Public Health's Covered Entity Status under HIPAA

The Department of Public Health (MDPH) is a Hybrid Entity

The Department determined that it is a hybrid entity, a covered entity whose business activities include both covered and non-covered functions under HIPAA. Only the programs that engage in covered functions are required to comply with HIPAA's privacy, security, and transactions and code sets requirements. However, programs that do not engage in covered functions must still comply with the Department's Confidentiality Policy and Procedures.


A detailed description of the Department's hybrid status includes answers to several questions related to this status, as well as the impact of HIPAA on MDPH's public health responsibilities.

Additional Resources for