When it comes to HIPAA compliance, no stone can be left unturned. The most recent HIPAA settlement announced by the Office for Civil Rights (“OCR”) in the Federal Department of Health and Human Services continues the trend of using settlement agreements to highlight specific areas of HIPAA for compliance. The settlement with the University of Massachusetts at Amherst (“UMass”), which resulted in a fine of $650,000, stemmed from UMass’ failure to appropriately designate of its components when establishing the scope of compliance for purposes of hybridizing. While it is certainly possible and acceptable for entities to engage in activities that fall both inside and outside of HIPAA, entities are then responsible for clearly and accurately covered and non-covered components.
The UMass settlement arose out of a malware attack that impacted 1,670 records that included names, addresses, social security numbers and more. As is usually the case, upon receiving notification of the breach OCR conducted a thorough investigation of UMass’ overall state of compliance. The investigation revealed that UMass did not follow all of the HIPAA “hybrid” entity requirements, did not take appropriate steps to secure protected health information and did not timely conduct the required risk analysis. As such, the breach was only the tip of the non-compliance iceberg. Picking on hybrid entity requirements is a first for OCR, which makes the UMass settlement interesting.
One of the questions resulting from the UMass settlement is what exactly is a hybrid entity under HIPAA. Hybrid entities are a specially defined organizational construct in the HIPAA regulations. A hybrid entity, as suggested above, is a single legal entity that clearly documents what components of that entity perform covered entity and/or business associate type functions. A hybrid entity as such must comply with HIPAA in some regards, but not for others. Using UMass as an example, pieces of UMass are a university and would not qualify as a covered entity under HIPAA. However, UMass also operated certain counseling and occupational therapy centers that engaged in covered health care services. As the example hopefully clearly shows, there may not be any bright lines distinguishing the different functions. However, the nature of the functions being performed should help inform when HIPAA compliance is necessary.
The burden and obligation to define what components engaged in covered health care services lie with the particular organization. No one else will, or should, make that call. Determining the scope of hybridization requires careful review and analysis of operations to determine what functions come under HIPAA. The determination requires weighing each and every aspect of an organization’s services or functions and comparing against the HIPAA regulations definition of covered health care services.
To date, hybrid entities have not received any significant amount of attention. Why did OCR pursue the UMass settlement at this time, if hybrid entities have been a rare occurrence? One possible reason is that hybrid entities are becoming increasingly common. Following the HIPAA regulation revisions and expansions contained in the 2013 Omnibus Rule, more and newer entities that did not previously provide services to the health care industry, and thus fall under HIPAA, are coming within HIPAA’s ambit. Given the expanded reach of the regulations and non-traditional industry participants, hybrid entities are and will appear more frequently. For example, information technology companies that offer software as a service may have been used to providing software for other industries and are now offering the same services for health care entities. Coming into the health care field is not so simple, though. Those entities must comply with HIPAA but may not need to do so for all operations. If that is the case, the entity may be a hybrid entity and should engage in the exercise of separating out its components. With that new reality, OCR probably felt it was high time to educate as to how HIPAA interacts with hybrid entities.
Any emphasis on hybrid entities does not change HIPAA enforcement or expectations. Instead, attention to hybrid entities will only drive awareness of existing and long-standing requirements for entities both established in and new to the health care realm. Any entity providing services within the health care field should carefully review its operations to determine the scope of compliance that will be required. Failure to do so will almost certainly lead to a negative consequence. Such negative consequences become easier to impose in light of breach notification obligations, an increased willingness to pursue enforcement actions and the now ongoing audit protocol. With all of these factors converging, it is unacceptable for any entity to claim ignorance of requirements.