Hybrid Entity Designation
The Health Insurance Portability and Accountability Act (HIPAA) and its implementing regulations apply to “Covered Entities” including: (1) health care providers that conduct “covered transactions” such as, by way of example, transmission of health care claims, health care payments, enrollment in a health plan and referral authorizations; (2) group health plans; and (3) health care clearinghouses. Pathways, Inc. (“Pathways”) engages in certain activities that bring it within the definition of a health care provider under HIPAA. Pathways engages in other activities that are not covered under HIPAA.
Organizations that provide Covered Entity functions and non-covered functions, such as Pathways, may elect to be designated “Hybrid Entities” as provided by 45 C.F.R. § 164.103 and 45 C.F.R. § 164.105. Designation as a “Hybrid Entity” means that only the organization’s health care components will be subject to the oversight, compliance and enforcement obligations of HIPAA; components that are not health care components remain outside these obligations. In Pathways’ case, Pathways must designate and include in its HIPAA “health care components” those programs and services that would independently meet the definition of a HIPAA Covered Entity if the program or service were a separate legal entity.
Designation of Health Care Components
Pathways, Inc. has designated the following programs and services as its health care components that are required to comply with any HIPAA and its implementing regulations:
1. Community-based Services
2. Traumatic Brain Injury services
3. Home Alternatives
4. Home Care Services
5. Family Support Services
6. Therapeutic Foster Care
7. OPWDD Waiver Services
9. Intermediate Care Facilities
10. Preschool Programs
As a HIPAA Covered Entity that is a Hybrid Entity, Pathways must ensure that its health care components comply with the applicable HIPAA requirements. This includes:
- Implementing firewalls between Pathways’ health care functions and its non-health care functions.
- Ensuring that: (1) each health care component does not disclose Protected Health Information of individuals to another non-health care component of Pathways in circumstances in which HIPAA would prohibit such disclosure if the health care component and the other component were separate and distinct legal entities; and (2) it does not use or disclose Protected Health Information that it creates or receives from or on behalf of the health care component in a way that is prohibited by HIPAA’s Privacy Standards and that complies with the HIPAA Security Standards.
- If a Pathways workforce member performs duties for both the health care component and for a non-health care component in the same capacity, that workforce member will not use or disclose Protected Health Information created or received in the course of, or incident to, the workforce member’s work for the health care component. Pathways’ Privacy Officer shall review and amend this list as needed, but no less frequently than annually.