
12-2 HIPAA: Hybrid Entity Defined

About CMU's "HIPAA hybrid entity defined policy"

This policy establishes that CMU will operate as a hybrid entity as outlined by the Health Insurance Portability and Accountability Act of 1996.

NOTE ABOUT PDF VERSION: The PDF is the official text of the policy. If there are any incongruities between the text of the HTML version and the text within the PDF file, the PDF will be considered accurate and overriding.

  1. Attachments are included in the PDF file.
  2. Effective date of this revision: June 27, 2025
  3. Contact for more information: Office of HIPAA Compliance, 989-774-2829, hipaa@cmich.edu

BACKGROUND

Central Michigan University (CMU) is a covered entity under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) law and regulations. CMU has designated itself as a hybrid entity as its business activities include both covered and non-covered functions. HIPAA requires that all CMU officers, employees and agents of units within the hybrid entity must preserve the confidentiality and integrity of Individually Identifiable Health Information (IIHI) pertaining to each patient, client, or participant in CMU’s self-funded health plan. This IIHI is considered Protected Health Information (PHI) and shall be safeguarded in compliance with the rules and standards established under HIPAA.

For additional information on the measures Central Michigan University has implemented to comply with this legislation, visit CMU’s official HIPAA website at HIPAA.cmich.edu.

PURPOSE

This policy designates and defines, in accordance with HIPAA, how CMU will identify departments, clinics, programs, and functions determined to be a designated unit within Central Michigan University’s Hybrid Entity, subject to CMU policies and HIPAA regulations.

DEFINITIONS

Covered Entity: A health plan, health care clearinghouse, or a healthcare provider who transmits any health information in electronic form in connection with a HIPAA transaction.

Hybrid Entity: A single legal entity that is a covered entity; whose business activities include both covered and non-covered functions; and that designates its healthcare components.

All other terms used in this policy have the same meaning as those terms in the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 and the regulations at 45 CFR Parts 160, 162, and 164.

POLICY

  1. The HIPAA Privacy Officer, in consultation with the appropriate administrators and HIPAA Executive Steering Committee, will identify the departments, clinics, programs, and functions determined to be designated in the Hybrid Entity. The Privacy Officer, in collaboration with the Office of General Counsel and the Executive Vice President of Health Affairs, shall have the authority to make final determinations regarding designation of Hybrid Entity components and update Exhibit A as needed.
  2. The HIPAA Privacy Officer will, not less than annually, review the activities of CMU departments, clinics, programs, and functions to determine whether any modifications to the designated Hybrid Entity should be made.
  3. Hybrid: Covered Entity Units: All CMU units with workforce members who use or disclose Protected Health Information (PHI) in connection with (1) carrying out the functions of the CMU self-funded health plan, or (2) carrying out the functions of a healthcare provider that conducts HIPAA covered electronic transactions or uses another entity to conduct the HIPAA covered electronic transactions, are designated as a covered entity of the CMU Hybrid Entity. These units are subject to all CMU HIPAA policies and HIPAA regulations and will be listed on Exhibit A.
  4. Hybrid: Business Associate Units: All CMU units that perform activities that, if they were separate entities, would make them business associates of CMU HIPAA covered entity units, are designated as a unit of the Hybrid Entity. These Business Associate units are subject to all CMU HIPAA policies and HIPAA regulations and will be listed on Exhibit A.
  5. Hybrid: Other Units: A CMU unit that performs a HIPAA covered function that is a healthcare provider but does not conduct HIPAA covered electronic transactions, or use another entity to do so, may, but is not required to, be included in the CMU Hybrid Entity designation. If CMU determines that it will designate such units as a part of the CMU Hybrid Entity, those units will be required to adhere to CMU HIPAA policies and HIPAA regulations.
  6. Non-Hybrid Units: Those health care units that perform a covered function, but do not conduct HIPAA covered electronic transactions, and that CMU has determined will be exempt from the Hybrid Entity designation; the security and confidentiality of the Individually Identifiable Health Information (IIHI) are protected by other state and federal law, and/or by CMU policy. In addition:
    1. These units may not in any way transmit health information in electronic form, or use another entity to do so, in relation to a HIPAA covered electronic transaction.
    2. If these units want to conduct HIPAA covered electronic transactions, they must first obtain consultation with and approval from the Executive Vice President for Health Affairs and the HIPAA Privacy Officer.
    3. These units are required to report breach of IIHI to the HIPAA Privacy Officer for further review and applicable follow-up.
  7. Non-Hybrid Units: When the use and disclosure of IIHI is carried out by CMU in its capacity as an employer or an educational institution, and not in the role of a self-insured health plan or a health care provider, the information is not PHI, and those functions are not subject to the HIPAA regulations. These units are exempt from the CMU Hybrid Entity designation, but the security and confidentiality of the IIHI are protected by other state and federal law, and/or by CMU policy.
  8. For Research functions:
    1. A researcher that functions as a health care provider and engages in standard electronic transactions must be included in the hybrid entity's health care component(s) and be subject to HIPAA regulations and CMU HIPAA policies.
    2. PHI may only be disclosed to a researcher for use in connection with an Institutional Review Board (IRB)-approved or exempt protocol and waiver of authorization. When a researcher requests access to PHI that has been created, received or maintained by the CMU hybrid entity, the hybrid entity must receive specific assurances that the PHI will be protected once disclosed to the researcher. CMU must account for certain disclosures as required by the HIPAA regulations. CMU’s IRB will function as the Privacy Board as defined by HIPAA and CMU IRB policies.
  9. A CMU college, unit, or department that would like to pursue a healthcare service must first consult with and obtain approval from the Executive Vice President of Health Affairs and HIPAA Privacy Officer.
  10. A CMU college, unit, or department that would like to pursue an information system to use and/or house electronic health information, must first consult with and obtain approval from the Vice President of Information Technology, the Executive Vice President for Health Affairs and the HIPAA Privacy Officer.
  11. Before the University begins to offer a new self-insured employee benefit health program to its employees, the Associate Vice President of Human Resources will consult with the HIPAA Privacy Officer to ensure that the new program complies with HIPAA.
  12. Separation Controls:
    1. The Hybrid Entity is required to ensure that it does not disclose protected health information to any other component of the University in circumstances in which HIPAA regulations would prohibit such disclosure if the health care component and the other component were separate and distinct legal entities.
    2. CMU workforce members who provide business services to both the CMU Health Care Components and CMU Health Plans cannot use or disclose PHI between those entities unless it is allowed in HIPAA regulations.

Central Michigan University reserves the right to make exceptions to, modify, or eliminate this policy and/or its content. This document supersedes all previous policies, procedures or guidelines related to this subject.