What is a hybrid entity under HIPAA?

Hybrid entities under HIPAA are a distinct organizational structure that addresses the complexities of organizations performing both HIPAA covered and non-covered functions. A Journal of the Medical Library Association article, ‘Balancing between two goods’, that examined hybrid entities under HIPAA noted, “If an organization performs both covered and non-covered functions, it may elect to be a hybrid organization by designating the health care components in its operations as covered functions.” The hybrid entity concept is common for organizations such as universities, municipal governments, and public health departments.

The hybrid entity concept was further reinforced by the Health Information Technology for Economic and Clinical Health (HITECH) Act. HITECH expanded the definition of business associates and clarified that hybrid entity policies must include both covered entity and business associate components. The U.S. Department of Health and Human Services (HHS) provides guidance on the implementation and compliance obligations of hybrid entities that apply specifically to the designated health care components.

How a single organization can have both covered and non-covered components

The Network for Public Health Law paper on the hybrid entity assessment for local public health departments states, “HIPAA recognizes larger organizations such as LPHDs may have some components that are required to be covered by HIPAA and some that need not be…The LPHD is not required to make the entire organization subject to HIPAA. Instead, it can limit HIPAA’s applicability to those covered components, such as clinical services, which are subject to HIPAA.” Noncovered functions, on the other hand, are activities such as general administration, education, or public health surveillance that do not involve HIPAA covered activities, namely electronic billing or the direct provision of health care services.

For example, a local public health department (LPHD) might operate a clinic that provides immunizations and bills health plans electronically; this clinic would be a covered component under HIPAA. At the same time, the LPHD might have divisions responsible for community outreach, environmental health inspections, or disease surveillance, which do not engage in covered electronic transactions and are therefore noncovered components. In a university setting, the student health center may be a covered component, while academic departments and administrative offices are noncovered components.

The distinction between covered and noncovered components determines the scope of HIPAA’s application. If an organization performs both types of functions, it may elect to become a hybrid entity by formally designating its health care components. The designation allows the organization to apply HIPAA’s privacy and security requirements only to the covered components, rather than to the entire organization. The noncovered components remain subject to other applicable state or local privacy laws but are not bound by HIPAA’s specific requirements.

The “designation” process

The designation process is outlined in 45 CFR § 164.105, which specifies that a covered entity that performs both covered and noncovered functions may elect to be a hybrid entity by designating its health care components. This process involves several key steps to ensure that only the appropriate components are subject to HIPAA’s privacy and security rules.

According to the HHS FAQs section on the topic, “If a covered entity decides to be a hybrid entity, it must define and designate its health care component(s). Research components of a hybrid entity that function as health care providers and engage in standard electronic transactions must be included in the hybrid entity's health care component(s), and be subject to the Privacy Rule.”

The organization in question must conduct a comprehensive assessment of its operations to identify all components that perform covered functions. Covered functions are defined as activities that would make the component a health plan, a health care provider that transmits health information electronically in connection with certain transactions, or a health care clearinghouse. The assessment should also identify any internal business associates that provide services to the covered components, as these must also be included in the designation.

Once the assessment is complete, the organization must formally adopt a hybrid entity policy that clearly identifies the designated health care components. The policy has to be documented in writing or recorded electronically and must be retained for at least six years from the date of creation or last effective date, whichever is later. The policy should specify which components are covered by HIPAA and which are not, and it must be updated as organizational changes occur.

The difference between covered entities and hybrid entities

A covered entity, as defined in 45 CFR § 160.103, is any health plan, health care clearinghouse, or health care provider who transmits health information electronically in connection with certain transactions. Covered entities are subject to all provisions of the HIPAA Privacy, Security, and Breach Notification Rules, and must ensure that all components of the organization comply with these requirements.

According to the Journal of the Medical Library Association article mentioned above, “Only a covered entity, or the covered part of a hybrid entity, must comply with the privacy rule, although other federal or state privacy and confidentiality laws may apply to non-covered entities.”

A hybrid entity is a specific type of covered entity that performs both covered and noncovered functions and has formally designated its health care components in accordance with 45 CFR § 164.105. The hybrid entity designation allows the organization to limit the application of HIPAA’s requirements to only those components that perform covered functions or act as business associates.

The primary difference lies in the scope of HIPAA compliance. For a covered entity, all parts of the organization are subject to HIPAA, regardless of whether they handle PHI or perform covered functions. This means that workforce training, privacy and security policies, breach notification requirements, and other compliance measures apply across the entire organization. For a hybrid entity, only the designated health care components and internal business associates are subject to HIPAA.

The need for firewalling PHI between components

According to a 1012 International Conference on Biomedical Engineering and Biotechnology paper on the topic of network security, “Specified firewalls or the routers with firewall features are recommended for protecting the network attacks as well.” 

The rationale for firewalling is twofold. First, it ensures that PHI is not inadvertently or improperly shared with parts of the organization that are not subject to HIPAA’s stringent privacy and security requirements. Noncovered components may not have the necessary policies, training, or safeguards in place to protect PHI, increasing the risk of unauthorized use or disclosure. By establishing clear boundaries and controls, the organization can prevent breaches and reduce its overall risk exposure.

Second, firewalling supports compliance with HIPAA’s minimum necessary standard, which requires that access to PHI be limited to only those individuals or components that need it to perform their job functions. This is especially important in organizations where employees may move between covered and noncovered components, or where business processes involve multiple divisions. Without effective firewalls, there is a risk that PHI could be accessed or used for purposes unrelated to health care, in violation of HIPAA.

FAQs

Can an employee work for both a covered and a non-covered component within the same hybrid entity?

Yes, but the employee must not use or disclose PHI obtained from the covered component in a way that would violate HIPAA.

Who is responsible for HIPAA compliance in a hybrid entity?

The legal entity as a whole is responsible for ensuring that its health care components comply with HIPAA.

What happens if an organization does not formally designate itself as a hybrid entity?

If a covered entity does not adopt and document a written hybrid entity policy, HIPAA applies to the entire organization—including all non-covered functions.