Entities Covered by the HIPAA Privacy Regulations

 

What Kind of Covered Entity Are You?

 


After determining that you qualify as a covered entity, the next critical step in compliance planning is identifying the kind of covered entity you are. Are you part of an organized health care arrangement? Are you an affiliated entity or a hybrid entity? Your status will affect how you comply with the HIPAA privacy regulations.

Organized Health Care Arrangements

The term "organized health care arrangement" means certain arrangements in which participants need to share protected health information about their patients to manage and benefit the common enterprise. A key component of any organized health care arrangement is that the individual who obtains services from the arrangement has an expectation that the arrangement is integrated and that the participants jointly manage their operations.

Under the regulations, an organized health care arrangement is defined as:

  • A clinically integrated setting in which patients receive care from more than one provider;

  • An organized system of healthcare in which the participants hold themselves out to the public as participating in a joint arrangement and in which the joint activities include at least one of specified activities, such as utilization review, quality assessment and improvement activities or payment activities; or

  • A combination of group health plans or group health plans and insurers.

Implications of Organized Health Care Arrangement status:

  • Participants in an organized health care arrangement may obtain a joint privacy notice and joint consent for release of protected health information from the patient. See the consent section for more information and administrative requirements.

  • Participants in an organized health care arrangement are still subject to the minimum necessity requirement.

Frequently asked question:

  • Must a physician who sees a patient for the first time in a hospital obtain a consent form from the patient separate from the consent obtained by the hospital? Probably not. The preamble to the privacy regulations states that a hospital and a physician with staff privileges at the hospital together provide treatment to the individual and may be considered clinically integrated. NOTE: A hospital that determines physicians with staff privileges are part of an organized health care arrangement with the hospital must make certain administrative changes to ensure adequate patient consent to release of information. See the consent section of these guidelines for more discussion.


Affiliated Entity

  • Legally distinct covered entities that share common ownership or control.

  • Common ownership exists if:

    • An entity has the power, directly or indirectly, significantly to influence or direct the actions or policies of another entity.

    • An entity or entities possess an ownership or equity interest of 5% or more in another entity.

  • An example of an affiliated entity is a health system composed of several affiliated hospitals.

Implications of Affiliated Entity status:

Affiliated entities may share a single privacy notice and a consent form. If a patient receives a privacy notice and consent form from one affiliated entity, the patient need not receive another notice and consent from another affiliated entity. Note, however, that the privacy notice must reference the privacy policies of all affiliated entities. See the consent section of these guidelines for more information.

The minimum necessity requirement still applies to releases between affiliated entities.

Affiliated entities that together make up the affiliated covered entity are individually subject to liability under the rule.

Frequently Asked Questions:

If a patient requests an accounting of disclosures from an affiliated entity, is the patient entitled to an accounting of releases from all other affiliated entities? Probably not. The accounting for disclosure rules refer to covered entities, not affiliated entities. One way to handle this issue would be to ask the patient to specify if the patient wants an accounting of releases from all affiliated entities or just one.

Does an authorization obtained by one affiliated entity authorize release by another affiliated entity? No. Affiliated entities may not use a joint authorization. HIPAA authorization forms require great specificity in what information can be released, to whom and in what time frame.


Hybrid Entity

A single legal entity, such as a corporation or partnership, that cannot be further differentiated into units with their own legal identities and that:

  • Qualifies as a covered entity; and

  • Has covered functions that are not its primary functions.

An example of a hybrid entity is a small manufacturing firm and its health clinic, if the health clinic is not separately incorporated.

Implications of Hybrid Entity status:

Hybrid entities must comply with the HIPAA privacy regulations. However, the privacy regulations apply only to the part of the entity that is the healthcare component. If, in the manufacturing firm example above, the business office handles both health clinic records and the company's personnel records, the business office would be required to protect only the clinic records, not the personnel records.

Because the lack of corporate boundaries increases the risk of impermissible disclosures of protected information, hybrid entities must erect firewalls to protect against the improper use or disclosure within or by the organization. In our manufacturing firm example, the firm would need to establish firewalls with respect to the record systems to ensure the clinic records were handled in accordance with the privacy regulations.

Covered Entity Implementation Tips:

Covered entities are bound by the regulations even if they contract with others to perform some of their essential functions. See the Business Associates section of these guidelines for more information.

You can be both a covered entity and a business associate.

For a provider to be a covered entity, you not only must qualify as one of the above entities, you also must transmit health information in electronic form in connection with a transaction governed by the regulations. This means that you may avoid compliance with HIPAA by using entirely paper media. As a practical matter, however, it is expected that health plans will require providers to use electronic standard transactions.

If you use electronic media for some transactions and paper for others, you must comply with the HIPAA regulations for all transactions.

© Copyright 2008 OAHHS