Does HIPAA Protect Medical Information? Only PHI from Covered Entities—What’s Covered vs. Not Covered
HIPAA Coverage and Scope
HIPAA protects medical information only when it qualifies as Protected Health Information (PHI) and is created, received, maintained, or transmitted by Covered Entities or their Business Associates. In other words, HIPAA safeguards do not follow the data everywhere—protections attach to who holds the data and why they hold it.
PHI is individually identifiable health information about your past, present, or future physical or mental health or condition, the care you receive, or payment for that care. It can exist in any form—electronic, paper, or oral—and includes obvious identifiers like your name, address, full-face photographs, and medical record numbers.
What’s covered vs. not covered at a glance
- Covered: PHI inside an electronic health record, insurance claims, lab reports, pharmacy dispensing records, and billing files held by Covered Entities or Business Associates.
- Not covered: Health data held by HIPAA Non-Covered Entities (for example, many consumer health apps and wearables), De-Identified Health Information, most employment files, and FERPA Educational Records.
HIPAA allows many routine uses and disclosures without your written authorization for treatment, payment, and health care operations. Other disclosures—such as certain public health reporting or specific law enforcement requests—may also occur under defined conditions.
Definition of Covered Entities
Covered Entities are the core organizations directly regulated by HIPAA. They fall into three categories, and HIPAA applies when these entities handle PHI in standard health care transactions.
The three categories
- Health plans: health insurers, HMOs, government programs like Medicare and Medicaid, and employer-sponsored group health plans.
- Health care clearinghouses: entities that translate health information from one format to another (for example, billing intermediaries).
- Health care providers: doctors, dentists, hospitals, clinics, pharmacies, and laboratories—but only if they electronically transmit health information in connection with HIPAA standard transactions (such as claims or eligibility checks).
Practical examples
- Your physician’s EHR, a hospital’s patient portal, and a pharmacy’s dispensing system are all within HIPAA because they belong to Covered Entities handling PHI.
- Large organizations may be “hybrid entities,” designating health care components (like an onsite clinic) as Covered Entities while leaving unrelated business units outside HIPAA.
Role of Business Associates
Business Associates are vendors or partners that perform functions or services for a Covered Entity involving PHI. They must safeguard PHI under HIPAA and sign a Business Associate Agreement (BAA) that sets limits on how they use and disclose PHI.
Typical Business Associates
- Cloud and data hosting providers, EHR and practice-management vendors, e-prescribing networks, and data analytics firms.
- Billing companies, revenue-cycle firms, claims administrators, and certain consultants, attorneys, or auditors who access PHI to deliver their services.
- Subcontractors of Business Associates who handle PHI are also subject to HIPAA through “downstream” obligations.
Business Associates may use or disclose PHI only as permitted by the Privacy Rule and the BAA, and they must apply appropriate safeguards under the Security Rule and report certain breaches.
Differences Between Covered and Non-Covered Entities
HIPAA draws a bright line between entities that are regulated and those that are not. The same type of data may be protected in one context and unprotected in another; what matters is who holds it and for what purpose.
Covered Entities/Business Associates
- Must follow HIPAA’s Privacy, Security, and Breach Notification Rules for PHI.
- Provide rights such as access to records, amendments, and an accounting of certain disclosures.
- Issue a Notice of Privacy Practices and maintain policies, risk analyses, and workforce training.
HIPAA Non-Covered Entities
- Many consumer health apps, fitness wearables, wellness websites, personal health record tools not acting on behalf of a provider or plan, life insurers, and most employers in their role as employers.
- These organizations generally are not bound by HIPAA, though other laws (such as consumer protection or state privacy laws) may still apply.
- If a consumer app is offered on behalf of a Covered Entity or under a BAA, it can become a Business Associate and then must follow HIPAA.
When you share the same heart rate or medication list with your physician’s portal (Covered Entity) versus a standalone consumer app (often non-covered), HIPAA’s protections may differ significantly.
Handling De-Identified Information
De-Identified Health Information is not PHI and falls outside HIPAA’s privacy restrictions. De-identification can occur in two ways: by removing specified identifiers or through expert determination that the risk of re-identification is very small.
Two recognized methods
- Safe harbor: removal of specified direct identifiers (for example, names, full addresses, telephone numbers, email addresses, Social Security numbers, full-face photos, and comparable data), plus no actual knowledge that remaining information can identify a person.
- Expert determination: a qualified expert uses accepted statistical or scientific methods to conclude the risk of re-identification is very small and documents the analysis.
De-identified datasets may be used for analytics, quality improvement, and research without HIPAA authorization. By contrast, a “limited data set” (which may include certain dates, city, state, and ZIP Code) is still PHI but can be shared for research, public health, or health care operations under a Data Use Agreement.
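To make the two methods concrete, the following is an added example (not code from the original article or from any product it mentions) that applies Safe Harbor rules to a constructed patient record and, for contrast, produces a limited data set from the same record. It assumes a flat dictionary schema with the field names shown, treats the listed direct identifiers as the ones to strip, reduces dates to the year, buckets ages of 90 and over, and truncates ZIP codes to three digits (or "000" for sparsely populated areas, using a placeholder set in place of the real Census-derived list). Expert determination is not modelled because it is a documented statistical analysis, not a fixed transformation.

```python
from datetime import date

# Constructed sample record for illustration; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "mrn": "MRN-0000123",
    "ssn": "000-00-0000",
    "phone": "555-0100",
    "email": "jane@example.com",
    "street_address": "1 Example Way",
    "city": "Springfield",
    "state": "IL",
    "zip": "03601",
    "date_of_birth": date(1931, 4, 2),
    "admission_date": date(2024, 3, 15),
    "diagnosis_code": "E11.9",
    "lab_result": "HbA1c 7.8%",
}

# Direct identifiers removed under Safe Harbor (assumed field names for this schema).
# "city" counts as a geographic subdivision smaller than a state, so it goes too;
# "state" may stay.
DIRECT_IDENTIFIERS = frozenset(
    {"name", "mrn", "ssn", "phone", "email", "street_address", "city"}
)

# A limited data set removes the same direct identifiers but may retain city,
# state, full ZIP and dates. It is still PHI and needs a Data Use Agreement.
LIMITED_DATA_SET_REMOVED = DIRECT_IDENTIFIERS - {"city"}

# Three-digit ZIP prefixes whose geographic unit has 20,000 or fewer residents
# must be reported as "000". This set is a constructed placeholder; a real
# implementation derives it from Census population data.
SMALL_ZIP3_PLACEHOLDER = frozenset({"036"})


def age_bucket(dob, as_of):
    """Whole years of age, with 90 and over collapsed into a single '90+' bucket."""
    years = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
    return "90+" if years >= 90 else years


def truncate_zip(zip5, small_zip3=SMALL_ZIP3_PLACEHOLDER):
    """Keep the first three digits unless that prefix is in the small-population set."""
    zip3 = zip5[:3]
    return "000" if zip3 in small_zip3 else zip3


def safe_harbor(record, as_of, small_zip3=SMALL_ZIP3_PLACEHOLDER):
    """Return a Safe Harbor de-identified copy of a flat record.

    Direct identifiers are dropped, date_of_birth becomes a bucketed age,
    other dates keep only the year, and ZIP codes are truncated.
    """
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key == "zip":
            out["zip3"] = truncate_zip(value, small_zip3)
        elif key == "date_of_birth":
            out["age"] = age_bucket(value, as_of)
        elif isinstance(value, date):
            # e.g. admission_date -> admission_year
            out[key.replace("_date", "_year")] = value.year
        else:
            out[key] = value
    return out


def limited_data_set(record):
    """Strip direct identifiers but keep dates and geography (still PHI)."""
    return {k: v for k, v in record.items() if k not in LIMITED_DATA_SET_REMOVED}


if __name__ == "__main__":
    print("Safe Harbor:", safe_harbor(SAMPLE_RECORD, as_of=date(2024, 6, 1)))
    print("Limited data set:", limited_data_set(SAMPLE_RECORD))
```

Note that the Safe Harbor output retains no field that could be matched back to the sample patient, whereas the limited data set still carries the birth date, admission date and full ZIP, which is why it remains PHI. Free-text fields such as clinical notes are outside this example; they need their own review, since the "no actual knowledge" condition of Safe Harbor applies to whatever remains in the record.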
Exclusions for Employment and Educational Records
HIPAA expressly excludes certain categories of records even when they concern health information, recognizing other legal frameworks or business roles.
Employment Records Exclusion
- Health information in an employer’s files—such as FMLA certifications, drug-testing results, pre-employment physicals, or disability accommodation forms—is generally not PHI under HIPAA when held by the employer in its role as an employer.
- When a provider sends information to an employer, the disclosure must meet HIPAA allowances (for example, with your authorization or as required by law). Once in the employer’s possession as an employment record, HIPAA no longer governs that copy.
FERPA Educational Records
- Student health and immunization records maintained by K–12 schools or school districts subject to FERPA are education records, not PHI.
- At postsecondary institutions, treatment records maintained by a student health clinic are governed by FERPA’s rules for treatment records, not by HIPAA.
The takeaway: records governed by FERPA Educational Records and employment files fall outside HIPAA’s PHI protections, even if similar information would be PHI in a clinical setting.
Limitations of HIPAA Protections
HIPAA is a targeted health privacy framework—not a universal health data law. It protects PHI in the hands of Covered Entities and Business Associates and permits many routine uses without authorization for care, payment, and operations.
- HIPAA does not cover information held solely by HIPAA Non-Covered Entities, nor does it regulate purely De-Identified Health Information.
- Certain disclosures are allowed without authorization (for example, specific public health activities, health oversight, and narrowly defined law enforcement requests).
- HIPAA sets security and breach-notification requirements, but no system is breach-proof, and HIPAA provides no private right of action for damages—enforcement is primarily by regulators.
- State health privacy or consumer laws may impose stricter rules; the more protective law typically controls where applicable.
Conclusion
Does HIPAA protect medical information? Only when the information is PHI held by Covered Entities or their Business Associates. To understand what’s covered vs. not covered, identify who holds your data, whether it is de-identified, and the context—clinical care and insurance operations trigger HIPAA, while many consumer tools and employment or education files do not.
FAQs
What types of entities are considered covered under HIPAA?
Covered Entities include health plans (insurers, HMOs, group health plans), health care clearinghouses, and health care providers that electronically conduct standard transactions such as claims or eligibility checks. Their Business Associates, when handling PHI for them, are also subject to HIPAA obligations.
Does HIPAA protect health information held by non-covered entities?
Generally, no. Health information held solely by HIPAA Non-Covered Entities—such as many consumer apps, wearables, wellness websites, or life insurers—is not PHI under HIPAA. If those entities act on behalf of a Covered Entity under a Business Associate Agreement, then HIPAA applies to that work.
How does HIPAA define Protected Health Information?
Protected Health Information is individually identifiable health information about your health status, care, or payment for care that is created, received, maintained, or transmitted by a Covered Entity or Business Associate. It includes identifiers that can tie the information to you and exists in electronic, paper, or oral form.
Are de-identified medical records protected by HIPAA?
No. Once health information is de-identified—either through safe-harbor removal of specified identifiers or expert determination that re-identification risk is very small—it is no longer PHI and HIPAA’s privacy restrictions do not apply.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.