The IT Law Wiki

Definition

A hybrid entity is one that uses or discloses protected health information (PHI) for only a part of its business operations.

Examples of hybrid entities would include:

  • corporations that are not in the health care industry, but that operate on-site health clinics that conduct the HIPAA standard transactions electronically; or
  • insurance carriers that have multiple lines of business that include both health insurance and other insurance lines, such as general liability or property and casualty insurance.

Hybrid entities are required to create adequate "firewalls" between their health care component(s) and other components. Transfer of PHI held by the health care component to other components of the hybrid entity is a disclosure subject to the HIPAA Privacy Rule and is allowed only under the same circumstances as would make it permissible for a separate entity.

Source

  • Univ. of Miami, Miller School of Medicine, Privacy/Data Protection Project (full-text).