health care component (HIPAA)

Conceptually, the health care component of an entity is the part that performs functions covered by HIPAA -- that is, the part that uses or discloses protected health information (PHI). For hybrid entities, such operations are not the only, or even the primary, activity.

Formally, the health care component is whatever the entity designates as the health care component, which must be at least as broad as the part with access to PHI. That includes:

  • components that engage in covered functions (see the definition of covered entity);
  • any component that engages in activities that would make such component a business associate of a component that performs covered functions, if the two components were separate legal entities; and
  • any component that would meet the definition of covered entity if it were a separate legal entity.

Entities may choose to make their entire operation subject to HIPAA, instead of having hybrid status.

What is the advantage of designating otherwise non-covered portions of operations that provide services to the covered ones (such as parts of the legal or accounting divisions) as part of the health care component? It is that PHI can then be shared across such boundaries without individual authorizations or business associate agreements (which one cannot generally have with oneself).

In such circumstances, the entity would not have to erect "firewalls" between its covered and non-covered functions -- since all would be covered by HIPAA. However, minimum necessary rules would then apply for transfers within the entire covered organization, achieving the same protective effects (in theory) as a firewall.

Last modified: 14-May-2005 [RC]

 
 

   © 2002-2006 Contributing authors and University of Miami School of Medicine