State, county, or local health departments must comply with the HIPAA Privacy Rule if they qualify as covered entities. For example, a state Medicaid program or a health department that runs a clinic and transmits health information electronically in certain transactions would be subject to HIPAA. Health departments performing covered and non-covered functions can designate specific parts as “healthcare components,” becoming “hybrid entities” where HIPAA applies only to those designated components.
HIPAA designates specific organizations as covered entities if they engage in certain functions:
Covered entities are subject to HIPAA requirements, including compliance with the Privacy Rule, which controls how PHI is used and shared, and the Security Rule, which requires safeguards for electronic PHI.
According to the HHS, "if a state, county, or local health department performs functions that make it a covered entity, or otherwise meets the definition of a covered entity they must comply with the HIPAA Privacy Rule." For example:
A health department that performs covered and non-covered functions can designate only certain components that handle PHI as “healthcare components.” The designation allows the health department to operate as a hybrid entity, where HIPAA rules apply only to the healthcare component(s) involved in covered functions.
As a hybrid entity, the health department must ensure its designated healthcare components comply with HIPAA. However, PHI disclosure between these components and other parts of the organization is subject to strict limitations to prevent unauthorized access or use of PHI. The hybrid entity model is defined in 45 CFR 164.103 and 164.105, providing flexibility while ensuring that PHI is protected.
During public health emergencies, health departments often need to disclose PHI rapidly and securely. HIPAA allows some flexibility under specific conditions, particularly for emergency preparedness and response activities. To aid in these circumstances, the U.S. Department of Health and Human Services (HHS) has provided a Disclosures for Emergency Preparedness Decision Tool, which helps agencies determine the applicability of HIPAA in emergencies.
The HIPAA Privacy Rule aims to protect individuals' health information, ensuring it is only shared for essential public health or healthcare activities while preventing unnecessary disclosures.
No, HIPAA generally applies to health departments as covered entities only if they transmit health information electronically in transactions defined by the HIPAA Transactions Rule.
Health departments can evaluate their operations to identify which functions handle PHI and whether they perform both covered and non-covered activities. That evaluation lets them designate the specific components that perform covered functions as healthcare components under the hybrid entity designation.