February 18, 2019


Are Non-Covered Activities And Programs At Your Campus/Institution Leaving You Overly Vulnerable to HIPAA? A “Hybrid” Designation Can Reduce Risks for HIPAA Compliance and Fines -- But be Careful to Do It Right!

Executive Summary:

  • If an institution doesn’t designate which functions are and are not covered by HIPAA, the assumption is that all activities fall under the HIPAA compliance umbrella.
  • Recent federal actions against the University of Texas and UMass reveal the risks of non-covered activities being subject to HIPAA data security and workplace compliance requirements.
  • The “hybrid entity” approach can be an effective shield against these potential problems, for complex, multidisciplinary entities such as universities, as well as for smaller campuses that may have only a single HIPAA-covered program.
  • The hybrid entity approach may reduce the risk of non-compliance (and exposure to significant financial penalties) by removing certain non-covered functions from HIPAA scrutiny.

How to Qualify your Institution to be designated as Hybrid 

Many institutions of higher education and other complex organizations have multi-faceted operations, performing both activities that are covered under the Health Insurance Portability and Accountability Act of 1996, as modified by the Health Information Technology for Economic and Clinical Health Act (“HIPAA”), and activities that fall outside HIPAA’s scope. If an entity performs both covered and non-covered functions, the failure to designate the business activities that constitute covered functions will cause the entire entity to be subject to the data privacy and workplace compliance requirements of HIPAA.

Several recent decisions illustrate the need for multidisciplinary institutions whose business activities include both covered and non-covered functions under HIPAA to potentially identify and distinguish those functions from one another. Designating as a “hybrid entity” may prevent the single, multidisciplinary entity from bringing all of its business functions under HIPAA’s onerous requirements.

For institutions of higher education and complex entities that perform both covered and non-covered functions, the issue of whether to designate as a hybrid entity includes many factors. Notably, an entity that chooses to designate itself as a hybrid entity may choose not to apply the Privacy Rule to the non-healthcare components of the organization.

HIPAA defines a hybrid entity as a single legal entity that is a covered entity; whose business activities include both covered and non-covered functions; and that self-designates the health care components that it provides. Covered functions include functions that make the entity a health plan, healthcare provider who transmits any health information in electronic form, or healthcare clearinghouse under HIPAA.

To qualify as a hybrid entity, an institution must properly distinguish and identify which functions within its purview are covered functions and which ones are not. The entity must then designate those covered functions with HHS to achieve hybrid entity status. Importantly, institutions have the discretion to determine whether they want to be a hybrid entity.

Risks and Fines from Ineffective Designation

A recent decision by the U.S. Department of Health and Human Services (“HHS”) in the Director of the Office of Civil Rights v. The University of Texas MD Anderson Cancer Center, a decision issued on June 1, 2018, further reminds covered entities that HIPAA provides a mechanism that allows entities to self-designate their healthcare functions and distinguish them from non-healthcare functions to better manage HIPAA compliance. In the MD Anderson case, HHS granted summary judgment in favor of the U.S. Department of Health and Human Services, Office for Civil Rights (“OCR”) and imposed civil monetary penalties (“CMPs”) of over $4 million against the University for noncompliance with HIPAA. The CMPs included $2,000 per day for each day of the period from March 24, 2011 through January 25, 2013; and $1.5 million per year for years 2012 and 2013.

HHS held that the University, an academic medical center that operates both inpatient and outpatient facilities, failed to safeguard ePHI in accordance with HIPAA. The breaches of ePHI were caused by the theft of a laptop computer that was not encrypted and the loss of two unencrypted USB thumb drives. This resulted in the unlawful disclosure of ePHI relating to tens of thousands of patients. Although the University had implemented privacy and security policies, performed risk analysis, identified areas of risk, and implemented various protective mechanisms, it failed to implement the encryption of devices which would have prevented the disclosure of the ePHI on the stolen laptops and two thumb drives, thus resulting in a HIPAA violation.

In its defense, the University asserted that HIPAA did not apply because the ePHI contained in the stolen and lost devices was research information that is outside of HIPAA’s reach. HHS found that this argument was without merit and that the University ignored the fact that HIPAA provides a regulatory mechanism for a facility to segregate its research functions from its clinical functions and to exempt its research functions from HIPAA’s non-disclosure requirements by designating itself as a hybrid entity and distinguishing its clinical and non-clinical functions. Although HHS declined to make any findings regarding whether the University could have availed itself of the hybrid entity exception and exempted certain ePHI from non-disclosure requirements, arguably, had the University self-designated, thus exempting the University’s research functions from HIPAA, there would have been no basis for imposing the monetary penalties.

An earlier settlement between the University of Massachusetts Amherst (“UMass”) and the OCR resulted in the payment, by UMass, of approximately $650,000 in CMPs for potential violations of HIPAA. The UMass settlement further demonstrates the importance of proper hybrid entity designation. UMass failed to designate all of its healthcare components in accordance with the hybrid entity rules, including the component that caused the breach of unsecured ePHI. The OCR emphasized proper designation of an entity’s health care components to ensure compliance with HIPAA.

In certain circumstances, self-designating as a hybrid entity improves compliance with HIPAA and reduces the risk of noncompliance by removing non-covered functions, which often comprise a substantial amount of a multidisciplinary entity’s functions, from the stringent privacy and security safeguards of HIPAA. Both of the highlighted examples serve as a reminder to covered entities that perform covered and non-covered functions of the importance of availing themselves of hybrid entity status and constantly reassessing designated components within a multidisciplinary entity, such as a college or university, to improve HIPAA compliance, reduce the likelihood of noncompliance and reduce the likelihood of exposure to expensive and burdensome civil monetary penalties.

Copyright © 2019 Womble Bond Dickinson (US) LLP All Rights Reserved.

About this Author

Alissa Fleming, Womble Dickinson Law Firm, Charleston, Health Care Law Attorney
Of Counsel

Alissa possesses first-hand knowledge of the healthcare industry as an attorney and registered nurse.  Her legal practice and medical background enable her to advise and represent national, regional and local healthcare providers on a broad and diverse spectrum of legal issues.

She has represented healthcare providers in health law and healthcare litigation throughout the duration of her career.  She regularly represents hospitals, long term care facilities, home health agencies, pharmacies, and professionals in healthcare litigation, regulatory...

843-720-4638
Elizabeth LeVan Riley, Womble Carlyle Law Firm, Raleigh, Higher Education Attorney

Liz Riley has been with Womble Carlyle since 1986. She concentrates her practice in school and higher education law. Her practice evolved as a business litigator with a passion for working with school leaders on the many issues facing schools, colleges and universities as they strive to deal with legal compliance and shifting campus demands in the ever-evolving world of education. Liz works with a variety of public traditional and charter schools, private schools, colleges, universities, foundations, education management organizations (EMOs) and charter management organizations (CMOs). Whether the issue at hand is school policy, governance, compliance, risk and claims management or construction issues, Liz provides a solid foundation of knowledge and a guiding hand. She has been called upon to assist with the licensure and chartering of new schools and can provide valuable insight regarding institutional partnering with outside providers. She works regularly on matters involving auxiliary or foreign college campus sites, including state authorization requirements for degree-granting programs.  Across the spectrum of education law, Liz’s depth of experience provides intuitive support and advice for school managers, college administrators and governing boards alike.

919-755-2114