Standards for Privacy of Individually Identifiable Health Information
C. Section 164.504--Uses and Disclosures: Organizational Requirements
1. Hybrid Entities
December 2000 Privacy Rule
The Privacy Rule, as published in December 2000, defined covered
entities that primarily engage in activities that are not "covered
functions," that is, functions that relate to the entity's
operation as a health plan, health care provider, or health care
clearinghouse, as hybrid entities. See 45 CFR 164.504(a). Examples
of hybrid entities were: (1) corporations that are not in the health
care industry, but that operate on-site health clinics that conduct
the HIPAA standard transactions electronically; and (2) insurance
carriers that have multiple lines of business that include both
health insurance and other insurance lines, such as general liability
or property and casualty insurance.
Under the December 2000 Privacy Rule, a hybrid entity was required
to define and designate those parts of the entity that engage in
covered functions as one or more health care component(s). A hybrid
entity also was required to include in the health care component(s)
any other components of the entity that support the covered functions
in the same way such support may be provided by a business associate
(e.g., an auditing component). The health care component was to
include such "business associate" functions for two reasons:
(1) It is impracticable for the entity to contract with itself;
and (2) having to obtain an authorization for disclosures to such
support components would limit the ability of the hybrid entity
to engage in necessary health care operations functions. In order
to limit the burden on hybrid entities, most of the requirements
of the Privacy Rule only applied to the health care component(s)
of the entity and not to the parts of the entity that do not engage
in covered functions.
The hybrid entity was required to create adequate separation, in
the form of firewalls, between the health care component(s) and
other components of the entity. Transfer of protected health information
held by the health care component to other components of the hybrid
entity was a disclosure under the Privacy Rule and was allowed only
to the same extent such a disclosure was permitted to a separate
entity.
In the preamble to the December 2000 Privacy Rule, the Department
explained that the use of the term "primary" in the definition
of a "hybrid entity" was not intended to operate with
mathematical precision. The Department further explained that it
intended a common sense evaluation of whether the covered entity
mostly operates as a health plan, health care provider, or health
care clearinghouse. If an entity's primary activity was a covered
function, then the whole entity would have been a covered entity
and the hybrid entity provisions would not have applied. However,
if the covered entity primarily conducted non-health activities,
it would have qualified as a hybrid entity and would have been required
to comply with the Privacy Rule with respect to its health care
component(s). See 65 FR 82502.
March 2002 NPRM
Since the publication of the final Rule, concerns were raised that
the policy guidance in the preamble was insufficient so long as
the Privacy Rule itself limited the hybrid entity provisions to
entities that primarily conducted non-health related activities.
In particular, concerns were raised about whether entities, which
have the health plan line of business as the primary business and
an excepted benefits line, such as workers' compensation insurance,
as a small portion of the business, qualified as hybrid entities.
There were also concerns about how "primary" was to be
defined, if it was not a mathematical calculation, and how an entity
would know whether or not it was a hybrid entity based on the guidance
in the preamble.
As a result of these comments, the Department proposed to delete
the term "primary" from the definition of "hybrid
entity" in Sec. 164.504(a) and permit any covered entity that
is a single legal entity and that performs both covered and non-covered
functions to choose whether or not to be a hybrid entity for purposes
of the Privacy Rule. Under the proposal, any covered entity could
be a hybrid entity regardless of whether the non-covered functions
represent the entity's primary functions, a substantial function,
or even a small portion of the entity's activities. In order to
be a hybrid entity under the proposal, a covered entity would have
to designate its health care component(s). If the covered entity
did not designate any health care component(s), the entire entity
would be a covered entity and, therefore, subject to the Privacy
Rule. Since the entire entity would be the covered entity, Sec.
164.504(c)(2) requiring firewalls between covered and non-covered
portions of hybrid entities would not apply.
The Department explained in the preamble to the proposal that there
are advantages and disadvantages to being a hybrid entity. Whether
or not the advantages outweigh the disadvantages would be a decision
for each covered entity that qualified as a hybrid entity, taking
into account factors such as how the entity was organized and the
proportion of the entity that must be included in the health care
component.
The Department also proposed to simplify the definition of "health
care component" in Sec. 164.504(a) to make clear that a health
care component is whatever the covered entity designates as the
health care component, consistent with the provisions regarding
designation in proposed Sec. 164.504(c)(3)(iii). The Department
proposed to move the specific language regarding which components
make up a health care component to the implementation specification
that addresses designation of health care components at Sec. 164.504(c)(3)(iii).
At Sec. 164.504(c)(3)(iii), the Department proposed that a health
care component could include: (1) Components of the covered entity
that engage in covered functions, and (2) any component that engages
in activities that would make such component a business associate
of a component that performs covered functions, if the two components
were separate legal entities. In addition, the Department proposed
to make clear at Sec. 164.504(c)(3)(iii) that a hybrid entity must
designate as a health care component(s) any component that would
meet the definition of "covered entity" if it were a separate
legal entity.
There was some ambiguity in the December 2000 Privacy Rule as to
whether a health care provider that does not conduct electronic
transactions for which the Secretary has adopted standards (i.e.,
a non-covered health care provider) and which is part of a larger
covered entity was required to be included in the health care component.
To clarify this issue, the proposal also would allow a hybrid entity
the discretion to include in its health care component a non-covered
health care provider component. Including a non-covered health care
provider in the health care component would subject the non-covered
provider to the Privacy Rule. Accordingly, the Department proposed
a conforming change in Sec. 164.504(c)(1)(ii) to make clear that
a reference to a "covered health care provider" in the
Privacy Rule could include the functions of a health care provider
who does not engage in electronic transactions, if the covered entity
chooses to include such functions in the health care component.
The proposal also would permit a hybrid entity to designate otherwise
non-covered portions of its operations that provide services to
the covered functions, such as parts of the legal or accounting
divisions of the entity, as part of the health care component, so
that protected health information could be shared with such functions
of the entity without business associate agreements or individual
authorizations. The proposal would not require that the covered
entity designate entire divisions as in or out of the covered component.
Rather, it would permit the covered entity to designate functions
within such divisions, such as the functions of the accounting division
that support health insurance activities, without including those
functions that support life insurance activities. The Department
proposed to delete as unnecessary and redundant the related language
in paragraph (2)(ii) of the definition of "health care component"
in the Privacy Rule that requires the "business associate"
functions include the use of protected health information.
Overview of Public Comments
The following discussion provides an overview of the public comment
received on this proposal. Additional comments received on this
issue are discussed below in the section entitled, "Response
to Other Public Comments."
The Department received relatively few comments on its proposal
regarding hybrid entities. A number of comments supported the proposal,
appreciative of the added flexibility it would afford covered entities
in their compliance efforts. For example, some drug stores stated
that the proposal would provide them with the flexibility to designate
health care components, whereas under the December 2000 Rule, these
entities would have been required to subject their entire business,
including the "front end" of the store which is not associated
with dispensing prescription drugs, to the Privacy Rule's requirements.
Some health plans and other insurers also expressed strong support
for the proposal. These comments, however, seemed to be based on
a misinterpretation of the uses and disclosures the proposal actually
would permit. These commenters appear to assume that the proposal
would allow information to flow freely between non-covered and covered
functions in the same entity, if that entity chose not to be a hybrid
entity. For example, commenters explained that they interpreted
the proposal to mean that a multi-line insurer which does not elect
hybrid entity status would be permitted to share protected health
information between its covered lines and its otherwise non-covered
lines. It was stated that such latitude would greatly enhance multi-line
insurers' ability to detect and prevent fraudulent activities and
eliminate barriers to sharing claims information between covered
and non-covered lines of insurance where necessary to process a
claim.
Some commenters opposed the Department's hybrid entity proposal,
stating that the proposal would reduce the protections afforded
under the Privacy Rule and would be subject to abuse. Commenters
expressed concerns that the proposal would allow a covered entity
with only a small health care component to avoid the extra protections
of creating firewalls between the health care component and the
rest of the organization. Moreover, one of the commenters stated
that the proposal could allow a covered entity that is primarily
performing health care functions to circumvent the requirements
of the Rule for a large part of its operations by designating itself
a hybrid and excluding from the health care component a non-covered
health care provider function, such as a free nurse advice line
that does not bill electronically. In addition, it was stated that
the ambiguous language in the proposal could potentially be construed
as allowing a hybrid entity to designate only the business associate-like
functions as the health care component, and exclude covered functions.
The commenter urged the Department to clarify that a hybrid entity
must, at a minimum, designate a component that performs covered
functions as a health care component, and that a health care provider
cannot avoid having its treatment component considered a health
care component by relying on a billing department to conduct its
standard electronic transactions. These commenters urged the Department
to retain the existing policy by requiring those organizations whose
primary functions are not health care to be hybrid entities and
to institute firewall protections between their health care and
other components.
Final Modifications
After consideration of the comments, the Department adopts in the
final Rule the proposed approach to provide covered entities that
otherwise qualify the discretion to decide whether to be a hybrid
entity. To do so, the Department eliminates the term "primary"
from the definition of "hybrid entity" at Sec. 164.504(a).
Any covered entity that otherwise qualifies (i.e., is a single legal
entity that performs both covered and non-covered functions) and
that designates health care component(s) in accordance with Sec.
164.504(c)(3)(iii) is a hybrid entity. A hybrid entity is required
to create adequate separation, in the form of firewalls, between
the health care component(s) and other components of the entity.
Transfer of protected health information held by the health care
component to other components of the hybrid entity continues to
be a disclosure under the Privacy Rule, and, thus, allowed only
to the same extent such a disclosure is permitted to a separate
entity.
Most of the requirements of the Privacy Rule continue to apply
only to the health care component(s) of a hybrid entity. Covered
entities that choose not to designate health care component(s) are
subject to the Privacy Rule in their entirety.
The final Rule regarding hybrid entities is intended to provide
a covered entity with the flexibility to apply the Privacy Rule
as best suited to the structure of its organization, while maintaining
privacy protections for protected health information within the
organization. In addition, the policy in the final Rule simplifies
the Privacy Rule and makes moot any questions about what "primary"
means for purposes of determining whether an entity is a hybrid
entity.
The final Rule adopts the proposal's simplified definition of "health
care component," which makes clear that a health care component
is what the covered entity designates as the health care component.
The Department makes a conforming change in Sec. 164.504(c)(2)(ii)
to reflect the changes to the definition of "health care component."
The final Rule at Sec. 164.504(c)(3)(iii) requires a health care
component to include a component that would meet the definition
of a "covered entity" if it were a separate legal entity.
The Department also modifies the language of the final Rule at Sec.
164.504(c)(3)(iii) to clarify that only a component that performs
covered functions, and a component to the extent that it performs
covered functions or activities that would make such component a
business associate of a component that performs covered functions
if the two components were separate legal entities, may be included
in the health care component. "Covered functions" are
defined at Sec. 164.501 as "those functions of a covered entity
the performance of which makes the entity a health plan, health
care provider, or health care clearinghouse."
As in the proposal, the Department provides a hybrid entity with
some discretion as to what functions may be included in the health
care component in two ways. First, the final Rule clarifies that
a hybrid entity may include in its health care component a non-covered
health care provider component. Accordingly, the Department adopts
the proposed conforming change to Sec. 164.504(c)(1)(ii) to make
clear that a reference to a "covered health care provider"
in the Privacy Rule may include the functions of a health care provider
who does not engage in electronic transactions for which the Secretary
has adopted standards, if the covered entity chooses to include
such functions in the health care component. A hybrid entity that
chooses to include a non-covered health care provider in its health
care component is required to ensure that the non-covered health
care provider, as well as the rest of the health care component,
is in compliance with the Privacy Rule.
Second, the final Rule retains the proposed policy to provide hybrid
entities with discretion as to whether or not to include business
associate-like divisions within the health care component. It is
not a violation of the Privacy Rule to exclude such divisions from
the health care component. However, a disclosure of protected health
information from the health care component to such other division
that is not part of the health care component is the same as a disclosure
outside the covered entity. Because an entity cannot have a business
associate contract with itself, such a disclosure likely will require
individual authorization.
The Department clarifies, in response to comments, that a health
care provider cannot avoid being a covered entity and, therefore,
part of a health care component of a hybrid entity just by relying
on a billing department to conduct standard transactions on its
behalf. A health care provider is a covered entity if standard transactions
are conducted on his behalf, regardless of whether the provider
or a business associate (or billing department within a hybrid entity)
actually conducts the transactions. In such a situation, however,
designating relevant parts of the business associate division as
part of the health care component would facilitate the conduct of
health care operations and payment.
Also in response to comments, the Department clarifies that even
if a covered entity does not choose to be a hybrid entity, and therefore
is not required to erect firewalls around its health care functions,
the entity still only is allowed to use protected health information
as permitted by the Privacy Rule, for example, for treatment, payment,
and health care operations. Additionally, the covered entity is
still subject to minimum necessary restrictions under Secs. 164.502
and 164.514(d), and, thus, must have policies and procedures that
describe who within the entity may have access to the protected
health information. Under these provisions, workforce members may
be permitted access to protected health information only as necessary
to carry out their duties with respect to the entity's covered functions.
For example, the health insurance line of a multi-line insurer is
not permitted to share protected health information with the life
insurance line for purposes of determining eligibility for life
insurance benefits or any other life insurance purposes absent an
individual's written authorization. However, the health insurance
line of a multi-line insurer may share protected health information
with another line of business pursuant to Sec. 164.512(a), if, for
example, State law requires an insurer that receives a claim under
one policy to share that information with other lines of insurance
to determine if the event also may be payable under another insurance
policy. Furthermore, the health plan may share information with
another line of business if necessary for the health plan's coordination
of benefits activities, which would be a payment activity of the
health plan.
Given the above restrictions on information flows within the covered
entity, the Department disagrees with those commenters who raised
concerns that the proposed policy would weaken the Rule by eliminating
the formal requirement for "firewalls." Even if a covered
entity does not designate health care component(s) and, therefore,
does not have to establish firewalls to separate its health care
function(s) from the non-covered functions, the Privacy Rule continues
to restrict how protected health information may be used and shared
within the entity and who gets access to the information.
Further, the Department does not believe that allowing a covered
entity to exclude a non-covered health care provider component from
its health care component will be subject to abuse. Excluding health
care functions from the health care component has significant implications
under the Rule. Specifically, the Privacy Rule treats the sharing
of protected health information from a health care component to
a non-covered component as a disclosure, subject to the same restrictions
as a disclosure between two legally separate entities. For example,
if a covered entity decides to exclude from its health care component
a non-covered provider, the health care component is then restricted
from disclosing protected health information to that provider for
any of the non-covered provider's health care operations, absent
an individual's authorization. See Sec. 164.506(c). If, however,
the non-covered health care provider function is not excluded, it
would be part of the health care component and that information
could be used for its operations without the individual's authorization.
Response to Other Public Comments
Comment: A number of academic medical centers expressed
concern that the Privacy Rule prevents them from organizing for
compliance in a manner that reflects the integration of operations
between the medical school and affiliated faculty practice plans
and teaching hospitals. These commenters stated that neither the
proposal nor the existing Rule would permit many academic medical
centers to designate themselves as either a hybrid or affiliated
entity, since the components of each must belong to a single legal
entity or share common ownership or control. These commenters also
explained that a typical medical school would not appear to qualify
as an organized health care arrangement (OHCA) because it does not
engage in any of the requisite joint activities, for example, quality
assessment and improvement activities, on behalf of the covered
entity. It was stated that it is essential that there not be impediments
to the flow of information within an academic medical center. These
commenters, therefore, urged that the Department add a definition
of "academic medical center" to the Privacy Rule and modify
the definition of "common control" to explicitly apply
to the components of an academic medical center, so as to ensure
that academic medical centers qualify as affiliated entities for
purposes of the Rule.
Response: The Department does not believe that a modification
to include a special rule for academic medical centers is warranted.
The Privacy Rule's organizational requirements at Sec. 164.504 for
hybrid entities and affiliated entities, as well as the definition
of "organized health care arrangement" in Sec. 164.501,
provide covered entities with much flexibility to apply the Rule's
requirements as best suited to the structure of their businesses.
However, in order to maintain privacy protections, the Privacy Rule
places appropriate conditions on who may qualify for such organizational
options, as well as how information may flow within such constructs.
Additionally, if the commenter is suggesting that information should
flow freely between the covered and non-covered functions within
an academic medical center, the Department clarifies that the Privacy
Rule restricts the sharing of protected health information between
covered and non-covered functions, regardless of whether the information
is shared within a single covered entity or a hybrid entity, or
among affiliated covered entities or covered entities participating
in an OHCA. Such uses and disclosures may only be made as permitted
by the Rule.
Comment: A few commenters expressed concern with respect
to governmental hybrid entities having to include business associate-like
divisions within the health care component or else being required
to obtain an individual's authorization for disclosures to such
division. It was stated that this concept does not take into account
the organizational structures of local governments and effectively
forces such governmental hybrid entities to bring those components
that perform business associate type functions into their covered
component. Additionally, a commenter stated that this places an
undue burden on local government by essentially requiring that functions,
such as auditor/controller or county counsel, be treated as fully
covered by the Privacy Rule in order to minimize otherwise considerable
risk. Commenters, therefore, urged that the Department allow a health
care component to enter into a memorandum of understanding (MOU)
or other agreement with the business associate division within the
hybrid entity. Alternatively, it was suggested that a governmental
hybrid entity be permitted to include in its notice of privacy practices
the possibility that information may be shared with other divisions
within the same government entity for specific purposes.
Response: The Department clarifies that a covered entity
which chooses to include its business associate division within
the health care component may only do so to the extent such division
performs activities on behalf of, or provides services to, the health
care component. That same division's activities with respect to
non-covered activities may not be included. To clarify this point,
the Department modified the proposed language in Sec. 164.504(c)(3)(iii)
to provide that a health care component may only include a component
to the extent that it performs covered functions or activities that
would make such component a business associate of a component that
performs covered functions if the two components were separate legal
entities. For example, employees within an accounting division may
be included within the health care component to the extent that
they provide services to such component. However, where these same
employees also provide services to non-covered components of the
entity, their activities with respect to the health care component
must be adequately separated from their other non-covered functions.
While the Department does not believe that a MOU between governmental
divisions within a hybrid entity may be necessary given the above
clarification, the Department notes that a governmental hybrid entity
may elect to have its health care component enter into a MOU with
its business associate division, provided that such agreement is
legally binding and meets the relevant requirements of Sec. 164.504(e)(3)
and (e)(4). Such agreement would eliminate the need for the health
care component to include the business associate division or for
obtaining the individual's authorization to disclose to such division.
Additionally, the Department encourages covered entities to develop
a notice of privacy practices that is as specific as possible, which
may include, for a government hybrid entity, a statement that information
may be shared with other divisions within the government entity
as permitted by the Rule. However, the notice of privacy practices
is not an adequate substitute for, as appropriate, a memorandum
of understanding; designation of business associate functions as
part of a health care component; or alternatively, conditioning
disclosures to such business associate functions on individuals'
authorizations.
Comment: One commenter requested a clarification that a
pharmacy-convenience store, where the pharmacy itself is a separate
enclosure under supervision of a licensed pharmacist, is not a hybrid
entity.
Response: The Department clarifies that a pharmacy-convenience
store, if a single legal entity, is permitted, but not required,
to be a hybrid entity and designate the pharmacy as the health care
component. Alternatively, such an entity may choose to be a covered
entity in its entirety. However, if the pharmacy and the convenience
store are separate legal entities, the convenience store is not
a covered entity simply by virtue of sharing retail space with the
covered pharmacy.
Comment: Another commenter stated that the Rule implies
that individual providers, once covered, are covered for all circumstances
even if they are employed by more than one entity--one sending transactions
electronically but not the other--or if the individual provider
changes functions or employment and no longer electronically transmits
standard transactions. This commenter asked that either the Rule
permit an individual provider to be a hybrid entity (recognizing
that there are times when an individual provider may be engaging
in standard transactions, and other times when he is not), or that
the definition of a "covered entity" should be modified
so that individual providers are themselves classified as covered
entities only when they are working as individuals.
Response: A health care provider is not a covered entity
based on his being a workforce member of a health care provider
that conducts the standard transactions. Thus, a health care provider
may maintain a separate uncovered practice (if he does not engage
in standard transactions electronically in connection with that
practice), even though the provider may also practice at a hospital
which may be a covered entity. However, the Rule does not permit
an individual provider to use hybrid entity status to eliminate
protections on information when he is not conducting standard transactions.
If a health care provider conducts standard transactions electronically
on his own behalf, then the protected health information maintained
or transmitted by that provider is covered, regardless of whether
the information is actually used in such transactions.
Comment: One commenter requested a clarification that employers
are not hybrid entities simply because they may be the plan sponsor
of a group health plan.
Response: The Department clarifies that an employer is not
a hybrid entity simply because it is the plan sponsor of a group
health plan. The employer/plan sponsor and group health plan are
separate legal entities and, therefore, do not qualify as a hybrid
entity. Further, disclosures from the group health plan to the plan
sponsor are governed specifically by the requirements of Sec. 164.504(f).
Comment: A few commenters asked the Department to permit
a covered entity with multiple types of health care components to
tailor notices to address the specific privacy practices within
a component, rather than have just one generic notice for the entire
covered entity.
Response: Covered entities are allowed to provide a separate
notice for each separate health care component, and are encouraged
to provide individuals with the most specific notice possible.