Does HIPAA Protect All Health Information? What’s Covered—and What Isn’t
HIPAA sets a national baseline for health data privacy—but it doesn’t cover every situation where your health information appears. Understanding what counts as Protected Health Information, who qualifies as a Covered Entity, and where HIPAA stops is essential to make smart choices about Health Data Privacy and Health Information Security.
Definition of Protected Health Information
Protected Health Information (PHI) is individually identifiable health information created, received, maintained, or transmitted by a HIPAA Covered Entity or its Business Associate. It relates to an individual’s past, present, or future physical or mental health or condition, the provision of care, or payment for care—whether the information is electronic, paper, or oral.
PHI is “identifiable” when it includes data that could reasonably identify you. Typical examples include your name, contact details, medical record number, insurance member ID, device identifiers, and full-face photos, combined with any clinical, billing, or benefit information. PHI also includes clinical notes, lab results, imaging, prescriptions, and claims data tied to those identifiers.
Crucially, whether information is PHI depends on who holds it and why. The same heart-rate value might be PHI when stored in a hospital’s patient portal but not PHI when stored only in a consumer fitness app not acting for a Covered Entity.
Covered Entities Under HIPAA
HIPAA applies to specific organizations and the vendors that handle PHI for them. Covered Entities are:
- Health care providers who transmit health information electronically in standard transactions (for example, hospitals, physicians, clinics, pharmacies, labs, and telehealth providers).
- Health plans (insurers, HMOs, employer-sponsored group health plans, government programs like Medicare and Medicaid, and certain dental/vision plans).
- Health care clearinghouses (entities that standardize or process nonstandard health information into standard formats).
Business Associates are service providers (such as EHR vendors, cloud hosts, billing firms, analytics providers) that create, receive, maintain, or transmit PHI on a Covered Entity’s behalf. They must sign Business Associate Agreements and follow the HIPAA Privacy Rule and Security Rule requirements relevant to their services.
Some organizations are “hybrid entities,” where only designated health care components are subject to HIPAA. The distinction matters for determining what data is PHI in any given system.
Types of Health Information Excluded
Not all health-related information is PHI. Key exclusions include:
- De-identified information that meets HIPAA’s De-Identification Standards (described below).
- Education records covered by FERPA, such as student health information maintained by a school for educational purposes.
- Employment records held by a Covered Entity in its role as an employer (e.g., workplace injury logs, pre-employment drug tests kept in HR files).
- Health information about a person who has been deceased for more than 50 years.
- Personal wellness notes or self-tracking data not created or held by a Covered Entity or its Business Associate.
Some records are regulated by other laws or programs and may have different privacy rules; nevertheless, if they are not PHI under HIPAA, HIPAA’s protections do not apply.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
De-Identified Health Data
De-identified data is not PHI and falls outside the HIPAA Privacy Rule. HIPAA recognizes two De-Identification Standards:
1) Safe Harbor method
The data holder removes all 18 identifiers of the individual, relatives, employers, or household members, and has no actual knowledge that the remaining information could identify the person. The 18 identifiers are:
- Names
- Geographic subdivisions smaller than a state (street address, city, county, precinct, ZIP code, and their equivalent geocodes). The first three digits of a ZIP code may be kept only if the area formed by all ZIP codes sharing those three digits contains more than 20,000 people; otherwise the prefix must be changed to 000.
- All elements of dates (except year) directly related to an individual, such as birth, admission, discharge, and death dates. All ages over 89, and any date element (including year) that would reveal such an age, must be aggregated into a single category of 90 or older.
- Telephone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plates
- Device identifiers and serial numbers
- Web URLs
- IP addresses
- Biometric identifiers (for example, fingerprints, voiceprints)
- Full-face photographs and comparable images
- Any other unique identifying number, characteristic, or code
2) Expert Determination method
A qualified expert applies statistical or scientific principles to determine and document that the risk of re-identification is very small, given anticipated recipients, data context, and safeguards.
Limited Data Set versus de-identified data
A Limited Data Set removes direct identifiers but may retain certain dates and locations (like city, state, ZIP) and remains PHI. Use requires a Data Use Agreement. Fully de-identified data, by contrast, is no longer PHI and can be used or disclosed without HIPAA restrictions.
Even when de-identified, best practice is to manage re-identification risk through contractual limits, access controls, and ongoing risk assessment—especially for granular or longitudinal datasets.
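The following is an added example, not code from the original article or from Accountable: it applies the Safe Harbor rules listed above to one constructed patient record and contrasts the result with a Limited Data Set built from the same record. Field names, the sample record, and the allowlist of clinical fields are assumptions for this illustration. The restricted ZIP3 set is the list HHS published in its de-identification guidance (derived from 2000 Census data); verify it against current guidance before relying on it. Code can enforce the mechanical removals, but not the Safe Harbor condition that the holder has no actual knowledge the remaining data could identify someone; that remains a human judgement.

```python
"""Safe Harbor de-identification next to a Limited Data Set, on one constructed record.

Added example, not code from the original page. Field names, the sample record and
the permitted-field allowlist are assumptions; the ZIP3, date and age rules follow the
Safe Harbor standard described in the text.
"""
from __future__ import annotations

import re
from datetime import date

# Direct identifiers that both a Limited Data Set and Safe Harbor remove.
# A Limited Data Set keeps dates, city/state/ZIP and age, so it is still PHI.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn", "member_id",
    "account_number", "license_number", "vehicle_id", "device_serial", "url",
    "ip_address", "fingerprint_template", "photo",
}

# Non-identifying payload fields this example permits to survive Safe Harbor.
# Allowlisting fails closed: a new column nobody reviewed cannot leak through.
PERMITTED_FIELDS = {"diagnosis_codes", "lab_results", "state"}

# Three-digit ZIP prefixes covering 20,000 people or fewer, which Safe Harbor
# requires to be reported as 000 (list from HHS de-identification guidance,
# based on 2000 Census data; verify against current guidance before use).
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790", "821",
                   "823", "830", "831", "878", "879", "884", "890", "893"}


def safe_harbor_zip(zip_code: str) -> str:
    """First three ZIP digits, or 000 when the prefix is restricted or malformed."""
    prefix = re.sub(r"\D", "", zip_code)[:3]
    return "000" if len(prefix) < 3 or prefix in RESTRICTED_ZIP3 else prefix


def safe_harbor_age(birth: date, as_of: date) -> str:
    """Age in whole years; everyone over 89 collapses into the single '90+' bucket."""
    years = as_of.year - birth.year - ((as_of.month, as_of.day) < (birth.month, birth.day))
    return "90+" if years > 89 else str(years)


def limited_data_set(record: dict) -> dict:
    """Drop direct identifiers only. Output is still PHI and needs a Data Use Agreement."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def safe_harbor(record: dict, as_of: date) -> dict:
    """Safe Harbor: remove identifiers, then generalize geography, dates and age."""
    out: dict = {}
    age = safe_harbor_age(record["birth_date"], as_of)
    for key, value in limited_data_set(record).items():
        if key in ("city", "county", "birth_date"):
            continue  # sub-state geography and the full birth date are removed
        if key == "zip":
            out["zip3"] = safe_harbor_zip(value)
        elif isinstance(value, date):
            out[key.replace("_date", "_year")] = value.year  # dates keep only the year
        elif key in PERMITTED_FIELDS:
            out[key] = value
        else:
            # Anything not explicitly cleared could be "any other unique identifying
            # number, characteristic, or code"; refuse rather than guess.
            raise ValueError(f"unreviewed field would survive de-identification: {key}")
    out["age"] = age
    # Year of birth is only retained when it cannot reveal an age over 89.
    if age != "90+":
        out["birth_year"] = record["birth_date"].year
    return out


# Constructed sample record (fictional person, not real data).
SAMPLE = {
    "name": "Jane Q. Sample", "mrn": "MRN-00123", "email": "jane@example.org",
    "ip_address": "203.0.113.7", "street_address": "1 Example Way",
    "city": "Springfield", "state": "VT", "zip": "05901",
    "birth_date": date(1931, 6, 15), "admission_date": date(2024, 3, 9),
    "diagnosis_codes": ["I10", "E11.9"], "lab_results": {"HbA1c": 7.2},
}

if __name__ == "__main__":
    print("Limited Data Set:", limited_data_set(SAMPLE))
    print("Safe Harbor:", safe_harbor(SAMPLE, as_of=date(2024, 3, 9)))
```

For the constructed record the Limited Data Set still carries the city, ZIP 05901, and full birth and admission dates, which is why it stays PHI. The Safe Harbor output keeps only the state, ZIP3 000 (059 is a restricted prefix), the admission year, the age bucket 90+, and the clinical payload; the birth year is dropped because it would reveal an age over 89. The allowlist is the design choice worth copying: a denylist of known identifiers silently passes any new column, while the allowlist raises on the first field nobody has reviewed.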
Health Data Outside HIPAA Scope
Large volumes of health-related information live with Non-Covered Entities where HIPAA does not apply. Common examples include:
- Consumer fitness trackers, wellness apps, meditation or nutrition apps used independently by consumers.
- Direct-to-consumer genetic or lab testing companies that do not act for a Covered Entity.
- Life insurers, workers’ compensation carriers, and many employer programs unrelated to a group health plan.
- Websites, search engines, and social media where people share symptoms, diagnoses, or appointment details.
Context matters. If a provider prescribes a remote monitoring app that sends data to the clinic’s EHR, that app vendor is likely a Business Associate and the data is PHI. Conversely, if you download your records to a personal app at your direction and the app is not a Business Associate, HIPAA protections generally stop at the point of transfer to that app.
Outside HIPAA, other laws and enforcement tools may still apply (for example, consumer protection and data breach rules). Always review an app’s privacy practices, data sharing, and security controls before connecting sensitive information.
HIPAA Compliance Requirements
HIPAA Privacy Rule
- Use/disclose PHI only as permitted, applying the “minimum necessary” standard.
- Provide a Notice of Privacy Practices and obtain authorizations when required.
- Honor individual rights: access, obtain copies, request amendments, and receive an accounting of certain disclosures.
- Execute Business Associate Agreements and oversee vendors handling PHI.
HIPAA Security Rule (for ePHI)
- Risk analysis and risk management addressing administrative, physical, and technical safeguards.
- Access controls, authentication, audit logs, integrity protections, and transmission security (encryption is an addressable—but widely expected—control).
- Workforce training, device/media controls, and contingency planning (backup, disaster recovery, emergency mode operations).
Breach Notification Rule
- Identify and investigate incidents involving unsecured PHI. PHI is "secured" only if it was rendered unusable, unreadable, or indecipherable by the methods in HHS guidance (encryption meeting that guidance, or destruction); a lost encrypted laptop whose key was not compromised is not a reportable breach, while a lost unencrypted one is.
- Conduct a risk assessment to determine whether the PHI was compromised, considering the nature of the data, who received it, whether it was actually viewed or acquired, and how far the risk has been mitigated.
- Notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. Report breaches affecting 500 or more individuals to HHS at the same time, and notify prominent media when more than 500 residents of a state or jurisdiction are affected; breaches affecting fewer than 500 people are logged and reported to HHS annually.
Implications for Health Data Privacy
HIPAA protects PHI in the clinical and insurance ecosystem, but a growing share of your health story lives elsewhere. For strong Health Data Privacy, you should verify who holds your data, whether they are a Covered Entity or Business Associate, and what protections apply when data moves across systems.
Whether or not HIPAA applies, prioritize Health Information Security: choose services with clear data minimization, meaningful consent, granular controls, and robust security (encryption, access controls, incident response). Ask how data is shared, how long it’s retained, and how you can delete it.
Conclusion
HIPAA does not protect all health information—it protects PHI handled by Covered Entities and their Business Associates. De-identified data falls outside HIPAA, and many consumer apps and services are Non-Covered Entities. Knowing these boundaries helps you safeguard your information, make informed choices about tools you use, and ask the right questions before you share.
FAQs
What types of health information does HIPAA protect?
HIPAA protects PHI—individually identifiable health information about your health, care, or payment for care—when it is created or held by a Covered Entity (like a provider, health plan, or clearinghouse) or its Business Associate. PHI can be electronic, paper, or oral and includes identifiers such as your name, contact details, medical record number, and insurance member ID paired with clinical or billing data.
Does HIPAA apply to fitness trackers and health apps?
Usually no. Most consumer fitness trackers and wellness apps are Non-Covered Entities, so HIPAA doesn’t apply. If the app is provided by or contracted to your provider or health plan (for example, a prescribed remote monitoring tool that sends data back to your clinic), the app vendor may be a Business Associate and the data may be PHI.
How is de-identified information treated under HIPAA?
De-identified data is not PHI and is outside the HIPAA Privacy Rule. Data can be de-identified by removing all 18 Safe Harbor identifiers or through Expert Determination that the re-identification risk is very small. A Limited Data Set is not fully de-identified and remains PHI subject to a Data Use Agreement.
Who are considered covered entities under HIPAA?
Covered Entities include health care providers who conduct standard electronic transactions, health plans (such as insurers, HMOs, and group health plans), and health care clearinghouses. Vendors that handle PHI for them are Business Associates and must meet applicable HIPAA requirements.