Skip to content

Community Initiatives HIPAA Hybrid Designation Policy

Effective Date: 2/1/2026

Responsible Party: Community Initiatives

HIPAA Privacy Officer:

Gayle Byrne
Privacy Officer
Community Initiatives
1000 Broadway, Suite #480
Oakland, CA 94607
HIPAA@communityinitiatives.org

HIPAA Security Officer:

Sarah Bacon
Security Officer
Community Initiatives
1000 Broadway, Suite #480
Oakland, CA 94607
HIPAA@communityinitiatives.org

Community Initiatives (also referred to as “us” or “we”), pursuant to 45 C.F.R. §§ 164.103 and 164.105 and the Health Insurance Portability and Accountability Act of 1996, as amended (“HIPAA”) elects to be a “hybrid entity” and designates certain internal units as covered Health Care Components. While definitions are provided below for clarity and convenience, all terms defined in HIPAA or their cognate terms, shall be given their definition under HIPAA.

I. Policy Introduction

HIPAA, and its related regulations protect individually identifiable information regarding an individual’s health and the provision of health care to that individual  (“Protected Health Information” or “PHI”). HIPAA applies to entities that perform health-care related functions, including providing health care services (“Covered Entities”).

Community Initiatives is a California nonprofit public benefit corporation that is recognized as tax-exempt under federal and state law. Community Initiatives is a fiscal sponsor of projects that engage in charitable and/or educational activities (the “Projects”). Each Project of Community Initiatives engages in distinct charitable and/or educational activities as programs of and overseen by Community Initiatives, some of which involve the provision of health care services that are subject to HIPAA. HIPAA regulates the use and disclosure of protected health information by Covered Entities and imposes administrative, technical, and physical standards, including implementation specifications, to ensure that PHI is kept secure. To implement these requirements, all Community Initiatives Health Care Components must follow appropriate written procedures to secure the privacy of patient information.

Under HIPAA, an organization with both HIPAA-covered and non-Covered Functions may elect to be a hybrid entity, which is a type of Covered Entity. With that designation, HIPAA requirements apply only to the hybrid entity’s Health Care Components engaged in Covered Functions, and do not apply to other components engaged in non-Covered Functions. If a Covered Entity chooses to designate its Health Care Components in this manner, it must include any component that would meet the definition of a Covered Entity or a Business Associate if such component were a separate legal entity, such as components that provide legal, accounting, or administrative services for internal Health Care Components where such services involve the sharing of PHI. Health Care Components also may include a component only to the extent that it performs Covered Functions.

By adopting this policy, Community Initiatives designates itself to be a hybrid entity under 45 C.F.R. §§ 164.103 and 164.105.

Community Initiatives further designates its Health Care Components subject to HIPAA below. Community Initiatives may designate other Health Care Components by amending this policy.

Community Initiatives remains responsible for the HIPAA compliance of its Health Care Components as outlined in HIPAA.

II. Applicability

Community Initiatives, a California nonprofit public benefit corporation.

III. Definitions for Clarity

Covered Entity: A covered entity means:

  1. A health plan;
  2. A health care clearing house; and
  3. A health care provider who transmits any health information in electronic form in connection with a transaction covered by this chapter.

Covered Functions: A Covered Function means those functions of an entity that would render the performer a Covered Entity.

HIPAA: The Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act, and its regulations as applicable.

PHI: Protected Health Information is individually identifiable health information held or transmitted by a covered entity; and relates to

  • The individual’s past, present, or future physical or mental health condition;
  • The provision of health care to the individual; or
  • The past, present, or future payment for the provision of health care to the individual.

Health Care Component: A component or combination of components of Community Initiatives designated as a Health Care Component of Community Initiatives.  A Health Care Component may be designated as such under this policy if it would meet the definition of Covered Entity under HIPAA if it were a separate legal entity, or if it acts as a Business Associate to another Covered Entity, or another Health Care Component.

IV. Policy Designations and Procedures

Community Initiatives designates the following as Health Care Components subject to HIPAA:

  • Community Initiatives’ Projects
    • Seedz of Peace
    • Food as Medicine
    • El/La Para Translatinas
  • Community Initiatives HIPAA Privacy Officer
  • Community Initiatives HIPAA Security Officer
  • Community Initiatives Data Security Coordinator
  • Community Initiatives Finance Department
  • Community Initiatives Human Resources Department
  • Community Initiatives Client Services Department

Some elements and workforce members of Community Initiatives that are not Health Care Components may perform duties on behalf of, provide oversight, or provide assistance to Health Care Components that are not Covered Functions and do not require a Business Associate Agreement. For example, if one element of Community Initiatives is providing services to a Health Care Component of Community Initiatives, but no PHI is involved as part of those services, the element of Community Initiatives providing those services is not a Business Associate of the Health Care Component and a Business Associate Agreement is not required.

If circumstances dictate that PHI must be disclosed or used in providing services to a Health Care Component, it must be in a manner that is de-identified, ambiguous, or incidental. If a disclosure is required that would exceed such conditions, then the element or workforce member providing the services may be considered a Health Care Component, and must seek approval to be designated as such and/or shall have a signed Business Associate agreement with the Health Care Component to which it provides such services, as required.

V. Sanctions

All workforce members, including employees, independent contractors, and volunteers where applicable, are required to comply with the Community Initiatives’ Policies related to HIPAA. Workforce members shall be subject to sanctions up to and including termination for non-compliance with the established policies and procedures.

Sanctions will be determined based on the context of the violation, including (1) severity, (2) intent, (3) any pattern or practice of violations, and (4) any other relevant considerations.

Main Menu