All of the Following Are Purposes of HIPAA—Except: What HIPAA Doesn’t Do
HIPAA Privacy Rule Protections
The HIPAA Privacy Rule protects your Protected Health Information (PHI) when it is created, received, maintained, or transmitted by covered entities and their business associates. It permits necessary uses and disclosures for treatment, payment, and healthcare operations, while requiring privacy safeguards such as the minimum necessary standard and a clear Notice of Privacy Practices.
You have specific rights under the Privacy Rule: to access and obtain copies of your records, request amendments, receive an accounting of certain disclosures, request confidential communications, and ask for restrictions (including limiting disclosure to a health plan for services you paid in full). These rights give you meaningful control without disrupting essential care coordination.
However, HIPAA does not ban all sharing. Covered entities may disclose PHI without your authorization for public health reporting, certain law enforcement needs, health oversight, and as otherwise permitted by the rule. HIPAA also does not apply to everyone who handles health-related data; it applies only to covered entities and their business associates. De-identified data and employment records held by an employer are not PHI.
HIPAA Security Rule Safeguards
The Security Rule sets flexible, risk-based requirements to protect electronic PHI (ePHI). It organizes safeguards into administrative, physical, and technical measures: risk analysis and risk management, workforce training, facility and device controls, access controls, audit logs, integrity protections, and transmission security. These measures anchor electronic health records security in day-to-day operations.
Encryption and several other technical controls are "addressable" rather than "required." Addressable does not mean optional: you must implement the control when it is reasonable and appropriate for your environment, or document why it is not and implement an equivalent alternative that achieves the same protection. The rule does not dictate specific brands or one-size-fits-all tools; you tailor your security program to your size, complexity, and risks while meeting your healthcare compliance obligations.
Even robust security cannot guarantee zero incidents. The Security Rule aims to reduce risk and demonstrate due diligence—not to promise absolute prevention. Consumer health apps that are not acting for a covered entity typically fall outside HIPAA’s Security Rule.
Breach Notification Requirements
When unsecured PHI is compromised, the Breach Notification Rule requires prompt action. An impermissible use or disclosure is presumed to be a breach unless your documented risk assessment shows a low probability that the PHI was compromised. You must investigate, perform and document that risk assessment, and, if a breach occurred, provide individual notices without unreasonable delay and no later than 60 calendar days after discovery. Business associates must notify the covered entity of a breach so that timely notifications can proceed.
Breach notification compliance includes notifying affected individuals, reporting to the Department of Health and Human Services (timing depends on the number affected: within 60 days of discovery for 500 or more individuals, otherwise in an annual log within 60 days after the end of the calendar year), and alerting prominent media outlets if a breach affects more than 500 residents of a state or jurisdiction. Notices must explain what happened, the types of data involved, steps individuals should take to protect themselves, what you are doing to investigate and mitigate harm, and how to contact you.
There is a safe harbor: if the PHI was secured, meaning encrypted in a manner consistent with HHS guidance or properly destroyed, it is not "unsecured PHI" and notification is generally not required. The caveat practitioners miss is that encryption only counts if the decryption key was not also exposed; a stolen laptop with full-disk encryption and the key on a sticky note in the bag is still a reportable breach. These duties do not replace security obligations: you still need to fix control gaps, retrain staff, and document corrective actions.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
HIPAA Portability Provisions
The first "P" in HIPAA stands for Portability (Health Insurance Portability and Accountability Act). In employer-sponsored plans, HIPAA established special enrollment rights (for events like marriage, birth, adoption, or loss of other coverage) and historically limited preexisting condition exclusions, provisions that improved portability when you changed jobs or coverage.
Portability provisions help you avoid unnecessary gaps, but they do not force an employer to offer a plan, set premiums, or guarantee identical benefits when you switch coverage. HIPAA does not give you an unrestricted right to buy any policy at any time; eligibility and plan design still follow plan terms and other applicable laws.
Think of portability as guardrails for transitions, not a universal guarantee of coverage on your terms.
HIPAA Enforcement Mechanisms
HIPAA is enforced primarily by the U.S. Department of Health and Human Services' Office for Civil Rights (OCR). OCR investigates complaints and reported breaches, conducts compliance reviews, and can require corrective action plans and settlements. Since the HITECH Act, state attorneys general may also bring civil actions on behalf of their residents.
Violations can trigger civil and criminal penalties. Civil penalties are tiered based on the level of culpability and can include significant monetary assessments and ongoing monitoring. Criminal enforcement—handled by the Department of Justice—can apply to intentional wrongful disclosures or misuse of PHI, with potential fines and imprisonment.
What HIPAA does not do: it does not create a private right of action, so individuals cannot sue directly for a HIPAA violation (though state negligence or privacy claims, or other federal claims, may be available). It also does not override more protective state privacy laws; HIPAA preempts only contrary state law that is less stringent, so it sets a federal floor that states can exceed.
Exclusions from HIPAA Coverage
HIPAA’s protections do not extend to all health-related information everywhere. Common exclusions include life, disability, and workers’ compensation insurers; employers acting in their role as employers; many schools and student health records governed by FERPA; and automobile insurers handling medical claims after an accident. These entities generally are not covered entities under HIPAA.
Consumer wellness tools—such as fitness trackers, nutrition apps, or direct-to-consumer services not acting for a covered entity—often fall outside HIPAA. Data you record for personal use on a device or app may be sensitive, but unless a covered entity or business associate is involved, HIPAA typically does not apply. Other laws (like consumer protection or state privacy statutes) may still create healthcare compliance obligations.
De-identified data, employment records held by an employer, and health information of individuals who have been deceased for more than 50 years are also outside HIPAA’s PHI rules. Knowing these boundaries helps you set realistic expectations and use additional privacy safeguards where HIPAA stops.
Bottom line: HIPAA protects PHI within the healthcare system, strengthens security, mandates breach notifications, supports portability, and enforces compliance—yet it is not a universal consumer privacy law and leaves notable gaps where you must look to other protections.
FAQs
What is not covered by HIPAA?
HIPAA generally does not cover life, disability, or workers’ compensation insurers; employers acting as employers; many schools and student health records under FERPA; auto insurers; or consumer apps and wearables that do not act for a covered entity. De-identified data and employment records held by an employer are not PHI.
How does HIPAA enforce privacy protections?
OCR investigates complaints and breaches, requires corrective actions, and can impose civil penalties; the Department of Justice can pursue criminal cases for intentional misuse. Individuals may file complaints with OCR, but HIPAA does not create a private lawsuit right. Enforcement aims to drive sustained privacy safeguards across the healthcare system.
Who is exempt from HIPAA regulations?
Entities that are not covered entities or business associates—such as employers, life and disability insurers, workers’ compensation carriers, many schools under FERPA, and standalone consumer health apps—are typically outside HIPAA’s scope. Other laws may still regulate their data practices.
What are the notification requirements for a HIPAA breach?
If unsecured PHI is breached, affected individuals must be notified without unreasonable delay and no later than 60 calendar days after discovery. Every breach must be reported to HHS: within 60 days of discovery if 500 or more individuals are affected, otherwise in an annual log within 60 days after the end of the calendar year. When more than 500 residents of a state or jurisdiction are affected, you must also notify prominent media. Strong encryption provides a safe harbor that can remove the duty to notify, provided the decryption key was not also compromised.