Policy Title:

HIPAA Hybrid Entity Designation

Brief Description:

Identifies MerlinOne, Inc. as a hybrid entity and designates its Business Associate components in accordance with federal law.

Effective:

September 1, 2019

Approved by:

CEO – David Tenenbaum

Responsible Company Officer:

COO – Jeff Seidensticker

Policy Contact:

Jeff Seidensticker

Last Reviewed/Updated:

September 1, 2019

Applies to:

Company-wide

Reason for Policy

To comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH Act), requirements regarding hybrid entities.

I. INTRODUCTION

The Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH Act), is a federal law designed to improve the portability and continuity of health care coverage, standardize health care transactions and implement requirements surrounding health information privacy and security.

In general, HIPAA addresses Protected Health Information (PHI) that is maintained or transmitted by a covered entity or a business associate of a covered entity.

Covered entities are health plans, health care clearinghouses and health care providers that conduct certain types of transactions in electronic form.

Business associates are entities that perform certain functions or activities involving the use or disclosure of protected health information on behalf of, or that provide services to, a covered entity.

A covered entity or business associate that is a single legal entity and conducts both covered and non-covered functions may elect to be a hybrid entity. To be a hybrid entity, the covered entity or business associate must identify its health care components that perform covered functions and designate these health care components as HIPAA compliant. As such, the HIPAA compliance obligations apply only to the designated health care components. A covered entity or business associate that does not make this designation is subject to HIPAA in its entirety.

MerlinOne, Inc. conducts both covered and non-covered functions and elects to be a hybrid entity. This policy identifies the company as a hybrid entity and documents the company’s health care components that must comply with HIPAA requirements.

II. POLICY STATEMENT

A. Hybrid Entity

MerlinOne, Inc. conducts both covered and non-covered functions and elects to be a hybrid entity under HIPAA as provided by 45 C.F.R. § 164.103 and 45 C.F.R. § 105.

B. Designated Health Care Components

As a hybrid entity, the applicable HIPAA compliance obligations only apply to the designated health care components.

1. The designated health care components include:

a. Any component that would meet the definition of a covered entity if it were a separate legal entity;

b. Components only to the extent that they perform covered functions; and

c. Components that provide business associate services that perform covered

2. The designated health care components are listed in Exhibit A, MerlinOne Designated Health Care Components.

3. Our Security Officer, in consultation with our Technical Support and Operations teams, shall review and amend Exhibit A as needed, but no less frequently than annually.


C. MerlinOne Responsibility

The company shall ensure that the designated health care components comply with the applicable HIPAA requirements. 45 C.F.R. § 105.

D. Health Care Components Responsibility

Each designated health care component shall ensure its own compliance with the applicable HIPAA requirements. Designated health care components that provide business associate services shall follow the compliance rules of the designated health care component for which they are providing those services.

Exhibit A

MerlinOne Designated Health Care Components

MerlinOne has actively analyzed and addressed its responsibilities and obligations under the federal Health Insurance Portability and Accountability Act (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health Act (“HITECH”).

MerlinOne is not primarily engaged in the activities that define a covered entity but does have health care components that perform customer support and technical operations functions for its affiliated organization (Merlin Compliance, Inc.) that fit the “Business Associate” definition.

Pursuant to this, MerlinOne, Inc. has formally designated itself a “Hybrid Entity” for HIPAA compliance purposes. As a hybrid entity, MerlinOne is required to document and identify its health care components that perform covered functions.

As part of a hybrid entity, covered health care components may freely share protected health information (“PHI”) among themselves in order to better support our customers. All other company departments may not receive or interact with PHI.

The following departments are the officially designated health care components of MerlinOne, Inc. and are therefore required to comply with HIPAA’s privacy rules and standards:

  • Customer Service and Support – provides customer service and support functions as a business associate for Merlin Compliance, Inc. customers.
  • Technical Operations – provides technical operations functions as a business associate for Merlin Compliance, Inc. customers.

How to Contact Us

If you have any questions or concerns about this Privacy Policy, please contact us at: jseidensticker@merlinone.com | 17 Whitney Road, Quincy, MA 02169, 617-328-6645.