Are state, county, or local health departments required to comply with the Privacy Rule?

State, county, or local health departments must comply with the HIPAA Privacy Rule if they qualify as covered entities. For example, a state Medicaid program or a health department that runs a clinic and transmits health information electronically in certain transactions would be subject to HIPAA. Health departments performing covered and non-covered functions can designate specific parts as “healthcare components,” becoming “hybrid entities” where HIPAA applies only to those designated components.

Understanding covered entities under HIPAA

HIPAA designates specific organizations as covered entities if they engage in certain functions:

1. Health plans (e.g., insurance plans, Medicaid programs).
2. Healthcare providers who transmit health information electronically in specific transactions, such as billing.
3. Healthcare clearinghouses that process non-standard health information into standard formats.

Covered entities are subject to HIPAA requirements, including compliance with the Privacy Rule, which controls how PHI is used and shared, and the Security Rule, which requires safeguards for electronic PHI.

When health departments are considered covered entities

According to the HHS, "if a state, county, or local health department performs functions that make it a covered entity, or otherwise meets the definition of a covered entity they must comply with the HIPAA Privacy Rule." For example:

• State Medicaid programs: Health departments administering a state Medicaid program are classified as health plans, which makes them covered entities under HIPAA. Medicaid programs handle PHI, as they collect, use, and share sensitive information to process claims, manage patient care, and more.
• Health clinics run by health departments: If a health department operates clinics that provide healthcare services and transmits health information electronically in connection with transactions covered by the HIPAA Transactions Rule (such as billing or eligibility inquiries), it is considered a healthcare provider and therefore a covered entity.

Hybrid entities and health departments

A health department that performs covered and non-covered functions can designate only certain components that handle PHI as “healthcare components.” The designation allows the health department to operate as a hybrid entity, where HIPAA rules apply only to the healthcare component(s) involved in covered functions.

As a hybrid entity, the health department must ensure its designated healthcare components comply with HIPAA. However, PHI disclosure between these components and other parts of the organization is subject to strict limitations to prevent unauthorized access or use of PHI. The hybrid entity model is defined in 45 CFR 164.103 and 164.105, providing flexibility while ensuring that PHI is protected.

Related: How HIPAA applies to hybrid entities

HIPAA compliance requirements for health departments

1. Protecting PHI: Covered health departments must protect PHI from unauthorized access, use, and disclosure.
2. Implementing privacy and security measures: Policies must be in place to safeguard patient privacy, particularly around how information is shared internally and externally.
3. Limiting information sharing: Health departments must apply the “minimum necessary” standard to limit PHI disclosures to only what is essential for the intended purpose.
4. Security for electronic PHI: Health departments that transmit PHI electronically must follow the HIPAA Security Rule, which requires safeguards like data encryption, access controls, and staff training.

Disclosures for emergency preparedness

During public health emergencies, health departments often need to disclose PHI rapidly and securely. HIPAA allows some flexibility under specific conditions, particularly for emergency preparedness and response activities. To aid in these circumstances, the U.S. Department of Health and Human Services (HHS) has provided a Disclosures for Emergency Preparedness Decision Tool, which helps agencies determine the applicability of HIPAA in emergencies.

FAQs

What is the main purpose of the HIPAA Privacy Rule for health departments?

The HIPAA Privacy Rule aims to protect individuals' health information, ensuring it is only shared for essential public health or healthcare activities while preventing unnecessary disclosures.

If a health department collects health information but doesn’t share it electronically, does HIPAA still apply?

No, HIPAA generally applies to health departments as covered entities only if they transmit health information electronically in transactions defined by the HIPAA Transactions Rule.

How can health departments assess whether they are considered hybrid entities under HIPAA?

Health departments can evaluate their operations to identify which functions handle PHI and whether they perform covered and non-covered activities. That allows them to designate specific components as healthcare-related under the hybrid entity designation.