Yes, if a State, county, or local health department performs functions that make it a covered entity, or otherwise meets the definition of a covered entity they must comply with the HIPAA Privacy Rule. For example, a state Medicaid program is a covered entity (i.e., a health plan) as defined in the Privacy Rule. Some health departments operate health care clinics and thus are health care providers. If these health care providers transmit health information electronically in connection with a transaction covered in the HIPAA Transactions Rule, they are covered entities.
For more information, see the definitions of covered entity, health care provider, health plan and health care clearinghouse in 45 CFR 160.103. See also the Disclosures for Emergency Preparedness – A Decision Tool.
This tool addresses the question of whether a person, business or agency is a covered health care provider, health care clearinghouse or health plan. If the health department performs some covered functions (i.e., those activities that make it a provider that conducts certain transactions electronically, a health plan or a health care clearinghouse) and other non-covered functions, it may designate those components (or parts thereof) that perform covered functions as the health care component(s) of the organization and thereby become a type of covered entity known as a “hybrid entity.” Most of the requirements of the Privacy Rule apply only to the hybrid entity’s health care component(s). If a health department elects to be a hybrid entity, there are restrictions on how its health care component(s) may disclose protected health information to other components of the health department. See 45 CFR 164.103 and 164.105 for more information about hybrid entities.
