Is Your Practice a “Hybrid Entity”? A Guide to HIPAA’s Organizational Rules (45 CFR § 164.105)
Executive Summary
Not every part of a healthcare organization must follow the HIPAA Privacy Rule, but that relief is available only if the organization formally designates itself as a hybrid entity under § 164.105. For small and mid-sized healthcare businesses that perform both covered and non-covered functions (like retail or wellness services), this designation can help limit liability and reduce compliance burdens. However, failing to understand or properly designate hybrid status can expose the entire organization to unnecessary HIPAA obligations. This guide explains what a hybrid entity is, how to determine if your practice qualifies, and the correct steps to take under HIPAA.
Introduction
HIPAA defines strict obligations for covered entities, such as providers, health plans, and clearinghouses. But what happens when a single organization performs both covered and non-covered functions?
Under HIPAA’s organizational rules found in § 164.105, such organizations may choose to designate themselves as hybrid entities, dividing their operations into HIPAA-covered and non-covered components. This designation is particularly useful for organizations that house clinical care and non-clinical services under one legal structure.
However, hybrid status is not automatic. It requires formal designation and documentation. Failure to recognize or implement hybrid entity provisions may lead to broad HIPAA exposure and enforcement across the entire business, even for units that shouldn’t be covered.
What Is a “Hybrid Entity” Under HIPAA?
A hybrid entity is a single legal organization that:
- Performs both HIPAA-covered functions (such as providing healthcare services or billing insurance electronically), and
- Performs non-covered functions (like retail, education, or unrelated services), and
- Formally designates specific units or components to fall under HIPAA requirements.
The hybrid entity rule allows the covered functions (e.g., a medical practice) to comply with HIPAA, while the non-covered units (e.g., a café, spa, or wellness product shop) remain exempt as long as the separation is defined and documented.
According to § 164.105(a)(2)(iii)(D), once designated, the hybrid entity must ensure that:
- HIPAA protections apply only to the designated healthcare components
- Staff working in both components understand when they are acting as part of the covered entity
- PHI does not improperly flow from covered to non-covered areas
Examples of Entities That May Be Hybrid Entities
- A university that operates a student health center
- A retail chain that runs an in-store pharmacy
- A wellness spa that offers both facials and dermatology services
- A community center with behavioral health services and recreational programs
- A holistic practice that includes acupuncture, yoga classes, and clinical counseling
Why Designate as a Hybrid Entity?
- Limits HIPAA scope: Only the designated components must comply with HIPAA.
- Simplifies compliance efforts: Reduces cost and administrative burden for unrelated parts of the organization.
- Clarifies roles: Helps employees and patients understand when HIPAA protections apply.
- Protects against over-application: Prevents auditors or regulators from expecting HIPAA compliance in non-covered areas.
A Case Study: Costly Mistake from Undesignated Structure
In 2021, a wellness center in the Midwest was cited by OCR after a patient’s protected health information was shared by an employee working in the retail supplements division. The organization offered both licensed counseling services and natural health products through a shared location.
Although only the counseling unit billed insurance, the entire business operated under a single legal entity. The center had never designated itself as a hybrid entity or formally separated its functions. As a result, OCR determined that the entire organization, including retail employees, was subject to HIPAA.
The finding led to a $45,000 resolution agreement and a required two-year compliance monitoring program. The center was forced to retrain staff, redesign physical and data boundaries, and implement a hybrid entity designation retroactively.
How to Properly Designate Hybrid Status
Step 1: Identify All Business Functions
List every department, service, or activity conducted under the legal entity. Ask:
- Do we provide treatment or healthcare services?
- Do we submit electronic claims or eligibility inquiries?
- Do we also offer services unrelated to healthcare?
Step 2: Determine Which Units Are “Covered Components”
Under HIPAA, covered components include units that:
- Provide healthcare
- Transmit health information electronically in a HIPAA-standard format
- Function as business associates of another covered entity
Only these parts need to follow HIPAA rules.
Step 3: Make a Formal Designation
Document in writing:
- That your organization is a hybrid entity
- Which departments are designated as covered components
- Which are not subject to HIPAA
- How you will ensure proper separation and safeguard PHI
Step 4: Implement Administrative and Technical Safeguards
Once designated, the organization must implement safeguards to prevent unauthorized access or disclosure of PHI between covered and non-covered components. These include:
- Physical separation (e.g., restricted offices or storage)
- Access controls (user roles in EHR or scheduling systems)
- Workforce training tailored to roles in covered vs. non-covered components
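To make the access-control safeguard in Step 4 concrete, the following is an added Python example, not code from the guide or from any EHR or scheduling product. It models a hybrid entity's component inventory, a dual-role workforce member (a receptionist who works for both the counseling office and the yoga studio), and a gate that releases PHI only when the user is acting in a role within a covered component, writing every decision to an audit list for later review. The component names, user roles and records are constructed for the illustration; the `phi_boundary_violations` check also flags PHI that has been filed under a non-covered component, which is the data-flow problem the designation is meant to prevent.

```python
"""Component-aware access check for a hybrid entity (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed component inventory for a hypothetical holistic practice.
# True = designated covered component, False = non-covered component.
COMPONENTS: Dict[str, bool] = {
    "counseling": True,   # licensed counseling, bills insurance electronically
    "retail": False,      # supplement shop
    "yoga": False,        # class scheduling only
}


@dataclass(frozen=True)
class Record:
    record_id: str
    owner_component: str  # component that created and holds the record
    is_phi: bool


@dataclass
class User:
    user_id: str
    roles: Dict[str, Set[str]]  # component -> roles held in that component


@dataclass
class Decision:
    allowed: bool
    reason: str


def authorize(user: User, acting_as: str, record: Record, audit: List[dict]) -> Decision:
    """Decide whether `user`, acting in component `acting_as`, may read `record`.

    Every decision, allowed or denied, is appended to `audit` so reviewers can
    see cross-component requests as they happen.
    """
    def decide(allowed: bool, reason: str) -> Decision:
        audit.append({"user": user.user_id, "acting_as": acting_as,
                      "record": record.record_id, "allowed": allowed,
                      "reason": reason})
        return Decision(allowed, reason)

    if acting_as not in COMPONENTS:
        return decide(False, "unknown component")
    if acting_as not in user.roles:
        return decide(False, "user holds no role in this component")

    if record.is_phi:
        # PHI should only ever be held by a covered component; anything else
        # is a boundary failure that needs escalation, not a routine read.
        if not COMPONENTS.get(record.owner_component, False):
            return decide(False, "PHI held by a non-covered component; escalate")
        # A dual-role employee acting on the non-covered side gets no PHI.
        if not COMPONENTS[acting_as]:
            return decide(False, "PHI requested while acting in a non-covered component")
        return decide(True, "PHI access within the covered component")

    # Non-PHI records stay within the component that owns them.
    if record.owner_component != acting_as:
        return decide(False, "record belongs to a different component")
    return decide(True, "non-PHI access within own component")


def phi_boundary_violations(records: List[Record]) -> List[str]:
    """Return ids of PHI records that sit outside any covered component."""
    return sorted(r.record_id for r in records
                  if r.is_phi and not COMPONENTS.get(r.owner_component, False))


# Constructed sample data: a dual-role receptionist and a retail clerk.
RECEPTIONIST = User("recep01", {"counseling": {"front_desk"}, "yoga": {"front_desk"}})
CLERK = User("clerk07", {"retail": {"clerk"}})
INTAKE = Record("intake-001", "counseling", is_phi=True)
SALE = Record("sale-42", "retail", is_phi=False)
MISFILED = Record("note-7", "retail", is_phi=True)  # PHI filed on the wrong side


if __name__ == "__main__":
    log: List[dict] = []
    for user, component, record in [(RECEPTIONIST, "counseling", INTAKE),
                                    (RECEPTIONIST, "yoga", INTAKE),
                                    (CLERK, "counseling", INTAKE),
                                    (CLERK, "retail", SALE)]:
        d = authorize(user, component, record, log)
        print(f"{user.user_id} as {component} -> {record.record_id}: "
              f"{'ALLOW' if d.allowed else 'DENY'} ({d.reason})")
    print("PHI outside covered components:",
          phi_boundary_violations([INTAKE, SALE, MISFILED]))
```

The point of the `acting_as` parameter is that role membership alone is not enough for a hybrid entity: the same receptionist is a workforce member of the covered component at the therapy desk and of a non-covered component at the yoga desk, and the system has to know which hat is on before it releases PHI. The `phi_boundary_violations` report is the kind of periodic check that supports the annual review in Step 5.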
Step 5: Review Annually or Upon Structural Changes
HIPAA does not mandate annual re-designation, but best practice is to review your hybrid status:
- Annually, during compliance audits
- When services are added or removed
- After major staffing or organizational changes
Common Pitfalls for Small Practices
- Assuming hybrid status is automatic: The designation must be made formally. Without documentation, OCR may treat the entire business as a covered entity.
- Failing to define boundaries: Even with hybrid status, if PHI flows freely across units, you may be in violation.
- Inadequate staff training: Employees must know whether they’re acting under the covered or non-covered side of the business and when HIPAA applies.
- Over-applying HIPAA: Conversely, organizations sometimes apply HIPAA unnecessarily to non-covered units, creating unnecessary burdens.
Expert Tips for Managing Hybrid Entity Compliance
- Include hybrid designation in your HIPAA policies and procedures manual.
- Use org charts and visual boundaries (e.g., signage, restricted access) to reinforce roles.
- Train staff during onboarding about their component status.
- For dual-role employees, ensure they understand contextual responsibilities (e.g., receptionist for both the therapy office and the yoga studio).
- Keep documentation of designation decisions and policy updates for six years, as required under HIPAA.
Checklist: Hybrid Entity Designation (§ 164.105)
| Task | Responsible Party | Timeline | Documentation |
|---|---|---|---|
| Inventory of all business activities | Compliance Officer | Initial designation | Org structure chart |
| Identify HIPAA-covered components | Legal/Compliance Team | Initial designation | Written analysis |
| Draft hybrid entity designation | Practice Owner/Consultant | Before implementation | Hybrid designation document |
| Train staff on component roles | HR or Compliance Lead | Onboarding and annually | Training logs |
| Implement safeguards between units | IT/Security & Ops | Concurrently | Access control matrix |
| Review designation for updates | Compliance Officer | Annually or as needed | Board minutes, policy amendments |
Regulatory References and Official Guidance
Concluding Recommendations and Next Steps
Hybrid entity designation under § 164.105 is not just for universities or corporate giants; it is a practical tool for small practices that combine healthcare and non-healthcare services. If your organization includes both covered and non-covered functions, take time to:
- Analyze your operational structure
- Identify covered components
- Formally designate and document hybrid status
- Train staff and implement technical boundaries
Done correctly, this approach reduces unnecessary HIPAA exposure, clarifies compliance boundaries, and helps your practice focus its efforts where they matter most: protecting patient privacy within your actual HIPAA-covered operations.