The HIPAA Privacy Rule for Hybrid Entities: Designating and Governing Healthcare Components


Kevin Henry

HIPAA

January 31, 2024

7 minutes read

The HIPAA Privacy Rule for hybrid entities lets a single legal entity separate its covered functions from everything else, so you can focus Privacy Rule compliance where Protected Health Information is actually handled. This article explains how to designate a Health Care Component, maintain firm firewalls, and control disclosure restrictions while keeping operations efficient and compliant.

Hybrid Entity Definition

A hybrid entity is one legal entity that performs both HIPAA covered functions and non-covered activities. Instead of treating the entire organization as a covered entity, you formally designate one or more Health Care Components (HCCs). The Privacy Rule then applies to those components—where Protected Health Information (PHI) is created, received, maintained, or transmitted.

Covered functions

  • Health care providers that conduct certain electronic transactions (for example, claims or eligibility inquiries).
  • Health plans (insurers, government plans, certain employer-sponsored plans) that handle PHI.
  • Health care clearinghouses that transform data between standard and nonstandard formats.

If your organization performs any covered function, you may become a hybrid entity by formally designating the relevant component(s). If you do not designate, the entire organization is treated as a covered entity for Privacy Rule compliance.

Designation of Health Care Components

Step-by-step designation

  1. Inventory operations to identify all covered functions and where PHI flows.
  2. Define the Health Care Component boundary, including units that create, receive, maintain, or transmit PHI.
  3. Include any internal unit that would be a business associate if it were a separate company (for example, centralized IT or billing supporting the HCC).
  4. Document the designation in writing, listing each included unit, the effective date, and governance roles.
  5. Train the workforce assigned to the HCC and document role-based access to PHI.
  6. Review and update the designation whenever services, systems, or organizational structures change.

Scope and supporting services

Your HCC may include clinical departments, revenue cycle, coding, centralized EHR teams, data analytics supporting treatment, payment, or health care operations, and other support that requires PHI. Keeping these in scope avoids improper internal “business associate” arrangements and clarifies who must follow Privacy Rule compliance controls.

Applicability of Privacy Rule

Within a hybrid entity, the HIPAA Privacy Rule applies to the Health Care Component(s) and to any workforce handling PHI on their behalf. Other parts of the organization are not covered entities, but they must respect the boundaries and may interact with PHI only as the Rule permits.

What applies to whom

  • Privacy Rule: Governs uses and disclosures of PHI, individual rights, notices, authorizations, and minimum necessary within the HCC.
  • Security Rule: Requires administrative, physical, and technical safeguards for ePHI in the HCC.
  • Breach Notification: Applies to PHI of the HCC and triggers required notifications after a breach.

Electronic transactions

When your HCC conducts standard electronic transactions (such as claims, remittance advice, eligibility, referrals, or pharmacy transactions), it must use HIPAA standard formats. Non-HCC units may not conduct such transactions with PHI unless they are included in the HCC or are an external business associate under a proper agreement.


Separation Requirements

Hybrid entities must erect effective “firewalls” between HCCs and non-covered components to prevent impermissible use or disclosure of PHI.

Administrative firewalls

  • Written policies describing what the HCC may share, with whom, and for what purpose.
  • Role-based access and minimum necessary standards tied to job duties.
  • Workforce training, confidentiality acknowledgments, sanctions, and a complaint process.

Technical and physical firewalls

  • System segmentation, unique user IDs, multifactor authentication, and least-privilege access.
  • Audit logs, periodic access reviews, and monitoring for unauthorized disclosure.
  • Secure work areas, device controls, encryption, and disposal procedures for media with PHI.

Dual-role workforce

When employees serve both HCC and non-HCC roles, assign distinct credentials, prohibit cross-use of PHI, and document workflows that prevent spillover. Clear schedules and supervision help ensure PHI stays inside the Health Care Component.

Disclosure Restrictions

The Privacy Rule permits an HCC to use or disclose PHI only for authorized purposes or as otherwise allowed. Inside a hybrid entity, that means PHI cannot freely flow to non-HCC units.

Permitted flows and minimum necessary

  • Uses and disclosures for treatment, payment, and health care operations within the HCC.
  • Disclosures required by law or for public health, when conditions are met.
  • Minimum necessary applies to most non-treatment disclosures and internal requests.

Prohibited or restricted flows (examples)

  • HR, legal, or corporate marketing units may not receive PHI from the HCC for employment or advertising decisions without valid authorization or a specific Privacy Rule permission.
  • Sharing PHI with a non-HCC analytics or research unit requires a proper pathway (authorization, IRB/Privacy Board waiver, limited data set with a data use agreement, or de-identification).
  • If a non-HCC unit would need routine PHI to perform its services, include it in the HCC or engage it as an external business associate—do not rely on informal access.
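The dual-role workforce guidance and the disclosure restrictions above both reduce to one authorization question: is the requesting credential inside the designated Health Care Component, is the purpose one the Privacy Rule permits, is the request limited to the minimum necessary, and, for a non-HCC unit, is there a lawful pathway? The following is an added illustration, not code from the article or from Accountable: a small policy model that encodes a constructed HCC designation, gives dual-role staff a distinct credential per unit, evaluates PHI requests against those rules, and reviews a handful of constructed audit events to flag access that crossed the firewall. Every unit name, credential id, field name and event is an assumption made up for the example.

```python
"""Added example: a toy HCC boundary policy for a hybrid entity.
All units, credentials, purposes, field sets and audit events are constructed."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, List, Optional

# Constructed designation: the units formally placed inside the Health Care Component.
HCC_UNITS: FrozenSet[str] = frozenset({"clinic", "billing", "ehr_it"})

# Purposes permitted inside the HCC without an individual authorization (TPO).
TPO: FrozenSet[str] = frozenset({"treatment", "payment", "operations"})

# Minimum necessary: the PHI fields a request may carry, by purpose (constructed).
# Treatment is exempt from minimum necessary, so its entry is only a reference set.
MIN_NECESSARY: Dict[str, FrozenSet[str]] = {
    "treatment": frozenset({"name", "dob", "diagnosis", "medications", "notes"}),
    "payment": frozenset({"name", "dob", "diagnosis", "insurance_id"}),
    "operations": frozenset({"diagnosis", "encounter_date"}),
}

# Lawful pathways for PHI to reach a non-HCC unit (mirrors the article's list).
EXTERNAL_PATHWAYS: FrozenSet[str] = frozenset(
    {"authorization", "irb_waiver", "limited_data_set_dua", "deidentified"}
)


@dataclass(frozen=True)
class Credential:
    """One credential per role: dual-role staff hold a separate credential per unit."""
    cred_id: str
    person: str
    unit: str


@dataclass
class Decision:
    allowed: bool
    reason: str
    fields: FrozenSet[str] = field(default_factory=frozenset)


def evaluate(cred: Credential, purpose: str, requested: Iterable[str],
             pathway: Optional[str] = None) -> Decision:
    """Decide whether this credential may receive the requested PHI fields."""
    requested = frozenset(requested)
    if cred.unit in HCC_UNITS:
        if purpose not in TPO:
            return Decision(False, f"purpose '{purpose}' not permitted inside HCC without authorization")
        if purpose != "treatment":
            over = requested - MIN_NECESSARY[purpose]
            if over:
                return Decision(False, f"minimum necessary exceeded for '{purpose}': {sorted(over)}")
        return Decision(True, f"permitted within HCC for {purpose}", requested)
    # Requester sits outside the HCC: PHI may cross only via a lawful pathway.
    if pathway in EXTERNAL_PATHWAYS:
        return Decision(True, f"disclosure to non-HCC unit '{cred.unit}' via {pathway}", requested)
    return Decision(False, f"unit '{cred.unit}' is outside the HCC and no permitted pathway was given")


@dataclass(frozen=True)
class AuditEvent:
    cred_id: str
    purpose: str
    fields: FrozenSet[str]
    pathway: Optional[str] = None


# Constructed credential directory. "lee" is dual-role: billing (HCC) and HR (non-HCC).
CREDENTIALS: Dict[str, Credential] = {c.cred_id: c for c in [
    Credential("c-clin-01", "dana", "clinic"),
    Credential("c-bill-02", "lee", "billing"),
    Credential("c-hr-03", "lee", "hr"),
    Credential("c-mkt-04", "sam", "marketing"),
    Credential("c-res-05", "ana", "research"),
]}

# Constructed audit trail of PHI requests to review.
SAMPLE_AUDIT: List[AuditEvent] = [
    AuditEvent("c-clin-01", "treatment", frozenset({"name", "diagnosis", "medications"})),
    AuditEvent("c-bill-02", "payment", frozenset({"name", "insurance_id"})),
    AuditEvent("c-hr-03", "payment", frozenset({"name", "diagnosis"})),            # HR credential of a dual-role employee
    AuditEvent("c-mkt-04", "marketing", frozenset({"name", "diagnosis"})),         # marketing unit, no authorization
    AuditEvent("c-res-05", "research", frozenset({"diagnosis", "encounter_date"}), "limited_data_set_dua"),
    AuditEvent("c-bill-02", "operations", frozenset({"name", "diagnosis"})),       # more than minimum necessary
    AuditEvent("c-clin-01", "marketing", frozenset({"name"})),                     # HCC staff, non-TPO purpose
]


def review_audit(events: Iterable[AuditEvent], creds: Dict[str, Credential]) -> List[str]:
    """Re-run the policy over logged events and return one finding per violation."""
    findings: List[str] = []
    for e in events:
        cred = creds.get(e.cred_id)
        if cred is None:
            findings.append(f"{e.cred_id}: unknown credential")
            continue
        d = evaluate(cred, e.purpose, e.fields, e.pathway)
        if not d.allowed:
            findings.append(f"{e.cred_id} ({cred.person}/{cred.unit}): {d.reason}")
    return findings


if __name__ == "__main__":
    for line in review_audit(SAMPLE_AUDIT, CREDENTIALS):
        print(line)
```

Running the block prints four findings: the HR credential of the dual-role employee, the marketing unit with no authorization, the billing request that exceeded minimum necessary for operations, and the clinic credential used for a non-TPO purpose. The research request passes only because a limited-data-set pathway was recorded; the same review over real logs is the periodic disclosure audit the article recommends.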

Compliance Obligations

Core program requirements

  • Documented HCC designation and governance roles (privacy and security officials).
  • Policies and procedures covering uses/disclosures, individual rights, minimum necessary, and sanctions.
  • Security Rule risk analysis and risk management for ePHI; access controls, audit, incident response.
  • Notices of Privacy Practices, authorizations, and processes for access, amendment, and accounting of disclosures.
  • Breach response and notification procedures, including investigation and mitigation.
  • Vendor and partner oversight with business associate agreements where applicable.
  • HIPAA electronic transaction standards compliance for the HCC.

Operational best practices

  • Data mapping that shows where PHI enters, flows, and leaves the HCC.
  • Access reviews for dual-role staff; quarterly audits of disclosures and logs.
  • Change management to reevaluate HCC boundaries when systems or org charts change.
  • Ongoing training tailored to roles, plus periodic tabletop exercises for incidents.

Examples of Hybrid Entities

  • Universities that operate academic programs and separate clinical services or student health centers.
  • City or county governments that run public health clinics alongside non-health departments.
  • Grocery or big-box retailers with in-store pharmacies or optical clinics plus general retail operations.
  • Research institutes that conduct both clinical trials (handling PHI) and basic science labs (no PHI).
  • Technology companies with a telehealth business unit in addition to unrelated product lines.

Conclusion

Designating a Health Care Component focuses Privacy Rule compliance where PHI lives, while separation requirements and disclosure restrictions keep the rest of your organization running without unnecessary burden. With clear boundaries, strong firewalls, and disciplined governance, a hybrid entity can meet HIPAA obligations and streamline operations.

FAQs

What is a hybrid entity under HIPAA?

A hybrid entity is a single legal entity that performs both HIPAA covered functions and non-covered activities, and that formally designates one or more Health Care Components. The Privacy Rule then applies to those components—and to workforce handling PHI for them—rather than to the entire organization.

How are health care components designated within a hybrid entity?

You identify all covered functions and PHI flows, include any internal units that would be business associates if separate (such as centralized IT or billing), and document the Health Care Component in writing with effective dates and governance roles. Update the designation whenever operations, systems, or vendors change.

What separation requirements must hybrid entities meet?

Hybrid entities must maintain administrative, technical, and physical firewalls so PHI in the Health Care Component is not impermissibly used or disclosed to non-HCC units. Typical controls include role-based access, system segmentation, monitoring, training, and clear procedures for dual-role staff.

How does the Privacy Rule restrict disclosures within hybrid entities?

PHI may be used or disclosed by the HCC only for permitted purposes (such as treatment, payment, and health care operations) or with valid authorization. Non-HCC units cannot receive PHI for unrelated purposes—like employment or marketing—unless a specific Privacy Rule permission applies and the minimum necessary standard is met.
