
Public Health COVID-19 Frequently Utilized HIPAA Privacy Rule Provisions

April 4, 2020


The Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 (HIPAA), does not regulate all health departments.

Health departments fall into three broad categories with respect to HIPAA:

  1. Health departments that perform no covered functions are not covered by HIPAA. Examples of covered functions include operating a clinic that bills health plans electronically or administering a health plan, such as Medicaid. 45 CFR § 164.103.
  2. If a health department performs a covered function, it is a fully covered entity by default. Consequently, its core public health programs, such as disease prevention and control programs, are covered by HIPAA. 45 CFR § 164.105.
  3. Health departments that perform a covered function and have elected to become a hybrid entity adopt a written policy that lists the HIPAA-covered programs and limits HIPAA's reach so that it applies only to those programs. Generally, hybrid health departments' disease prevention and control programs are not covered by HIPAA. For more information on how HIPAA regulates certain programs that public health provides, and on the hybrid entity policy option, see the separate guidance on that topic. The majority of state health departments are hybrid entities.

This table is useful for health departments with HIPAA-covered disease prevention and control programs.