entities only when they are working as individuals.

Response: A health care provider is not a covered entity based on his being a workforce member of a health care provider that conducts the standard transactions. Thus, a health care provider may maintain a separate uncovered practice (if he does not engage in standard transactions electronically in connection with that practice), even though the provider may also practice at a hospital which may be a covered entity. However, the Rule does not permit an individual provider to use hybrid entity status to eliminate protections on information when he is not conducting standard transactions. If a health care provider conducts standard transactions electronically on his own behalf, then the protected health information maintained or transmitted by that provider is covered, regardless of whether the information is actually used in such transactions.

Comment: One commenter requested a clarification that employers are not hybrid entities simply because they may be the plan sponsor of a group health plan.

Response: The Department clarifies that an employer is not a hybrid entity simply because it is the plan sponsor of a group health plan. The employer/plan sponsor and group health plan are separate legal entities and, therefore, do not qualify as a hybrid entity. Further, disclosures from the group health plan to the plan sponsor are governed specifically by the requirements of Sec. 164.504(f).

Comment: A few commenters asked the Department to permit a covered entity with multiple types of health care components to tailor notices to address the specific privacy practices within a component, rather than have just one generic notice for the entire covered entity.

Response: Covered entities are allowed to provide a separate notice for each separate health care component, and are encouraged to provide individuals with the most specific notice possible.
