POL 2.265 HIPAA Hybrid Entity Designation
Kirtland Community College recognizes the applicability of the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH Act), and its regulations (HIPAA) to certain sectors of the College.
The HIPAA Privacy Rule defines a Hybrid Entity as a covered entity whose business activities include covered and non-covered functions and designates health care components. The rule also sets forth the organizational requirements, including standards and implementation specifications. 45 CFR §§ 164.103 and 164.105(a) and (c).
The Hybrid Entity must implement safeguards and undertake specific responsibilities with respect to its covered entity health care and business associate components. More specifically, a Hybrid Entity must ensure that:
- Its healthcare component does not disclose protected health information (PHI) to another component of the covered entity to the extent that the components are separate and distinct legal entities.
- Its healthcare component protects electronic PHI with respect to another component of the covered entity to the extent that the components are separate and distinct legal entities.
- If a person performs duties for both the health care component in the capacity of a member of the workforce of such component and for another component of the entity in the same capacity with respect to that component, such workforce member must not use or disclose PHI created or received in the course of or incident to the member’s work for the health care component except for the purpose authorized.
Under HIPAA, Kirtland Community College can elect to be a Hybrid Entity with identified Health Care Components that are subject to HIPAA and non-covered components that are not. The policy identifies the Health Care Components subject to HIPAA’s privacy, security, breach notification, and enforcement provisions.
Covered Entity Components – All workforce of Covered Entity Components are subject to HIPAA.
- Kirtland Community College Group Health Plans
- Kirtland’s Nursing and Health Professions
Business Associate Components – Departments providing Business Associate services (using or disclosing PHI to Kirtland Covered Entity Components.
- Accounts Payable Department
- Human Resources Department
- Information Technology Department
- Compliance Department
- Business Services Office
This policy designates Kirtland Community College as a Hybrid Entity as described above and in compliance with all applicable safeguards.
Revised September 21, 2023
Approved March 5, 2004