Should a Local Government Be a HIPAA Hybrid Entity?

The federal HIPAA regulations apply directly to certain types of entities and individuals, referred to as “covered entities” and “business associates.” These regulations govern standardization of electronic healthcare transactions and identifiers, as well as the privacy and security of health information. Depending on the services provided and the relationships that exist, a local government may be a covered entity or a business associate that is subject to these federal regulations. If a local government concludes that it a HIPAA covered entity, it may want to have only some of its functions, services, or staff members comply with HIPAA. It may want to limit the amount of training and compliance duties, as well as its liability exposure. Can the local government do that? Why, yes! It can. But in order to do so, it must take affirmative steps to designate itself a “hybrid entity.” This post briefly discusses how a local government can determine whether it is a covered entity and explores the concept of hybrid entity designations. It does not provide any discussion of the other substantive requirements of the HIPAA regulations, such as when use and disclosure of protected health information is allowed. We will save those discussions for another time.

Who or what is a covered entity?

There are three types of covered entities under HIPAA:

• health care clearinghouses,
• health plans, and
• health care providers who transmit any health information in electronic form in connection with a HIPAA-covered transaction.

See 42 U.S.C. 1320d-1 (applicability); 45 C.F.R. 160.103 (definition of “covered entity”). The US Department of Health and Human Services developed a series of flowcharts to help individuals and entities decide whether they fall into one of these three categories. Local governments most likely do not operate health care clearinghouses. These are organizations that help other entities convert health information from a nonstandard format to a standard format (or the reverse). A local government may contract with a health care clearinghouse, but it most likely does not operate one within the governmental entity. A local government may operate a self-funded health plan that qualifies as HIPAA covered entity. The government may contract with a third-party administrator to manage the plan, but the plan itself may be a component of the local government. If so, the local government would be the covered entity. Many local governments, especially counties, are HIPAA covered entities because they offer services or have staff that (1) meet the definition of “health care provider” under HIPAA and (2) transmit health information in electronic form in connection with a HIPAA-covered transaction. For clarity, I will refer to individuals, services, or functions that meet both (1) and (2) as “covered health care providers.”

How does a local government know if it is a covered health care provider?

In order to determine whether a local government is a covered health care provider, it is important to understand some of the key HIPAA definitions, most of which are found in 45 C.F.R. 160.103.

• Is it a health care provider? A “health care provider” includes a person or organization who furnishes, bills, or is paid for health care in the normal course of business.
• What is health care? This term is defined broadly as care, services, or supplies related to the health of an individual. The term includes, but is not limited to, preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition, or functional status, of an individual or that affects the structure or function of the body. It also includes the sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription.

A county may, for example, operate a clinic in the health department that meets the definition of health care provider. A municipality may offer emergency medical services that meet the definition. Given the expansive definition of health care, it is possible that unexpected components of the local government are also providers. For example, a department of social services may employ a nurse-social worker to counsel foster children. Remember, though, that in order for this provider to be a HIPAA-covered health care provider, it must also transmit health information electronically in connection with a HIPAA-covered transaction.

• What is health information? This term is defined broadly to include any information, including genetic information, whether oral or recorded in any form or medium, that is created or received by a health care provider… and relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.
• What kinds of electronic transactions are implicated? Health care providers participate in a wide range of communications and transactions electronically. The list of HIPAA-covered transactions is, however, limited to certain types of communications including submission of health care claims, querying eligibility for a health plan, enrolling someone in a health plan, and coordinating benefits across plans. These are described in more detail in 45 C.F.R. Part 162.

If a local government determines that it is a covered entity, must the entire entity comply with HIPAA?

If a covered entity has a mix of functions – some that are required to be covered and some that are not – the HIPAA regulations allow the entity to designate itself a “hybrid entity” thereby limiting its compliance responsibilities to only certain parts of the entity. By definition, a hybrid entity is simply a single legal entity that (1) has both covered and non-covered components and (2) designates itself a hybrid entity by identifying covered health care components. In order to become a hybrid, the entity – such as the city or the county – must draw invisible lines throughout its organization identifying who will be required to comply and who will not. The primary benefit of becoming a hybrid entity is limiting the liability exposure in the event there is an enforcement action related to the HIPAA privacy or security regulation. If a local government is a covered entity and it does not designate itself as a hybrid entity, all individually identifiable health information maintained by the entity would be subject to the HIPAA regulations. For example, if the parks and recreation department collects health information about participants in a camp and the local government is a covered entity but it has not designated itself a hybrid entity, that camp-related health information would be protected by HIPAA. Imagine a camp counselor leaves forms that include health information in her bag and then her bag is stolen from her car. That loss would technically be a breach under HIPAA and could trigger breach notification requirements and invite attention from enforcement authorities. The primary drawbacks of becoming a hybrid are the potentially complicated administrative task of delineating which parts of entity are required to comply with the federal laws and then implementing those decisions. In a hybrid, different parts of the local government will need to comply with different bodies of confidentiality law with respect to individually identifiable health information. While this kind of variability is not uncommon in current practice, the hybrid entity designation adds a layer of complexity to local government operations.

If a local government decides to be a hybrid entity, what must it do?

The local government must evaluate its departments, services, and functions to determine whether each one should be covered. Once the decisions are made, there is no requirement that the covered entity file its hybrid entity designation papers with the federal government or any other oversight body. Rather, this is an internal exercise that prepares the entity for meeting its compliance responsibilities. At a minimum, the local government must treat the following two categories as covered components:

1. Any component that would be a covered entity if it was a separate legal entity, and
2. Any component that would be considered a business associate of a component that is required to be covered under #1.

The first category is straightforward and should be relatively easy to evaluate and implement. The second category is a little more complex because it is ties back to the HIPAA-created concept of "business associates." See below for a more detailed discussion of this concept. Once the covered health care component is defined, the covered entity must ensure that there are firewalls in place to prevent inappropriate use and disclosure across components. Information flowing from a covered component of a hybrid entity to a non-covered component of that entity is considered a disclosure under the HIPAA privacy regulation. In addition, staff within the covered component must comply with all of the other requirements of the HIPAA privacy and security regulations, including drafting detailed policies and procedures, providing training, establishing safeguards, and distributing notices of privacy practices.

Who or what is a business associate?

In short, a business associate is a person or entity that is not a member of a covered entity’s workforce who uses protected health information in order to help or support a covered entity. 45 CFR 160.103. There are two types of business associates:

1. One that creates, receives, maintains, or transmits protected health information on behalf of a covered entity for a function or activity that is regulated by HIPAA, such as claims processing, practice management, and quality assurance.
2. One that uses protected health information to provide certain types of services to the covered entity. This includes legal, actuarial, consulting, data aggregation, management, administrative, accreditation, or financial services.

There are some exceptions to the definition of business associate, including one for government agencies that determine eligibility or enroll individuals in government health plans providing public benefits.

What requirements apply to business associate relationships?

The HIPAA regulations require that a covered entity have “satisfactory assurances” that the business associate will protect the information and comply with other administrative requirements. These assurances are typically part of a contract referred to as a “business associate agreement.” In addition to this contractual responsibility to comply with some of the HIPAA requirements, business associates are now directly regulated by HIPAA and are subject to enforcement action. For a typical covered entity, these business associate relationships may be fairly easy to identify and manage. A health care provider hires a billing company. The provider enters into a business associate agreement with the billing company. For a larger hybrid entity, such as a county, the application of the business associate concept may be more complex. The county may have some external business associates – these would look just like the billing company described above. It may be a contract with an outside organization to provide some consulting services that requires disclosure of some protected health information, for example. In this case, the county would enter into a business associate agreement with the consulting group. The county may also have some internal components that are performing business associate-like functions for one or more health care components within the county. For example, the county’s finance office may be managing all of the billing for the provision of health care by the health department and emergency management services. If the finance office was not included within the county, it would be considered a business associate. Since it is within the county and the county is a hybrid entity, the county must include the finance office as part of its covered health care component. In other words, the county is required to include any business-associate like functions in its health care component. It is possible to include a business associate-like function in the health care component “only to the extent that it performs covered functions.” This means that, in our example above, not every staff person in the finance office would need to be trained to comply with the HIPAA regulations but only those staff members who work with protected health information for the covered health care component. In addition, not all records in the office would be subject to all of the HIPAA restrictions on use and disclosure. This may be helpful but it also could be tricky to implement depending upon the size of the organization and the number of people and activities or functions involved. A county may simply decide that, for ease of administration, all staff and records within a business associate-like component will be required to comply with the HIPAA regulations.

Conclusion

Even if a local government evaluated its covered entity status when the HIPAA rules were first adopted, it is important to revisit this analysis from time to time. Not only have the HIPAA regulations changed significantly in recent years, but the functions, services, and relationships in local government change. It is important that this analysis and the accompanying documentation accurately reflect the local government’s operations, that policies and procedures are up-to-date, and that staff are adequately trained on the government’s approach to HIPAA compliance.