The Health Insurance Portability and Accountability Act (HIPAA), Public Law 104-191, is a federal law that instituted dramatic reforms regarding the use of information in the health care and insurance industry. It created a great deal of apprehension among many private and public entities that were uncertain about whether the act impacted them as well. The Act required the Secretary of Health and Human Services to issue privacy regulations governing individual health care information. The privacy provisions of HIPAA are found in the ironically named “administrative simplification” provisions of the act. The goal of the privacy rule is to safeguard protected health information (PHI) while allowing the free flow of health care information in the world of electronic commerce and transactions.^[1]  Protected health information includes all individually identifiable health information held by a covered entity or its business associate in any form or media.^[2]  In other words, it is made up of health and medical records that identify the individual to whom the record relates. The privacy rules apply to three types of entities: health plans, health care providers, and health care clearinghouses.^[3]  The easiest category to consider from the local government standpoint is the health care clearinghouse.  This category deals with entities that process and re-format information being transmitted between entities. Counties will not fall under this category. 

Health plans are individual and group health care plans that provide or pay the cost of medical care.^[4]  If your county provides health insurance for its employees through private insurance, the insurance carrier would be the health plan. If your county is self-insured, it is likely that in administering the self-insured health care plan, the county will have to comply with the privacy rules and may be covered by HIPAA. If you have a third party administrator, that entity may be handling most compliance issues for the county, but you should still evaluate your requirements under HIPAA. Technically your third party administrator is merely a “business associate” under the terms of HIPAA who falls under provisions of the law due to its relationship with the county’s health plan. Responsibility for compliance ultimately lies with the plan itself and not with its business associates.

Health care providers are also be covered by HIPAA if the provider electronically transmits health information in connection with certain types of transactions.^[5]  These include claims, benefit eligibility inquiries, referral authorization requests, or certain other transactions listed under the HIPAA Transactions Rule.^[6]  For example, the fact that your county may employ a nurse or doctor for the jail may make the county a health care provider; however, the county will only be a covered health care provider under HIPAA if those employees are electronically transmitting health information in conjunction with one of the listed transactions. If your sheriff does not employ personnel to provide medical services to the jail but merely contracts with another entity to provide the service, then the sheriff’s office would not be a covered entity.

Even if it appears that some aspects of county government may be considered covered functions under certain circumstances, it is possible for the county to declare itself a hybrid entity. Under the HIPAA regulations, a hybrid entity is a single legal entity that is covered, but whose covered functions are not its primary functions.^[7]  By being declared a hybrid entity, the county limits the application of the HIPAA requirements to only those county operations that are acting as a health care provider.  For instance, a county operated ambulance service or hospital would need to comply with HIPAA as a health care provider if it transmits PHI electronically, but the register of deeds and county clerk’s offices, and other non-health care operations would not be covered.

Covered entities are required to provide notices and disclosures to individuals who have PHI held by the entity. If you have been to a doctor’s office in the last couple of years, you have probably seen these standard forms. Offices that are covered by HIPAA are also required to adopt privacy policies and procedures that are consistent with the privacy rule, must designate a privacy official responsible for implementing these policies, must conduct workforce training and management, must mitigate any harmful disclosures of PHI, must maintain reasonable appropriate safeguards to protect against improper disclosure of PHI, must have procedures for receiving complaints about privacy issues, and must meet certain documentation and record keeping standards.^[8]

The HIPAA rules and regulations are extremely complex and filled with exceptions, limitations, and modifications for various entities and transactions and will only apply to limited operations of local governments if at all. If you think your office or your county may be covered by HIPAA, you should discuss the requirements of the law with your county attorney and with any  third party administrators or other health care consultants with which your county may contract. For more information about the law and associated rules, see the Web site for the HHS, Health Information Privacy. A  recent opinion of the Tennessee attorney general also gives instructions with regard to the release of health information under HIPAA for law enforcement purposes.^[9]