The Schrödinger’s Org: Why Your Company Is Covered, Not Covered—Or Both
- Riyad Omar
- Jun 24
- 3 min read
Updated: Jun 26
In healthcare, compliance risk doesn’t just scale with revenue or headcount—it scales with structure. Even seemingly straightforward companies can end up operating across multiple regulatory domains, particularly as they expand services, build partnerships, or pursue new lines of business.
This post explores five structural patterns that often catch companies off guard—and why understanding your organizational scope is essential to designing an effective, defensible compliance program.
1. Hybrid Entities: When Only Some Functions Are Covered
A hybrid entity is a single legal organization that performs both HIPAA-covered and non-covered functions. HIPAA only applies to the designated “covered” portion—but full compliance is still required for that part.
Examples include:
- A retail pharmacy that operates a covered dispensing business alongside a non-covered convenience store
- A health tech company that offers both a wellness app (non-covered) and a telehealth service (covered)
- A digital platform that connects patients with providers while storing or transmitting PHI for billing purposes
These structures aren’t always accidents—they’re often strategic. Partitioning allows companies to enjoy the benefits of offering reimbursable healthcare services while isolating other operations from HIPAA’s more stringent requirements. But once this choice is made, it’s crucial to formalize it: document the hybrid designation, implement internal firewalls, and ensure clear operational boundaries.
2. Federal Contracting: Covered by Procurement Obligations
Covered status doesn’t always come from HIPAA. Companies that contract with the federal government—especially under Medicare Advantage or Medicaid managed care programs—may become FDRs (first-tier, downstream, or related entities) under CMS rules.
Examples include:
- A subcontractor managing claims or enrollment services for a Medicare Advantage plan
- A tech vendor supporting CMS-regulated customer service or call center operations
- An analytics company accessing beneficiary data as part of a delegated function
Here too, structure matters. Companies can choose to ringfence these operations within defined business units—but they’ll need programmatic safeguards to prevent spillover and to demonstrate that unrelated services remain outside CMS oversight.
3. Multiple Covered Functions: When You’re More Than One Thing
Some organizations wear more than one compliance hat—simultaneously acting as multiple HIPAA-covered functions or operating under separate regulatory regimes.
Examples:
- An integrated delivery system that includes a health plan, a hospital system, and a clearinghouse
- A lab that performs direct-to-consumer testing while also rebundling and reselling services under white-labeled partnerships
- A payer that offers both insurance products and claims processing for third-party administrators
Each function may have its own regulatory expectations—whether under HIPAA, the Stark Law, ERISA, or state insurance codes. Even within the same legal entity, compliance programs may need to distinguish among these roles and manage conflicts of interest accordingly.
3.5 Role Switching: When One Entity Plays Multiple HIPAA Roles
Some companies don’t just operate multiple lines of business—they play different HIPAA roles depending on the context.
Examples:
- A telehealth platform that provides services directly to patients (covered entity) but also hosts virtual care infrastructure for other clinics (business associate)
- A clinical lab that offers DTC services (covered entity) and separately processes tests under a BAA for partner health systems (business associate)
- A clearinghouse that also provides interoperability or health information exchange services that may involve covered or business associate responsibilities
Even though the legal entity is the same, the regulatory obligations differ—especially around uses and disclosures of PHI, breach notification, and downstream subcontracting. Compliance programs must track and operationalize these distinctions at the workflow level, not just in contracts.
4. Organized Health Care Arrangements (OHCAs): Multiple Entities, Shared Operations
At the other end of the spectrum, some legally distinct entities may function as a single operational unit. Under HIPAA, this is called an Organized Health Care Arrangement (OHCA).
An OHCA allows:
- Shared notices of privacy practices
- Unified HIPAA policies and procedures
- A common electronic medical record
- Coordinated access and disclosure practices
Typical OHCAs include hospitals and affiliated physician groups, clinically integrated networks, or ACOs. These arrangements enable efficiency and care coordination—but require formal documentation, agreed-upon governance, and joint compliance oversight.
Outside HIPAA, similar operational integration can occur in management services organizations (MSOs), value-based care arrangements, and joint ventures—each with its own regulatory implications.
Key implication: If you act like a single entity, regulators may expect unified compliance—even if your legal structure says otherwise.
Final Thought: Structure First, Compliance Second
Many startups build compliance programs around products or departments. But in healthcare, structure is destiny.
Whether launching a new service, onboarding a partner, or expanding into another market, it’s not just what you do—it’s how you’re structured to do it. That structure determines:
- Which regulatory frameworks apply
- Whether certain rules or exceptions are available
- How internal controls must be scoped and maintained
In some cases, companies can choose how they want the rules to apply—by segmenting operations, adopting formal designations, or drawing clean boundaries. But if you don’t make those choices, regulators may do it for you.
This blog is for general informational purposes only and does not constitute legal advice. For help identifying or structuring covered functions within your organization, consult with qualified counsel or compliance advisors.