HIPAA and Social Determinants of Health (SDOH) Data: What’s Protected, What Isn’t, and How to Use It Compliantly


Kevin Henry

HIPAA

April 11, 2026


Definition of Social Determinants of Health

Social Determinants of Health (SDOH) are the non-medical conditions where people live, learn, work, and age that influence health outcomes. Common categories include economic stability, education, social and community context, neighborhood and built environment, and access to healthcare and healthy food.

SDOH data spans patient-reported screenings (for example, food insecurity, transportation needs), observations recorded by care teams, and contextual indicators such as housing stability or utility shutoff risk. In clinical records, SDOH often appears as narrative notes, structured fields, and ICD-10-CM Z codes related to social needs.

Scope of HIPAA Protection

HIPAA protects Protected Health Information (PHI): individually identifiable health information that a Covered Entity (healthcare provider, health plan, or clearinghouse) or its Business Associates create, receive, maintain, or transmit. PHI can exist in any form—electronic, paper, or oral.

SDOH becomes PHI when it is linked to an identifiable individual and relates to that person’s health, healthcare, or payment for care. The same SDOH element, when stripped of identifiers and properly de-identified, is no longer PHI. HIPAA does not regulate data held solely by entities that are neither Covered Entities nor Business Associates, although other laws or agreements may still apply.

Inclusion of SDOH Data under HIPAA

SDOH data is included under HIPAA when it meets both tests: it is held by a Covered Entity or Business Associate, and it identifies the individual (directly or indirectly) in connection with health or care. Consider these common scenarios:

  • Included as PHI: A food insecurity screening result stored in the EHR with a medical record number; a referral to a housing navigator sent from a clinic to a contracted vendor; transportation barriers documented in care management notes.
  • Not PHI: Aggregated neighborhood-level indices shared without any identifiers; publicly available census-tract statistics; de-identified SDOH data used for analytics after proper De-identification Methods are applied.

Borderline cases often turn on whether the information can reasonably identify a person. A risk score derived from ZIP+4 and utility shutoff history may still be PHI if it can be tied back to a specific patient record or used to contact the individual.

Permitted Uses and Disclosures of SDOH Data

Core HIPAA permissions

  • Treatment: Sharing SDOH for care coordination, case management, and referrals across providers is permitted. The minimum necessary standard does not apply to disclosures to, or requests by, a healthcare provider for treatment, but you should still share only what the receiving clinician or care team needs.
  • Payment: Using SDOH to support payment determinations or benefits coordination is allowed, subject to the minimum necessary standard.
  • Healthcare Operations: Quality improvement, population health management, risk stratification, and program evaluation can use SDOH as part of Healthcare Operations, applying minimum necessary.

Other pathways

  • Public health and health oversight: Disclosures required by law, disclosures to a public health authority legally authorized to collect the information, and disclosures to a health oversight agency for oversight activities are permitted without authorization, subject to the minimum necessary standard.
  • Research: Use a HIPAA Authorization for Disclosure, an IRB/Privacy Board waiver, a Limited Data Set with a Data Use Agreement, or fully de-identified data.
  • Individual authorization: When a disclosure is not otherwise permitted, obtain a valid HIPAA Authorization for Disclosure from the patient specifying who, what, why, and for how long.

Always document your legal basis, apply role-based access, and align data sharing with your Notice of Privacy Practices. When in doubt, default to the minimum necessary standard for non-treatment disclosures.


De-identification Standards for PHI

De-identified data is not PHI and falls outside HIPAA. HIPAA recognizes two De-identification Methods:

  • Safe Harbor: Remove the 18 types of identifiers of the individual and of the individual’s relatives, employers, or household members, and have no actual knowledge that the remaining information could be used, alone or in combination with other information, to identify the individual.
  • Expert Determination: A qualified expert applies statistical or scientific principles and documents that the risk of re-identification is very small, with controls to maintain that status.

Safe Harbor identifiers to remove

  • Names; all geographic subdivisions smaller than a state, including street address, city, county, and precinct (the first three digits of a ZIP code may be kept only if the area sharing those three digits contains more than 20,000 people; otherwise they become 000); all elements of dates except the year for dates directly related to an individual (birth, admission, discharge, death); and all ages over 89, including any date element that would reveal such an age, which may instead be aggregated into a single “90 or older” category.
  • Telephone and fax numbers; email addresses; URLs; IP addresses; device identifiers and serial numbers; Social Security, medical record, health plan beneficiary, and account numbers.
  • Biometric identifiers; full-face photos and comparable images; vehicle and license plate numbers; certificate or license numbers; unique identifying codes or characteristics.

Limited Data Set option

A Limited Data Set removes the direct identifiers but permits certain elements (for example, city, state, ZIP code, and dates) to support analytics and research, provided the recipient signs a Data Use Agreement restricting re-identification, contact with individuals, redisclosure, and permitted purposes. A Limited Data Set is still PHI, so it remains subject to HIPAA even though it may be disclosed without authorization. Remember that pseudonymization alone does not equal de-identification under HIPAA: Safe Harbor allows a re-identification code only if it is not derived from information about the individual and the method of re-identification is not disclosed.
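The following is an added example, not code from the article’s author or any product, showing how the Safe Harbor generalizations and the Limited Data Set field removals described above can be applied to a single SDOH screening record. The field names (name, mrn, zip, birth_date, screening_date, z_codes, and so on) are assumed for illustration and must be mapped to your own schema; the sample record is constructed, not real patient data. The set of restricted three-digit ZIP prefixes is the one published in HHS Safe Harbor guidance (derived from 2000 Census data) and should be verified against current guidance before use. The code covers the mechanical identifier rules only; the “no actual knowledge” test in Safe Harbor, and the Data Use Agreement for a Limited Data Set, are governance steps it cannot perform.

```python
"""Safe Harbor and Limited Data Set views of an SDOH record (illustrative)."""
from datetime import date
import re

# Three-digit ZIP prefixes covering 20,000 or fewer people per HHS Safe Harbor
# guidance (2000 Census). Safe Harbor requires these to become 000; any other
# prefix may keep its first three digits. Assumed current; verify before use.
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821",
    "823", "830", "831", "878", "879", "884", "890", "893",
}

# Direct identifiers removed under BOTH Safe Harbor and a Limited Data Set.
# Field names are assumptions for this example, not a standard schema.
DIRECT_IDENTIFIERS = {
    "name", "mrn", "ssn", "account_number", "health_plan_id", "phone",
    "fax", "email", "url", "ip_address", "device_id", "vehicle_id",
    "license_number", "biometric_id", "photo", "street_address",
}

# Date fields (ISO yyyy-mm-dd) that a Limited Data Set keeps in full but
# Safe Harbor reduces to the year.
DATE_FIELDS = {"birth_date", "screening_date", "referral_date"}


def _age_on(birth_iso: str, ref_iso: str) -> int:
    """Whole years between two ISO dates, using the standard library only."""
    b, r = date.fromisoformat(birth_iso), date.fromisoformat(ref_iso)
    return r.year - b.year - ((r.month, r.day) < (b.month, b.day))


def safe_harbor_zip(zip_code: str):
    """Return the first three ZIP digits, or 000 for a restricted prefix.

    Returns None for anything that is not a 5-digit or ZIP+4 code, so a
    malformed value is dropped from the record rather than passed through.
    """
    m = re.fullmatch(r"(\d{3})\d{2}(?:-\d{4})?", zip_code.strip())
    if not m:
        return None
    zip3 = m.group(1)
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def limited_data_set(record: dict) -> dict:
    """Drop direct identifiers; keep city, state, ZIP and full dates.

    The result is still PHI and may only leave the organization under a
    Data Use Agreement.
    """
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def safe_harbor(record: dict, reference_date_field: str = "screening_date") -> dict:
    """Apply the Safe Harbor generalizations on top of the LDS removals."""
    out = limited_data_set(record)
    out.pop("city", None)  # geography smaller than a state is removed
    if "zip" in out:
        zip3 = safe_harbor_zip(str(out["zip"]))
        if zip3 is None:
            out.pop("zip")
        else:
            out["zip"] = zip3
    # Ages over 89 collapse into a single "90+" bucket, and the birth date
    # (whose year would reveal that age) is removed entirely.
    birth, ref = record.get("birth_date"), record.get(reference_date_field)
    if birth and ref:
        age = _age_on(birth, ref)
        out["age"] = "90+" if age > 89 else age
        if age > 89:
            out.pop("birth_date", None)
    # Remaining dates keep only the year.
    for field in DATE_FIELDS:
        if out.get(field):
            out[field] = date.fromisoformat(out[field]).year
    return out


RECORD = {  # constructed sample record, not real patient data
    "name": "Jane Doe",
    "mrn": "MRN-0012345",
    "phone": "555-0100",
    "email": "jane@example.com",
    "street_address": "12 Elm St",
    "city": "Montpelier",
    "state": "VT",
    "zip": "05602",
    "birth_date": "1931-04-09",
    "screening_date": "2025-10-03",
    "food_insecurity": "positive",
    "transportation_barrier": True,
    "z_codes": ["Z59.41", "Z59.82"],
}

if __name__ == "__main__":
    print("Limited Data Set:", limited_data_set(RECORD))
    print("Safe Harbor:", safe_harbor(RECORD))
```

The two views differ exactly where the article says they do: the Limited Data Set keeps Montpelier, 05602 and the full dates for a DUA-bound recipient, while the Safe Harbor view reduces geography to the state plus a three-digit ZIP prefix, reduces dates to years, and, because the sample patient is 94, drops the birth date and reports the age as “90+”. The SDOH content itself (screening result, transportation barrier, Z codes) passes through both views unchanged, which is the point: de-identification targets the identifiers, not the social-needs data.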

Sharing SDOH Data with Non-HIPAA Entities

Many Community-based Organizations (CBOs)—such as food banks, housing agencies, or transportation providers—are not Covered Entities. Before sharing SDOH with a CBO, determine its role:

  • Business Associate route: If the CBO performs services for you involving PHI (for example, care coordination), execute a Business Associate Agreement to extend HIPAA obligations.
  • Authorization route: If the CBO is not your Business Associate and the disclosure is not otherwise permitted, obtain the patient’s HIPAA Authorization for Disclosure.
  • De-identified or Limited Data Set: When individual-level information is unnecessary, share de-identified data, or use a Limited Data Set with a Data Use Agreement.

Practical safeguards

  • Data minimization: Share only fields necessary for the intended purpose, and segregate SDOH from clinical details when possible.
  • Secure exchange: Use encrypted channels, access controls, and audit logging; confirm the recipient’s identity and intended use.
  • Clear purpose and retention: Define why the data is needed, how long it will be kept, and how it will be disposed.
  • Cross-regulatory checks: Screen for other laws (for example, state privacy laws or 42 CFR Part 2) that may impose stricter rules for certain records.

Compliance Requirements for SDOH Data Usage

  • Classify each SDOH element as PHI, Limited Data Set, or de-identified; map it to treatment, payment, healthcare operations, research, public health, or authorization.
  • Maintain an inventory of data flows and recipients, including Community-based Organizations and technology vendors.

Strengthen governance and agreements

  • Execute Business Associate Agreements where applicable; use Data Use Agreements for Limited Data Sets; maintain referral MOUs that define scope, safeguards, and redisclosure limits.
  • Embed the minimum necessary standard and role-based access in policies and procedures; review them at least annually.

Operationalize privacy and security

  • Train your workforce on SDOH sensitivity, bias risks, and appropriate documentation practices.
  • Apply technical controls: encryption in transit and at rest, multi-factor authentication, endpoint protection, and monitored audit logs.
  • Conduct periodic risk analyses and vendor due diligence; test incident response and breach notification plans.

Respect individual rights and ethics

  • Provide clear notices and respect patient preferences where feasible; obtain Authorization for Disclosure when required.
  • Validate data quality to avoid harms from inaccurate SDOH labeling; monitor programs for equity impacts and unintended consequences.

Conclusion

In short, SDOH data is protected by HIPAA when it is identifiable PHI in the hands of Covered Entities or Business Associates. You can use and share it for treatment, payment, and healthcare operations, or with authorization, and you can unlock broader insights by applying robust de-identification methods. With disciplined governance, secure sharing, and thoughtful partnership with Community-based Organizations, you can leverage SDOH to improve outcomes while staying compliant.

FAQs

What types of SDOH data are protected under HIPAA?

Any SDOH information that identifies an individual and is created or held by a Covered Entity or its Business Associates in relation to health, care, or payment is PHI. Examples include food, housing, or transportation needs documented in the EHR, referral details to support services, and case management notes. Aggregated or properly de-identified SDOH data is not PHI.

How can covered entities share SDOH data compliantly?

Share for treatment, payment, or healthcare operations (applying minimum necessary for non-treatment uses); use a Business Associate Agreement when a partner performs services involving PHI; rely on a Limited Data Set with a Data Use Agreement when appropriate; or obtain a HIPAA-compliant Authorization for Disclosure from the patient when a disclosure is not otherwise permitted.

What are the risks when sharing SDOH data with non-HIPAA entities?

Key risks include re-identification and redisclosure, security vulnerabilities, mission creep beyond the stated purpose, equity or discrimination impacts, and exposure to non-HIPAA laws. Mitigate by minimizing data elements, clarifying purpose and retention, using secure exchange, and leveraging BAAs, DUAs, or individual authorizations as the context requires.

How is de-identification applied to SDOH data?

You can remove the Safe Harbor identifiers (including names, specific addresses, most dates, contact details, and unique numbers) or use Expert Determination to show a very small re-identification risk with documented controls. For many analytics needs, a Limited Data Set plus a Data Use Agreement balances utility and privacy while keeping direct identifiers out of the dataset.
