Privacy and HIPAA

MDH privacy matters are handled through the Privacy Officer within IAC's Compliance Division. The Privacy Officer is responsible for implementing HIPAA and privacy training for MDH staff, investigating potential violations of HIPAA to determine whether a breach has occurred, and advising MDH components on how HIPAA applies to their programs.  

For MDH Components

MDH components can rely on the Privacy Officer to assist them with navigating HIPAA and potential HIPAA violations. If you have a question about how HIPAA applies to your program or to a specific issue in your program, or if you have questions about Business Associate Agreements (BAAs), please contact the Privacy Officer by phone or email.

  • Breach response: If you become aware of a breach of unsecured PHI, you must notify the Privacy Officer within 5 days. Notification should be made by completing the online Breach Notification Form and including any relevant documentation and background information.
  • Business Associates: Some vendors and contractors will be required to sign a Business Associate Agreement (BAA) because of the nature of their work for MDH. Any vendor or contractor that handles PHI or will have access to PHI is considered a "Business Associate" and must sign a BAA. MDH has a template BAA that we request all Business Associates sign. If you have any questions about Business Associates or the BAA, contact the Privacy Officer.

For Members of the Public

You have rights under HIPAA that concern the privacy of your protected health information. IAC and the Privacy Officer are responsible for investigating allegations of HIPAA privacy violations that occur at MDH facilities and components. If you believe your rights under HIPAA were violated by an MDH employee or vendor, you can make a report online.

The IAC cannot investigate allegations of HIPAA violations at hospitals, doctors' offices, or other facilities that are not overseen by MDH. If you believe your rights under HIPAA have been violated at a non-MDH facility, you can still file a complaint with the US Department of Health and Human Services, Office for Civil Rights. This is the organization in the federal government that enforces the HIPAA rules in the United States.

Contact Us:
Maryland Department of Health
Office of Internal Controls and Audit Compliance
Chief Privacy Officer
201 W. Preston Street
Baltimore, MD 21201
410-767-5411 office
410-333-7194 fax