Yes, “if a State, county, or local health department performs functions that make it a covered entity, or otherwise meets the definition of a covered entity, they must comply with the HIPAA Privacy Rule,” explains the HHS Health Information Privacy website.
HHS adds this qualification because state, county, and local health departments perform many different functions, including disease surveillance, environmental health inspections, operating clinics, and administering insurance programs. Not every function automatically triggers HIPAA compliance.
Instead, the determining factor is whether the department performs activities that meet the legal definition of a covered entity under federal regulations.
Federal guidance explains that certain programs run by health departments clearly fall within HIPAA’s scope. For example, “a state Medicaid program is a covered entity (i.e., a health plan) as defined in the Privacy Rule.” Medicaid programs handle eligibility, enrollment, and claims processing, which may involve protected health information (PHI). Departments handling PHI must therefore comply with HIPAA’s privacy and security requirements.
In addition to insurance functions, “Some health departments operate health care clinics and thus are health care providers.” These clinics may offer vaccinations, tuberculosis treatment, sexually transmitted infection testing, maternal health services, or HIV care. Each of these services involves collecting and maintaining identifiable patient information.
However, being a healthcare provider does not automatically make a department subject to HIPAA. According to the rule, “If these health care providers transmit health information electronically in connection with a transaction covered in the HIPAA Transactions Rule, they are covered entities.” This includes submitting electronic claims, checking insurance eligibility, or exchanging standardized billing data.
Consequently, many health departments become covered entities as they rely on electronic systems. More specifically, once a department transmits PHI electronically in regulated transactions, HIPAA compliance is required.
Health departments often perform covered and non-covered functions. For example, one division may run a public clinic while another focuses on restaurant inspections or public health education. Federal regulations allow agencies to account for this structure if the agencies identify themselves as hybrid entities.
“If the health department performs some covered functions … and other non-covered functions, it may designate those components (or parts thereof) that perform covered functions as the health care component(s) of the organization and thereby become a type of covered entity known as a ‘hybrid entity,’” the HHS elaborates.
Therefore, HIPAA obligations apply only to the organization’s designated health care component(s), not to the agency as a whole. In theory, this allows public health agencies to maintain operational flexibility while still protecting sensitive patient data.
However, hybrid status also creates internal boundaries that must be carefully managed. The HHS advises that “if a health department elects to be a hybrid entity, there are restrictions on how its health care component(s) may disclose protected health information to other components of the health department.” So, PHI cannot freely flow between divisions simply because they are part of the same agency.
These agencies must implement safeguards for PHI so that staff working in non-covered functions cannot accidentally access information that is legally restricted. In practice, this means internal communication systems must uphold the HIPAA Rules in the same way that external communications do.
HIPAA compliance is maintained through written policies, workforce training, and the way information is shared in practice. Since health departments communicate daily with hospitals, laboratories, schools, community partners, and patients, most of that communication now takes place via email.
Standard email, however, does not offer sufficient protection: messages can be intercepted, forwarded to the wrong party, or read by unauthorized users. In organizations with hybrid status, the risks are even greater because information must be restricted both inside and outside the agency.
Health departments must therefore use a HIPAA compliant email solution like Paubox. These solutions use encryption and authentication to protect messages that contain PHI, safeguarding information during transmission and at rest. They also create audit trails that document who sent and received information, supporting accountability and regulatory oversight.
Since hybrid entities must restrict disclosures between their covered and non-covered components, technical controls are necessary to reinforce legal rules. HIPAA compliant email can help establish these controls.
For example, clinic staff within a health department can be assigned secure email accounts that are authorized to send and receive PHI. Public health education staff or environmental health officers can be assigned separate accounts without access to sensitive patient information. This supports the requirement that “there are restrictions on how its health care component(s) may disclose protected health information to other components of the health department.”
Secure email also helps prevent accidental disclosures. Features such as recipient verification, message encryption, and access expiration reduce the likelihood that PHI will be sent to the wrong person or stored indefinitely in unsecured inboxes.
In addition, the HIPAA compliant solution may generate audit logs, giving agencies evidence of their compliance. If a complaint or investigation occurs, agencies can show that they took reasonable steps to protect PHI during transmission.
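The account separation and audit trail described above can be expressed as an outbound mail-gateway policy. The following is an added example, not Paubox’s product code and not HHS guidance: it assumes a deny-by-default policy, constructed component names, mailboxes and partner domains, and a content scanner (not modelled) that tells the gateway whether a message contains PHI.

```python
# Added example: outbound mail policy for a hybrid-entity health department.
# Models the HHS restriction that a health care component may not freely
# disclose PHI to the agency's non-covered components, and records every
# decision in an audit trail. All names, domains and the deny-by-default
# policy are constructed assumptions, not Paubox code or HHS guidance.
from dataclasses import dataclass

AGENCY_DOMAIN = "health.example.gov"                     # assumed agency domain
HEALTH_CARE_COMPONENTS = {"clinic", "medicaid"}          # designated covered components
NON_COVERED_COMPONENTS = {"envhealth", "education"}      # inspections, public education
TRUSTED_PARTNERS = {"hospital.example.org", "lab.example.org"}  # verified PHI recipients
# Constructed account directory: which component each agency mailbox belongs to.
ACCOUNT_COMPONENT = {
    "nurse@health.example.gov": "clinic",
    "claims@health.example.gov": "medicaid",
    "inspector@health.example.gov": "envhealth",
    "outreach@health.example.gov": "education",
}
AUDIT_TRAIL: list[dict] = []  # who sent what to whom, and what the gateway did


@dataclass(frozen=True)
class Decision:
    action: str   # "deliver", "deliver_encrypted", "block" or "hold_for_review"
    reason: str


def classify(address: str) -> str:
    """Return the agency component an address belongs to, or 'external'."""
    domain = address.rpartition("@")[2].lower()
    if domain != AGENCY_DOMAIN:
        return "external"
    return ACCOUNT_COMPONENT.get(address.lower(), "unknown")


def evaluate(sender: str, recipient: str, contains_phi: bool) -> Decision:
    """Decide how to handle one outbound message. contains_phi is supplied by
    the gateway's content scanner, which this example does not model."""
    src, dst = classify(sender), classify(recipient)
    recipient_domain = recipient.rpartition("@")[2].lower()
    if not contains_phi:
        decision = Decision("deliver", "no PHI detected")
    elif src not in HEALTH_CARE_COMPONENTS:
        # Staff outside the health care component(s) have no authorized PHI accounts.
        decision = Decision("block", f"sender component '{src}' is not a health care component")
    elif dst in NON_COVERED_COMPONENTS:
        # The hybrid-entity boundary: PHI does not flow freely across divisions.
        decision = Decision("block", "PHI disclosure to a non-covered component of the agency")
    elif dst in HEALTH_CARE_COMPONENTS or recipient_domain in TRUSTED_PARTNERS:
        decision = Decision("deliver_encrypted", "PHI to a health care component or verified partner")
    else:
        # Recipient verification failed: hold for a human check instead of sending.
        decision = Decision("hold_for_review", f"unverified recipient '{recipient}'")
    AUDIT_TRAIL.append({"sender": sender, "recipient": recipient, "phi": contains_phi,
                        "action": decision.action, "reason": decision.reason})
    return decision
```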
Health departments are often instrumental during emergencies like infectious disease outbreaks or natural disasters. During these events, the departments must share the necessary information to save and protect individuals. Federal guidance even references “Disclosures for Emergency Preparedness” when discussing covered entity responsibilities.
HIPAA compliant email allows departments to securely share case data, laboratory results, and treatment guidance with hospitals and emergency responders. Encrypted communication lets them act with urgency without sacrificing confidentiality.
Secure email can also be particularly helpful when dealing with stigmatized conditions or vulnerable populations. Secure communication helps preserve public trust, which is required for effective outbreak response and community cooperation.
Health departments depend on voluntary participation in testing, vaccination, and treatment programs. If individuals believe their information will not be protected, they may avoid care altogether, undermining public health goals and legal obligations.
HIPAA compliant email helps departments show patients and partners that the agency has invested in systems designed to protect their information. It also protects employees, reducing the risk of mistakes that could lead to penalties or reputational harm.
It also helps staff standardize their secure communication methods, especially in hybrid entities where staff roles may differ. Rather than requiring each employee to determine whether an email contains PHI, agencies must use one HIPAA compliant email solution for all sensitive communications by default.
Paubox email, for example, has a patented solution that automatically encrypts all outgoing emails. It eliminates the human error associated with manually selecting which emails must be encrypted, keeping all communications secure and compliant with HIPAA regulations.
HIPAA compliance is required for covered entities, such as healthcare providers, health plans, and healthcare clearinghouses, as well as their business associates who handle protected health information (PHI).
A breach occurs when an unauthorized party gains access to, uses, or discloses PHI without permission. Breaches include hacking, losing a device containing PHI, or sharing information with unauthorized individuals.
See also: How to respond to a data breach
As of March 2025, HIPAA violations incur fines from $141 to $2,134,831 per violation, depending on culpability.
Tier 1 penalties apply to unintentional violations ($141–$35,581), while Tier 2 covers breaches due to reasonable cause ($1,424–$71,162). Tier 3 applies to willful neglect corrected within 30 days ($14,232–$71,162), and Tier 4 penalizes uncorrected willful neglect with the highest fines ($71,162–$2,134,831).
These fines adjust annually for inflation, and severe cases may result in criminal charges, reputational harm, and mandatory corrective actions.