


Section VIII:

Privacy and Security


Privacy Manual


HIPAA, Introduction

Current Effective Date:


Revision History:

10/9/03, 5/1/05, 11/15/15

Original Effective Date:




The purpose of the privacy manual is to provide requirements applicable to specified North Carolina Department of Health and Human Services (NC DHHS) divisions, facilities and schools for protecting the privacy of individually identifiable health information.


The federal standards for privacy of individually identifiable health information final rule (hereinafter referred to as the HIPAA privacy rule), promulgated to implement the Health Insurance Portability and Accountability Act of 1996 (HIPAA), made significant changes in the protection of certain individually identifiable health information that is created, received, and maintained in any form or medium, by the DHHS. Health care providers and health care plans within DHHS that perform specific electronic transactions (e.g., file health care claims electronically) must comply with the HIPAA regulations. These divisions, facilities and schools (or portions thereof) shall be known as “covered health care components” throughout this manual. DHHS has determined that whenever specific privacy requirements promote better business practices and/or provide uniform client rights within the department, the privacy requirements shall apply to other appropriate DHHS divisions, facilities and schools. Each privacy policy developed by the department shall include a scope statement within the “purpose” section specifying the divisions and offices in the department that must comply with the policy.

The NC Office of Attorney General has determined that DHHS meets the definition of a “hybrid entity” and has both covered health care components and non-covered health care components within its department. DHHS, as a hybrid entity, is responsible for designating which of its divisions and offices (or portions thereof) are covered health care components and for ensuring that those components comply with HIPAA regulations.


The department shall ensure compliance with HIPAA privacy requirements through the development and implementation of privacy policies that specify the Department's methods for the protection of individually identifiable health information. The requirements in these policies shall be based on many business practices already employed by DHHS divisions, facilities and schools. In addition, privacy policies shall include other federal and state law requirements that have an impact on the use and disclosure of health information. Most federal and state laws that are more stringent than the HIPAA requirements will generally remain in effect and will not be preempted by HIPAA. In addition, some state laws, such as categories of laws that provide for reporting of disease or injury, child abuse, birth or death, and other laws requiring disclosure of individually identifiable health information, will remain in effect. Such exceptions from the HIPAA privacy requirements shall be identified in policy documentation.

Each DHHS division, facility and school identified in the scope statement within the "Purpose" section of each policy is expected to develop procedures that correspond to that policy for implementing the requirements for protecting the health information maintained by each agency.

DHHS divisions, facilities and schools may only use and disclose individually identifiable health information as provided in this document and are subject to all of the limitations and requirements specified in this manual.

DHHS privacy policies are documented in the DHHS Policies and Procedures Manual that is maintained by the DHHS Office of the Secretary. Such policies are available on the DHHS web site and may be accessed at http://info.dhhs.state.nc.us/olm/manuals/oos/dir/man/. Additions or revisions to privacy policies shall be the responsibility of the department’s privacy officer.


DHHS Directive Number III-11; 45 CFR, Parts 160 and 164

For questions or clarification on any of the information contained in this policy, please contact the DHHS Privacy and Security Office. For general questions about department-wide policies and procedures, contact the DHHS Policy Coordinator.
