HIPAA for Non-Covered Companies: When It Applies, Examples, and Checklist


Kevin Henry

HIPAA

January 18, 2025

8 minute read

Definition of Non-Covered Entities

A non-covered entity is any organization that is neither a covered entity (a health plan, a healthcare clearinghouse, or a healthcare provider that conducts standard electronic healthcare transactions) nor a business associate acting on a covered entity's behalf. If you do not fall into those categories and you are not handling protected health information (PHI) on behalf of a covered entity, HIPAA generally does not apply to you.

PHI is individually identifiable health information created or received by a covered entity or its business associate. Consumer health data collected directly from users (for example, through a wellness app) may be sensitive, but it is not PHI under HIPAA unless a covered entity or business associate relationship exists.

Covered entities, business associates, and non-covered entities

Covered entities include health plans, healthcare clearinghouses, and healthcare providers that conduct standard healthcare transactions such as claims, eligibility, or payment inquiries. A company becomes a business associate when it creates, receives, maintains, or transmits PHI for or on behalf of a covered entity. Everyone else is a non-covered entity, though other privacy laws may still apply.

What counts as PHI

PHI includes health details tied to an individual’s identity when handled by a covered entity or business associate. Names, addresses, device identifiers, and full-face photos can qualify when linked to health data in that context. De-identified data, meeting HIPAA’s de-identification standards, is not PHI.

Examples of Non-Covered Entities

Below are common organizations that are typically non-covered entities unless they enter a business associate relationship involving PHI:

  • Direct-to-consumer wellness and fitness apps that users download and populate themselves.
  • Wearable device manufacturers and personal health record services operating directly with consumers.
  • Employers in their role as employers (separate from any employer-sponsored group health plan).
  • Schools and universities with student records governed by FERPA rather than HIPAA.
  • Life, disability, and workers’ compensation insurers and administrators.
  • Financial institutions (for example, administering HSAs) and consumer lenders.
  • Gyms, nutrition programs, and corporate wellness vendors contracting directly with employers.
  • Marketing firms, analytics platforms, and cloud providers that do not handle PHI for a covered entity.

Any of the above may become business associates if they receive PHI from a covered entity and perform a function or provide a service involving that PHI. In that case, HIPAA and business associate agreements apply.

Applicability of HIPAA to Non-Covered Entities

HIPAA applies to you when your activities make you a covered entity or a business associate. For example, if your software starts transmitting standard electronic healthcare transactions on behalf of providers, you may fit within HIPAA’s framework. Likewise, if you host, process, or analyze PHI for a hospital under contract, you are a business associate.

Edge cases and hybrid situations

Employers that sponsor group health plans interact with HIPAA through the plan, not the employer entity. Organizations with both clinical and non-clinical lines of business may designate healthcare components as a “hybrid entity,” walling off PHI from non-covered operations. These structural choices affect whether data you hold is PHI and whether HIPAA applies.

Data flows determine status

Map how data enters your systems, who sends it, and why. If individuals self-enter data for personal use, it is usually outside HIPAA. If a clinic sends you patient data so you can deliver services on its behalf, you are likely a business associate and HIPAA obligations attach.

Business Associate Status and Requirements

You become a business associate when you create, receive, maintain, or transmit PHI for a covered entity. Before doing so, you must execute business associate agreements (BAAs) with the covered entity and with any subcontractors that will handle PHI. BAAs define permitted uses and disclosures, require privacy and security safeguards, and set breach notification duties.

Security Rule obligations

Business associates must implement the administrative, physical, and technical safeguards required by the HIPAA Security Rule. This includes risk analysis, access controls, audit logging, encryption in transit and at rest where reasonable and appropriate, workforce training, and ongoing monitoring of vulnerabilities and third-party risks.

Privacy Rule touchpoints

While covered entities bear primary HIPAA Privacy Rule compliance, business associates must use and disclose PHI only as permitted by their BAAs or as required by law. They must observe the minimum necessary standard, avoid impermissible marketing uses or sales of PHI without authorization, and support covered entities with requests such as accounting of disclosures when applicable.

Breach notification and subcontractors

Business associates must promptly report security incidents and breaches of unsecured PHI to their covered entities and ensure subcontractors agree to equivalent protections through downstream BAAs. Clear incident response procedures and evidence preservation are essential.

Protections for Health Information

If HIPAA does not apply, other frameworks still shape your obligations. The Federal Trade Commission Health Breach Notification Rule can require notifying users and the FTC when vendors of personal health records or related services experience certain breaches. State privacy and breach notification laws, consumer protection laws, and sectoral rules (such as FERPA or GLBA) may also govern your practices.

Baseline privacy and security safeguards

Adopt risk-based privacy and security safeguards regardless of HIPAA status. Use data minimization, strong authentication, role-based access, encryption, logging, and regular vulnerability and penetration testing. Maintain a data retention schedule and secure disposal, vet vendors carefully, and document your program to demonstrate accountability.

Aligning with HIPAA principles

Even when not required, aligning with HIPAA Privacy Rule concepts strengthens trust. For instance, limit uses to what users expect, honor the minimum necessary principle, publish clear notices, and obtain valid authorization for sensitive secondary uses such as targeted advertising.

Recommendations for Non-Covered Entities

Start with a legal and technical data-mapping exercise to pinpoint when you might receive PHI and from whom. Where possible, structure products so consumers provide data directly for personal use, and avoid integrating feeds from covered entities unless you intend to operate as a business associate with the required controls and BAAs.

Build privacy by design into your development lifecycle. Separate identifiable data from analytics, prefer de-identified or aggregated outputs, and limit sharing with marketing and adtech partners. Train staff on handling health-related information and test your incident response plan regularly so you can respond quickly and transparently.

Compliance Checklist for Non-Covered Entities

  • Determine your status: covered entity, business associate, hybrid entity, or non-covered.
  • Map data flows to confirm whether you handle protected health information and the sources of that data.
  • If PHI from a covered entity is involved, execute business associate agreements before receiving any data.
  • Implement HIPAA Security Rule-aligned safeguards: risk analysis, access controls, encryption, logging, and vendor risk management.
  • Define permitted uses/disclosures in BAAs and apply the minimum necessary principle across workflows.
  • Establish incident response and breach notification procedures, including triggers under the Federal Trade Commission Health Breach Notification Rule and state laws.
  • Adopt privacy and security safeguards for all health-related data, including data minimization and retention limits.
  • Evaluate healthcare transactions your systems may conduct; avoid inadvertently becoming a clearinghouse or provider engaged in standard transactions.
  • Control marketing and analytics: disable tracking on pages or apps where health data could flow without explicit authorization.
  • Vet subcontractors that may touch PHI and sign downstream BAAs as needed.
  • Document policies, training, risk assessments, and remediation actions; review at least annually.
  • Use de-identification or aggregation where feasible and validate re-identification risk.

Conclusion

HIPAA for non-covered companies hinges on roles and data flows. If you do not act for a covered entity or engage in standard healthcare transactions, HIPAA likely does not apply, but other laws and best practices still do. When you handle PHI for a covered entity, you become a business associate and must implement formal safeguards, BAAs, and breach procedures.

FAQs

When does HIPAA apply to non-covered entities?

HIPAA applies when a non-covered company receives, maintains, creates, or transmits PHI for or on behalf of a covered entity, making it a business associate. It may also apply if the company starts performing standard electronic healthcare transactions as a provider or functions as a healthcare clearinghouse.

What are examples of non-covered entities under HIPAA?

Examples include consumer wellness apps, wearable manufacturers, employers (outside their group health plan), schools governed by FERPA, life and disability insurers, financial institutions, gyms, and marketing or cloud vendors that do not handle PHI for covered entities.

How do business associate agreements affect non-covered entities?

Business associate agreements convert the relationship into one governed by HIPAA when PHI is involved. BAAs define permitted uses, mandate privacy and security safeguards, require subcontractor BAAs, and set incident reporting and breach notification duties.

What privacy laws protect health information held by non-covered entities?

Non-covered entities can be subject to the Federal Trade Commission Health Breach Notification Rule, state consumer privacy and breach notification laws, and sectoral rules like FERPA or GLBA. These frameworks require transparent practices, reasonable safeguards, and timely notice when certain incidents occur.
