It is not as simple as it might seem.
My colleague David Holtzman recently wrote a blog post on the OCR resolution agreement with the University of Massachusetts at Amherst (UMass). UMass designated itself as a hybrid entity but did not appropriately identify and designate all applicable functions that engaged in health care activities as inside the health care components (HCC) of its hybrid entity structure under HIPAA. Why might this not be as easy as it sounds?
Complexities of University Settings
A traditional healthcare entity is unlikely to attempt to designate itself a hybrid entity. Generally, everything it is engaged in would be healthcare activities covered by HIPAA. However, a university setting that has an academic medical center component can become quite complex. Not only does the organization need to consider the “traditional” healthcare providers, it needs to consider the “pocket” functions that might be occurring. These might be occurring in colleges and schools not routinely thought of when thinking of healthcare services in the traditional sense. The organization also needs to account for the activities of the ancillary staff and business units that provide services to the healthcare parts of the organization.
Designating what is part of the HCC and thus covered by HIPAA may necessitate really parsing out the functions of certain schools, colleges and business units. For example, if the university has an office of general counsel or an internal audit department these business units may be part of the HCC, at least for the functions and services provided to the units that perform health care services or health plan functions. It is important that the business units that become part of the HCC of the hybrid clearly understand when their activities and functions are covered by HIPAA and when they are not. This may also require that documents created, maintained or received by these business units be accessed and stored in a manner that assures compliance with the HIPAA regulations.
It would also generally mean that some or all of the employees in these business units need to take the organization’s training for HIPAA privacy and information security. When the organization is tracking who has completed this training it is important to assure the staff in these business units are included.
Various Healthcare Functions Involved
When designating the covered component of the hybrid entity it is also important to assure that each healthcare function is assessed. When the AMC includes a hospital and/or a physician group it is generally easy to determine these functions are within the HCC of the hybrid entity. They both meet the definition of a provider and it is highly likely they would use one of the HIPAA standard transactions in their administrative processes for eligibility verification, claims submission, payment receipt, etc.
Example: Psychology Clinic
But what about the psychology clinic that provides services on a self-pay basis and does not use one of the HIPAA standard transactions? Under the regulations, this component of the organization would not meet the definition of a covered entity under HIPAA. So it could be left out of the HCC of the hybrid entity. The organization may wish to include it, not because there is a regulatory obligation to do so, but because this clinic is likely to have sensitive information about patients. The organization might think it is a good idea to elect to have it covered by HIPAA. An alternative is to leave it out of the HCC, and thus not covered by HIPAA, but obligate the business unit(s) to comply with the organization’s policies and procedures under HIPAA. This would help assure the appropriate treatment of the sensitive information without subjecting the business unit(s) to the legal obligations and requirements of HIPAA, such as breach notification.
Does it matter who “runs” the psychology clinic? What if it is run by a college or school that is not traditionally considered a health care school, rather than one that is (medicine, nursing, dentistry, optometry, etc.)? What if it is run by the faculty practice group, which itself provides health care services as part of the larger group and uses one of the standard transactions for those services? In the first scenario, it might not be included in the HCC, while in the second it probably would.
Example: Free Clinic for Homeless Individuals
Is the college or school itself inside or outside the HCC? Most colleges and schools are there for educational purposes. Those are not health care functions, so the school or college is likely outside the HCC. There could be a circumstance where the school or college runs a clinic. What if the students of the school of medicine run a free clinic for homeless individuals? Inside or outside the covered component? It would likely be considered outside the HCC if it is defined as an educational activity. This may require a hybrid designation that says the students and their activities are inside the HCC when they are seeing patients in the hospital or faculty practice clinic, but are functioning outside the HCC when providing services in the free clinic.
What if the hospital or the faculty practice group is a separate legal entity from the university? Under this situation, the hospital and/or the faculty practice group is likely engaging in the health care activity and is the covered entity under HIPAA and the university is not. Is there a need for designation of hybrid status? Perhaps not, so long as no other component of the university is engaged in health care activities that involve the use of a standard transaction under HIPAA.
One other common activity at universities is research. When a faculty member is engaged in research is he or she operating inside the HCC and thus covered by HIPAA? Or is it outside the HCC and not covered by HIPAA? The university may elect to have research functions outside the covered component. However, if the research subject is receiving services from a business unit inside the HCC, i.e. labs, diagnostic tests, etc., the individually identifiable health information held by those business units is categorized as PHI and therefore protected by HIPAA.
Student Health Centers
There are a few additional things to consider around the complexity of student health centers. Does the center provide services to students only? Does it provide services to students, staff and faculty? Does it use one or more HIPAA standard transactions for these services? These are all considerations in determining whether the student health center is inside the HCC of the hybrid or not.
Take a Second Look at Your Hybrid Entity Designation
It might seem that an organization was remiss in its assessment if it did not capture all of the business units or portions of the organization that should be designated as inside the HCC of a hybrid entity structure. But the truth is that this is not an easy process. Given the complexity of most universities, which is multiplied when multiple campuses with healthcare services are involved, this is a challenging undertaking. Universities may wish to take a second look at their hybrid entity designation to assure they have appropriately captured all the different functions that should be inside the HCC, provided applicable training, and assured that workforce members in any area designated as part of the HCC are aware of the policies and procedures that apply to them.