The Board of County Commissioners adopted resolution 03-006 on January 9, 2003, designating Multnomah County as a hybrid covered entity for the purposes of HIPAA compliance. This designation describes the organizational units that are subject to HIPAA regulations and those that are not. This resolution was amended in 2005 by resolution 05-083 to remove the County Auditor as a covered component. This organizational chart  shows the current status of county organizational units as covered entities.

As part of the implementation of HIPAA regulations, the Board of County Commissioners adopted a set of privacy polices contained in resolution 03-054 on April 10, 2003. These polices describe the basic responsibilities and actions required under HIPAA's privacy rule. These repsonsiblities included the requirement that the county appoint a central privacy officer. The county's HIPAA policy base was expanded in 2005 with resolution 05-050. This resolution mirrored the earlier privacy polices by creating a set of security polices, including the creation of a central security officer.

Multnomah County has adopted four administrative rules to implement the polices adopted above:

• HIPAA-1 Protected Health Information (PHI) (2008)
• HIPAA-2 Security of Electronic Protected Health Information - All Employees (2008)
• HIPAA-3 Security of Electronic Health Information - IT Staff (2008)
• HIPAA-4 Breach Notification for Unsecured Protected Health Information (2009)

In addition, individual organizational units have program-specific rules. Contact your privacy and security official for more information.