HIPAA Medical Privacy Rule: Information for NC Public Agencies


Frequently Asked Questions

Are local environmental health programs required to comply with the HIPAA medical privacy regulation?

A. Short Answer: Yes, unless the county or the health department (1) designates itself a hybrid entity and (2) "carves-out" the environmental health program.

Longer Answer: NC local health departments are required to comply with the HIPAA privacy regulation.

The HIPAA medical privacy regulation requires all "covered entities" to protect the privacy of individually identifiable health information in certain ways. Any health care provider that bills an insurance company for services electronically (using a standard "HIPAA transaction") is a "covered entity" and therefore must comply with the privacy regulation. As a general rule, the regulation requires providers who are "covered entities" to protect the privacy of individually identifiable health information that they maintain in any form (including information in electronic, paper and oral formats).

All local health departments in North Carolina are covered entities under the HIPAA privacy regulation because they satisfy the two-part test for health care providers: (1) they meet the HIPAA definition of the term "health care providers" and (2) conduct certain billing and other insurance-related transactions electronically using HIPAA transactions (such as filing claims for health care services with Medicare and Medicaid). All local health departments, therefore, must comply with the privacy regulation.

Local environmental health programs standing alone would not be considered covered entities because they do not satisfy the two-part test: (1) they may not meet the HIPAA definition of "health care provider"[1] and (2) even if they do meet the definition of "health care provider," they most likely do not bill health insurers electronically using HIPAA transactions. But it is important to remember that local environmental health programs do not actually stand alone. Rather, each program is part of a county or district health department - in other words, local environmental health programs are part of a covered entity.

Each local health department may elect to "carve-out" certain programs, including environmental health programs. Programs that are "carved out" are not required to comply with the HIPAA privacy regulation.

Under the HIPAA privacy regulation, the county or the health department (the "covered entity") is allowed to "carve-out" certain components of the entity and decide that those components are not required to comply with the regulation. In order to carve-out any components, the entity must affirmatively designate itself a "hybrid entity" and identify its "health care components." The "health care components" identified by the covered entity are the only components that are required to comply with the privacy regulation. In order to comply with the regulation, all of the identified health care components must not only protect the confidentiality of individually identifiable health information as required by HIPAA and by other state and federal law, but they must also comply with many other administrative requirements of the privacy regulation, such as drafting new written policies and procedures related to privacy, providing a "notice of privacy practices" to patients, entering into contracts with other organizations and keeping track of disclosures of health information.

The regulation requires covered entities to identify certain types of components as health care components - including those that (1) meet the HIPAA definition of health care provider and (2) conduct certain billing and other insurance-related transactions electronically using HIPAA transactions. A prenatal clinic, for example, would likely meet both of these criteria and therefore the health department would need to identify the clinic as a health care component (or as part of a larger health care component). If an environmental health program meets both of these criteria, it must be designated a health care component and therefore must comply with the privacy regulation. If the program does not meet both of these criteria, it is up to the covered entity (i.e., the county or the health department) to decide whether the program will be designated a health care component.

If the county or the health department fails to take any action to "carve-out" the environmental health program from the rest of the health department, the environmental health program will have to comply with the privacy regulation with respect to all individually identifiable health information that it uses or maintains. Environmental health programs use and maintain a wide variety of identifiable health information, such as childhood lead testing results and investigation reports relating to foodborne illnesses. In order to ensure that these environmental health records are not covered by the privacy regulation, the county or the health department must designate itself a hybrid entity and it must carve-out the environmental health program.

The county or the health department must document its decision to designate itself a hybrid entity.

In order to be considered a hybrid entity and carve-out certain programs (including environmental health), a covered entity is required to document its decision in writing. Entities are not required to submit any documentation to the federal or state government in order to be considered a hybrid entity under the privacy regulation. They simply need to develop and maintain the documentation internally. The entity should:

  • Review the requirements of the regulation in detail (45 C.F.R. § 164.504)
  • Determine which components must be identified as "health care components"
  • Determine whether the entity wishes to identify any other components as "health care components" (optional)
  • Prepare a document explaining that the entity is a hybrid entity and identifying all of the health care components

Some North Carolina counties are taking the approach that the county as a whole is the covered entity. In those counties, the "hybrid entity" would be the county and the "health care components" may include the emergency medical services department, subdivisions of the local health department (such as personal health services), subdivisions of the department of social services (such as at-risk case management), and any other providers within the county. Other North Carolina counties are taking the approach that each individual department within the county is a covered entity (such as the local health department, the department of social services, etc.). In those counties, the "hybrid entity" would be the individual department (such as the local health department) and the "health care components" would be the subdivisions of the department. Health departments interested in carving-out programs such as environmental health should consult with county management to determine how the county approaches the hybrid entity designation.

It is important to remember that in each county, if the county or the health department does not:

(1) designate the health department a hybrid entity and
(2) decide not to identify the environmental health program as a health care component

then the environmental health program will have to protect all individually identifiable health information as required by the HIPAA privacy rule.

[1] Under HIPAA, a "health care provider" includes "any person or organization who furnishes, bills, or is paid for health care in the normal course of business." 45 C.F.R. § 160.103. The term "health care" includes (but is not limited to) preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition, or functional status, of an individual or that affects the structure or function of the human body. 45 C.F.R. § 160.103.