HIPAA for State Agencies

The HHS Office for Civil Rights enforces the HIPAA Privacy Rule, which protects the privacy of individually identifiable health information; the HIPAA Security Rule, which sets national standards for the security of electronic protected health information; the HIPAA Breach Notification Rule, which requires covered entities and business associates to provide notification following a breach of unsecured protected health information; and the confidentiality provisions of the Patient Safety Rule, which protect identifiable information being used to analyze patient safety events and improve patient safety.

How HIPAA applies to state government is not always clear. The following documents from HHS address its application to state government:

  • HHS provides clarification regarding the applicability of HIPAA to state and local entities acting as covered entities
  • The Preemption of State Law page outlines specific situations in which federal law takes precedence, and vice versa

The Ohio Office of Information Security and Privacy has produced some documents to assist agencies in interpreting and implementing HIPAA:


General information about HIPAA can be found on our Medical Privacy page.