Are All Medical Records Covered by HIPAA? What’s Protected vs. Exempt (Providers, Schools, Employers, Health Apps)
HIPAA Coverage for Healthcare Providers
Who counts as a covered entity?
Under HIPAA, covered entities include health care providers, health plans, and health care clearinghouses. As a provider, you are a covered entity if you transmit health information in connection with standard electronic transactions, such as claims, eligibility checks, referrals, or remittance advice. If you never conduct these electronic transactions, HIPAA may not apply to you as a provider, but most modern practices do.
What is Protected Health Information (PHI)?
Protected Health Information is individually identifiable health information created or received by a covered entity or its business associate. PHI relates to a person’s past, present, or future physical or mental health or payment for care, and it can exist in any form—electronic, paper, or oral. De-identified data is not PHI, and employment records held by a covered entity in its capacity as an employer are specifically excluded.
Business associates and downstream vendors
Vendors that create, receive, maintain, or transmit PHI on behalf of covered entities—such as billing services, cloud hosts, and analytics firms—are business associates. They must sign business associate agreements and safeguard PHI to the same standards. When you bring in new technology, confirm whether the vendor will handle PHI and whether a business associate agreement is required.
Practical examples of what’s covered
- Clinical charts, lab results, imaging, prescriptions, and care plans maintained by a covered provider.
- Enrollment, claims, and authorization data held by a health plan.
- EHR backups stored by a business associate for a clinic that conducts standard electronic transactions.
Exemptions for Schools and Educational Records
FERPA vs. HIPAA
Most student health records maintained by a school or district are “education records” under the Family Educational Rights and Privacy Act. HIPAA expressly excludes FERPA education records—and the treatment records of postsecondary students—from its definition of PHI. In other words, if FERPA applies, HIPAA does not.
K–12 and postsecondary scenarios
- K–12 school nurse files and immunization records maintained by the district are governed by FERPA, not HIPAA.
- At colleges, student treatment records (for example, counseling center notes kept solely for treatment) are excluded from FERPA’s “education records” definition but are still not PHI under HIPAA. If those records are shared for non-treatment purposes, they typically become FERPA education records.
When a school clinic might be under HIPAA
If an external covered entity (for example, a hospital-run clinic on campus) provides care and conducts standard electronic transactions, its records are usually HIPAA-covered. The key is who maintains the record and in what role—not just where the care occurs.
Employer Health Plan Privacy Requirements
Employer vs. group health plan—two different hats
HIPAA regulates the group health plan (a covered entity), not the employer in its role as an employer. Your HR team cannot freely access PHI from the group health plan for employment decisions. The plan may share only limited information with the employer for plan administration, and only with designated individuals separated by a “HIPAA firewall.”
Self-Insured Health Plans
Self-insured health plans are covered entities and must implement the full HIPAA Privacy and Security Rules. If your company self-funds, confirm that plan documents restrict employer access to PHI, appoint a privacy official, and apply the minimum necessary standard for plan operations.
Permitted sharing and common pitfalls
- Permitted: Summary health information for plan design, or PHI necessary for claims resolution by designated plan staff.
- Not permitted: Using an employee’s claims data to make promotion, discipline, or termination decisions.
Privacy of Health and Fitness Apps
When HIPAA applies to an app
HIPAA can apply to a health or fitness app only if it is offered by, or on behalf of, a covered entity and the app vendor acts as a business associate. For example, a patient portal or remote monitoring tool contracted by a provider usually involves PHI and requires a business associate agreement.
Direct-to-consumer apps and other rules
Most direct-to-consumer health and wellness apps (for steps, sleep, fertility tracking, workouts, or nutrition) are not covered entities and are not business associates. While HIPAA may not apply, these apps are often subject to other frameworks, including general consumer protection laws and emerging Consumer Health Data Privacy statutes at the state level.
Practical tips before you share data
- Check whether the app connects to a provider or health plan; if not, HIPAA likely does not apply.
- Review the app’s privacy policy for data sale, advertising, location tracking, and deletion rights.
- Favor tools that offer data export, granular permissions, and clear breach notifications.
Applicability to Life Insurers and Workers' Compensation
Life, disability, and long-term care insurers
Life insurers are not HIPAA covered entities. They may request medical information with your written authorization during underwriting. Once a covered provider discloses records based on your authorization, HIPAA no longer governs how the insurer uses them, though other state insurance and privacy laws may apply.
Workers’ compensation programs
HIPAA permits covered providers to disclose PHI without authorization to the extent required or authorized by workers’ compensation laws. Typically, disclosures should be limited to what the program needs to adjudicate an injury claim, not the individual’s entire chart.
Law Enforcement Access to Health Data
When disclosures are permitted
HIPAA allows disclosures to law enforcement in defined situations, such as with a court order, warrant, or subpoena; to locate a suspect, fugitive, or missing person; to report certain injuries; or when a crime occurs on the premises. Providers should verify the legal basis and disclose only the minimum necessary information.
Safeguards and documentation
Covered entities should log law-enforcement requests, verify identities, and consult internal policies before releasing PHI. De-identified or limited data sets can reduce exposure when full identifiers are not needed.
Influence of State Laws on Health Data Privacy
HIPAA as a floor, not a ceiling
HIPAA sets a federal baseline. If a state law offers stronger privacy protections for health information, that more stringent state rule generally governs. This is why your rights and obligations can vary by state, especially for sensitive categories of data.
California’s Confidentiality of Medical Information Act (CMIA)
California’s Confidentiality of Medical Information Act protects medical information held by providers, health plans, and certain contractors, sometimes reaching entities and scenarios not fully covered by HIPAA. If you operate in California, evaluate HIPAA and CMIA together to identify the stricter rule.
Consumer health data privacy trend
Several states are adopting Consumer Health Data Privacy laws that regulate how companies collect, use, sell, or share health-adjacent data outside traditional clinical settings. If your organization develops consumer-facing health tools, map the data you collect and build consent, deletion, and transparency mechanisms that meet the highest applicable standard.
Key takeaways
- Ask first: Is the organization a HIPAA covered entity or business associate? Is the information PHI?
- Remember the major carve-outs: FERPA education records, employer-held employment records, many consumer apps, and life insurers.
- State laws like the CMIA—and newer consumer health data statutes—can go beyond HIPAA; follow the most protective rule that applies to you.
FAQs
Does HIPAA apply to all types of medical records?
No. HIPAA protects PHI held by covered entities and their business associates. It does not cover FERPA education records, employment records held by an employer, most data in direct-to-consumer health apps, or records held by life insurers. De-identified data is also outside HIPAA.
How does FERPA affect student health records?
Student health records maintained by a school or district are governed by the Family Educational Rights and Privacy Act, not HIPAA. At colleges, treatment records kept solely for treatment are excluded from FERPA’s education records but are still not PHI under HIPAA. If those records are shared for non-treatment purposes, they typically become FERPA education records.
Are health apps regulated by HIPAA?
Only when an app is offered by, or on behalf of, a HIPAA covered entity and the vendor functions as a business associate. Most consumer health and fitness apps are not covered by HIPAA but may be subject to consumer protection and Consumer Health Data Privacy laws at the state level.
When are employers subject to HIPAA rules?
Employers are subject to HIPAA when acting as sponsors or administrators of a group health plan, including self-insured health plans. The plan is the covered entity, and only designated staff may access PHI for plan administration. Employers cannot use plan PHI for employment decisions.