In the preamble to the proposed rule we introduced the concept of a "component entity" to differentiate the health care unit of a larger organization from the larger organization. In the proposal we noted that some organizations that are primarily involved in non-health care activities do provide health care services or operate health plans or health care clearinghouses. Examples included a school with an on-site health clinic and an employer that self administers a sponsored health plan. In such cases, the proposal said that the health care component of the entity would be considered the covered entity, and any release of information from that component to another office or person in the organization would be a regulated disclosure. We would have required such entities to create barriers to prevent protected health information from being used or disclosed for activities not authorized or permitted under the proposal.
We discuss group health plans and their relationships with plan sponsors below under "Requirements for Group Health Plans."
In the final rule we address the issue of differentiating health plan, covered health care provider and health care clearinghouse activities from other functions carried out by a single legal entity in paragraphs (a)-(c) of § 164.504. We have created a new term, "hybrid entity", to describe the situation where a health plan, health care provider, or health care clearinghouse is part of a larger legal entity; under the definition, a "hybrid entity" is "a single legal entity that is a covered entity and whose covered functions are not its primary functions." The term "covered functions" is discussed above under § 164.501. By "single legal entity" we mean a legal entity, such as a corporation or partnership, that cannot be further differentiated into units with their own legal identities. For example, for purposes of this rule a multinational corporation composed of multiple subsidiary companies would not be a single legal entity, but a small manufacturing firm and its health clinic, if not separately incorporated, could be a single legal entity.
The health care component rules are designed for the situation in which the health care functions of the legal entity are not its dominant mission. Because some part of the legal entity meets the definition of a health plan or other covered entity, the legal entity as a whole could be required to comply with the rules below. However, in such a situation, it makes sense not to require the entire entity to comply with the requirements of the rules below, when most of its activities may have little or nothing to do with the provision of health care; rather, as a practical matter, it makes sense for such an entity to focus its compliance efforts on the component that is actually performing the health care functions. On the other hand, where most of what the covered entity does consists of covered functions, it makes sense to require the entity as a whole to comply with the rules. The provisions at §§ 164.504(a)-(c) provide that for a hybrid entity, the rules apply only to the part of the entity that is the health care component. At the same time, the lack of corporate boundaries increases the risk that protected health information will be used in a manner that would not otherwise be permitted by these rules. Thus, we require that the covered entity erect firewalls to protect against the improper use or disclosure within or by the organization. See § 164.504(c)(2).
The term "primary functions" in the definition of "hybrid entity" is not meant to operate with mathematical precision. Rather, we intend that a more common sense evaluation take place: is most of what the covered entity does related to its health care functions? If so, then the whole entity should be covered. Entities with different insurance lines, if not separately incorporated, present a particular issue with respect to this analysis. Because the definition of "health plan" excludes many types of insurance products (in the exclusion under paragraph (2)(i) of the definition), we would consider an entity that has one or more of these lines of insurance in addition to its health insurance lines to come within the definition of "hybrid entity," because the other lines of business constitute substantial parts of the total business operation and are required to be separate from the health plan(s) part of the business.
An issue that arises in the hybrid entity situation is what records are covered in the case of an office of the hybrid entity that performs support functions for both the health care component of the entity and for the rest of the entity. For example, this situation could arise in the context of a company with an onsite clinic (which we will assume is a covered health care provider), where the company's business office maintains both clinic records and the company's personnel records. Under the definition of the term "health care component," the business office is part of the health care component (in this hypothetical, the clinic) "to the extent that" it is performing covered functions on behalf of the clinic involving the use or disclosure of protected health information that it receives from, creates or maintains for the clinic. Part of the business office, therefore, is part of the health care component, and part of the business office is outside the health care component. This means that the non-health care component part of the business office is not covered by the rules below. Under our hypothetical, then, the business office would not be required to handle its personnel records in accordance with the rules below. The hybrid entity would be required to establish firewalls with respect to these record systems, to ensure that the clinic records were handled in accordance with the rules.
With respect to excepted benefits, the rules below operate as follows. (Excepted benefits include accident, disability income, liability, workers' compensation and automobile medical payment insurance.) Excepted benefit programs are excluded from the health care component (or components) through the definition of "health plan." If a particular organizational unit performs both excepted benefits functions and covered functions, the activities associated with the excepted benefits program may not be part of the health care component. For example, an accountant who works for a covered entity with both a health plan and a life insurer would have his or her accounting functions performed for the health plan as part of the component, but not the life insurance accounting function. See § 164.504(c)(2)(iii). We require this segregation of excepted benefits because HIPAA does not cover such programs, policies and plans, and we do not permit any use or disclosure of protected health information for the purposes of operating or performing the functions of the excepted benefits without authorization from the individual, except as otherwise permitted in this rule.
In § 164.504(c)(2) we require covered entities with a health care component to establish safeguard policies and procedures to prevent any access to protected health information by its other organizational units that would not be otherwise permitted by this rule. We note that Sec. 1173 (d)(1)(B) of HIPAA requires policies and procedures to isolate the activities of a health care clearinghouse from a "larger organization" to prevent unauthorized access by the larger organization. This safeguard provision is consistent with the statutory requirement and extends to any covered entity that performs "non-covered entity functions" or operates or conducts functions of more than one type of covered entity.
Because, as noted, the covered entity in the hybrid entity situation is the legal entity itself, we state explicitly what is implicitly the case, that the covered entity (legal entity) remains responsible for compliance vis-a-vis subpart C of part 160. See § 164.504(c)(3)(i). We do this simply to make these responsibilities clear and to avoid confusion on this point. Also, in the hybrid entity situation the covered entity/legal entity has control over the entire workforce, not just the workforce of the health care component. Thus, the covered entity is in a position to implement policies and procedures to ensure that the part of its workforce that is doing mixed or non-covered functions does not impermissibly use or disclose protected health information. Its responsibility to do so is clarified in § 164.504(c)(3)(ii).