A single, multidisciplinary entity, like a university, may include certain departments that use PHI, and other departments that do not. Such institutions are eligible to (and should) self-identify as “hybrid entities” to better manage HIPAA compliance risk.
The Health Insurance Portability and Accountability Act of 1996, as modified by the Health Information Technology for Economic and Clinical Health Act (collectively, “HIPAA”) mandates privacy and security safeguards for information about an individual’s health status, care, or payment for care. Individuals, organizations, and agencies that meet the definition of a “covered entity” or “business associate” under HIPAA must comply with its requirements.
On June 1, 2018, in Director of the Office for Civil Rights v. The University of Texas MD Anderson Cancer Center, Department of Health and Human Services, Departmental Appeals Board (Docket No. C-17-854; Decision No. CR5111), Steven T. Kessel, Administrative Law Judge (“ALJ”), issued a ruling against the University of Texas MD Anderson Cancer Center (“MD Anderson”) for HIPAA violations. The Office for Civil Rights (“OCR”) investigated MD Anderson following three separate data breach reports involving the theft of an unencrypted laptop and the loss of two unencrypted thumb drives containing the protected health information (“PHI”) of 33,500+ individuals. The ALJ granted summary judgment to OCR on all issues, requiring MD Anderson to pay $4,348,000 in civil money penalties—the fourth largest penalty ever exacted for a HIPAA violation.
MD Anderson claimed that it was not obligated to encrypt its devices since the unencrypted PHI at issue was for research purposes and, thus, was not subject to HIPAA’s privacy and security protections. In responding to this conclusion, OCR maintained that research data itself did not fall outside HIPAA’s ambit. Instead, it was the research entities that fell outside of HIPAA. Because scientific researchers and research institutions do not generally meet the HIPAA definition of “covered entity,” they are not generally subject to HIPAA regulations. However, as OCR observed, HIPAA continues to apply to any research conducted by a covered entity (or a business associate that receives information from a covered entity). MD Anderson was deemed by the ALJ to be a covered entity conducting clinical research and, thus, subject to HIPAA.
Notably, the HIPAA “hybrid entity standard” set forth in 45 CFR §164.105(a) allows an entity to formally designate its healthcare components—i.e., to identify the business components that engage in functions covered by HIPAA and distinguish them from the non-healthcare components that do not. A single, multidisciplinary institution, like a university, is eligible to self-identify as a “hybrid entity” (an entity with both healthcare and non-healthcare components) to better manage its HIPAA compliance risk. In issuing its ruling, the ALJ noted MD Anderson had ignored this regulatory mechanism, which would likely have allowed the facility “to segregate its research function from its clinical function” and to, thus, “exempt its research function from [HIPAA] non-disclosure requirements.”
Although there are administrative, operational, and technical requirements for hybrid entity designation, the designation helps to ensure that the HIPAA rules apply only to an entity’s healthcare components and not the organization as a whole. Because the HIPAA rules do not apply to non-healthcare components, proper identification and designation of all healthcare components is critical to compliance with the hybrid entity standard. Healthcare components should securely segregate PHI from access by or disclosure to non-healthcare components, and have policies and procedures in place to adhere to HIPAA’s administrative, technical and physical safeguards requirements.
We have created the following Hybrid Entity Assessment Tool to assist healthcare entities with the proper designation of their healthcare components in accordance with 45 CFR §164.105(a). When reviewing the Assessment Tool, please note that it was created to be an internal guide with general applicability to a wide variety of healthcare entities. Since HIPAA analysis is highly dependent on an entity’s individual facts and circumstances, the Assessment Tool should not be considered a substitute for individualized legal advice.
 See, 65 Fed. Reg. 82,462, 82,575 (Dec. 28, 2000).