August 8, 2001
Arthur J. Robarge, Ph.D.
Division of Mental Health, Developmental Disabilities, and Substance Abuse Services
RE: Advisory Opinion: HIPAA Liability for DMHDDSAS, State Facilities, and Area Programs
Dear Dr. Robarge:
You have asked whether the Division of Mental Health, Developmental Disabilities, and Substance Abuse Services (“DMHDDSAS”) is responsible for ensuring compliance by the state MHDDSAS facilities and the local area MHDDSAS programs with the requirements of the Health Insurance Portability and Accountability Act (“HIPAA”). It is our opinion that the Department of Health and Human Services (“Department”), as a “hybrid entity,” is responsible for compliance by its “health care components.” The state facilities that fall within the HIPAA definition of “health care providers” are health care components for this purpose. The Department may choose as a management option to charge DMHDDSAS with the task of ensuring HIPAA compliance, but it will retain ultimate responsibility.
As to the area programs, they are separate legal entities not under the common ownership or control of the Department or DMHDDSAS. Therefore, the Department does not have responsibility under HIPAA for them. Note, however, that transactions between the Department or DMHDDSAS and the area programs must comply with HIPAA to the extent they fall within the scope of the Act.
The Status of the Department and Its Component Agencies and Facilities
The Health Insurance Portability and Accountability Act (“HIPAA”), P.L. 104-191 (42 USC § 1320d et seq.), and its implementing regulations, 45 CFR Part 160 et seq., apply to “covered entities.” A covered entity under HIPAA is a health plan, a health care clearinghouse, or a health care provider who transmits any health information in electronic form in connection with a transaction within the scope of HIPAA. 45 CFR § 160.103. These transactions generally involve health claims information.
Although HIPAA was enacted in 1996, its implementing regulations have only recently become effective, with compliance dates scheduled in October 2002 and April 2003. Other regulations are expected, along with additional policy guidance from the federal Department of Health and Human Services. This opinion, therefore, is based on the present statute, regulations and accompanying materials. It is possible that future regulations or policy pronouncements could alter the conclusions stated below.
The portion of the HIPAA rules dealing with privacy provides some refinement of the scope of a covered entity’s responsibilities. In a section titled “Organizational requirements,” 45 CFR § 164.504, the regulations introduce the concepts of “health care components” and “hybrid entity.” § 164.504(a). A health care component essentially is the unit of a covered entity that performs those functions that make the covered entity subject to HIPAA. A hybrid entity is “a single legal entity that is a covered entity and whose covered functions are not its primary functions.” Id. Generally speaking, in the privacy rules, references to a covered entity refer to the health care component of a hybrid entity.
A hybrid entity is responsible for ensuring that its health care components comply with the requirements of the privacy rules. § 164.504(c)(2). In addition, it is responsible for complying with the enforcement and compliance provisions of Subpart C of 45 CFR Part 160 (compliance and enforcement by the Secretary of federal HHS), for implementing certain required policies and procedures, and for designating and documenting the designation of the health care components. See 45 CFR § 164.504(c)(3).
The Department is a legal entity whose primary function is other than covered functions. See, e.g., G.S. 143B-137.1 (General Duties); G.S. 143B, Article 3 (more detailed list of functions); G.S. 108A; G.S. 110; G.S. 122C; G.S. 130A; G.S. 131D. Several of its constituent agencies and facilities clearly perform covered functions, such as the Medicaid Program and the various state psychiatric hospitals. These agencies and facilities are not, however, separate legal entities according to the normal indicia. For example, they do not have separate and independent management and control. They are subject to direction from superiors at the Department (and, in the case of the facilities, from DMHDDSAS). The Secretary is charged by statute to operate the facilities. G.S. 122C-181.
The comments to the Standards for Privacy of Individually Identifiable Health Information support the conclusion that the Department falls within the definition of a hybrid entity and has the responsibilities enumerated in the HIPAA regulations:
By “single legal entity,” we mean a legal entity, such as a corporation or partnership, that cannot be further differentiated into units with their own legal identities. For example, for purposes of this rule, a multinational corporation composed of multiple subsidiary companies would not be a single legal entity, but a small manufacturing firm and its health clinic, if not separately incorporated, could be a single legal entity.
65 Fed. Reg. 82502 (Dec. 28, 2000).
We expect that in most cases, government agencies that run health plans or provide health care services would typically meet the definition of a “hybrid entity” under § 164.504(a), so that such an agency would be required to designate the health care component or components that run the program or programs in question under § 164.504(c)(3), and the rules would not apply to the remainder of the agency’s operations, under § 164.504(b).
Id. at 82639.
For HIPAA purposes, therefore, the Department is a hybrid entity, responsible for ensuring HIPAA compliance by its health care components. Since the Department is the covered entity, DMHDDSAS does not separately have responsibilities established by HIPAA, although several covered components are under its management control. It does, of course, have such responsibilities as the Secretary may assign.
The Relationship of the Department and the Area Programs
Chapter 122C of the General Statutes establishes a system for delivery of MHDDSAS services with both state and local responsibilities. A local area MHDDSAS program is the “locus of coordination among public services for clients of its catchment area.” G.S. 122C-101. The area programs are separate legal entities, created as local political units, managed by a separate area board. G.S. 122C, Article 4, Part 2. The Secretary of Health and Human Services, the Department, and the Commission for Mental Health, Developmental Disabilities, and Substance Abuse Services are allocated varying responsibilities at the State level for supervisory, rule-making, budgeting and monitoring functions related to area program operations.
The Department and the Division, therefore, have various responsibilities under state law that implicate HIPAA compliance by area programs. For example, the Secretary is to adopt rules governing the expenditure of area authority funds and to administer and enforce rules that are conditions of participation in federal or state financial aid. G.S. 122C-112. In addition, the Department traditionally acts as a resource to assist area programs in implementing complex requirements. Therefore, the Department would be expected to provide guidance and assistance in HIPAA compliance to the area programs.
For purposes of HIPAA itself, however, the significant feature of the area program is that it is a local political subdivision of the State. G.S. 122C-116. As a separate legal entity, therefore, to the extent an area program is a covered entity, it is responsible for its own compliance with HIPAA.
If DMHDDSAS exchanges protected health information with an area program, both entities are subject to the HIPAA limitations on use and disclosure. In addition, DMHDDSAS or other Department units might qualify for some purposes as “business associates” of the area programs and therefore be subject to the requirement for a memorandum of understanding on the use or disclosure of health care information established in 45 CFR § 164.504(e)(3)(i).
The HIPAA regulations do permit legally separate covered entities that are “affiliated” to elect designation as an “affiliated covered entity.” The status of “affiliated covered entity” is only available to covered entities under common control or ownership. § 164.504(d)(2). The ownership criterion would not apply to separate political entities such as the Department and the area programs. “Common control” exists if an entity “has the power, directly or indirectly, significantly to influence or direct the actions or policies of another entity.” § 164.504(a). The comments to the regulations are not helpful in applying this standard in the context of area programs; the example they offer is a corporation with hospitals in many different states. While the Department has some influence over the area programs through Memoranda of Agreement, this is unlikely to be the degree of control required to meet the criteria for affiliation, even if that were a desirable relationship.
If you require any additional information, please let us know.
With best regards,
Ann Reed
Senior Deputy Attorney General
R. Marcus Lodge
Special Deputy Attorney General