In this installment of our HIPAA compliance series, we delve into the different types of practices and how HIPAA compliance changes based on the structure of your practice. This may apply to you if you have two or more parts to your business, for example, for-profit and non-profit components that share the same clients. It may also apply if you have one business but part of your business does not provide healthcare services (e.g., you have a clinic and offer online courses). The different types of entities include Hybrid Entities, Affiliated Covered Entities, Organized Health Care Arrangements, and the considerations for Covered Entities with Multiple Covered Functions.
Hybrid Entity
Balancing Covered and Non-Covered Functions
The Privacy Rule allows a covered entity engaged in both covered and non-covered functions to become a Hybrid Entity. Through a written designation of health care components, the entity can selectively apply Privacy Rule requirements to those components responsible for covered functions. It is important to have your health care components in writing; if not, your entire business is subject to the Privacy Rule.
Remember, covered entities are healthcare providers, no matter how big or small the organization. Covered functions are the things you do that make you a healthcare provider.
Affiliated Covered Entity
Unifying Compliance for Commonly Owned Entities
Legally distinct entities sharing common ownership or control can opt for a single covered entity designation under certain conditions. For example, if one person owns two separate clinics under two separate businesses - one providing occupational therapy and the other providing physical therapy - they can designate themselves as one single entity for Privacy Rule compliance. This must be in writing.
Organized Health Care Arrangement
Collaborative Sharing for Joint Enterprise
The Privacy Rule recognizes "organized health care arrangements" where participating covered entities collaboratively manage and benefit their common enterprise. This could be one clinic where patients can receive care from more than one provider. For example, this would apply to a multidisciplinary clinic where health information is shared for the benefit of the patient.
Covered Entities With Multiple Covered Functions
Ensuring Compliance Across Varied Functions
Covered entities performing diverse covered functions must adhere to the specific Privacy Rule provisions for each function. In other words, you can disclose PHI only if the patient is involved in both functions. For example, if you have a multidisciplinary clinic where a patient is receiving physical therapy, and the treating therapist talks to a speech-language pathologist on staff about the patient, they can only disclose PHI if the speech-language pathologist is also treating the patient.
In conclusion, no matter what entity you operate under, put everything in writing - it will help keep your business compliant and keep your staff on the same page. Stay tuned for more insights as we unravel the complexities of safeguarding patient privacy in healthcare settings.
Resources
Layers Demystifying HIPAA Course