HIPAA Compliance Guide: Are Personal Health Records Covered Entities?
Personal Health Records Overview
What a personal health record is
A personal health record (PHR) is a consumer-facing tool you use to collect, view, or manage health-related data about yourself. It can include diagnoses, medications, allergies, lab results, wearable data, and care plans. When a PHR holds information created or received by a healthcare organization, that information may be Protected Health Information (PHI) under the HIPAA Privacy Rule, depending on who controls the record and why it was created.
PHR versus EHR
- EHR: An electronic health record maintained by a provider or health plan for treatment, payment, or operations. It is part of the organization’s designated record set.
- PHR: A consumer-managed tool that may mirror or supplement an EHR, or operate independently (for example, an app pulling data from devices). Whether HIPAA applies turns on who operates the PHR and on whose behalf it is maintained.
Common PHR models
- Provider- or health plan–sponsored portals that let you view and download records from your clinicians or plan.
- Payer or employer health benefits portals that include claims, authorizations, or wellness data.
- Independent consumer apps that aggregate data you enter or connect from devices and other sources.
Because these models differ, you should review vendor privacy policies to understand how your data is used if the PHR is not operated by your provider or health plan.
HIPAA Coverage Criteria
When HIPAA applies to a PHR
HIPAA applies to PHI created, received, maintained, or transmitted by a covered entity or its business associate. A PHR is within HIPAA when it is offered by, or on behalf of, a covered entity and includes information that forms part of the designated record set used to make decisions about you. In that case, the HIPAA Privacy Rule and Security Rule govern how the data is used, disclosed, and safeguarded.
When a PHR is outside HIPAA
A stand-alone, direct-to-consumer PHR that is not operated for or on behalf of a covered entity is generally not a covered entity and is not a business associate. HIPAA would not apply to that PHR’s data practices. Your protections instead come from state health information laws, general consumer protection requirements, and the provider’s or vendor’s privacy policies and notices.
Practical indicators
- You access the PHR through your provider or health plan, and it contains records used for care decisions: HIPAA likely applies.
- You sign up directly with an app that is not tied to your provider or plan and you self-enter most data: HIPAA likely does not apply.
Covered Entities Defined
Covered entities under HIPAA are specific types of organizations, not technologies. Understanding these definitions clarifies whether a PHR falls inside HIPAA.
- Health care providers who transmit health information electronically in standard transactions (for example, claims or eligibility checks).
- Health plans, including group health plans, insurers, and certain government programs.
- Health care clearinghouses that process nonstandard health information into standard formats.
If a PHR is provided by one of these covered entities, or by a vendor acting on its behalf, it becomes subject to covered entity compliance obligations for the PHI within scope.
Business Associate Roles
A business associate (BA) is a person or organization that creates, receives, maintains, or transmits PHI on behalf of a covered entity. Many PHR technology vendors, hosting providers, and integration platforms are business associates when they handle PHI for a provider or health plan.
Business Associate Agreement essentials
When a PHR vendor functions as a BA, the parties must execute a Business Associate Agreement (BAA). The BAA requires the vendor to limit permitted uses, apply safeguards, report incidents, flow down obligations to subcontractors, and return or destroy PHI at contract end. Operating as a “conduit” is a narrow exception; most persistent storage or routine access to ePHI creates BA status and BAA requirements.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Security and privacy expectations
- Implement administrative, physical, and technical safeguards appropriate to risk.
- Maintain audit controls, access management, and encryption to protect electronic PHI.
- Use or disclose only the minimum necessary PHI for the stated purpose, consistent with the HIPAA Privacy Rule.
State Health Data Regulations
Even when HIPAA does not apply, state health information laws may regulate PHR data. Several states have enacted consumer health data or medical privacy laws that cover apps, websites, and advertising technologies handling health-related data outside traditional health care settings.
Common state-law requirements
- Clear notices describing data collection, use, and sharing practices.
- Consent for collection or disclosure of sensitive health data, including restrictions on selling or sharing such data.
- Access, deletion, and portability rights for consumer health data held by non-HIPAA entities.
- Data minimization, purpose limitation, and security safeguards proportionate to risk.
- Contracting obligations for processors and service providers handling consumer health data.
HIPAA generally preempts contrary state laws, but more stringent state protections for health information can apply in addition to HIPAA. If your PHR operates in multiple states, you should align with the strictest applicable standard to reduce compliance risk.
Individual Access Rights
Access under HIPAA
If your PHR is part of a covered entity’s designated record set, you have a HIPAA Right of Access to inspect or obtain a copy in the requested format if readily producible. Covered entities must respond within 30 days (with one permitted 30-day extension and written notice), may charge only a reasonable, cost-based fee, and must send records to a third party you designate when properly directed.
Access outside HIPAA
For non-covered PHRs, your rights depend on vendor privacy policies and applicable state laws. Many state consumer health data laws grant you access and deletion rights for data the vendor holds. If you need records used for care decisions, request them directly from your provider or health plan to ensure you receive the official HIPAA-governed copy.
Compliance Responsibilities
For covered entities
- Establish governance for PHRs that are part of the designated record set, including retention and accounting of disclosures.
- Meet HIPAA Privacy Rule and Security Rule requirements, train your workforce, and apply the minimum necessary standard where applicable.
- Implement a Right of Access process with clear turnaround times, formats, and fee controls.
- Execute and manage BAAs with PHR vendors; verify subcontractor compliance.
- Conduct periodic risk analyses, remediate gaps, and maintain incident response and breach notification procedures.
For business associates and independent vendors
- If acting as a BA, sign a Business Associate Agreement and implement HIPAA-grade safeguards.
- If not a BA, map state health data obligations and align product design with consent, transparency, and data minimization requirements.
- Publish accurate, plain-language vendor privacy policies and honor consumer rights requests.
- Limit data sharing for advertising or analytics unless clearly disclosed and permitted by law and contract.
Conclusion
Personal health records are not covered entities by default. A PHR becomes subject to HIPAA when it is offered by, or on behalf of, a covered entity and holds PHI within the designated record set. Otherwise, protections come from state laws and vendor privacy policies. Determine who operates the PHR, confirm whether a BAA is in place, and align your practices with the most protective standards to meet your compliance obligations and respect individual rights.
FAQs
Are personal health records considered covered entities under HIPAA?
No. A PHR itself is not a covered entity. It falls under HIPAA only when it is offered by, or on behalf of, a covered entity (such as a provider or health plan) and contains PHI maintained as part of the designated record set.
What distinguishes covered entity PHRs from non-covered entity PHRs?
Covered entity PHRs are operated by a provider or health plan (or their business associate), hold PHI used to make decisions about you, and are subject to the HIPAA Privacy Rule and Security Rule. Non-covered entity PHRs are independent consumer apps or services not acting for a covered entity; they are governed by vendor privacy policies and state health information laws, not HIPAA.
How do state laws affect PHR privacy protections?
State laws can impose consent, transparency, and consumer rights requirements on PHRs that fall outside HIPAA. HIPAA preempts conflicting state laws, but more stringent state health protections often apply in addition to HIPAA, especially for consumer health data handled by non-HIPAA entities.
How do individual rights apply to accessing PHRs?
If your PHR is tied to a covered entity’s designated record set, you have a HIPAA Right of Access—typically within 30 days, with a reasonable, cost-based fee and the option to direct the copy to a third party. For stand-alone PHRs, access and deletion depend on state law and the vendor’s privacy policy; you may need to request official records directly from your provider or health plan.