hybrid entity (HIPAA)

HIPAA defines a hybrid entity as one that uses or discloses protected health information (PHI) for only a part of its business operations.

By contrast, if all of an entity's activities are covered functions -- see the list in the definition of a covered entity -- then it cannot be a hybrid.

Examples of hybrid entities would include:

  • corporations that are not in the health care industry, but that operate on-site health clinics that conduct the HIPAA standard transactions electronically; or
  • insurance carriers that have multiple lines of business that include both health insurance and other insurance lines, such as general liability or property and casualty insurance.

Hybrid entities are required to create adequate "firewalls" between their health care component(s) and other components. Transfer of PHI held by the health care component to other components of the hybrid entity is a disclosure subject to the HIPAA privacy rule and is allowed only under the same circumstances as would make it permissible for a separate entity.

Last modified: 14-May-2005 [RC]


   © 2002-2006 Contributing authors and University of Miami School of Medicine