The Question That Catches Most Compliance Officers Off Guard
A hospital system I worked with had 14,000 employees. Their HIPAA training program covered about 6,000 of them. When I asked the compliance officer why, she said, "The other departments don't touch patient data." She was partly right — and entirely exposed. Understanding which segments of your organization are considered covered under HIPAA is one of the most misunderstood areas in healthcare compliance, and getting it wrong has cost organizations millions.
Here's what I've seen over and over: organizations either over-apply HIPAA to every employee (wasting time and diluting the message) or under-apply it (leaving massive gaps in PHI protection). Neither approach works. The answer lives in a concept most people have heard of but few truly understand — the hybrid entity designation.
Covered Entity vs. Hybrid Entity: The Distinction That Changes Everything
Let's start with the basics. Under the HIPAA Privacy Rule, a covered entity is a health plan, a healthcare clearinghouse, or a healthcare provider that transmits health information electronically. If your entire organization fits one of those categories, every segment is covered. Full stop.
But most large organizations aren't that simple. A university with a medical center. A manufacturer with a self-insured health plan. A county government that runs a public health clinic. These organizations perform both covered and non-covered functions.
That's where the hybrid entity comes in. Under 45 CFR § 164.105, a covered entity that performs both covered and non-covered functions can designate itself as a hybrid entity. When it does, only the healthcare components — the segments that perform covered functions — are subject to HIPAA's requirements.
What Counts as a Healthcare Component?
A healthcare component is any part of your organization that performs functions that would make it a covered entity if it operated independently. Think of it this way: if you spun off that department into its own company, would it be a health plan, clearinghouse, or healthcare provider transmitting electronic health information? If yes, it's a healthcare component.
Common examples include:
- A university's student health center or faculty medical practice
- A corporation's self-administered group health plan
- A county government's public health department or EMS division
- A retailer's in-store pharmacy operations
The non-covered segments — the university's English department, the corporation's marketing team, the county's parks and recreation division — fall outside HIPAA's direct reach, unless they access or handle PHI from the covered components.
Which Segments of Your Organization Are Considered Covered Under HIPAA — A Direct Answer
If your organization has designated itself as a hybrid entity, the segments considered covered under HIPAA are your designated healthcare components — the divisions, departments, or units that perform covered entity functions like providing healthcare services, administering health plans, or processing health information. Every workforce member within those components must comply with HIPAA, and those components must have their own safeguards for protecting protected health information (PHI) and electronic protected health information (ePHI).
If your organization has not made a hybrid entity designation, then the entire organization is treated as the covered entity, and HIPAA applies across every department and every employee.
The Hybrid Entity Trap Nobody Warns You About
Here's what trips organizations up: making the hybrid entity designation sounds like a way to reduce your compliance burden. And it can be. But HHS built in a critical safeguard — you must implement firewalls between your covered and non-covered components.
These aren't just IT firewalls. They're administrative, physical, and technical safeguards that prevent PHI from leaking into parts of your organization that aren't subject to HIPAA. That means:
- Non-covered components cannot access PHI unless they're acting as a business associate with a proper agreement in place
- Workforce members in non-covered segments who perform duties for healthcare components must be trained and treated as part of the covered component for those duties
- Your designation must be documented — in writing — and your policies must reflect the boundaries
I've seen organizations claim hybrid entity status on paper but let their HR department freely access health plan enrollment data without a business associate agreement. That's not a hybrid entity. That's a liability.
The $5.5 Million Mistake: When Segment Boundaries Fail
In 2017, Memorial Healthcare System paid $5.5 million to settle with OCR after employees — including those outside of clinical operations — accessed the ePHI of 115,143 individuals without authorization. The breach persisted for over a year. One of OCR's findings: the organization failed to implement adequate access controls and audit procedures.
This is exactly the kind of disaster that happens when organizations don't clearly define which segments are covered and enforce boundaries around PHI access. If your non-covered segments can reach into your covered component's data, your hybrid entity designation is meaningless.
Who Must Be Trained — And Who Can Be Left Out
Workforce training is where this gets practical. Under 45 CFR § 164.530(b), every member of a covered entity's workforce must be trained on HIPAA policies and procedures. In a hybrid entity, that means every person in your designated healthcare components needs training — not just clinical staff.
The billing clerk, the receptionist, the IT administrator who supports the health plan's enrollment system — they're all workforce members of the covered component. They all need training.
For organizations navigating these distinctions, our HIPAA training catalog includes role-specific courses that let you target the right content to the right segments of your workforce — exactly the kind of precision that hybrid entities need.
Business Associates: The Segment You Forgot
There's another segment most organizations overlook when asking which segments are covered: their business associates. Any entity or person — inside or outside your organization — that creates, receives, maintains, or transmits PHI on behalf of your covered component is a business associate.
This includes:
- Third-party billing companies
- Cloud storage providers hosting ePHI
- Shredding companies that destroy paper records containing PHI
- Internal departments in a hybrid entity that provide services to the healthcare component (like a centralized IT division)
That last bullet is the one that gets people. If your corporate IT team manages servers for your health plan, they need a business associate agreement — even though they're part of your own organization. The HIPAA Privacy Rule is explicit about this for hybrid entities.
How to Map Your Organization's Covered Segments
If you haven't done this exercise yet, here's the framework I walk clients through:
Step 1: Identify All Covered Functions
List every function your organization performs that qualifies as a covered entity function — healthcare delivery, health plan administration, claims processing, etc.
Step 2: Map Functions to Organizational Units
Identify which departments, divisions, or business units perform those functions. These become your healthcare components.
Step 3: Document the Designation
Put it in writing. Your hybrid entity designation should name each healthcare component, describe its covered functions, and outline the safeguards separating it from non-covered segments.
Step 4: Identify Internal Business Associates
Any non-covered segment that provides services involving PHI to your healthcare components needs a business associate agreement.
Step 5: Train the Right People
Every workforce member in your healthcare components — and every internal business associate — needs HIPAA training appropriate to their role. Explore role-specific HIPAA workforce training options designed for exactly this kind of organizational mapping.
What Happens When You Don't Designate at All
Here's the part that surprises people: if your organization performs both covered and non-covered functions and you don't make a hybrid entity designation, the entire organization is the covered entity. Every employee. Every department. Every system.
For a large diversified company, that means your manufacturing floor workers, your retail associates, your marketing team — everyone — falls under HIPAA. That's an enormous (and usually unnecessary) compliance burden. It also creates confusion, because those employees have no idea why they're being asked to comply with healthcare privacy rules.
The hybrid entity designation exists precisely to solve this problem. But you have to actually make the designation, document it, and enforce the boundaries. There's no automatic hybrid status.
The Bottom Line for Your Organization
Knowing which segments of your organization are considered covered under HIPAA isn't an academic question. It determines who gets trained, what systems need safeguards, where your audit trail must reach, and how OCR will evaluate you during an investigation.
Get it right, and you build a focused, effective compliance program. Get it wrong, and you're either wasting resources on unnecessary training or leaving PHI unprotected in departments that don't even know they're responsible for it.
If you're ready to align your workforce training with your organization's actual covered segments, start with the HIPAA training catalog at HIPAACertify and build a program that matches your compliance architecture — not someone else's.