Are State, county or local health departments required to comply with the HIPAA Privacy Rule?
Yes. If a State, county, or local health department performs functions that make it a covered entity, or otherwise meets the definition of a covered entity, it must comply with the HIPAA Privacy Rule. For example, a state Medicaid program is a covered entity (i.e., a health plan) as defined in the Privacy Rule. Some health departments operate health care clinics and thus are health care providers. If these health care providers transmit health information electronically in connection with a transaction covered in the HIPAA Transactions Rule, they are covered entities. For more information, see the definitions of covered entity, health care provider, health plan and health care clearinghouse in 45 CFR 160.103. See also the “Disclosures for Emergency Preparedness – A Decision Tool” posted at http://www.hhs.gov/ocr/hipaa/decisiontool/tool/. This tool addresses the question of whether a person, business or agency is a covered health care provider, health care clearinghouse or health plan.