HIPAA carves out certain areas of state authority that are not limited or invalidated by its provisions. For example, HIPAA was not intended to limit existing state public health activities. The Privacy Rule provides that a covered entity may disclose protected health information to a public health authority that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury or disability. It further provides that the covered entity may disclose protected health information to a health oversight agency for oversight activities authorized by law. Many of the Department's responsibilities in the non-covered components of the hybrid entity fall within the definition of public health authority or health oversight agency.
Because HIPAA is a federal statute, it is interpreted and enforced by the Department of Health and Human Services' Office of Civil Rights and the Centers for Medicare & Medicaid Services. The Department of Public Health neither interprets nor enforces HIPAA and is required, like all other holders of protected health information, including both private and public entities, to analyze and determine HIPAA's application to its own business practices. The Department cannot provide entities with legal or technical assistance regarding their status under HIPAA, or with the steps that must be taken to comply with HIPAA. However, the Department will address questions that relate to an individual's or organization's interaction with DPH under the HIPAA requirements, or to DPH's hybrid entity status. Questions should be referred to (617) 624-5194 or emailed to the Privacy and Data Compliance Office.