Executive Summary:

  • If an institution doesn’t designate which functions are and are not covered by HIPAA, the assumption is that all activities fall under the HIPAA compliance umbrella.
  • Recent federal actions against the University of Texas and UMass reveal the risks of non-covered activities being subject to HIPAA data security and workplace compliance requirements.
  • The “hybrid entity” approach can be an effective shield against these potential problems, for complex, multidisciplinary entities such as universities, as well as for smaller campuses that may have only a single HIPAA-covered program.
  • The hybrid entity approach may reduce the risk of non-compliance (and exposure to significant financial penalties) by removing certain non-covered functions from HIPAA scrutiny.

How to Qualify your Institution to be designated as Hybrid
Many institutions of higher education and other complex organizations have multi-faceted operations, performing activities that both are covered under the Health Insurance Portability and Accountability Act of 1996, as modified by the Health Information Technology for Economic and Clinical Health Act (“HIPAA”) and not covered by HIPAA’s scope. If an entity performs both covered and non-covered functions, the failure to designate the business activities that constitute covered functions will cause the entire entity to be subject to the data privacy and workplace compliance requirements of HIPAA .

Several recent decisions illustrate the need for multidisciplinary institutions whose business activities include both covered and non-covered functions under HIPAA to potentially identify and distinguish those functions from one another. Designating as a “hybrid entity” may prevent the single, multidisciplinary entity from bringing its entire business functions under HIPAA’s onerous requirements.

For institutions of higher education and complex entities that perform both covered and non-covered functions, the issue of whether to designate as a hybrid entity includes many factors. Notably, an entity that chooses to designate itself as a hybrid entity may choose not to apply the Privacy Rule to its non-healthcare components of the organization .

HIPAA defines a hybrid entity as a single legal entity that is a covered entity; whose business activities include both covered and non-covered functions; and that self-designates the health care components that it provides. Covered functions include functions that make the entity a health plan, healthcare provider who transmits any health information in electronic form, or healthcare clearinghouse under HIPAA.

To qualify as a hybrid entity, an institution must properly distinguish and identify which functions within its purview are covered functions and which ones are not. The entity must then designate those covered functions with HHS to achieve hybrid entity status. Importantly, institutions have the discretion to determine whether they want to be a hybrid entity.

Risks and Fines from Ineffective Designation -
A recent decision by the U.S. Department of Health and Human Services (“HHS”) in the Director of the Office of Civil Rights v. The University of Texas MD Anderson Cancer Center , a decision issued on June 1, 2018, further reminds covered entities that HIPAA provides a mechanism that allows entities to self-designate their healthcare functions and distinguish them from non-healthcare functions to better manage HIPAA compliance. In the MD Anderson case, HHS granted summary judgment in favor of the U.S. Department of Health and Human Services, Office for Civil Rights (“OCR”) and imposed civil monetary penalties (“CMPs”) of over $4 million against the University for noncompliance with HIPAA. The CMPs included $2,000 per day for each day of a period that began on March 24, 2011 through January 25, 2013; and $1.5 million per year for years 2012 and 2013.

HHS held that the University, an academic medical center that operates both inpatient and outpatient facilities, failed to safeguard ePHI in accordance with HIPAA. The breaches of ePHI were caused by the theft of a laptop computer that was not encrypted and the loss of two unencrypted USB thumb drives. This resulted in the unlawful disclosure of ePHI relating to tens of thousands of patients. Although the University had implemented privacy and security policies, performed risk analysis, identified areas of risk, and implemented various protective mechanisms, it failed to implement the encryption of devices which would have prevented the disclosure of the e-PHI on the stolen laptops and two thumb drives, thus resulting in a HIPAA violation.

In its defense, the University asserted that HIPAA did not apply because the ePHI contained in the stolen and lost devices was research information that is outside of HIPAA’s reach. HHS found that this argument was without merit and that the University ignored the fact that HIPAA provides a regulatory mechanism for a facility to segregate its research functions from its clinical functions and to exempt its research functions from HIPAAs non-disclosure requirements by designating itself as a hybrid entity and distinguishing its clinical and non-clinical functions. Although HHS declined to make any findings regarding whether the University could have availed itself of the hybrid entity exception and exempted certain ePHI from non-disclosure requirements, arguably, had the University self-designated, thus exempting the University’s research functions from HIPAA, there would have been no basis for imposing the monetary penalties.

An earlier settlement between the University of Massachusetts Amherst (“UMass”) and the OCR resulted in the payment, by UMass, of approximately $650,000 in CMPs for potential violations of HIPAA. The UMass settlement further demonstrates the importance of proper hybrid entity designation. UMass failed to designate all of its healthcare components in accordance with the hybrid entity rules, including the component that caused the breach of unsecured ePHI. The OCR emphasized proper designation of an entity’s health care components to ensure compliance with HIPAA.

In certain circumstances, self-designating as a hybrid entity improves compliance with HIPAA and reduces the risk of noncompliance by removing non-covered functions , which often comprise a substantial amount of a multidisciplinary entity’s functions, from the stringent privacy and security safeguards of HIPAA. Both of the highlighted examples serve as a reminder to covered entities that perform covered and non-covered functions of the importance of availing themselves of hybrid entity status and constantly reassessing designated components within a multidisciplinary entity, such as a college or university, to improve HIPAA compliance, reduce the likelihood of noncompliance and reduce the likelihood of exposure to expensive and burdensome civil monetary penalties.