HIPAA does not apply to individuals acting in a personal capacity, most employers and employment records, most schools and education records covered by federal education privacy law, most life insurers, most workers’ compensation carriers and programs when operating under workers’ compensation authority, and most businesses and apps that collect health-related data but are not HIPAA Covered Entities or Business Associates.
HIPAA applies to HIPAA Covered Entities, which include healthcare providers that transmit health information in electronic form in connection with certain standard transactions, health plans, and healthcare clearinghouses. HIPAA also applies to Business Associates that perform functions or activities on behalf of a HIPAA Covered Entity that involve the creation, receipt, maintenance, or transmission of protected health information, and to subcontractors of Business Associates when they handle protected health information. Entities outside those categories are not regulated by HIPAA, even when they handle information that a patient considers sensitive.
HIPAA does not regulate most employers in their role as employers. Employment records held by an employer, including medical documentation held in an employment file or occupational health file for employment purposes, are not protected health information under HIPAA. An employer can be regulated by HIPAA only when it operates a covered health plan, a healthcare provider component, or another HIPAA Covered Entity function, and the HIPAA obligations attach to the covered function rather than to general human resources operations.
HIPAA does not apply to most schools because student health records maintained by an educational agency or institution that receives federal funding are usually education records governed by federal education privacy requirements. A school-based clinic may be a HIPAA Covered Entity when it meets the HIPAA Covered Entity definition and the records at issue are not education records, but many school health offices remain outside HIPAA because their records fall under education privacy law.
HIPAA does not apply to many consumer health products and services. Mobile applications, wearable device providers, direct-to-consumer genetic testing services, fitness platforms, and online support communities are usually outside HIPAA unless they are providing services to a HIPAA Covered Entity as a Business Associate and handling protected health information under a business associate agreement. Retailers and websites that collect health-related purchasing or browsing data also remain outside HIPAA in most circumstances.
HIPAA does not apply to entities that may receive health information from other sources but are not HIPAA Covered Entities or Business Associates, such as many law enforcement agencies, courts, and social services agencies. Separate federal and state laws may regulate those entities, and HIPAA can still restrict disclosures by HIPAA Covered Entities to those entities unless a HIPAA permission or requirement applies.
The Applicable HIPAA Regulatory Text
45 C.F.R. § 160.102 is relevant because it limits the scope of the HIPAA Administrative Simplification regulations to specified entity types and extends certain requirements to business associates when a rule states it applies. The regulation states “Except as otherwise provided, the standards, requirements, and implementation specifications adopted under this subchapter apply to the following entities” and then lists “A health plan” and “A health care clearinghouse” and “A health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter.” It also states “Where provided, the standards, requirements, and implementation specifications adopted under this subchapter apply to a business associate.”
45 C.F.R. § 160.103 is relevant because it defines “Covered entity,” and that definition determines which organizations are directly regulated by the HIPAA Privacy Rule, HIPAA Security Rule, and HIPAA Breach Notification Rule. The regulation states “Covered entity means” and then lists “(1) A health plan” and “(2) A health care clearinghouse” and “(3) A health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter.” This definition explains why most organizations outside those categories are not subject to HIPAA requirements.
45 C.F.R. § 160.103 is relevant because it defines protected health information and expressly excludes categories that are often mistaken as covered, including many education records and employment records. The regulation states “Protected health information excludes individually identifiable health information” that is “In education records covered by the Family Educational Rights and Privacy Act, as amended” and “In employment records held by a covered entity in its role as employer” and “Regarding a person who has been deceased for more than 50 years.” These exclusions explain why certain records held by covered entities can fall outside HIPAA even when they contain health-related information.
45 C.F.R. § 160.103 is relevant because it narrows when service providers are business associates by listing relationships that are not treated as business associate arrangements. The regulation states “Business associate does not include” and then lists “A health care provider, with respect to disclosures by a covered entity to the health care provider concerning the treatment of the individual” and “A plan sponsor, with respect to disclosures by a group health plan” when specified conditions are met and “A government agency, with respect to determining eligibility for, or enrollment in, a government health plan that provides public benefits” to the extent authorized by law. This text explains why many recipients of information from a covered entity are not automatically subject to HIPAA as business associates.