When North Carolina's Department of Health and Human Services and its mental health Division work alongside locally-run area mental health programs, who is the HIPAA covered entity and who is responsible for compliance with the federal medical privacy rules?
Plain-English summary
When the Health Insurance Portability and Accountability Act ("HIPAA") and its privacy regulations came online in 2001, every entity that touched medical data had to figure out where it fit in the new federal framework. The threshold question was: am I a "covered entity"? If yes, do I have to comply with the privacy rule for everything I do, or only for the part of my operations that involves protected health information?
For a sprawling state agency like the North Carolina Department of Health and Human Services ("DHHS"), the answer was not obvious. DHHS as a whole is not really a "health plan" or a "health care provider" in the sense HIPAA contemplated. Its primary functions are broader: writing rules, supervising local programs, running benefit programs across welfare and aging and child support and public health. But within DHHS, several units clearly are covered: the Medicaid program is a health plan, and the state psychiatric hospitals are health care providers that transmit information electronically in connection with covered transactions.
The HIPAA regulations had a vehicle for that situation: the "hybrid entity." A hybrid entity is a single legal entity that does some HIPAA-covered functions but whose primary functions are something else. The hybrid entity is responsible for designating its "health care components" (the units that actually do the covered functions) and ensuring those components comply with the privacy rules. The non-health-care components are largely outside the privacy rule's reach.
The AG concluded that DHHS is a hybrid entity. The reasoning relied on the federal regulations' guidance that a "single legal entity" is "a legal entity, such as a corporation or partnership, that cannot be further differentiated into units with their own legal identities." DHHS's component agencies (the Division of Medical Assistance, the Division of Mental Health, Developmental Disabilities, and Substance Abuse Services [DMHDDSAS], etc.) and its facilities (the state psychiatric hospitals) are not separate legal entities. They are managed under the same Secretary, operate under the same legal umbrella, and lack separate boards or independent control. So they are part of one legal entity (DHHS), and DHHS is the covered entity that must designate health care components.
The implication for the actual question Dr. Robarge asked (was DMHDDSAS itself a covered entity?) was that it is not. DMHDDSAS is a Division within DHHS; it is not a separate legal entity; HIPAA covered-entity status attaches at the DHHS level. DMHDDSAS may end up doing most of the day-to-day compliance work for the mental-health-related health care components, but its responsibilities are derivative (assigned by the Secretary) rather than independently created by HIPAA.
The area mental health programs (now usually called area authorities, LME-MCOs, or by other successor names) are a different story. North Carolina law treats area programs as local political subdivisions, separate legal entities created under Chapter 122C and managed by their own area boards. So an area program that runs a health plan, clearinghouse, or covered health care provider operation is itself a covered entity, with its own HIPAA compliance obligations.
The opinion also flagged two relationship questions:
(1) Business associate status. When DMHDDSAS or other DHHS components exchange protected health information with an area program, both sides are subject to HIPAA's use-and-disclosure limits. DMHDDSAS may also be a "business associate" of the area program for some purposes, in which case the area program needs a HIPAA-compliant memorandum of understanding with DHHS under 45 CFR § 164.504(e)(3)(i).
(2) Affiliated covered entity status. HIPAA lets legally separate covered entities under common control elect to be treated as a single "affiliated covered entity." But "common control" requires the power to "significantly . . . influence or direct the actions or policies of another entity." DHHS's relationship with area programs (Memoranda of Agreement, supervisory functions, some rulemaking power) probably does not rise to that level. The area programs retain enough independence that they are unlikely to qualify as affiliated covered entities with DHHS.
Currency note
This opinion was issued in 2001. Subsequent statutory amendments, court decisions, or later AG opinions may have changed the analysis. Treat this page as historical context, not current legal advice. The HIPAA privacy and security regulations have been amended multiple times since 2001 (most notably by the HITECH Act in 2009, which added direct liability for business associates and revised many of the rules), and North Carolina's Chapter 122C mental health structure has been overhauled significantly (area programs reorganized into Local Management Entities/Managed Care Organizations, or "LME-MCOs," in 2012-2014 and further restructured under tailored plan transitions). The legal-entity analysis of DHHS as a hybrid entity remains conceptually sound, but the specific area-program structures referenced in this opinion have largely been replaced. Anyone analyzing a current question should start with current HIPAA regulations (45 CFR Parts 160 and 164 post-HITECH) and current Chapter 122C structure (consult the LME-MCO and tailored plan provisions in effect now).
Background and statutory framework
The HIPAA covered-entity framework. HIPAA's administrative simplification provisions, codified at 42 U.S.C. § 1320d et seq., direct the Secretary of Health and Human Services to issue standards governing electronic transactions and protecting the privacy and security of individually identifiable health information. The implementing regulations at 45 CFR Parts 160 and 164 apply to "covered entities," defined in 45 CFR § 160.103 as health plans, health care clearinghouses, and health care providers who transmit health information in electronic form in connection with a covered transaction. Most health-related state agencies have multiple covered entities embedded within them.
Why the hybrid-entity construct exists. When the privacy rule was being drafted in the late 1990s, regulators recognized that mechanically applying the rule to every part of a sprawling government department would be both unworkable and irrelevant. A state department of health includes many functions (public health surveillance, statistical reporting, rulemaking, oversight of regulated industries) that have nothing to do with treatment, payment, or operations in the HIPAA sense. Applying the privacy rule's notice-of-privacy-practices requirements and authorization-form requirements to a rulemaking office, or to a population-health surveillance team that does not deal in individually identifiable data, would be pointless busy-work. So the hybrid-entity construct in 45 CFR § 164.504 lets a covered entity designate the "health care components" within itself and isolate the privacy rule's application to those components.
How the designation works. A hybrid entity must (1) designate which of its components perform covered functions, (2) document that designation, (3) ensure the designated components comply with the privacy rule, and (4) implement firewalls (in practice, training, access controls, and policies) that prevent the non-health-care components from getting access to protected health information except as permitted by the rule. The hybrid entity remains liable for the compliance of its health care components, but the rest of the entity is treated more like a separate entity for purposes of disclosure restrictions.
Why DHHS is a hybrid entity and not just a covered entity. The opinion cited 45 CFR § 164.504(a)'s definition of "single legal entity" (a legal entity that cannot be further differentiated into units with their own legal identities) and explained that DHHS includes Medicaid (a health plan), the state psychiatric hospitals (health care providers), and other covered functions. Because these are not separate legal entities, they are part of DHHS. The Department's primary functions are not health care functions (rulemaking, supervision, programs across many domains). That is the classic hybrid-entity profile. The Federal Register comments accompanying the privacy rule (65 Fed. Reg. 82502, 82639) explicitly contemplated that government agencies running health plans or providing health care services would typically be hybrid entities.
DMHDDSAS's role within DHHS. The Division of Mental Health, Developmental Disabilities, and Substance Abuse Services is part of DHHS. The opinion noted that DMHDDSAS facilities (state psychiatric hospitals) are operated by the Secretary under N.C.G.S. § 122C-181. They have no separate legal identity; their management and control flow from DHHS. So DMHDDSAS does not separately become a HIPAA covered entity. Its HIPAA-related responsibilities are whatever the Secretary assigns to it as a matter of internal DHHS organization.
The area program structure under Chapter 122C. Chapter 122C of the North Carolina General Statutes establishes a state-and-local hybrid system for delivering mental health, developmental disability, and substance abuse services. Area programs are the locus of local coordination (N.C.G.S. § 122C-101). They are local political subdivisions of the State (N.C.G.S. § 122C-116), with their own area boards (N.C.G.S. § 122C, Article 4, Part 2). State-level supervisory, rule-making, budgeting, and monitoring authority is allocated across the Secretary of HHS, DHHS, and the Commission for Mental Health, Developmental Disabilities, and Substance Abuse Services (N.C.G.S. § 122C-112).
Why area programs are separate covered entities, not part of DHHS. Because area programs are separate legal entities under state law, HIPAA's covered-entity analysis treats them separately. Each area program that runs a health plan, a health care clearinghouse, or a covered health care provider operation is its own covered entity with its own HIPAA compliance obligations. DHHS cannot cover area programs by designating them as health care components of itself, because they are not within DHHS's single legal entity.
Business associate relationships between DHHS components and area programs. A "business associate" under the privacy rule is an entity that performs a function or activity involving the use or disclosure of protected health information on behalf of a covered entity. If DMHDDSAS or another DHHS health care component performs that kind of function for an area program (for example, processing claims data on behalf of the area program, or analyzing health records for outcomes reporting), the area program needs a HIPAA-compliant business associate contract or memorandum of understanding with DHHS. That document obligates DHHS to comply with the area program's use-and-disclosure limits, to safeguard the information, and to report breaches.
Affiliated covered entity treatment. 45 CFR § 164.504(d)(2) allows legally separate covered entities that are under common ownership or common control to elect to be treated as a single affiliated covered entity. The benefit is administrative simplification: one notice of privacy practices, one HIPAA officer, one set of policies. But the requirements are strict. Common ownership is not available between DHHS and area programs (both are public entities, neither is owned in the corporate sense). Common control requires power to "significantly . . . influence or direct the actions or policies of another entity." The opinion concluded that DHHS's relationship with area programs (mediated by Memoranda of Agreement and statutory supervisory authority) likely does not meet that threshold, even if DHHS wanted to treat the area programs as part of a unified covered entity.
Common questions
Q: What does it mean for HIPAA purposes that DHHS is a "hybrid entity"?
A: A hybrid entity is one legal organization whose primary function is not health care but which contains within it one or more units (called "health care components") that do HIPAA-covered work. The hybrid entity must formally designate the health care components and document the designation. The privacy rule's restrictions apply to those designated components, and the hybrid entity has to put barriers in place to keep protected health information from flowing freely to non-health-care parts of the organization without proper authorization.
Q: Why isn't DMHDDSAS itself a HIPAA covered entity?
A: Because DMHDDSAS is a Division within DHHS, not a separate legal entity. The HIPAA regulations apply to "single legal entities," and the test is whether the unit can be "further differentiated into units with their own legal identities." DMHDDSAS cannot; it shares legal personality with DHHS. So HIPAA covered-entity status attaches at the DHHS level, and DMHDDSAS's role in HIPAA compliance is whatever the Secretary assigns to it internally.
Q: How are local area mental health programs different from DMHDDSAS for HIPAA purposes?
A: Area programs are separate legal entities. They are local political subdivisions established under N.C.G.S. § 122C-116, with their own boards and their own legal personality. So an area program that runs a covered health care operation is its own HIPAA covered entity, responsible for its own privacy and security compliance. It is not part of DHHS for HIPAA purposes, even though DHHS exercises significant statutory supervision over area programs.
Q: What happens when DHHS and an area program share patient information?
A: Both sides have to comply with HIPAA's use-and-disclosure rules with respect to the information. Each is a covered entity in its own right. In addition, depending on the nature of the data flow, DHHS or one of its components may be acting as a "business associate" of the area program (for example, when DHHS processes data on the area program's behalf). If so, the area program needs a HIPAA-compliant business associate contract with DHHS, even though both are public agencies.
Q: Could DHHS and area programs combine into a single "affiliated covered entity" to simplify compliance?
A: Probably not under the rules as they existed in 2001. Affiliated covered entity status requires common ownership or common control. DHHS does not "own" area programs in the corporate sense, and the AG opinion concluded that DHHS's statutory supervisory authority over area programs probably does not rise to the "common control" threshold required by 45 CFR § 164.504(a). The result is that DHHS and area programs must each maintain their own covered-entity compliance, even though they cooperate operationally.
Q: Does this analysis still apply today?
A: The hybrid-entity construct is still the right framework for analyzing whether a state department of health is a covered entity. But the specific organizational features the opinion described (the Division of Mental Health, the area program structure of Chapter 122C circa 2001) have been substantially reorganized. North Carolina restructured its area programs into Local Management Entities/Managed Care Organizations (LME-MCOs) in 2012-2014, and is now transitioning toward tailored Medicaid plans. The current entity-status analysis depends on how each successor entity is structured, but the same legal-personality rule of thumb (each entity that is a separate legal person under state law analyzed separately under HIPAA) still applies.
Q: How does this affect a patient whose mental health records are shared between a state psychiatric hospital and an area program?
A: From the patient's perspective, both entities owe HIPAA-level privacy protections to the records. Each entity must obtain authorization or fit the sharing into a use-or-disclosure permitted by the privacy rule (treatment, payment, health care operations, etc.). The patient can complain to either entity, to DHHS, or to the federal Office for Civil Rights if either entity mishandles the information. The hybrid-entity and area-program separation does not reduce protection for the patient; it just means there are two compliance regimes operating in parallel rather than one.
Citations
Federal statutes and regulations
- Health Insurance Portability and Accountability Act, P.L. 104-91, codified at 42 U.S.C. § 1320d et seq.
- 45 C.F.R. § 160.103 — definition of "covered entity."
- 45 C.F.R. § 164.504(a) — definitions of "single legal entity," "common control," "covered functions."
- 45 C.F.R. § 164.504(c)(2)-(3) — hybrid entity obligations and designation of health care components.
- 45 C.F.R. § 164.504(d) — affiliated covered entity election and common-ownership/control requirements.
- 45 C.F.R. § 164.504(e)(3)(i) — business associate memorandum of understanding requirement.
- 65 Fed. Reg. 82502 (Dec. 28, 2000) — preamble to the Standards for Privacy of Individually Identifiable Health Information, including the agency interpretation of single-legal-entity and hybrid-entity concepts.
North Carolina statutes
- N.C.G.S. § 122C-11 — general definitions in mental health chapter.
- N.C.G.S. § 122C-101 — area program as locus of coordination of public services in its catchment area.
- N.C.G.S. § 122C-112 — Secretary's rulemaking authority over area program expenditures and federal/state aid conditions.
- N.C.G.S. § 122C-115 / § 122C-115.1 — structure of area authority operations.
- N.C.G.S. § 122C-116 — area authorities as local political subdivisions; separate legal entities.
- N.C.G.S. § 122C-181 — Secretary's responsibility to operate state psychiatric facilities.
- N.C.G.S. § 143B-137.1 — DHHS general duties.
Source
- Landing page: https://ncdoj.gov/opinions/hipaa-liability-for-dmhddsas/
Original opinion text
DISCUSSION
The Status of the Department and Its Component Agencies and Facilities
The Health Insurance Portability and Accountability Act ("HIPAA"), P.L. 104-91 (42 USC § 1320d et seq.) and its implementing regulations, 45 CFR Part 160 et seq., apply to "covered entities." A covered entity under HIPAA is a health plan, health care clearinghouse, or health care provider who transmits any health information in electronic form in connection with a transaction within the scope of HIPAA. 45 CFR § 160.103. These transactions generally are health claims information.
Although HIPAA was enacted in 1996, its implementing regulations have only recently become effective, with implementation dates scheduled in October, 2002 and April, 2003. Other regulations are expected, along with additional policy guidance from the federal Department of Health and Human Services. This opinion, therefore, is based on the present statute, regulations and accompanying materials. It is possible that future regulations or policy pronouncements could alter the conclusions stated below.
The portion of the HIPAA rules dealing with privacy provides some refinement of the scope of a covered entity's responsibilities. In a section titled "Organizational requirements," 45 CFR § 164.504, the regulations introduce the concepts of "health care components" and "hybrid entity." §164.504(a). A health care component essentially is the unit of a covered entity that performs those functions that make the covered entity subject to HIPAA. A hybrid entity is "a single legal entity that is a covered entity and whose covered functions are not its primary functions." Id. Generally speaking, in the privacy rules, references to a covered entity refer to the health care component of a hybrid entity.
A hybrid entity is responsible for ensuring that its health care components comply with the requirements of the privacy rules. § 164.504(c)(2). In addition, it is responsible for complying with the enforcement and compliance provisions of Subpart C of 45 CFR Part 160 (compliance and enforcement by the Secretary of federal HHS), for implementing certain required policies and procedures, and for designating and documenting the designation of the health care components. See 45 CFR § 164.504(c)(3).
The Department is a legal entity whose primary function is other than covered functions. See, e.g., G.S. 143B-137.1 (General Duties); G.S. 143B, Article 3 (more detailed list of functions); G.S. 108A; G.S. 110; G.S. 122C; G.S. 130A; G.S. 131D. Several of its constituent agencies and facilities clearly perform covered functions, such as the Medicaid Program and the various state psychiatric hospitals. These agencies and facilities are not, however, separate legal entities according to the normal indicia. For example, they do not have separate and independent management and control. They are subject to direction from superiors at the Department (and, in the case of the facilities, from DMHDDSAS). The Secretary is charged by statute to operate the facilities. G.S. 122C-181.
The comments to the Standards for Privacy of Individually Identifiable Health Information support the conclusion that the Department falls within the definition of a hybrid entity and has the responsibilities enumerated in the HIPAA regulations:
By "single legal entity," we mean a legal entity, such as a corporation or partnership, that cannot be further differentiated into units with their own legal identities. For example, for purposes of this rule, a multinational corporation composed of multiple subsidiary companies would not be a single legal entity, but a small manufacturing firm and its health clinic, if not separately incorporated, could be a single legal entity.
65 Fed. Reg. 82502 (Dec. 28, 2000).
We expect that in most cases, government agencies that run health plans or provide health care services would typically meet the definition of a "hybrid entity" under § 164.504(a), so that such an agency would be required to designate the health care component or components that run the program or programs in question under § 164.504(c)(3), and the rules would not apply to the remainder of the agency's operations, under § 164.504(b).
Id. at 82639.
For HIPAA purposes, therefore, the Department is a hybrid entity, responsible for ensuring HIPAA compliance by its health care components. Since the Department is the covered entity, DMHDDSAS does not separately have responsibilities established by HIPAA, although several covered components are under its management control. It does, of course, have such responsibilities as the Secretary may assign.
The Relationship of the Department and the Area Programs
Chapter 122C of the General Statutes establishes a system for delivery of MHDDSAS services with both state and local responsibilities. A local area MHDDSAS program is the "locus of coordination among public services for clients of its catchment area." G.S. 122C-101. The area programs are separate legal entities, created as local political units, managed by a separate area board. G.S. 122C, Article 4, Part 2. The Secretary of Health and Human Services, the Department, and the Commission for Mental Health, Developmental Disabilities, and Substance Abuse Services are allocated varying responsibilities at the State level for supervisory, rule-making, budgeting and monitoring functions related to area program operations.
The Department and the Division, therefore, have various responsibilities under state law that implicate HIPAA compliance by area programs. For example, the Secretary is to adopt rules governing the expenditure of area authority funds and to administer and enforce rules that are conditions of participation in federal or state financial aid. G.S. 122C-112. In addition, the Department traditionally acts as a resource to assist area programs in implementing complex requirements. Therefore, the Department would be expected to provide guidance and assistance in HIPAA compliance to the area programs.
For purposes of HIPAA itself, however, the significant feature of the area program is that it is a local political subdivision of the State. G.S. 122C-116. As a separate legal entity, therefore, to the extent an area program is a covered entity, it is responsible for its own compliance with HIPAA.
If DMHDDSAS exchanges protected health information with an area program, both entities are subject to the HIPAA limitations on use and disclosure. In addition, DMHDDSAS or other Department units might qualify for some purposes as "business associates" of the area programs and therefore be subject to the requirement for a memorandum of understanding on the use or disclosure of health care information established in 45 CFR § 164.504(e)(3)(i).
The HIPAA regulations do permit legally separate covered entities who are "affiliated" to elect designation as an "affiliated covered entity." The status of "affiliated covered entity" is only available to covered entities with common control or ownership. § 164.504(d)(2). The ownership criteria would not apply to separate political entities such as the Department and the area programs. "Common control" exists if an entity "has the power, directly or indirectly, significantly, to influence or direct the actions or policies of another entity." § 164.504(a). The comments to the regulations are not helpful in applying this standard in the context of area programs; the example they offer is a corporation with hospitals in many different states. While the Department has some influence over the area programs through Memoranda of Agreement, this is unlikely to be the degree of control required to meet the criteria for affiliation, even if that were a desirable relationship.
If you require any additional information, please let us know.
With best regards,
Sincerely,
Ann Reed
Senior Deputy Attorney General
R. Marcus Lodge
Special Deputy Attorney General