Frequently Asked Questions
Is the county the "covered entity"
or is each individual department a "covered entity"?
- No clear answer under HIPAA: Neither
the HIPAA regulations nor any guidance provided by
DHHS has answered this question directly. Throughout
the health care industry, the "covered entity"
determination will likely vary significantly from
entity to entity depending on the entity's corporate
structure, ownership and organization.
- "Single legal entity":
Some of the language in the HIPAA regulations suggests
that a covered entity is a "single legal entity."
HIPAA does not explain what is intended by the phrase
"single legal entity," but one could reasonably
infer that a legal entity is a person or organization
that, for example:
- Is established as a legal entity by law;
- May be sued and may bring suit against others;
- Would be held directly accountable for paying
any penalty assessed under HIPAA; and/or
- Has a certain degree of autonomy with respect
to issues such as budget, policy-making and/or
personnel.
These are only a few of the possible factors that
could be evaluated when determining who is the covered
entity. Applying some of these factors in the context
of county government, for example, one could determine
that a county department of social services:
- Is not established as a legal entity by law;
- Is not allowed to sue or be sued (but rather must
do so through the county);1
- Would likely rely on the county to pay any penalty
assessed under HIPAA.
On the other hand, the department of social services
(including the board and the director) has significant
autonomy with respect to policy-making and personnel.
Balancing all of these factors, one might reasonably
conclude either that the county - rather than the
department - is the legal entity or that the department
is a legal entity separate from the county.
Another factor that would be worth considering in
the context of county governments is whether the department
in question serves a single county or whether it serves
multiple counties. For example, a district health
department serves multiple counties and often has
significant autonomy from the county governments.
It would be reasonable to conclude that the multi-county
district health department is a legal entity separate
from the counties that it serves and therefore is
a separate covered entity for the purposes of HIPAA
compliance.
Back to Top
1See Malloy v. Durham County
Department of Social Services, 58 N.C. App. 61, 67,
293 S.E.2d 285, 289 (1982) ("Assuming arguendo
that a right of subrogation did inhere in the County
of Durham in the present case, and granted that such
a right is statutory and not contractual, the intervenor
plaintiff [DSS], as a mere subdivision of the County,
could have no more capacity to assert such right than
an agent would with respect to a contractual right of
his principal.")
Back to FAQs |
