Text Size
Increase text size
Increase text size
Colorado Department of Public Health and Environment Banner

HIPAA Requirements

The privacy provisions of the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA), apply to health information created or maintained by health care providers who engage in certain electronic transactions, health plans, and health care clearinghouses.


Although CDPHE as a public health authority is not a covered entity under HIPAA, many of the concerns HIPAA addresses do apply to CDPHE. CDPHE is a business associate of other covered entities, in some instances, and must comply with some parts of HIPAA as a business associate. Furthermore, much of the data CDPHE collects comes from agencies and institutions that are covered by HIPAA. By basing the CDPHE policies and procedures on HIPAA we are positioning ourselves to stay current with developments in the health care industry for privacy and security.


The Department developed policies addressing privacy and security. One policy is specific to the Protection of Human Subjects who Participate in Research Activities.


This policy defines the procedures to be followed by staff before collecting or releasing personal health information for research purposes.


Investigators should review the key research sections of the HIPAA Privacy rule pdf file The full text of the Privacy rule and U.S. Health and Human Services educational materials on the Rule can be found on the Office for Civil Rights HIPAA Privacy web site. Health and Human Services Educational Materials on the Privacy Rule for the research community can be found on the Office for Civil Rights HIPAA Privacy Web site. 


More information can be obtained from the CDPHE Privacy Officer:
Michelle Lavigne, Privacy Officer/IRB Administrator
Office of Legal and Regulatory Compliance