HIPAA Privacy Rule Applicability Explained: Who It Covers and Why
The HIPAA Privacy Rule defines who must protect health information, what data is protected, and when disclosures are permitted. Understanding HIPAA Privacy Rule applicability helps you determine your organization’s duties, your vendors’ obligations, and the boundaries for using and sharing protected health information (PHI).
Covered Entities
Who HIPAA directly regulates
Covered entities are the organizations primarily responsible for complying with the Privacy Rule. They include health plans, most health care providers that conduct standard electronic transactions, and health care clearinghouses. If you bill electronically, process eligibility checks, or perform claims activities, you likely fall within the rule’s scope.
Common examples
- Health plans: employer-sponsored group health plans, HMOs, and government programs such as Medicare Advantage.
- Providers: hospitals, physician practices, clinics, dentists, pharmacies, laboratories, and telehealth providers that transmit HIPAA transactions.
- Clearinghouses: entities that translate nonstandard health data into standard formats and vice versa.
Who is not a covered entity
Many organizations are outside HIPAA, including life insurers, workers’ compensation carriers (except where state law requires certain privacy protections), most schools and school districts, most employers acting as employers, law enforcement, and direct-to-consumer health apps that are not acting for a covered entity. HIPAA Privacy Rule applicability turns on the role, not the industry label.
Hybrid entities
Some organizations (for example, a university that operates a hospital) can designate health care components as “hybrid entities.” Only the health care component is subject to HIPAA, but internal firewalls are required to keep PHI from flowing into non-covered parts.
Business Associates
Definition and scope
Business associates are persons or companies that create, receive, maintain, or transmit PHI on behalf of a covered entity. They include subcontractors that handle PHI. When you outsource billing, cloud hosting, claims processing, data analytics, or EHR services, those vendors become business associates.
Common examples
- IT and cloud service providers storing ePHI.
- Revenue cycle and medical billing firms.
- Consultants, legal, or accounting firms that need PHI to perform services.
- Health information exchanges and e-prescribing gateways.
Business Associate Agreements (BAAs)
Covered entities must execute BAAs with business associates to define permitted uses and disclosures, require safeguards, flow down obligations to subcontractors, and mandate breach reporting. Business associates are directly liable under HIPAA for compliance failures tied to PHI they handle.
Protected Health Information
What counts as PHI
Protected health information (PHI) is individually identifiable health information related to a person’s past, present, or future health status, care, or payment for care, held or transmitted by a covered entity or business associate. PHI can exist in any medium—paper, verbal, or electronic (ePHI).
Identifiers and context
PHI combines health-related data with identifiers such as name, address, contact details, Social Security or medical record numbers, device serials, IP addresses, or biometric identifiers. Even demographic data can be PHI when it can reasonably identify a person in a health context.
Limited Data Sets and de-identified information
A Limited Data Set removes direct identifiers but keeps certain elements (for example, dates and ZIP prefixes) and requires a Data Use Agreement. De-identified information removes sufficient identifiers so individuals cannot be identified. De-identified information is not PHI and falls outside the Privacy Rule’s protections.
Exclusions from PHI
De-identified information
Data de-identified through expert determination or by removing specified identifiers may be used or disclosed without HIPAA restrictions. You should still implement good data governance to prevent re-identification.
FERPA exclusions
Education records covered by the Family Educational Rights and Privacy Act (FERPA) are excluded from HIPAA. This includes most student health and immunization records maintained by schools and school districts, as well as student treatment records held by a postsecondary institution’s health clinic. These are governed by FERPA, not HIPAA.
Employment records and other carve-outs
Employment records a covered entity maintains in its role as an employer—such as FMLA paperwork, drug tests for employment, or ADA accommodations—are not PHI. In addition, information about a person deceased for more than 50 years is no longer PHI.
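The de-identification and Limited Data Set distinctions above, and the 50-year rule for deceased individuals, are easier to reason about in code. The following is an added example, not code from the original page or from Accountable: it strips direct identifiers to produce a Limited Data Set, then applies the Safe Harbor method (45 CFR 164.514(b)(2), the "removing specified identifiers" path) to produce a de-identified record, and checks whether a record is still PHI given a date of death. The field names, the sample record, and the set of sparsely populated ZIP prefixes are constructed assumptions for illustration; HHS publishes the real prefix list.

```python
"""Added example: Limited Data Set vs. Safe Harbor de-identification of a
patient record. Field names and sample values are constructed for this
example and are not the original page's or Accountable's code."""
from datetime import date

# Direct identifiers that both a Limited Data Set and a de-identified
# record must remove (names, contact details, SSN/MRN, device, IP, biometrics).
DIRECT_IDENTIFIERS = {
    "name", "street_address", "phone", "email", "ssn", "mrn",
    "device_serial", "ip_address", "biometric_id",
}
# Elements a Limited Data Set may keep but Safe Harbor must generalize.
DATE_FIELDS = {"dob", "admit_date", "discharge_date", "date_of_death"}
ZIP_FIELD = "zip"
AGE_FIELD = "age"

# Safe Harbor: a 3-digit ZIP prefix covering 20,000 or fewer people must be
# replaced by "000". Constructed sample set, not the official HHS list.
SPARSE_ZIP_PREFIXES = {"036", "059", "063"}

# Constructed sample record (ISO-8601 dates).
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "mrn": "MRN-000123",
    "ssn": "123-45-6789",
    "email": "jane@example.com",
    "ip_address": "203.0.113.7",
    "zip": "03601",
    "dob": "1931-03-14",
    "age": 93,
    "admit_date": "2024-06-01",
    "diagnosis": "J18.9",
}


def limited_data_set(record: dict) -> dict:
    """Remove direct identifiers only; dates and full ZIP remain, so a
    Data Use Agreement is required before sharing the result."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def de_identify(record: dict) -> dict:
    """Safe Harbor de-identification built on top of the Limited Data Set:
    dates reduced to the year, ZIP truncated to a 3-digit prefix (or "000"),
    and ages over 89 aggregated into "90+" with the birth year dropped."""
    out = limited_data_set(record)
    age = out.get(AGE_FIELD)
    over_89 = isinstance(age, int) and age > 89
    for field in list(out):
        if field not in DATE_FIELDS:
            continue
        if field == "dob" and over_89:
            del out[field]  # a birth year alone would reveal an age over 89
        else:
            out[field] = str(out[field])[:4]  # "YYYY-MM-DD" -> "YYYY"
    if over_89:
        out[AGE_FIELD] = "90+"
    if ZIP_FIELD in out:
        prefix = str(out[ZIP_FIELD])[:3]
        out[ZIP_FIELD] = "000" if prefix in SPARSE_ZIP_PREFIXES else prefix
    return out


def is_phi(record: dict, today: date) -> bool:
    """Information about a person deceased for more than 50 years is no
    longer PHI; anything without a date of death is treated as PHI."""
    dod = record.get("date_of_death")
    if not dod:
        return True
    death = date.fromisoformat(dod)
    try:
        fiftieth = death.replace(year=death.year + 50)
    except ValueError:  # Feb 29 death date, non-leap target year
        fiftieth = death.replace(year=death.year + 50, day=28)
    return today <= fiftieth


if __name__ == "__main__":
    print("LDS:", limited_data_set(SAMPLE_RECORD))
    print("De-identified:", de_identify(SAMPLE_RECORD))
    print("Still PHI:", is_phi(SAMPLE_RECORD, date(2024, 6, 1)))
```

The Limited Data Set output still contains the full date of birth and ZIP code, which is exactly why it remains PHI and needs a Data Use Agreement; the de-identified output for this record keeps only the admission year, the ZIP placeholder, the aggregated age band and the diagnosis code.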
Minimum Necessary Standard
Core requirement
When using, disclosing, or requesting PHI, you must limit it to the minimum necessary to accomplish the purpose. Apply role-based access, define routine protocols, and document criteria for non-routine requests.
Key exceptions
- Treatment: disclosures to or requests by health care providers for treatment.
- To the individual: disclosures to the patient about their own PHI.
- Authorization: uses or disclosures made pursuant to a valid authorization.
- Required by law: disclosures required by law, or made to HHS for compliance investigations.
Putting it into practice
- Use role-based permissions and audit logs for ePHI.
- Standardize minimum fields in routine reports; require approvals for exceptions.
- De-identify or use a Limited Data Set when full PHI is unnecessary.
State Laws Impact
Preemption and “more stringent” rules
HIPAA generally preempts contrary state laws, but if a state law is more stringent—providing greater privacy protection or granting individuals broader access—it controls. Many states impose stricter consent or redisclosure limits for sensitive information like mental health, HIV status, genetic data, or reproductive health.
Practical compliance tips
- Map where you operate and inventory state-specific privacy requirements.
- Default to the rule that offers the greatest protection when laws conflict.
- Adjust notices, authorizations, and access controls for state-sensitive categories.
Public Health Disclosures
Disclosures to public health authorities
The Privacy Rule permits disclosures to public health authorities to prevent or control disease, injury, or disability. Covered entities may report communicable diseases, vital events, adverse events involving regulated products, and certain exposures as authorized by law.
Additional permitted disclosures
- Notifying people at risk of contracting or spreading a disease, when authorized.
- Reporting child abuse or neglect to appropriate authorities.
- Sharing workplace medical surveillance findings with an employer when required.
Safeguards still apply
Use the minimum necessary standard unless a disclosure is required by law. Where detailed identifiers are unnecessary, rely on de-identified information or a Limited Data Set under a Data Use Agreement.
Conclusion
HIPAA Privacy Rule applicability hinges on who you are (covered entity or business associate), the nature of the data (PHI versus de-identified information), and the purpose of the use or disclosure. Apply the minimum necessary standard, account for state laws that are more protective, and understand when public health authority disclosures are permitted.
FAQs
Who qualifies as a covered entity under the HIPAA Privacy Rule?
Covered entities include health plans, most health care providers that conduct standard electronic transactions, and health care clearinghouses. Organizations that do not perform HIPAA transactions, or that are not in one of these categories, are generally not covered entities.
What types of information are protected under the Privacy Rule?
The Privacy Rule protects protected health information (PHI)—individually identifiable health information about health status, care, or payment for care, in any medium, held by a covered entity or business associate. De-identified information and certain excluded records are not PHI.
How do business associates relate to HIPAA compliance?
Business associates handle PHI on behalf of covered entities and must sign Business Associate Agreements. They are directly liable for implementing safeguards, limiting uses and disclosures, and reporting breaches related to the PHI they create, receive, maintain, or transmit.
When is PHI excluded from the Privacy Rule?
Information is excluded when it is properly de-identified, when it is a FERPA-covered education or treatment record, when it is an employment record held by an employer, or when it concerns an individual who has been deceased for more than 50 years.
What are the enforcement consequences for violating the Privacy Rule?
Enforcement actions can include corrective action plans, monitoring, and civil monetary penalties that scale with the level of culpability (from lack of knowledge to willful neglect). Significant breaches can result in multimillion-dollar settlements, reputational harm, and mandated remediation.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.