1. Government health plans like Medicaid and Medicare are covered by HIPAA privacy rules. Medicaid rules on using and disclosing PHI are more restrictive than HIPAA. 2. Managed care organizations that contract with Medicaid may be considered business associates or participants in an organized health care arrangement with more flexible sharing of PHI. 3. State agencies can disclose PHI to auditors for oversight of providers and health plans as permitted by the privacy rule.