I'm the Security Official for a covered healthcare component of a State agency which declared itself a hybrid entity.
Our covered component agency reports directly to a branch of the hybrid entity which was NOT included on the hybrid's list of covered components. We share PHI with them, and with several other non-covered components of the hybrid, and are required to do so. We have been told that these non-covered components are "Internal" Business Associates, and as such, they must obey the hybrid's privacy and security policies, but that they do not have to comply with HIPAA BA requirements, such as reporting security incidents to us. Furthermore, they decided that it was too difficult a task to determine which of their workgroups served a function which required that we share PHI with them, and they declared their entire office staff (several hundred) to be "internal" BAs. This seems to leave us unable to comply with the HIPAA BA requirements. I can find no reference in the law to "Internal" BAs. Upon complaining to the non-covered component we report to, we are told that we are wrong (but not why), but that since only the hybrid can be punished by HIPAA enforcement (not the covered components of the hybrid), we should stop worrying.
"Internal" BAs are a made-up distiction. Someone is just too lazy, confused, or defiant to sort through compliance. If there is a compliance board or officer at the state level, he should talk to them about straightening this out. While his personal exposure is limited, the exposure of his component agency is extreme. They are wrong, and from the response he is getting it looks like they know they are wrong.