Exploring HIPAA Coverage: Beyond Privacy and Security
HIPAA Covered Entities and Their Responsibilities
HIPAA applies to Covered Entities—health plans, health care clearinghouses, and health care providers that transmit certain transactions electronically. It also binds Business Associates that create, receive, maintain, or transmit PHI on behalf of a Covered Entity.
Your core responsibilities include limiting uses and disclosures to what the Privacy Rule permits, safeguarding PHI under the Security Rule, and managing vendors through Business Associate Agreements. Health plan compliance also requires honoring individual rights and documenting your program.
Key responsibilities
- Publish a Notice of Privacy Practices and apply the minimum necessary standard.
- Designate privacy and security officers; train your workforce and enforce sanctions.
- Execute and monitor Business Associate Agreements; perform vendor due diligence.
- Conduct risk analyses and implement administrative, physical, and technical safeguards.
- Respond to access, amendment, restriction, and accounting requests within set timelines.
- Maintain incident response and breach notification procedures and documentation.
Scope of Protected Health Information
Protected Health Information (PHI) is individually identifiable health information held or transmitted by a Covered Entity or Business Associate, in any form—electronic, paper, or oral. It relates to a person’s past, present, or future health status, care, or payment, plus identifiers that make the person recognizable.
PHI includes common identifiers like name, address, full-face photos, device IDs, and medical record numbers. De-identified data, a limited data set with a data use agreement, and information about a decedent more than 50 years after death fall outside PHI's strict scope. Employment records kept by an employer and education records under FERPA are not PHI.
Practical boundaries
- PHI status depends on who holds the data and why—not just the content’s “health” nature.
- Identical data can be PHI in a hospital’s system but not in a consumer app with no covered relationship.
HIPAA Privacy and Security Rules
Privacy Rule: what you may use or disclose
The Privacy Rule governs when you may use or disclose PHI without authorization (for treatment, payment, and health care operations; certain public interest purposes) and when individual authorization is required. It grants rights to access, obtain copies, request amendments, receive an accounting of disclosures, and request confidential communications.
Security Rule: how you must protect ePHI
The Security Rule requires a risk-based security program for electronic PHI (ePHI) across three safeguard families:
- Administrative: risk analysis, risk management, workforce training, contingency planning, and BA oversight.
- Physical: facility access controls, device/media controls, secure workstations.
- Technical: access controls, authentication, audit controls, integrity protections, transmission security.
Breach notification overview
When unsecured PHI is compromised, you must assess risk and, if a breach occurred, notify affected individuals and regulators without unreasonable delay, typically no later than 60 days from discovery. Business Associates must notify the Covered Entity so notices can be made on time.
Limitations and Exclusions of HIPAA Coverage
HIPAA is not a universal health privacy law. It primarily covers PHI handled by Covered Entities and their Business Associates. Data in consumer apps, wearables, and many direct-to-consumer services may fall outside HIPAA unless a Covered Entity is involved or a Business Associate relationship exists.
Several programs and data types are excluded or treated differently: on-site employer clinics, workers’ compensation programs, automobile medical payment coverage, life and disability insurance, and many wellness tools operating outside a group health plan. De-identified data sits outside HIPAA, though other laws or contracts may still regulate it.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
State-Level Health Data Protection Laws
HIPAA sets a federal baseline; states can impose more stringent protections. Where a state law offers greater privacy for specific data (such as mental health, HIV status, reproductive health, genetic data), it generally controls. HIPAA’s preemption rule yields to stricter state requirements.
Beyond sector-specific rules, many states have broader consumer privacy statutes and universal breach-notification laws. These can capture health-adjacent data that HIPAA misses—such as precise geolocation, website tracking data, or app-derived wellness information—expanding your compliance obligations.
Implications for Benefit Plans under HIPAA
Group health plans, health insurance issuers, HRAs, and health FSAs are typically “health plans” under HIPAA and must implement Privacy Rule and Security Rule safeguards. Plan sponsors may handle PHI only for plan administration and must amend plan documents, create a privacy firewall, and secure Business Associates.
Certain “excepted benefits” are usually outside HIPAA's health plan definition; examples include accident-only coverage, disability income, workers' compensation, and automobile medical payment insurance. Limited-scope dental or vision benefits offered separately can also be excepted. However, ERISA exemptions do not remove HIPAA obligations for a plan that meets the HIPAA “health plan” definition, and government or church plans (though exempt from ERISA) may still be HIPAA-covered.
Wellness and EAP considerations
- Wellness programs integrated with a group health plan or providing medical care (e.g., biometric screenings, health coaching tied to the plan) are generally subject to HIPAA.
- Employee Assistance Programs that provide counseling or referrals often function as health plans and must comply.
- Stand-alone, incentive-only programs that collect minimal data for the employer may fall outside HIPAA but can trigger other federal or state laws.
Integrating HIPAA into Comprehensive Risk Management
Position HIPAA inside a broader privacy and security strategy. Start with a data inventory that maps PHI and health-adjacent data, including data shared with Business Associates. Align governance, risk, and compliance so HIPAA controls interlock with state privacy laws and FTC expectations.
Operational best practices
- Run a living risk analysis; track remediation with owners, deadlines, and metrics.
- Apply zero-trust access, multifactor authentication, encryption in transit and at rest, and rigorous logging.
- Minimize data, de-identify where feasible, and segregate production from analytics environments.
- Harden vendor oversight with BAAs, security questionnaires, and right-to-audit clauses.
- Exercise your incident response plan; test backups and practice breach decision-making.
- Measure outcomes: access request turnaround, patch cadence, and mean time to detect/respond.
Conclusion
HIPAA coverage depends on who you are, why you hold the data, and how you protect it. By understanding Covered Entities, PHI scope, the Privacy Rule and Security Rule, and the limits of HIPAA, you can close gaps with state laws and risk controls and keep health plan compliance on solid footing.
FAQs
What types of entities are covered by HIPAA?
HIPAA covers health plans, health care clearinghouses, and health care providers that conduct standard electronic transactions, plus their Business Associates. Vendors become Business Associates when they handle PHI for a Covered Entity.
How does HIPAA define protected health information?
PHI is individually identifiable health information related to a person’s health, care, or payment, held or transmitted by a Covered Entity or Business Associate in any form. It includes identifiers that can reveal the individual; de-identified data is not PHI.
What health plans are excluded from HIPAA coverage?
HIPAA generally excludes certain excepted benefits such as accident-only policies, disability income, workers’ compensation, automobile medical payment coverage, and some limited-scope dental or vision benefits when offered separately. On-site medical clinics are also typically excluded.
Are wellness programs subject to HIPAA regulations?
Yes, when a wellness program is part of a group health plan or provides medical care (for example, biometric screenings or health coaching tied to plan incentives). Stand-alone programs that do not create or receive PHI for a plan may fall outside HIPAA, though other laws can still apply.
What are the privacy gaps outside HIPAA coverage?
Consumer health apps, wearables, direct-to-consumer testing, website trackers, and geolocation data often sit outside HIPAA unless a Covered Entity or Business Associate relationship exists. These areas may instead be governed by state privacy laws, the FTC Act, or contracts.