HIPAA Covered Entities vs. Hybrid Entities: How to Designate, Scope, and Govern in 2025


Kevin Henry

HIPAA

January 22, 2024


You may operate entirely as a HIPAA covered entity or function as a hybrid entity with both regulated and non-regulated units. Getting the designation, scope, and governance right in 2025 reduces risk, clarifies responsibilities, and prevents unnecessary constraints on your non-health operations.

This guide explains how HIPAA covered entities compare to hybrid entities, how to complete a Written Designation, how to identify Health Care Components, and how to build Compliance Firewalls that keep Protected Health Information (PHI) secure while your broader organization runs efficiently.

Defining HIPAA Covered Entities

Who qualifies as a covered entity

Under HIPAA, a covered entity is one of three types: a health plan, a health care clearinghouse, or a health care provider who transmits health information in connection with standard Electronic Transactions (for example, claims, eligibility inquiries, or remittance advice). If you meet any of these criteria, HIPAA applies to your relevant activities.

What HIPAA regulates

HIPAA regulates the use and disclosure of Protected Health Information by covered entities and their business associates, and imposes Privacy, Security, and Breach Notification requirements. For electronic PHI (ePHI), the Security Rule requires Administrative Safeguards, Physical Safeguards, and technical controls proportionate to risk.

Key implications

  • Only the covered functions and related operations are in scope; unrelated business activities are not automatically covered.
  • If your organization performs both covered and non-covered functions, you may qualify to be a hybrid entity to narrow HIPAA’s scope.

Understanding Hybrid Entity Designation

When hybrid status makes sense

If your organization houses clinical services alongside non-health operations (for example, a university, city government, or retailer with onsite clinics), hybrid entity status can limit HIPAA obligations to designated Health Care Components without over-regulating the rest of the enterprise.

Completing the Written Designation

  • Inventory functions: list all units that perform covered functions or support them (billing, IT, revenue cycle, clearinghouse activity, plan administration).
  • Identify Health Care Components: include any unit that would be a covered entity if it were separate, plus supporting units that create, receive, maintain, or transmit PHI for those components.
  • Draft the Written Designation: name each component precisely, describe its covered functions, and state the effective date and approval authority.
  • Assign workforce: specify which roles are part of each component, including shared-service staff who handle PHI.
  • Document Compliance Firewalls: define how PHI will be segregated from non-covered operations and how requests flow across boundaries.
  • Communicate and archive: publish the designation internally, keep it centrally accessible, and incorporate it into onboarding and training.

What the designation must clarify

  • Which units are inside vs. outside the Health Care Components.
  • Which systems and records contain PHI and ePHI.
  • How Electronic Transactions are conducted (directly or via a vendor/clearinghouse).
  • Who serves as privacy official and security official for the components.

Delineating the Scope of HIPAA Application

Inside the Health Care Components

HIPAA applies to all uses and disclosures of PHI within your designated Health Care Components and to shared services that support them. This includes workforce members, systems, and vendors that create, receive, maintain, or transmit PHI on their behalf.

Outside the components

Non-covered parts of a hybrid entity are not subject to HIPAA, but they must respect Compliance Firewalls. If a non-covered unit needs PHI, it must meet minimum necessary standards and use authorized channels, or receive de-identified data when feasible.

Handling mixed-use units

For teams that perform both covered and non-covered work (such as enterprise IT or HR), define role-based assignments, separate workflows, and data stores so only the “covered” side interacts with PHI. Where separation is impractical, include the unit (or specific roles) in the Health Care Components.


Implementing Governance and Compliance Policies

Accountability and leadership

  • Appoint a privacy official and a security official for the Health Care Components.
  • Establish a cross-functional governance committee to oversee risk, incidents, vendors, and audits.

Core policy framework

  • Privacy Rule policies: minimum necessary, uses/disclosures, authorizations, patient rights, and Notice of Privacy Practices (as applicable).
  • Security Rule policies: Administrative Safeguards (risk analysis, workforce training, access management, contingency planning), Physical Safeguards (facility controls, device/media handling), and technical controls for ePHI.
  • Operational policies: Electronic Transactions, records retention, data quality, and change management.
  • Third-party management: business associate due diligence, BAAs, and ongoing monitoring.

Operationalize the controls

  • Implement role-based access and least privilege; align identity lifecycle with component membership.
  • Segment systems that process PHI; encrypt data at rest and in transit; log and monitor access.
  • Train workforce on the Written Designation, PHI handling, and incident reporting before access is granted and periodically thereafter.
  • Test incident response and breach notification procedures with tabletop exercises.

Maintaining Separation Between Components

Build effective Compliance Firewalls

  • Data boundaries: segregate PHI repositories from general enterprise data; restrict queries and exports.
  • Workflow boundaries: define approved handoffs, ticket types, and request forms when non-covered units support covered operations.
  • Identity boundaries: use distinct security groups, inboxes, and distribution lists for Health Care Components.
  • Network and device boundaries: segment networks, harden endpoints with PHI access, and control removable media.
  • Facilities boundaries: restrict access to areas where PHI is stored or discussed; protect visual and verbal privacy.

Cross-boundary requests

When non-covered units need information, require documented justification, minimum necessary scope, and approval from the Health Care Components. Use de-identified data or aggregated data whenever possible.
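A small policy-as-code model of the identity boundary and the cross-boundary request conditions described above, added here as an example (not code from the article or from Accountable); the component names, roles, identifier list and sample record are constructed assumptions.

```python
# Added example, not code from the article: a policy-as-code model of a
# Written Designation and the Compliance Firewall rules for PHI requests.
# Component names, roles, field names and the sample record are constructed.
from dataclasses import dataclass, field

# Constructed Written Designation: Health Care Component -> assigned roles,
# including shared-service roles that handle PHI for those components.
DESIGNATION = {
    "Student Health Clinic": {"clinician", "clinic-billing"},
    "Revenue Cycle": {"clinic-billing", "claims-analyst"},
    "Enterprise IT (covered side)": {"ehr-admin"},
}
COVERED_ROLES = set().union(*DESIGNATION.values())

# Constructed subset of direct identifiers stripped for de-identified release
# (illustrative only; the Safe Harbor method enumerates many more).
DIRECT_IDENTIFIERS = {"name", "mrn", "ssn", "dob", "address"}

@dataclass
class Request:
    role: str                            # requester's workforce role
    fields: set                          # PHI fields the requester wants
    justification: str = ""              # documented reason (cross-boundary)
    approved_by: str = ""                # approving Health Care Component
    min_necessary_fields: set = field(default_factory=set)  # approved scope

def decide(req: Request) -> tuple[str, list[str]]:
    """Apply the firewall: ('phi' | 'de-identified', list of unmet conditions)."""
    if req.role in COVERED_ROLES:
        return "phi", []            # inside a component: HIPAA governs directly
    unmet = []
    if not req.justification.strip():
        unmet.append("documented justification")
    if req.approved_by not in DESIGNATION:
        unmet.append("approval from a Health Care Component")
    if not req.fields <= req.min_necessary_fields:
        unmet.append("minimum necessary scope")
    return ("phi", []) if not unmet else ("de-identified", unmet)

def release(record: dict, req: Request) -> dict:
    """Return only the requested fields, minus identifiers unless PHI is allowed."""
    outcome, _ = decide(req)
    allowed = req.fields if outcome == "phi" else req.fields - DIRECT_IDENTIFIERS
    return {k: v for k, v in record.items() if k in allowed}

# Constructed sample record for demonstration.
SAMPLE = {"name": "A. Patient", "mrn": "000123", "dob": "1990-01-01",
          "visit_month": "2024-01", "diagnosis_group": "respiratory"}
```

A request from a role outside every component that lacks justification, approval, or an approved minimum-necessary scope receives only the de-identified fields.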

Examples of Hybrid Entities

University with a medical center

Designate patient care clinics, student health, and revenue cycle as Health Care Components; keep academic departments outside unless they handle PHI for covered functions.

Municipal government

Designate public health, EMS, and employee health clinics; keep parks, utilities, and permitting outside, protected by Compliance Firewalls.

Retailer with onsite clinics

Designate clinics and related billing; keep merchandising and e-commerce outside, using strict data and workflow separation.

School district

Designate school-based health services and special education nursing; keep general administration outside unless roles require PHI access.

Corrections system

Designate inmate health services; keep custody operations outside while enforcing facility and data boundaries to protect PHI.

Reviewing and Updating Compliance Measures

Review cadence and triggers

  • Conduct a structured review of the Written Designation, policies, and risk analysis at least annually.
  • Update immediately upon material changes: new clinics, acquisitions, EHR or billing system changes, Electronic Transactions onboarding, or org restructuring.

Monitoring and evidence

  • Use metrics: access exceptions, incident trends, training completion, vendor risk scores, and audit findings.
  • Maintain artifacts: inventories, diagrams of Health Care Components, policy versions, training records, and BAA repository.

Common pitfalls to avoid

  • Naming components too vaguely, causing scope creep or weak controls.
  • Leaving shared services outside the components while they routinely handle PHI.
  • Inconsistent role assignments that bypass Compliance Firewalls.
  • Failing to align technical configurations with Administrative Safeguards and Physical Safeguards.

Conclusion

Whether you operate as a HIPAA covered entity or as a hybrid entity, success hinges on precision: craft a clear Written Designation, define Health Care Components rigorously, enforce Compliance Firewalls, and govern with risk-based safeguards. Review often, adjust quickly, and keep PHI handling aligned with your real-world operations.

FAQs

What criteria define a HIPAA covered entity?

An organization is a covered entity if it is a health plan, a health care clearinghouse, or a health care provider that transmits health information in connection with standard Electronic Transactions. Meeting any one of these criteria brings HIPAA obligations for PHI created, received, maintained, or transmitted in those activities.

How does an organization designate a hybrid entity?

Perform a functional inventory, identify Health Care Components, and publish a Written Designation that lists the components, their covered functions, supporting units handling PHI, and the effective date. Assign workforce roles to components, define Compliance Firewalls, communicate the designation, and integrate it into policies, training, and system access.

What are the governance requirements for hybrid entities?

Hybrid entities must apply HIPAA to their Health Care Components, appoint privacy and security officials, implement Administrative Safeguards and Physical Safeguards along with technical controls for ePHI, manage business associates, train the workforce, and monitor compliance through risk analysis, audits, and incident management.

How often must designations and policies be reviewed?

Review at least annually and whenever material changes occur—such as launching new services, adopting or replacing systems that process PHI, restructuring departments, or changing Electronic Transactions workflows. The goal is to keep scope, controls, and documentation accurate and effective.
