Can a postsecondary institution be a “hybrid entity” under the HIPAA Privacy Rule?
Yes. A postsecondary institution that is a HIPAA covered entity may have health information to which the Privacy Rule may apply not only in the health records of nonstudents in the health clinic, but also in records maintained by other components of the institution that are not education records or treatment records under FERPA, such as in a law enforcement unit or research department. In such cases, the institution, as a HIPAA covered entity, has the option of becoming a “hybrid entity” and, thus, having the HIPAA Privacy Rule apply only to its health care unit. The school can achieve hybrid entity status by designating the health unit as its “health care component.” As a hybrid entity, any individually identifiable health information maintained by other components of the university (i.e., outside of the health care component), such as a law enforcement unit, or a research department, would not be subject to the HIPAA Privacy Rule, notwithstanding that these components of the institution might maintain records that are not “education records” or treatment records under FERPA.
To become a hybrid entity, the covered entity must designate and include in its health care component all components that would meet the definition of a covered entity if those components were separate legal entities. (A covered entity may have more than one health care component.) However, the hybrid entity is not permitted to include in its health care component other types of components that do not perform the covered functions of the covered entity or components that do not perform support activities for the components performing covered functions. That is, components that do not perform health plan, health care provider, or health care clearinghouse functions and components that do not perform activities in support of these functions (as would a business associate of a separate legal entity) may not be included in a health care component. Within the hybrid entity, most of the HIPAA Privacy Rule requirements apply only to the health care component, although the hybrid entity retains certain oversight, compliance, and enforcement obligations. See 45 CFR § 164.105 of the Privacy Rule for more information.